SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Confused on Firewall Filters and Zone Policies

    Posted 10-27-2011 13:45

    I have the CoS class book, but it doesn't really cover the SRX platforms.  I am finally understanding how to use the firewall filters for writing the QoS config, but I am unsure if this should be done in the firewall filters or the zone filters.  I am also wondering about the jflow configs.  Should these be done in firewall filters, or can it be done within the zone?  I assume the answer to both of these is that it should be done in a packet-based firewall filter, but I want to make sure.

    What is the order of operation?  Packet, then flow?  Can I apply multiple firewall filters to the same interface?  For example, one filter that exports the flow data followed by another filter that sets the CoS settings, or should only one large multi-function filter be used?

    Coming from a Cisco background, this is very different for me.  I hope my question makes sense.

    Thanks....


    Chris



  • 2.  RE: Confused on Firewall Filters and Zone Policies
    Best Answer

    Posted 10-27-2011 14:40

    Packet filters are handled before flow services (and after, if you have egress filters), and yes, you do this at the interface filter, not in zone (flow-based) processing.

    See page 5 of this document for a packet flow diagram.

    You can apply multiple filters to interfaces, and they're processed in the order they're listed.  Your interfaces also get configured with scheduler and classifier maps for your QoS.
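
    Added example (written for this page, not the poster's or Juniper's own configuration): a Junos fragment that applies two stateless filters to one interface with input-list, in the order described above, with the J-Flow export and the CoS scheduler and classifier that the answer refers to. Interface name, addresses (RFC 5737 documentation ranges), collector, sampling rate and scheduler percentages are assumptions. One caveat a practitioner will want: the filters in a list are evaluated as one ordered sequence of terms, so the sampling term ends with next term rather than accept; an accept there is a terminating action and would end evaluation before the CoS filter is reached. Filter-list and sampling syntax vary by platform and release, so validate with commit check on the target box.

    ```junos
    firewall {
        family inet {
            /* Filter 1 in the list: count and sample everything for J-Flow export.
               "next term" hands the packet on to the next filter in the list;
               "accept" here would stop evaluation before MARK-COS is reached. */
            filter EXPORT-FLOWS {
                term sample-all {
                    then {
                        count sampled-packets;
                        sample;
                        next term;
                    }
                }
            }
            /* Filter 2 in the list: set forwarding class, then accept (terminating). */
            filter MARK-COS {
                term voice {
                    from {
                        dscp ef;
                    }
                    then {
                        forwarding-class expedited-forwarding;
                        loss-priority low;
                        accept;
                    }
                }
                term everything-else {
                    then {
                        forwarding-class best-effort;
                        accept;
                    }
                }
            }
        }
    }
    interfaces {
        /* Assumed interface; stateless filters run here, before flow (zone/policy) processing. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input-list [ EXPORT-FLOWS MARK-COS ];
                    }
                    address 192.0.2.1/24;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                /* Assumed rate: 1 in 100 packets */
                rate 100;
            }
            family inet {
                output {
                    /* Hypothetical collector address and port */
                    flow-server 192.0.2.100 {
                        port 2055;
                        version 5;
                    }
                }
            }
        }
    }
    class-of-service {
        interfaces {
            ge-0/0/0 {
                scheduler-map SM-WAN;
                unit 0 {
                    classifiers {
                        dscp default;
                    }
                }
            }
        }
        scheduler-maps {
            SM-WAN {
                forwarding-class expedited-forwarding scheduler SCH-EF;
                forwarding-class best-effort scheduler SCH-BE;
            }
        }
        schedulers {
            SCH-EF {
                transmit-rate percent 20;
                priority strict-high;
            }
            SCH-BE {
                transmit-rate remainder;
            }
        }
    }
    ```

    After commit, show firewall lists the combined interface filter with the sampled-packets counter, which is a quick way to confirm the list is being hit in the expected order before looking at the collector.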



  • 3.  RE: Confused on Firewall Filters and Zone Policies

    Posted 10-27-2011 15:39

    Thanks, that is what I thought.  Is it best practice to use one large filter or separate smaller filters?  I am used to very large ASA ACLs, but smaller per-function filters are easier to troubleshoot.  One last question: should the filter that outputs the jflow be first in line on the list?


    Chris



  • 4.  RE: Confused on Firewall Filters and Zone Policies

    Posted 10-31-2011 15:22

    @csnow wrote:

    Thanks, that is what I thought.  Is it best practice to use one large filter or separate smaller filters?  I am used to very large ASA ACLs, but smaller per-function filters are easier to troubleshoot.  One last question: should the filter that outputs the jflow be first in line on the list?


    I think in that case, "best practice" would just be whatever you prefer, honestly.  I try to think of that sort of thing as if I were programming -- if I have filters that will be used in more than one place, I define them once and reference them in multiple places.  If I have something very specific or one-off, I simply define that instance individually to accomplish the task at hand.


    For the jflow -- putting it last seems logical.  I honestly don't know if it would have any effect on what's exported if you put it, say, first, before your other filters are called.  I don't know if the jflow export happens as soon as the filter is called, or if it waits until all processing is done and the packet is accepted or forwarded on, etc.