SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Return Path is different on SRX

    Posted 07-31-2011 01:19

    Hi Experts

     

    There are two interfaces (say ge-0/0/0 and ge-0/0/1) in the untrust zone and one interface in the trust zone. Traffic leaves the firewall from the trust to the untrust zone via ge-0/0/0, but return traffic comes in on the ge-0/0/1 interface.

     

    If I turn off the tcp-syn check, can the firewall then allow this session? In my experience it works when traffic always goes through the firewall but return traffic comes to the host bypassing the firewall.

     

    Thanks



  • 2.  RE: Return Path is different on SRX
    Best Answer

    Posted 07-31-2011 17:33
    Hi, on SRX, as long as traffic comes into another interface in the same zone, you do not need to turn off TCP SYN checking like in ScreenOS. Junos on SRX tracks sessions per zone, not per interface, so you should be good to go without any modifications.
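
The setup the answer above describes, as an added Junos configuration sketch that is not part of the original thread: both uplinks sit in the untrust zone and the TCP SYN check stays at its default. The trust-side interface name ge-0/0/2.0 and the unit .0 suffixes are assumptions.

```junos
# Added example, not from the thread.
# ge-0/0/2.0 (trust side) is an assumed interface name.

# Both uplinks belong to the same security zone. Per the answer, a reply
# arriving on ge-0/0/1.0 still matches the session opened out of ge-0/0/0.0,
# because the return interface is in the same zone.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0

# The workaround the question asks about. Per the answer it is not needed
# for this topology. Enabling it lets a TCP session be created from a
# packet that is not a SYN, which weakens stateful inspection, so it is
# left commented out here.
# set security flow tcp-session no-syn-check

# Operational-mode checks after commit:
#   show configuration security flow   (confirm no-syn-check is absent)
#   show security flow session         (inspect the session's in/out interfaces)
```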


  • 3.  RE: Return Path is different on SRX

    Posted 08-01-2011 13:19

    Thanks Dear.



  • 4.  RE: Return Path is different on SRX

    Posted 08-01-2011 14:27

    You're welcome, Dear.



  • 5.  RE: Return Path is different on SRX

    Posted 08-02-2011 08:02

    Hi Stefan,

     

    Thanks for your post. Do you have a link to any document which explains such things as the fact that SRX tracks sessions per zone, not per interface, in more detail? I feel I don't have a complete understanding of this topic...

     

    Btw, some related questions were discussed in

    http://forums.juniper.net/t5/SRX-Services-Gateway/Is-ECMP-supposed-to-work-on-SRX-cluster/td-p/97076

     

    It would be great to have a sound guide for SRX routing, and not just rely on enthusiastic lab tests...