SRX Services Gateway
Contributor
paulkil
Posts: 127
Registered: 11-05-2010
Accepted Solution

Traffic generation

Hi guys,

I'm wondering whether there is the capacity on the SRX platform to self-generate traffic to test a policy rule?

The Cisco ASA can do it using the following commands:

packet-tracer input public rawip 201.201.201.201 51 146.247.40.125

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   146.247.40.125  255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: public
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (np-sp-invalid-spi) Invalid SPI

Thanks,

Paul
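Added example, not from this thread or from Cisco or Juniper: a small Python parser for the ASA packet-tracer output quoted above. It separates the per-phase results from the final "Result:" block and shows that the final Action (here "drop" with a drop-reason) is what decides the simulated packet's fate, even though every phase reports ALLOW. The sample is a trimmed copy of the output in the post.

```python
import re

# Sample input: a trimmed copy of the ASA packet-tracer output quoted in the post.
SAMPLE = """\
packet-tracer input public rawip 201.201.201.201 51 146.247.40.125
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
in   146.247.40.125  255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Implicit Rule
Phase: 3
Type: IP-OPTIONS
Result: ALLOW
Result:
input-interface: public
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (np-sp-invalid-spi) Invalid SPI
"""

def parse_packet_tracer(text):
    """Return (phases, final): one dict per "Phase: N" block, plus the final "Result:" block."""
    phases, final, section = [], {}, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            section = {"phase": int(line.split(":", 1)[1])}
            phases.append(section)
        elif line.strip() == "Result:":  # bare header: the final verdict block starts here
            section = final
        elif ":" in line and section is not None:  # "key: value" lines; free text is skipped
            key, _, value = line.partition(":")
            section[key.strip().lower()] = value.strip()
    return phases, final

def verdict(text):
    """Summarise a trace: the final Action decides, even when every phase reports ALLOW."""
    phases, final = parse_packet_tracer(text)
    reason = re.match(r"\((?P<code>[^)]*)\)\s*(?P<text>.*)", final.get("drop-reason", ""))
    return {
        "phases": len(phases),
        "all_phases_allow": all(p.get("result") == "ALLOW" for p in phases),
        "action": final.get("action"),
        "drop_code": reason.group("code") if reason else None,
        "drop_text": reason.group("text") if reason else None,
    }
```

Running `verdict(SAMPLE)` reports three phases that all ALLOW, yet an action of "drop" with code "np-sp-invalid-spi"; when reviewing a trace, read the final block rather than stopping at the phase results.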

Recognized Expert
Mattia
Posts: 198
Registered: 03-17-2010

Re: Traffic generation

Hi Paul,

I don't know whether it is possible to generate traffic from the SRX, but a nice tool I use to check which policy will be matched by a flow is the op script "policy-test.slax"; you can find the code and an explanation here.

Bye,

Mattia

JNCIP-ENT, JNCIP-SEC, JNCIS-SP


Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Traffic generation


paulkil wrote:

I'm wondering whether there is the capacity on the SRX platform to self-generate traffic to test a policy rule?

...

packet-tracer input public rawip 201.201.201.201 51 146.247.40.125


"packet-tracer" on the ASA does not actually "generate traffic" -- it simulates the path & processing that the packet would take and shows you the results.

 

You can do the same thing with "show security match-policies <...>" available on Junos 10.3 and newer.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
paulkil
Posts: 127
Registered: 11-05-2010

Re: Traffic generation

Thanks kr,

that's exactly what I was looking for. Also thanks to the first replier, it sounds like a good script.

Regards,

Paul

Contributor
paulkil
Posts: 127
Registered: 11-05-2010

Re: Traffic generation

Actually it's not quite the same as on the ASA, as on the SRX you have to specify the source and destination zones.

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Traffic generation


paulkil wrote:

Actually it's not quite the same as on the ASA, as on the SRX you have to specify the source and destination zones.


Yes, but when you're looking to test the results of what a packet would do through an SRX, that is important information to define.

Since the ASA is not a zone-based firewall, it's going to operate differently than an SRX, which is a zone-based firewall.

-kr


Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.