SRX Services Gateway

Traffic generation

02-06-2012 08:37 AM

Hi guys,

I'm wondering whether there is the capacity on the SRX platform to self-generate traffic to test a policy rule?

The Cisco ASA can do it using the following commands:

packet-tracer input public rawip 201.201.201.201 51 146.247.40.125

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   146.247.40.125  255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: public
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (np-sp-invalid-spi) Invalid SPI

Thanks,

Paul

5 REPLIES

Re: Traffic generation

02-06-2012 08:50 AM (edited)

Hi Paul,

I don't know whether it is possible to generate traffic from the SRX, but a nice tool I use to check which policy will be matched by a flow is the op script "policy-test.slax"; you can find the code and an explanation here.

Bye,

Mattia

.................................................................................
JNCIP-ENT, JNCIP-SEC, JNCIP-SP et al.
(If this post helped you, please mark it as an "Accepted Solution"; kudos are also appreciated!)


Solution (accepted by topic author paulkil, 08-26-2015 01:27 AM)

Re: Traffic generation

02-06-2012 12:14 PM

paulkil wrote:

I'm wondering whether there is the capacity on the SRX platform to self-generate traffic to test a policy rule?

...

packet-tracer input public rawip 201.201.201.201 51 146.247.40.125

"packet-tracer" on the ASA does not actually "generate traffic" -- it simulates the path & processing that the packet would take and shows you the results.

 

You can do the same thing with "show security match-policies <...>" available on Junos 10.3 and newer.

-kr

---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: Traffic generation

02-06-2012 03:19 PM

Thanks kr,

that's exactly what I was looking for. Also thanks to the first replier, sounds like a good script.

Regards,

Paul

Re: Traffic generation

02-07-2012 02:57 AM

Actually it's not quite the same as on the ASA, as on the SRX you have to specify the source and destination zones.

Re: Traffic generation

02-09-2012 03:18 PM

paulkil wrote:

Actually it's not quite the same as on the ASA, as on the SRX you have to specify the source and destination zones.

Yes, but when you're looking to test the results of what a packet would do through an SRX, that is important information to define.

Since the ASA is not a zone-based firewall, it's going to operate differently than an SRX, which is a zone-based firewall.

-kr
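As an added example (not from this thread, not Juniper's code), a small Python model of the zone-pair policy lookup kr is describing: a flow is only ever checked against rules in its own from-zone/to-zone context, so the same 5-tuple can be permitted, explicitly denied, or fall through to the implicit deny depending on which zones you name. Zone names, policy names and addresses below are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    # One rule inside a from-zone/to-zone context (constructed fields)
    name: str
    from_zone: str
    to_zone: str
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    proto: str            # "tcp", "udp", or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"


def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def match_policy(policies: List[Policy], from_zone: str, to_zone: str,
                 src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match lookup restricted to the zone pair; no match means the implicit deny."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue  # rules in other zone contexts are never consulted
        if not (_in_net(p.src, src_ip) and _in_net(p.dst, dst_ip)):
            continue
        if p.proto != "any" and p.proto != proto:
            continue
        if p.dport is not None and p.dport != dport:
            continue
        return p.name, p.action
    return "default-deny", "deny"


# Constructed rulebase: the same packet meets a different rule in each zone pair
POLICIES = [
    Policy("allow-web-out", "trust", "untrust", "10.0.0.0/24", "any", "tcp", 443, "permit"),
    Policy("block-inbound", "untrust", "trust", "any", "any", "any", None, "deny"),
    Policy("dmz-to-trust-dns", "dmz", "trust", "172.16.0.0/24", "10.0.0.53/32", "udp", 53, "permit"),
]

if __name__ == "__main__":
    flow = ("10.0.0.5", "198.51.100.7", "tcp", 443)
    for zones in (("trust", "untrust"), ("untrust", "trust"), ("dmz", "untrust")):
        print(zones, "->", match_policy(POLICIES, *zones, *flow))
```

Running it shows the identical 5-tuple hitting a permit, an explicit deny and the implicit deny purely because the zone pair changed, which is the information the ASA's packet-tracer derives for itself and the SRX command asks you to supply.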