SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Traffic generation

    Posted 02-06-2012 08:37

    Hi guys,

    I'm wondering whether there is the capacity on the SRX platform to self-generate traffic to test a policy rule?


    The Cisco ASA can do it using the following commands:


    packet-tracer input public rawip 201.201.201.201 51 146.247.40.125

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   146.247.40.125  255.255.255.255 identity

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:

    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Result:
    input-interface: public
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (np-sp-invalid-spi) Invalid SPI


    Thanks,


    Paul



  • 2.  RE: Traffic generation

    Posted 02-06-2012 08:50

    Hi Paul,

    I don't know whether it is possible to generate traffic from the SRX, but a nice tool I use to check which policy will be matched by a flow is the op script "policy-test.slax"; you can find the code and an explanation here.


    Bye,

    Mattia




  • 3.  RE: Traffic generation
    Best Answer

    Posted 02-06-2012 12:14

    @paulkil wrote:


    I'm wondering whether there is the capacity on the SRX platform to self-generate traffic to test a policy rule?

    ...

     packet-tracer input public rawip 201.201.201.201 51 146.247.40.125


    "packet-tracer" on the ASA does not actually "generate traffic" -- it simulates the path & processing that the packet would take and shows you the results.


    You can do the same thing with "show security match-policies <...>" available on Junos 10.3 and newer.



  • 4.  RE: Traffic generation

    Posted 02-06-2012 15:19

    Thanks kr,

    that's exactly what I was looking for. Also thanks to the first replier, it sounds like a good script.


    Regards,


    Paul



  • 5.  RE: Traffic generation

    Posted 02-07-2012 02:58

    Actually it's not quite the same as on the ASA as on the SRX you have to specify the source and destination zones.



  • 6.  RE: Traffic generation

    Posted 02-09-2012 15:19

    @paulkil wrote:

    Actually it's not quite the same as on the ASA as on the SRX you have to specify the source and destination zones.


    Yes, but when you're looking to test the results of what a packet would do through an SRX, that is important information to define.


    Since the ASA is not a zone-based firewall, it's going to operate differently than an SRX, which is a zone-based firewall.
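Added example, not code from the thread or from Junos: a small Python model of the zone-aware policy lookup that posts 3 and 6 describe, showing why the same source/destination/port tuple can permit in one zone pair and fall through to the default deny in another. Policy names, zone names and addresses are constructed for illustration; the lookup order (zone-context policies first in configured order, then global policies, then default deny) is the SRX behaviour the thread refers to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    # The inputs "show security match-policies" needs: zones plus 5-tuple fields.
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str        # "any" on both zones marks a global policy (no zone context)
    to_zone: str
    src_net: str          # CIDR
    dst_net: str          # CIDR
    proto: str            # "tcp", "udp" or "any"
    dports: tuple         # inclusive (low, high); (0, 65535) means any port
    action: str           # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.from_zone in ("any", f.from_zone)
                and self.to_zone in ("any", f.to_zone)
                and ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and self.proto in ("any", f.proto)
                and self.dports[0] <= f.dport <= self.dports[1])


def match_policy(policies, flow: Flow):
    """Return (policy_name, action) for the first matching policy.
    Zone-context policies are evaluated first in configured order, then
    global policies; a flow matching nothing hits the implicit default deny."""
    zone_ctx = [p for p in policies if not (p.from_zone == "any" and p.to_zone == "any")]
    global_ = [p for p in policies if p.from_zone == "any" and p.to_zone == "any"]
    for p in zone_ctx + global_:
        if p.matches(flow):
            return p.name, p.action
    return "default-policy", "deny"


# Constructed sample policy set (hypothetical names and prefixes).
POLICIES = [
    Policy("allow-web", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "tcp", (443, 443), "permit"),
    Policy("block-bad-net", "any", "any", "0.0.0.0/0", "203.0.113.0/24", "any", (0, 65535), "deny"),
]
```

Running the same 10.1.2.3 to 198.51.100.5 tcp/443 flow through the lookup with trust/untrust zones returns the permit, while dmz/untrust returns the default deny, which is the zone dependence post 6 points out.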