Juniper SRX series firewall packet processing flow

Firewall packet processing flow

For day-to-day firewall operations, the most important thing is to understand how the firewall processes packets and how to troubleshoot along that processing flow. The firewall packet processing flow is shown in the figure below:

[Figure 1: Juniper SRX series firewall packet processing flow]

  1. Apply traffic policing to packets arriving at the firewall.
  2. Filter packets arriving at the firewall.
  3. Check whether the packet matches an existing session. Source address, destination address, source port, destination port, protocol and a unique session token determine whether it belongs to the same session. If an existing session matches, route lookup and policy lookup are skipped and the packet is forwarded according to the stored session information. This is called fast-path processing. Fast-path processing mainly includes screens, TCP checks (SYN flag, sequence numbers and so on) and NAT checks.
  4. If no session matches, enter the screens stage, which mainly checks for attack behaviour.
  5. Check for a static NAT match; if matched, apply static NAT and then enter route lookup.
  6. Check for a destination NAT match; if matched, apply destination NAT.
  7. Perform route lookup to determine the ingress and egress interfaces and zones.
  8. Check the zone-to-zone security policies and their schedules.
  9. Check for a reverse static NAT match. Because static NAT is defined in one direction only, this step checks packets travelling in the reverse direction against the static NAT rule. If matched, enter the ALG stage.
    Example of reverse static NAT:
set security nat static rule-set rs1 from interface ge-0/0/0.0
set security nat static rule-set rs1 rule r1 match destination-address 203.0.113.0/24
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.0/24
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.1/32 to 203.0.113.249/32
set security address-book global address server-group 192.168.1.0/24
set security policies from-zone trust to-zone untrust policy permit-all match source-address server-group
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-group
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit

    In this example, traffic from the servers out to the external network is the reverse static NAT case.
  10. Check for a source NAT match.
  11. ALG: translate the addresses carried in the control-channel payload, for example FTP.
  12. Create the session.
  13. Enter fast-path processing.
  14. Check egress filters.
  15. Check rate limiting.

Troubleshooting methods and tools

  • Check whether a session exists:
    show security flow session | display set
    If a session already exists, the security policy check has passed; next check whether both directions of the session have matched packets. If the reverse direction has no packets, the problem is most likely a network element behind the firewall, such as a missing return route.
  • If no session is formed, use the flow trace commands to see how the firewall processes the packet:
set security flow traceoptions file flow size 1m
set security flow traceoptions flag basic-datapath
set security flow traceoptions file filename.log
set security flow traceoptions packet-filter remote-to-local source-prefix 10.1.146.40
set security flow traceoptions packet-filter remote-to-local destination-prefix 10.18.133.113
set security flow traceoptions packet-filter local-to-remote source-prefix 10.18.133.113
set security flow traceoptions packet-filter local-to-remote destination-prefix 10.1.146.40
  • After the trace is complete, be sure to delete the trace configuration to avoid impacting firewall performance:
delete security flow traceoptions file flow
delete security flow traceoptions flag basic-datapath
delete security flow traceoptions file filename.log
delete security flow traceoptions packet-filter remote-to-local source-prefix 10.1.146.40
delete security flow traceoptions packet-filter remote-to-local destination-prefix 10.18.133.113
delete security flow traceoptions packet-filter local-to-remote source-prefix 10.18.133.113
delete security flow traceoptions packet-filter local-to-remote destination-prefix 10.1.146.40

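As an added example (not part of the original post), the following Python script applies the session check described above to the output of show security flow session: it parses each session's In and Out wings and flags sessions whose reverse wing has seen no packets, which is the case where the policy has passed and the fault is likely behind the firewall. The session output is a constructed sample in the Junos format, not a capture from a real device.

```python
import re

# Constructed sample of `show security flow session` output; it is not a
# capture from a real device. Session 20001 has packets in both directions,
# session 20002 has a reverse ("Out") wing that never saw a packet.
SAMPLE_OUTPUT = """\
Session ID: 20001, Policy name: server-access/5, Timeout: 1796, Valid
  In: 10.1.146.40/51234 --> 10.18.133.113/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 1840,
  Out: 10.18.133.113/443 --> 10.1.146.40/51234;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 9210,

Session ID: 20002, Policy name: server-access/5, Timeout: 18, Valid
  In: 10.1.146.40/51235 --> 10.18.133.113/443;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 180,
  Out: 10.18.133.113/443 --> 10.1.146.40/51235;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+) --> (\S+);(\w+),.*?If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Parse session output into a list of dicts, each with its In/Out wings."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2),
                       "timeout": int(m.group(3)), "wings": {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current["wings"][m.group(1)] = {
                "src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                "if": m.group(5), "pkts": int(m.group(6)), "bytes": int(m.group(7)),
            }
    return sessions


def one_way_sessions(sessions):
    """IDs of sessions whose forward wing carried traffic but whose reverse
    wing saw nothing: policy lookup passed, so look behind the firewall
    (for example a missing return route) rather than at the policy."""
    return [s["id"] for s in sessions
            if s["wings"].get("In", {}).get("pkts", 0) > 0
            and s["wings"].get("Out", {}).get("pkts", 0) == 0]
```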