
Understanding Flow-Based Processing

A packet undergoes flow-based processing after packet-based filters and some screens have been applied to it. All flow-based processing for a single flow occurs on a single SPU. An SPU processes the packets of a flow according to the security features and other services configured for the session.

Figure 6 shows a conceptual view of how flow-based traffic processing occurs on an SPU of an SRX 5600 or SRX 5800 services gateway.

Figure 6: Traffic Flow for Flow-Based Processing


A flow is a stream of related packets that meet the same matching criteria and share the same characteristics. JUNOS software treats packets belonging to the same flow in the same manner.

Configuration settings that determine the fate of a packet, such as the security policy that applies to it, whether it requires an Application Layer Gateway (ALG), and whether Network Address Translation (NAT) is applied to translate the packet’s source and/or destination IP address, are assessed for the first packet of a flow.
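The first-packet behavior described above, modeled in Python as an added example (not Juniper code). The five-field flow key, the rule tables, the addresses, and the choice to install no session when no policy matches are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class FlowKey(NamedTuple):
    # Assumed match key for this model, not taken from the page.
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class Session:
    policy: str              # policy that permitted the flow
    alg: Optional[str]       # ALG attached to the session, if any
    nat_src: Optional[str]   # translated source address, if source NAT applies
    packets: int = 0

# Constructed rule sets (hypothetical names, documentation addresses).
POLICIES = [("allow-ftp", ip_network("10.0.0.0/8"), 21),
            ("allow-web", ip_network("10.0.0.0/8"), 443)]
ALGS = {21: "ftp"}
SOURCE_NAT = {ip_network("10.0.0.0/8"): "203.0.113.10"}

class FlowModule:
    def __init__(self):
        self.sessions = {}
        self.first_packet_evaluations = 0

    def _first_packet(self, key):
        """Slow path: policy, ALG and NAT are assessed once per flow."""
        self.first_packet_evaluations += 1
        src = ip_address(key.src)
        for name, net, dport in POLICIES:
            if src in net and key.dport == dport:
                nat = next((a for n, a in SOURCE_NAT.items() if src in n), None)
                return Session(name, ALGS.get(dport), nat)
        return None  # assumption: no matching policy means no session

    def process(self, key):
        """Return the session a packet belongs to, creating it on first packet."""
        session = self.sessions.get(key)
        if session is None:
            session = self._first_packet(key)
            if session is None:
                return None
            self.sessions[key] = session
        session.packets += 1  # later packets reuse the cached decisions
        return session
```

Every packet after the first is handled from the cached session, so the policy, ALG and NAT decisions are identical for the whole flow.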

To determine if a flow exists for a packet, the NPU attempts to match the packet’s information to that of an existing session based on the following match criteria:

