SRX210 Services Gateway Processing Overview

This topic describes the process that the SRX210 Services Gateway undertakes in establishing a session for packets belonging to a flow that transits the device. The flow services of the SRX210 device are single-threaded and non-distributed. Although it differs from the other SRX Series devices in this respect, the same flow model is followed and the same command line interface (CLI) is implemented.

To illustrate session establishment and the packet “walk” including the points at which services are applied to the packets of a flow, the example described in the following sections uses the simple case of a unicast session:

Understanding Flow Processing and Session Management

This topic explains how a session is set up to process the packets composing a flow. In the following topic, the SPU refers to the data plane thread of the SRX210 Services Gateway.

At the outset, the data plane thread fetches the packet and performs basic sanity checks on it. Then it processes the packet for stateless filters and CoS classifiers and applies some screens.

Understanding First-Packet Processing

To determine if a packet belongs to an existing flow, the device attempts to match the packet’s information to that of an existing session based on the following six match criteria:

The SPU checks its session table for an existing session for the packet. If no existing session is found, the SPU sets up a session for the flow. If a session match is found, the session has already been created, so the SPU performs fast-path processing on the packet.

Understanding Session Creation

In setting up the session, the SPU executes the following services for the packet:

After a session is set up, it is used for all packets belonging to the flow. Packets of a flow are processed according to the parameters of its session. For the remainder of the steps entailed in packet processing, proceed to Step 1 in “Fast-Path Processing”. All packets undergo fast-path processing.

Understanding Fast-Path Processing

If a packet matches a session, JUNOS Software performs fast-path processing as described in the following steps. After a session has been set up for the first packet in a flow, that packet also undergoes fast-path processing. All packets undergo fast-path processing.

  1. The SPU applies flow-based security features to the packet.
    • Configured screens are applied.
    • TCP checks are performed.
    • Flow services, such as NAT, ALG, and IPsec are applied, if required.
  2. The SPU prepares the packet for forwarding and transmits it.
    • Routing packet filters are applied.
    • Traffic shaping is applied.
    • Traffic prioritizing is applied.
    • Traffic scheduling is applied.
    • The packet is transmitted.
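
The lookup-then-fast-path behavior described above can be modeled in a few lines. This is an added sketch, not Juniper code: the `FlowKey` fields, the stage names, and the `DataPlane` class are assumptions made for illustration, and the addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import NamedTuple

class FlowKey(NamedTuple):
    # Assumed key fields for this sketch; the device matches on its own six criteria.
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    token: int

@dataclass
class Session:
    key: FlowKey
    packets: int = 0

# Stage names paraphrase the fast-path steps listed above (hypothetical labels).
FAST_PATH = ["screens", "tcp-checks", "flow-services", "routing-filters",
             "shaping", "prioritizing", "scheduling", "transmit"]

@dataclass
class DataPlane:
    sessions: dict = field(default_factory=dict)

    def process(self, key: FlowKey) -> list:
        """Return the ordered stages that one packet traverses."""
        stages = ["sanity-checks", "stateless-filters-cos-screens", "session-lookup"]
        session = self.sessions.get(key)
        if session is None:
            # First packet of a flow: no match, so the session is set up once.
            session = Session(key)
            self.sessions[key] = session
            stages.append("session-setup")
        session.packets += 1
        # Every packet, including the first, goes through the fast path.
        stages.extend(FAST_PATH)
        return stages

def demo():
    dp = DataPlane()
    a = FlowKey("192.0.2.10", "198.51.100.5", 40000, 443, "tcp", 1)  # constructed
    b = a._replace(sport=40001)  # different source port, so a different flow
    trace = [dp.process(k) for k in (a, a, b, a)]
    return dp, trace

if __name__ == "__main__":
    dp, trace = demo()
    for i, stages in enumerate(trace, 1):
        print(i, " -> ".join(stages))
```

Only the first packet of each flow passes through `session-setup`; later packets of the same flow are handled according to the session that already exists.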
