Express Path Overview

Express Path (formerly known as services offloading) is a mechanism for processing fast-path packets in the network processor instead of in the Services Processing Unit (SPU). Express Path increases the performance by offloading certain traffic from SPU to network processors.

When you create an Express Path session on the network processor, subsequent packets of the flow match the session on the network processors. The network processor then processes and forwards the packet.

The network processor also manages additional processing such as TCP sequence check, time-to-live (TTL) processing, Network Address Translation (NAT), and Layer 2 header translation. The flow table on the IOC3 is managed by the SPU of the flow module. The SPU inserts and deletes flow entries in the flow table based on policy matching results. Express Path supports IPv6.

The figure shows the packet flow in Express Path.

Figure 1: Packet flow and Express Path

Benefits of Express Path

  • Significantly improves single-flow and chassis-level performance.

  • Reduces SPU utilization and latency.

Express Path Limitations

Express Path does not support:

  • Features

    • Transparent Mode

    • Multicast session with more than one fan-out

    • Fragmented packets

    • IPsec VPN

    • Different MTU size values

    • J-Flow

    • Flexible VLAN tagging

  • Application Layer Gateway (ALG) data traffic:

    • DNS

    • IKE and ESP

    • PPTP

    • SQL-NET

  • IPv6

    • NAT

    • Transparent mode

    • Different MTU size values

    • Class of Service (CoS) on egress interfaces

Express Path and packet offloading do not work when you use firewall filters to direct traffic into a virtual router.

If you enable Express Path on a device operating in chassis cluster mode:

  • You cannot configure asymmetric I/O cards (IOC).

  • If a child link from the LACP-enabled reth interface goes down, all traffic on this link is distributed to other active child links of the interface. If the child link comes up and rejoins the reth interface, then the existing traffic or sessions are not redistributed over this newly rejoined active child link. New sessions traverse through this link.

  • If a new child link is added to the LACP-enabled reth interface, then the existing traffic or sessions are not redistributed over this new child link. New sessions traverse this link.

Automated Express Path

On SRX4600, SRX4700, SRX5400, SRX5600, and SRX5800 devices, Automated Express Path is enabled by default from Junos OS Release 21.2R1. When you upgrade to Junos OS Release 21.2R1 or later, you get next-generation firewall performance without any additional configuration or hardware investment.

In Junos OS Release 21.2R1, to disable Express Path for an individual rule, use the set security policies from-zone [untrust] to-zone [trust] policy [services-offload-pol1] then permit no-services-offload command.

To revert to the previous behavior, in which you enable services-offload per rule, use the set security forwarding-options services-offload disable command.

Automated Express Path supports the following features:

  • Stateful Firewall

  • Network Address Translation (NAT)

  • Unified-Policies (with Dynamic-Applications and URL-Categories)

  • User-Firewall

  • Security Intelligence

  • Intrusion Detection and Prevention (IDP)

  • Enhanced Web-Filtering

  • Application Layer Gateways (ALG)

  • Screens (Anti-DDoS)

How does Express Path Process the Traffic?

When the first packet arrives at an interface, the network processor forwards it to the central point (CP). The central point in turn forwards the packet to the SPU. The SPU then creates a session on the network processor and verifies if the traffic qualifies for the Express Path session or a normal session.

If the traffic qualifies for Express Path processing, an Express Path session for the traffic is created in the SPU. The Express Path session processes the fast-path packets in the network processor, and the packets exit from the network processor.

If the traffic doesn't qualify for Express Path processing, the SPU creates a normal session. With a normal session, the network processor forwards the packets to the SPU for fast-path processing.

Platforms That Support Express Path

The SRX4600, SRX4700, SRX5400, SRX5600, and SRX5800 devices support Express Path.

Table 1 provides details about the Express Path support on different SRX Series cards.

Table 1: Express Path Support on SRX Series Firewall Cards

SRX Series Firewall | Card Name and Model Number | Earliest Supported Release
SRX5600, SRX5800 | SRX5K-40GE-SFP | Junos OS Release 11.4
SRX5600, SRX5800 | SRX5K-4XGE-XFP | Junos OS Release 11.4
SRX5600, SRX5800 | SRX5K-FPC-IOC containing one of the following cards: SRX-IOC-16GE-TX, SRX-IOC-4XGE-XFP, SRX-IOC-16GE-SFP | Junos OS Release 11.4
SRX5400, SRX5600, SRX5800 | SRX5K-MPC containing one of the following MICs: SRX-MIC-10XGE-SFFP, SRX-MIC-2X40GE-OSFP, SRX-MIC-1X100GE-CFP, SRX-MIC-20GE-SFP | Junos OS Release 12.3X48-D10
SRX5400, SRX5600, SRX5800 | SRX5K-MPC3 (IOC3) containing one of the following MPCs: SRX5K-MPC3-40G10G (24x10GE + 6x40GE MPC), SRX5K-MPC3-100G10G (2x100GE + 4x10GE MPC) | Junos OS Release 15.1X49-D10
SRX5400, SRX5600, SRX5800 | SRX5K-IOC4-10G (IOC4), SRX5K-IOC4-MRAT | Junos OS Release 19.3R1
SRX4600 | Not Applicable | Junos OS Release 19.2R1
SRX4700 | Not Applicable | Junos OS Release 24.4R1

How to Enable Express Path

Note:

Express Path is automated from Junos OS Release 21.2R1.

To configure the Express Path mode:

  • On an SRX5000 line device with IOC or flex IOC cards, use the set chassis fpc fpc-number pic pic-number services-offload command.

  • On an SRX5000 line device with Modular Port Concentrator (MPC), enable NP cache on the IOC using the set chassis fpc fpc-number np-cache command.

  • On an SRX4600 device, the np-cache option is enabled by default. Hence, the set chassis fpc fpc-number np-cache command is not applicable.

If you do not use Express Path, do not configure it in any security policies.

Express Path Network Processor

On SRX4600, SRX5400, SRX5600, and SRX5800 devices with network processor, when all the plugins including packet plugins and stream plugins ignore a session, we service offload the session and then install the session on the network processor. When the packet plugin ignores the session, we mark the ignore flags. When the streaming plugin ignores the session, we mark the ignore flags and short-circuit the TCP-T and TCP-I. We then install the session on the network processor to offload the session.

The I/O card (IOC) network processor processes the fast-path packets without going through the switch fabric or the SPU. This reduces the packet-processing latency.

Each flow entry has a per-wing counter in the Express Path network processor. The counter captures the number of bytes that the network processor sends out over the wing.

The behavior of the network processor in different scenarios is as follows:

  • First-path flow—The first-path flow is the same as the current network processor flow process. When the first packet arrives at the network processor, the network processor parses the TCP or the UDP packet to extract a 5-tuple key and then performs session lookup in the flow table. The network processor then forwards the first packet to the central point. The central point cannot find a match at this time because this is the first packet. The central point and the SPU create a session and match it against user-configured policies to determine if the session is a normal session or a services-offload session.

    If you specify that the session is to be managed with Express Path, the SPU creates a session entry in the network processor flow table with the Express Path flag set; otherwise, the SPU creates a normal session entry in the network processor without the Express Path flag.

  • Fast-path flow—After the session entry is created in the network processor, subsequent packets of the session match the session entry table.

    1. If the Express Path flag is not set, then the network processor forwards the packet to the SPU specified in the session entry table. The packet goes through the normal flow process.

    2. If the network processor finds the services-offload flag in the session entry table, it will process the packet locally and send the packet out directly.

    3. The fast-forwarding function on the network processor supports one-fanout multicast sessions. The egress port in the session must also be associated with the same network processor as the ingress port. All other multicast cases need to be managed as normal sessions.

  • NAT process—The SPU is responsible for mapping between the internal IP address or port and the external IP address or port. When the first packet of the session arrives, the SPU allocates the IP address or port mapping and stores the information in the network processor session entry. If the NAT flag is set, the network processor modifies the packet.

  • Session age-out—To improve traffic throughput for services-offload sessions, a copy of a packet is sent to the SPU at every predefined time period to reduce the packet processing demand on the SPU. To limit the number of packet copies sent to the SPU, a timestamp is implemented for each service-offload session. The network processor calculates the elapsed time since the last session match. If the elapsed time is greater than the predefined time period, then the network processor sends a copy of the packet to the SPU and updates the session timestamp.

  • Session termination and deletion—If the network processor receives an IP packet with a FIN (finished data) or an RST (reset connection) flag, it forwards the packet to the SPU. The SPU then deletes the session cache on the network processor. The network processor continues to receive and forward any packets to the SPU during state transition.

Wing Statistics Counter

In Express Path, the network processor provides the option for each flow entry to keep a per-wing bytes counter. The counter captures the number of bytes that the network processor sends out over the wing.

When you enable the counter, the network processor searches its flow entries (session wings) for every ingress packet. If the packet belongs to an established flow entry, the network processor increases the byte counter of that flow entry by the packet size. The network processor periodically copies a packet (copy-packet) of each flow entry to its associated SPU, allowing the SPU to maintain the session. The network processor sends the flow-byte counter values in the header of the copy-packet. The SPU accumulates and keeps per-wing statistics counters.

You cannot change the statistics configuration during the life cycle of a live session. Disabling or enabling the per-wing statistics configuration while a session is alive on the network processor invalidates the statistics of the current session. New session statistics are valid only after the configuration changes are committed. Network processor per-wing counters cannot be cleared. On SRX5800 devices with the SRX5K-MPC (IOC2), the SRX5K-MPC3 (IOC3), and the SRX5K-IOC4-10G (IOC4), the wing statistics counter configuration is enabled by default. On SRX4600 devices, you enable the wing statistics counter yourself.
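The session flow described under "How does Express Path Process the Traffic?" and "Express Path Network Processor", together with the per-wing counter and copy-packet behavior described in this section, can be modelled as a small state machine. The following is an added illustration written for this page; it is not Juniper code and does not reproduce the network processor's real data structures. The copy period, the policy function, the NAT mapping and the IPv6 addresses are all constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed "predefined time period" between copy-packets (constructed value, seconds).
COPY_PERIOD = 10.0


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Packet:
    key: FiveTuple
    size: int            # bytes on the wire
    ts: float            # arrival time in seconds
    fin: bool = False
    rst: bool = False


@dataclass
class SessionEntry:
    """One network-processor flow-table entry (a session wing)."""
    express_path: bool          # services-offload flag set by the SPU
    nat: Optional[dict]         # NAT mapping allocated by the SPU, or None
    last_copy_ts: float         # when the last copy-packet went to the SPU
    wing_bytes: int = 0         # per-wing byte counter kept on the network processor


class SPU:
    """Slow path: applies policy to the first packet and consumes copy-packets."""
    def __init__(self, policy: Callable[[FiveTuple], tuple]):
        self.policy = policy                          # key -> (permit, services_offload, nat)
        self.wing_stats: dict[FiveTuple, int] = {}    # per-wing counters kept by the SPU
        self.copies = 0

    def first_packet(self, pkt: Packet) -> Optional[SessionEntry]:
        permit, offload, nat = self.policy(pkt.key)
        if not permit:
            return None
        return SessionEntry(express_path=offload, nat=nat, last_copy_ts=pkt.ts)

    def copy_packet(self, key: FiveTuple, wing_bytes: int) -> None:
        # The copy-packet header carries the NP counter; the SPU keeps it and drops the packet.
        self.copies += 1
        self.wing_stats[key] = wing_bytes


class NetworkProcessor:
    """Fast path: 5-tuple lookup, then local forwarding or hand-off to the SPU."""
    def __init__(self, spu: SPU):
        self.spu = spu
        self.flow_table: dict[FiveTuple, SessionEntry] = {}

    def receive(self, pkt: Packet) -> str:
        entry = self.flow_table.get(pkt.key)
        if entry is None:                             # first-path flow
            entry = self.spu.first_packet(pkt)        # via the central point on a real device
            if entry is None:
                return "dropped by policy"
            self.flow_table[pkt.key] = entry
            return "first packet: sent to SPU"
        entry.wing_bytes += pkt.size                  # counted for every matched ingress packet
        if pkt.fin or pkt.rst:                        # session termination
            del self.flow_table[pkt.key]              # the SPU deletes the NP session cache
            return "FIN/RST: sent to SPU, session deleted"
        if not entry.express_path:                    # normal session
            return "sent to SPU"
        action = "NAT applied, " if entry.nat else ""
        if pkt.ts - entry.last_copy_ts > COPY_PERIOD:  # age-out refresh
            self.spu.copy_packet(pkt.key, entry.wing_bytes)
            entry.last_copy_ts = pkt.ts
            return action + "forwarded locally, copy sent to SPU"
        return action + "forwarded locally"


def demo_policy(key: FiveTuple) -> tuple:
    """Constructed policy: offload HTTPS with source NAT, keep DNS on the SPU, drop the rest."""
    if key.proto == "tcp" and key.dport == 443:
        return True, True, {"src": "2001:db8:ffff::1"}
    if key.proto == "udp" and key.dport == 53:
        return True, False, None                      # DNS ALG traffic is not offloaded
    return False, False, None


def run_demo() -> tuple[list[str], int, int]:
    spu = SPU(demo_policy)
    npu = NetworkProcessor(spu)
    https = FiveTuple("tcp", "2001:db8:1::10", 40000, "2001:db8:2::80", 443)
    dns = FiveTuple("udp", "2001:db8:1::10", 5353, "2001:db8:2::53", 53)
    telnet = FiveTuple("tcp", "2001:db8:1::10", 40001, "2001:db8:2::80", 23)
    trace = [
        npu.receive(Packet(https, 1200, 0.0)),
        npu.receive(Packet(https, 1200, 1.0)),
        npu.receive(Packet(https, 1200, 12.0)),
        npu.receive(Packet(dns, 80, 2.0)),
        npu.receive(Packet(dns, 80, 3.0)),
        npu.receive(Packet(https, 60, 13.0, fin=True)),
        npu.receive(Packet(telnet, 60, 14.0)),
    ]
    return trace, spu.wing_stats[https], spu.copies


if __name__ == "__main__":
    for step in run_demo()[0]:
        print(step)
```

The trace makes the operational consequence visible: after the first packet, an offloaded flow reaches the SPU only through the periodic copy-packet and the FIN or RST, so per-packet work the SPU would otherwise do is not applied to that flow. That is why the policy decision on the first packet is the control point, and why show security flow session services-offload is the place to confirm which flows are actually offloaded.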

Sessions per Wing Statistics

The network processor has a larger static RAM (SRAM) to accommodate session resources, thus hosting more sessions per PIC. Table 2 displays the total number of session wings, including both Express Path and non-Express Path. On SRX4600 devices, the IMIX throughput is 400Gbps.

Table 2: Total Number of Sessions per Wing in Network Processor Express Path Configuration Mode

Cards and SRX Series Firewall | Total Number of Wings (Non-Express Path Mode Sessions) | Express Path UDP Wings Without Statistics | Express Path UDP Wings With Statistics | Express Path TCP Wings Without Statistics | Express Path TCP Wings With Statistics
SRX5000 line device SRX5K-MPC (IOC2) | 1.8 million | 1.8 million | 1.8 million | 1.8 million | 1.8 million
SRX5000 line device SRX5K-MPC3 (IOC3) | 20 million | 20 million | 20 million | 20 million | 20 million
SRX5000 line device SRX5K IOC4 | 10 million | 10 million | 10 million | 10 million | 10 million
SRX4600 | 20 million | 20 million | 20 million | 20 million | 20 million

Express Path Packet Processing on IOC cards

Express Path on the IOC cards is based on processing fast-path packets through the network processor chipset instead of in the SPU to offload some basic firewall functions to the IOC card.

If you’ve enabled the Express Path feature, then the IOC card provides lower latency and also supports higher throughput by removing the overload on the SPU. The IOC card supports both intra-card traffic flow and inter-card traffic flow. To achieve the best latency results, both the ingress port and egress port of a traffic flow needs to be on the same XM chip of the IOC card.

The IOC card is a 240-Gbps FPC that uses the third-generation Network Processing (NP) line of chipsets. This latest lookup and queuing chip is optimized for higher capacity. The IOC card is compatible with SCB2 and SCB3; the earlier SCB is not supported.

You cannot power on all four PICs in the IOC card simultaneously because of power and thermal constraints. Power on a maximum of two PICs, either the even-numbered or the odd-numbered ones. You can use the set chassis fpc <slot> pic <pic> power off command to choose which PICs remain powered on.

The system log messages are:

  • XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MINOR

  • XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MAJOR

The error messages indicate that the XM chip on a Flexible PIC Concentrator (FPC) has detected a checksum error, which is causing packet drops. The following error threshold values classify the error as a major error or a minor error:

  • Minor error: 5 errors per second

  • Major error: 255 errors per second (maximum count)

In the data plane, the IOC card parses packets and looks them up in the flow table. If the IOC card finds a match in the flow table, then it forwards packets based on the instructions given in the flow table. The IOC card can perform NAT, encapsulate the Layer 2 (L2) header, and forward the packets out of the egress interface. The egress interface can be located on the same IOC card (intra-card case) or another IOC card (inter-card case).

When the IOC card receives the first packet, it does not match any existing fast-forward session. The default hash-based forwarding is performed to send the first packet to the SPU. The SPU then creates the security session. If the SPU finds that the traffic is qualified for fast forwarding, and the related IOC card supports fast forwarding, it will install fast-forward session to the IOC card. If fast forwarding cannot be applied to the traffic, no session message is sent, and the IOC card uses the default hash-based forwarding to forward the packets to the SPU.

In fast-forward IOC card processing, if a fast-forward session is matched, the packet can be directly forwarded according to the session flow result. The IOC card takes all the necessary actions, for example, forwarding the packet, TTL checking and decrementing, NAT translation, and Layer 2 header encapsulation.

In addition, the XL chip sends one copy of the forwarding packet to the SPU at a predefined time. This copy is used to refresh the SPU session, detect the current XL chip state, and so on. The SPU consumes this packet and does not forward it, because the real packet has been processed and transmitted.

Figure 2: IOC3 Intra-PFE Express Path

Figure 3: IOC3 Inter-PFE Express Path

Figure 4: Inter-IOC3 Express Path

Example: Configure Express Path on SRX5400, SRX5600, or SRX5800 Device with an IOC card

This example shows how to configure Express Path on an IOC card on SRX5400, SRX5600, or SRX5800 device.

Express Path is a mechanism for processing fast-path packets in the network processor instead of in the Services Processing Unit (SPU). This method reduces the long packet-processing latency that arises when packets are forwarded from network processors to SPUs for processing and back to IOCs for transmission.

Starting in Junos OS Release 15.1X49-D40, the configuration is valid for IPv6 traffic; before this release it was supported for IPv4 traffic only.

Requirements

This example uses the following hardware and software components:

  • One SRX5400, SRX5600, or SRX5800 device with an IOC card

  • Junos OS Release 15.1X49-D40 or later for SRX Series Firewalls

Note:

Express Path is automated from Junos OS Release 21.2R1.

Overview

In this example, you configure Express Path on IOC card on an SRX5000 line device for IPv6 traffic.

You configure two interfaces on the IOC card and assign IPv6 addresses to them. Then you enable flow-based processing for IPv6 traffic. Next, you set up zones and add interfaces to them. Then you provide communication between the two zones by configuring a security policy that allows traffic between them. You also enable Express Path in the security policy to specify that the traffic qualifies for Express Path.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure Express Path on SRX5400, SRX5600, or SRX5800 Line Device with an IOC card:

  1. Configure the Ethernet interface and assign an IPv6 address to it.

  2. Enable flow-based processing for IPv6 traffic.

  3. Configure security zones, add interfaces, and allow all system services and interfaces. Configure a security zone and specify the types of traffic and protocols that are allowed on interface et-2/1/0.0.

  4. Configure security zones, add interfaces, and allow all system services and interfaces. Configure a security zone and specify the types of traffic and protocols that are allowed on interface et-2/3/0.0.

  5. Create a policy and specify the match criteria for that policy. The match criteria specify that the device can allow traffic from any source to any destination, and on any application. Enable Express Path in the security policy.

    Note:

    You can specify the wildcard any-ipv6 for the source and destination address match criteria to include only IPv6 addresses. Specify the any option for the source and destination address match criteria to include both IPv4 and IPv6 addresses.

  6. Set the Express Path mode on IOC card.
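The six steps above, worked through as one complete set of configuration commands. This is an added example written for this page, not the document's own quick-configuration listing. It assumes the zone names trust and untrust, the policy name services-offload-pol1, an IOC card in FPC slot 2 with the two interfaces on PICs 1 and 3 (matching et-2/1/0 and et-2/3/0), and constructed addresses from the 2001:db8::/32 documentation prefix.

```junos
# Step 1: Ethernet interfaces with IPv6 addresses (addresses are constructed)
set interfaces et-2/1/0 unit 0 family inet6 address 2001:db8:1::1/64
set interfaces et-2/3/0 unit 0 family inet6 address 2001:db8:2::1/64

# Step 2: flow-based processing for IPv6 traffic
set security forwarding-options family inet6 mode flow-based

# Steps 3 and 4: security zones (assumed names trust and untrust), all system services and protocols allowed inbound
set security zones security-zone trust interfaces et-2/1/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces et-2/1/0.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces et-2/3/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces et-2/3/0.0 host-inbound-traffic protocols all

# Step 5: policy matching any IPv6 source, any IPv6 destination, any application, with Express Path on the permit action
set security policies from-zone trust to-zone untrust policy services-offload-pol1 match source-address any-ipv6
set security policies from-zone trust to-zone untrust policy services-offload-pol1 match destination-address any-ipv6
set security policies from-zone trust to-zone untrust policy services-offload-pol1 match application any
set security policies from-zone trust to-zone untrust policy services-offload-pol1 then permit services-offload

# Step 6: Express Path mode on the IOC PICs that carry the two interfaces (assumed FPC 2, PICs 1 and 3)
set chassis fpc 2 pic 1 services-offload
set chassis fpc 2 pic 3 services-offload
```

The lines beginning with # are annotations; drop them before pasting. The host-inbound-traffic settings follow the example's "allow all" steps; on a production device, restrict system-services and protocols to what each zone actually needs, since they open the Routing Engine to traffic arriving on those interfaces. After commit, confirm the PIC state with show chassis fpc pic-status and the offloaded sessions with show security flow session services-offload, as described in the verification sections below.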

Results

From configuration mode, confirm your configuration by entering the show chassis command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verify the Configuration of an IOC card for Express Path

Purpose

Verify that the IOC card was configured properly for Express Path.

Action

From operational mode, enter the show chassis fpc pic-status command.

Meaning

The output provides the status of PICs with Express Path enabled on them.

Verifying All Active Sessions on the Device

Purpose

Display information about all currently active Express Path sessions on the device.

Action

From operational mode, enter the show security flow session services-offload command.

Meaning

The output provides the policy details for sessions on which Express Path was enabled.