TAP Mode for Flow Sessions
In TAP mode, an SRX Series Firewall is connected to a mirror port of the switch, which delivers a copy of the traffic traversing the switch. The firewall never sits in the forwarding path: it processes the incoming traffic from the TAP interface and generates security logs that show the threats detected, application usage, and user details, but it cannot block or alter the original traffic.
Understanding TAP Mode Support for Security Flow Sessions
Starting in Junos OS Release 18.3R1, TAP mode supports security flow sessions. The security flow session configuration is the same as in non-TAP mode. When you configure a device to operate in TAP mode, the device generates security log information showing the threats detected, application usage, and user details for the incoming (mirrored) traffic. Flow status reports TAP mode as enabled whenever a TAP interface is configured.
The TAP interface can receive traffic with or without VLAN tags.
By default, on all devices, the flow SYN check and sequence check are disabled at the [edit security flow tcp-session] hierarchy level. The example below sets no-syn-check and no-sequence-check explicitly so that the configuration does not depend on that default: a mirror port can start delivering a connection mid-stream (no SYN ever seen) or silently lose segments, and a firewall that insists on seeing the handshake and in-window sequence numbers would then create no session for traffic it is meant to inspect.
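The following is an added example, not code from the page or from Junos OS, that models what the two checks do to mirrored traffic. It assumes a simplified session table keyed on the unordered pair of endpoints and a fixed 64 KB window for the sequence check (the real Junos implementation tracks the peer's advertised window); the two flows and every address, port and sequence number in it are constructed test data. Flow A was already established when mirroring began, so no SYN is ever seen; flow B has a full handshake but then the SPAN port drops a burst larger than the window.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One mirrored TCP segment as seen on the TAP interface (constructed, not captured)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # subset of "SAPF"
    seq: int
    length: int = 0   # payload bytes


class FlowTable:
    """Simplified model of session creation under the tcp-session SYN and sequence checks.

    Assumptions (this is not the Junos flow implementation): a session is keyed on the
    unordered pair of endpoints, and the sequence check accepts a segment only if its
    sequence number is within WINDOW bytes of the next number expected in that direction.
    """
    WINDOW = 65535

    def __init__(self, syn_check=True, sequence_check=True):
        self.syn_check = syn_check
        self.sequence_check = sequence_check
        self.sessions = {}   # key -> {direction: next expected seq}
        self.accepted = 0
        self.dropped = []    # (segment, reason)

    def _in_window(self, seq, expected):
        ahead = (seq - expected) % (1 << 32)
        behind = (expected - seq) % (1 << 32)
        return ahead < self.WINDOW or behind <= self.WINDOW   # retransmits are allowed

    def process(self, seg):
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        key, direction = (min(a, b), max(a, b)), a
        sess = self.sessions.get(key)
        if sess is None:
            # SYN check: only a bare SYN may open a session.
            if self.syn_check and seg.flags != "S":
                self.dropped.append((seg, "no session and not a SYN"))
                return False
            sess = self.sessions[key] = {}
        expected = sess.get(direction)
        if self.sequence_check and expected is not None and not self._in_window(seg.seq, expected):
            # A dropped segment does not advance 'expected', so after a large gap
            # every later segment in that direction stays out of window.
            self.dropped.append((seg, f"seq {seg.seq} out of window, expected {expected}"))
            return False
        sess[direction] = seg.seq + seg.length + (1 if "S" in seg.flags or "F" in seg.flags else 0)
        self.accepted += 1
        return True


def mirrored_traffic():
    """Two flows typical of a mirror port; all values are made up."""
    srv = ("10.2.2.20", 443)
    a = ("10.1.1.11", 50000)
    c = ("10.1.1.10", 40000)
    return [
        # Flow A was already established when mirroring started: no SYN is ever seen.
        Segment(*a, *srv, "PA", 500_000, 1200),
        Segment(*srv, *a, "A", 900_000),
        Segment(*a, *srv, "PA", 501_200, 1200),
        # Flow B: full handshake, then an oversubscribed SPAN port silently drops
        # 200 KB of server-to-client data, more than the 64 KB window.
        Segment(*c, *srv, "S", 1000),
        Segment(*srv, *c, "SA", 5000),
        Segment(*c, *srv, "A", 1001),
        Segment(*srv, *c, "PA", 5001, 1460),
        Segment(*srv, *c, "PA", 5001 + 1460 + 200_000, 1460),
        Segment(*srv, *c, "PA", 5001 + 1460 + 200_000 + 1460, 1460),
    ]


def run(syn_check, sequence_check):
    """Returns (sessions created, segments accepted, segments dropped)."""
    table = FlowTable(syn_check, sequence_check)
    for seg in mirrored_traffic():
        table.process(seg)
    return len(table.sessions), table.accepted, len(table.dropped)


if __name__ == "__main__":
    print("checks enabled :", run(True, True))      # (1, 4, 5)
    print("no-syn-check + no-sequence-check:", run(False, False))   # (2, 9, 0)
```

With both checks on, flow A never becomes a session and flow B stops being inspected after the gap; with the two no-* statements the table holds both flows and every segment is inspected, which is the behaviour you want from a device that only ever sees a copy.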
Starting in Junos OS Release 20.1R1, TAP mode can inspect traffic carried in up to two nested levels of IP-IP tunnels and one level of GRE tunnel: the device strips the outer and inner IP headers and creates flow sessions on the encapsulated traffic. You can configure up to eight TAP interfaces on an SRX Series Firewall.
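As an added example (not code from the page or from Junos OS), the parser below walks IPv4, IP-IP and GRE headers down to the inner TCP header and returns the 5-tuple a flow session would be keyed on, giving up when the nesting exceeds the limits quoted above. It assumes the limits mean two IP-IP encapsulations and one GRE encapsulation in total along the path to the inner packet, handles only the 4-byte base GRE header (no checksum, key or sequence fields) with an IPv4 payload, and builds its own packets; the addresses and ports are constructed test data.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_GRE = 4, 6, 47
ETHERTYPE_IPV4 = 0x0800
# Nesting limits quoted on the page for TAP mode (Junos OS 20.1R1 and later); assumed to count
# encapsulations in total along the path to the inner packet.
MAX_IPIP_LEVELS, MAX_GRE_LEVELS = 2, 1


@dataclass
class FlowKey:
    """Innermost 5-tuple a flow session would be keyed on, plus the tunnel hops peeled off."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tunnels: list = field(default_factory=list)


def decapsulate(pkt: bytes):
    """Walk IPv4 / IP-in-IP / GRE headers down to the inner TCP header.

    Returns (FlowKey, "ok") on success, or (None, reason) when the packet is
    malformed, uses something this example does not parse, or exceeds the limits.
    """
    ipip_levels = gre_levels = 0
    tunnels = []
    while True:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return None, "not an IPv4 header"
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            return None, "bad IPv4 header length"
        proto = pkt[9]
        src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
        body = pkt[ihl:]
        if proto == IPPROTO_IPIP:
            ipip_levels += 1
            if ipip_levels > MAX_IPIP_LEVELS:
                return None, f"more than {MAX_IPIP_LEVELS} IP-IP levels"
            tunnels.append(("ipip", src, dst))
            pkt = body
        elif proto == IPPROTO_GRE:
            gre_levels += 1
            if gre_levels > MAX_GRE_LEVELS:
                return None, f"more than {MAX_GRE_LEVELS} GRE level"
            if len(body) < 4:
                return None, "truncated GRE header"
            flags, ptype = struct.unpack("!HH", body[:4])
            # C, K and S bits add optional fields; only the 4-byte base header is handled here.
            if flags & 0xB000 or ptype != ETHERTYPE_IPV4:
                return None, "GRE options or non-IPv4 payload not handled"
            tunnels.append(("gre", src, dst))
            pkt = body[4:]
        elif proto == IPPROTO_TCP:
            if len(body) < 20:
                return None, "truncated TCP header"
            sport, dport = struct.unpack("!HH", body[:4])
            return FlowKey(src, dst, proto, sport, dport, tunnels), "ok"
        else:
            return None, f"protocol {proto} not handled in this example"


# --- constructed test packets (not captures) -------------------------------

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left at zero since nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def gre(payload, ptype=ETHERTYPE_IPV4):
    return struct.pack("!HH", 0, ptype) + payload


def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


INNER = ipv4("10.1.1.10", "10.2.2.20", IPPROTO_TCP, tcp_syn(40000, 443))
# IP-IP (1 level) carrying GRE (1 level) carrying the inner TCP flow: within the limits.
TWO_TUNNELS = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP,
                   ipv4("198.51.100.1", "198.51.100.2", IPPROTO_GRE, gre(INNER)))
# Three IP-IP levels: one more than TAP mode will unwrap.
THREE_IPIP = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP,
                  ipv4("192.0.2.3", "192.0.2.4", IPPROTO_IPIP,
                       ipv4("192.0.2.5", "192.0.2.6", IPPROTO_IPIP, INNER)))

if __name__ == "__main__":
    for name, pkt in (("two tunnels", TWO_TUNNELS), ("three IP-IP", THREE_IPIP)):
        key, why = decapsulate(pkt)
        print(name, "->", key if key else why)
```

The point for a TAP deployment is the failure branch: traffic nested deeper than the device will unwrap, or inside a tunnel type it does not decapsulate, gets a session keyed on the outer headers at best and is not inspected at the application level, so know what your mirrored links actually carry.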
Example: Configuring Security Flow Sessions in TAP mode
This example shows how to configure security flow sessions when the SRX Series Firewall is configured in TAP mode.
Requirements
This example uses the following hardware and software components:
- An SRX Series Firewall
- Junos OS Release 19.1R1
Overview
In this example, you configure the security flow sessions when the SRX Series Firewall is configured in TAP mode. Sessions are created when a TCP SYN packet is received and permitted by the security policy.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure security flow sessions in TAP mode:
Configure the security flow session.
user@host# set security flow tcp-session no-syn-check
user@host# set security flow tcp-session no-sequence-check
Results
From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show security flow
tcp-session {
    no-syn-check;
    no-sequence-check;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Security Session Configuration in TAP Mode
Purpose
Verify information about security sessions.
Action
From operational mode, enter the show security flow session command.
user@host> show security flow session
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC4 PIC0:
Total sessions: 0
Flow Sessions on FPC4 PIC1:
Total sessions: 0
Meaning
Displays information about all currently active security sessions on the device in TAP mode. The sample output shows zero sessions because no mirrored traffic has yet been received; sessions appear here only for traffic that actually reaches the TAP interface, so a count that stays at zero while the switch is mirroring means the copy is not arriving, not that the traffic is clean.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.