Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] [ScreenOS/NSM] Policy sharing option for IDP policy on ISG-IDP



Article ID: KB23761 KB Last Updated: 18 Oct 2020Version: 3.0
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
This article provides information about the policy sharing option for a IDP policy on ISG-IDP devices.
Understanding the available memory for IDP modules on ISG devices:
  • The total memory for Security module is 2048 MB (2GB). This memory is shared by all installed security modules.

  • The available usable memory is 1536 MB.

  • The balance memory, which is 512 MB, is reserved for the IDP operating system (also known as QNX) that is running on the SM.

  • So, 2 GB RAM is used for the OS and processes on the Security Module, policies, and also for the dynamic data, such as sessions and so on.

How to check the available free memory?

This can be done by running the following command:
exec sm # ksh "pidin info" (where # is the security module slot number)
Sample output:
CPU:PPC Release:6.3.0 FreeMem:853Mb/1536Mb BootTime:Oct 01 12:14:41 UTC 2011
Processor1: 80030101 7457A 999MHz FPU
Processor2: 80030101 7457A 999MHz FPU
What does the policy size depend on? This is based on:
  • Number of attack objects.

  • Type of attack objects.

  • Patterns being used in the attack objects.

 Policy installation with policy sharing disabled (required for policy sharing):

On one Security Module (SM), there are two IDP engines running on the 2 CPUs on the SM. These IDP engines have their own copy of the policy; in other words, there will be two copies of the IDP policy on a single Security Module. When an IDP policy is pushed to the ISG firewall, the existing policy on the SM will not get removed; if there are existing sessions, which match the existing IDP policy.

The newly pushed policy is accommodated in SM memory and new sessions are matched against the new policy. This is the default behavior of policy management for SM on ISG-IDP. In this scenario, after an IDP policy push, one SM can end up with the maximum of 4 policies (2 copies of the old policy and 2 copies of the new policy). In other words, each IDP engine will have a copy of the old and new policy. The old policy will automatically get removed from memory; when the old sessions, which are being inspected by the old policy, get removed or expire.

As both IDP engines make use of the same policy, it is not necessary to keep two copies of the same policy (if technically feasible), which results in inefficient use of SM memory.
Enable policy sharing:

This feature is available in ScreenOS 6.3. When policy sharing is enabled, the 2 IDP engines on an SM share a single copy of the policy on the SM, instead of having two copies of the policy. This will ensure that there is enough space in the SM RAM for a new policy.

In NSM, go to Devices and select the ISG-IDP device; under Security > IDP SM Settings, select the Enable policy sharing check box:

Modification History:
2020-10-18: Tagged article for EOL/EOE.
2020-09-21:  No update.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search