This article provides information on how to check the size of a successfully loaded, active IDP policy.
If you suspect that the IDP policy is consuming a large amount of memory, you can check the size of the loaded IDP policy. This is especially relevant on branch SRX devices.
In the following example, the Recommended template is set as the active IDP policy:
[edit]
root@3400-2# set security idp active-policy Recommended
[edit]
root@3400-2# commit
commit complete
[edit]
root@3400-2# run show security idp policy-commit-status
Compiling policy...
To check the loaded IDP policy size, use the following command:
[edit]
root@3400-2# run show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:4344169 Bytes
The size of any loaded active IDP policy can be checked in the same way. However, in certain cases, when a minor non-IDP change is made, the above command displays the following output instead:
root@srx3400> show security idp policy-commit-status
Active policy not configured or Active policy not modified
In such cases, use the following method to check the size of the policy (in this example, test-ssl is the active policy):
root@srx3400> start shell
root@srx3400% cd /var/db/idpd/bins
root@srx3400% ls -al
total 16560
drwxr-xr-x 2 root wheel 512 Jan 24 09:02 .
drwxr-xr-x 8 root wheel 512 Jan 24 09:02 ..
-rw-r--r-- 1 root wheel 2415816 Jan 8 15:16 compiled_ai.bin
-rw-r--r-- 1 root wheel 2840770 Jan 8 15:16 compressed_ai.bin
-rw-r--r-- 1 root wheel 1832 Jan 24 09:02 last-good-policy.bin.gz.v
-rw-r--r-- 1 root wheel 3134686 Dec 14 09:55 libidp-detector.so.tgz.v
lrwxr-xr-x 1 root wheel 52 Dec 14 09:55 running-detector -> /var/db/idpd/sec-repository/libidp-detector.so.tgz.v
lrwxr-xr-x 1 root wheel 35 Jan 24 09:02 running-policy -> /var/db/idpd/bins/test-ssl.bin.gz.v
-rw-r----- 1 root wheel 1831 Jan 24 09:02 test-ssl.bin.gz.v
root@srx3400% addver -r test-ssl.bin.gz.v test-ssl.bin.gz
infile test-ssl.bin.gz.v , outfile test-ssl.bin.gz
Version is 1.0 build 0
compressed
Not encrypted
root@srx3400% ls -al
total 16564
drwxr-xr-x 2 root wheel 512 Jan 30 12:39 .
drwxr-xr-x 8 root wheel 512 Jan 24 09:02 ..
-rw-r--r-- 1 root wheel 2415816 Jan 8 15:16 compiled_ai.bin
-rw-r--r-- 1 root wheel 2840770 Jan 8 15:16 compressed_ai.bin
-rw-r--r-- 1 root wheel 1832 Jan 24 09:02 last-good-policy.bin.gz.v
-rw-r--r-- 1 root wheel 3134686 Dec 14 09:55 libidp-detector.so.tgz.v
lrwxr-xr-x 1 root wheel 52 Dec 14 09:55 running-detector -> /var/db/idpd/sec-repository/libidp-detector.so.tgz.v
lrwxr-xr-x 1 root wheel 35 Jan 24 09:02 running-policy -> /var/db/idpd/bins/test-ssl.bin.gz.v
-rw-r----- 1 root wheel 1783 Jan 30 12:38 test-ssl.bin.gz
-rw-r----- 1 root wheel 1831 Jan 24 09:02 test-ssl.bin.gz.v
root@srx3400% gunzip test-ssl.bin.gz
gunzip: test-ssl.bin.gz: decompression OK, trailing garbage ignored
root@srx3400% du -sh test-ssl.bin
10K test-ssl.bin
root@srx3400% ls -al
total 16580
drwxr-xr-x 2 root wheel 512 Jan 30 12:39 .
drwxr-xr-x 8 root wheel 512 Jan 24 09:02 ..
-rw-r--r-- 1 root wheel 2415816 Jan 8 15:16 compiled_ai.bin
-rw-r--r-- 1 root wheel 2840770 Jan 8 15:16 compressed_ai.bin
-rw-r--r-- 1 root wheel 1832 Jan 24 09:02 last-good-policy.bin.gz.v
-rw-r--r-- 1 root wheel 3134686 Dec 14 09:55 libidp-detector.so.tgz.v
lrwxr-xr-x 1 root wheel 52 Dec 14 09:55 running-detector -> /var/db/idpd/sec-repository/libidp-detector.so.tgz.v
lrwxr-xr-x 1 root wheel 35 Jan 24 09:02 running-policy -> /var/db/idpd/bins/test-ssl.bin.gz.v
-rw-r----- 1 root wheel 8488 Jan 30 12:38 test-ssl.bin
-rw-r----- 1 root wheel 1831 Jan 24 09:02 test-ssl.bin.gz.v
root@srx3400# run show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/test-ssl.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:8488 Bytes
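The two checks above can be combined in a script. The following POSIX shell functions are an added example, not part of the original article or of Junos, and the function names are hypothetical. They read the size from saved policy-commit-status output and otherwise measure the outfile of addver -r by streaming it, assuming gzip and wc are available in the shell.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not Junos commands.

# Print the byte count found in saved output of
# `show security idp policy-commit-status`. Returns 1 when the output has no
# size line, e.g. "Active policy not configured or Active policy not modified".
size_from_status() {
    size=$(printf '%s\n' "$1" |
        sed -n 's/^The loaded policy size is:[[:space:]]*\([0-9][0-9]*\) Bytes.*/\1/p' |
        head -n 1)
    [ -n "$size" ] || return 1
    printf '%s\n' "$size"
}

# Print the uncompressed size in bytes of a de-versioned policy file (the
# outfile of `addver -r`). The data is streamed to wc, so no .bin file is
# written next to the running policy.
size_from_gz() {
    [ -r "$1" ] || return 1
    rc=0
    gzip -t "$1" 2>/dev/null || rc=$?
    # Trailing data after the gzip stream is only a warning (exit status 2 in
    # GNU gzip); the article's gunzip run reports the same condition.
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return 1
    bytes=$(gzip -dc "$1" 2>/dev/null | wc -c | tr -d '[:space:]')
    printf '%s\n' "$bytes"
}

# Size of the active policy: take it from the status text when it is there,
# otherwise measure the de-versioned file passed as the second argument.
active_policy_size() {
    size_from_status "$1" || size_from_gz "$2"
}

# Constructed sample input (status text in the format the article shows).
sample='Active policy not configured or Active policy not modified'
if ! size_from_status "$sample" >/dev/null; then
    echo "no size in status output; measure the file under /var/db/idpd/bins"
fi
```

Writing the addver -r outfile to a scratch directory rather than /var/db/idpd/bins keeps the live policy directory unchanged.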