
[SRXIDP] IDP modes supported by SRX

Article ID: KB27717 | KB Last Updated: 17 Apr 2019 | Version: 3.0
Summary:

This article describes the configuration of different modes in which the IDP module can run.

Symptoms:

The IDP module can run in the modes described below.

Solution:
The IDP module can run in three different modes. Only the High End Series SRX can run all three; Branch SRX units can only use the default mode, 'integrated'.


Integrated Mode

This is the default mode; all SRX units support Integrated Mode. In this mode, IDP processing occurs within the firewall process. On high end SRX units, this is done on the Service Processing Unit (SPU).


Dedicated Mode (only supported on High End Series SRX)

This mode separates the firewall and IDP processes. Because the two processes are discrete, the firewall process hands traffic marked for IDP inspection off to the IDP engine, and after inspection the traffic is returned to the firewall process. The split of SPU processing power between firewall and IDP processing can be configured, so resources can be allocated to each process for deterministic processing availability. The downside is that this allocation is static and cannot adapt to changes in load or other dynamic events.

The following three commands are not supported on 12.1X44 versions.

root# set security forwarding-process application-services maximize-idp-sessions weight equal
root# set security forwarding-process application-services maximize-idp-sessions weight firewall
root# set security forwarding-process application-services maximize-idp-sessions weight idp

NOTE: Only one option can be chosen under weight:

  • equal distributes resources equally between firewall and IDP
  • firewall distributes resources 2/3rds to firewall and 1/3 to IDP
  • idp distributes resources 2/3rds to IDP and 1/3 to firewall.

Inline Tap (only supported on High End Series SRX)

This mode has the same separation of firewall and IDP processes. However, the firewall process does not pass the traffic itself to the IDP process; instead it sends a copy. This allows the firewall process to complete its processing regardless of the IDP processing result, so an IDP process failure or resource shortage will not affect firewall forwarding. Inline Tap cannot stop single-packet attacks, but it can stop an attack that spans multiple packets, and it is faster than Dedicated Mode. The downside is that traffic may already have been forwarded before an IDP event is detected.

root# set security forwarding-process application-services maximize-idp-sessions inline-tap weight equal   *** (not supported on 12.1X44 versions; see note below)
root# set security forwarding-process application-services maximize-idp-sessions inline-tap weight firewall
root# set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp

NOTE: Only one option can be chosen under weight:

  • equal distributes resources equally between firewall and IDP
  • firewall distributes resources 2/3rds to firewall and 1/3 to IDP
  • idp distributes resources 2/3rds to IDP and 1/3 to firewall.

*** On all high end SRX Series devices, the maximize-idp-sessions inline-tap weight equal command is not supported in Junos OS Release 12.1X44. If this mode was configured in a previous release and the device is then upgraded to Junos OS 12.1X44, the configuration changes to maximize-idp-sessions inline-tap weight firewall.


Please note that IDP inline-tap mode is no longer supported starting from Junos OS 15.1X49-D10 and 17.3R1. See:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-overview.html
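The following Python script is an added example, not part of this article or of any Juniper tool. It reads set-style configuration lines, derives which IDP mode (integrated, dedicated or inline-tap) and which weight are configured, and checks them against the release constraints stated above: the weight commands are not supported on 12.1X44, inline-tap weight equal becomes weight firewall on 12.1X44, and inline-tap is not supported from 15.1X49-D10 and 17.3R1. The version parser, the assumption that a bare maximize-idp-sessions line means dedicated mode, and the treatment of X-branches other than 15.1X49 (assumed still to support inline-tap, since the article names no other threshold) are assumptions of this example; the sample configuration lines are constructed.

```python
import re

# Path of the IDP forwarding-process knob in "set"-style configuration syntax (from the article).
IDP_KNOB = "set security forwarding-process application-services maximize-idp-sessions"

# SPU resource split each weight value produces (firewall share, IDP share), per the article.
WEIGHT_SPLIT = {"equal": (0.5, 0.5), "firewall": (2 / 3, 1 / 3), "idp": (1 / 3, 2 / 3)}


def parse_junos_version(version):
    """Split a Junos release string into comparable parts (assumed format, e.g. 12.1X44-D35, 17.3R1-S2).

    Returns (major, minor, x_branch, build): x_branch is the X number of a branch
    release (None for mainline); build is the D number (X branch) or R number (mainline).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:X(\d+))?(?:-D(\d+)|R(\d+))?(?:[-.].*)?", version)
    if not m:
        raise ValueError("unrecognised Junos version: %r" % version)
    major, minor, x, d, r = m.groups()
    build = d if x else r
    return (int(major), int(minor), int(x) if x else None, int(build) if build else 0)


def parse_idp_mode(config_lines):
    """Derive the IDP mode and weight from set-style configuration lines.

    No maximize-idp-sessions line means the default, integrated mode. A line with
    'inline-tap' selects inline-tap mode; any other maximize-idp-sessions line is
    assumed to select dedicated mode.
    """
    mode, weight = "integrated", None
    for raw in config_lines:
        line = raw.strip()
        if not line.startswith(IDP_KNOB):
            continue
        tokens = line[len(IDP_KNOB):].split()
        if tokens[:1] == ["inline-tap"]:
            mode = "inline-tap"
            tokens = tokens[1:]
        else:
            mode = "dedicated"
        if len(tokens) >= 2 and tokens[0] == "weight" and tokens[1] in WEIGHT_SPLIT:
            weight = tokens[1]
    return mode, weight


def inline_tap_supported(version):
    """False at or past the thresholds the article names: 15.1X49-D10 and 17.3R1."""
    major, minor, x, build = parse_junos_version(version)
    if x is None:                       # mainline release
        return (major, minor, build) < (17, 3, 1)
    if (major, minor, x) == (15, 1, 49):
        return build < 10
    return True  # other X branches: no removal stated in the article, assumed supported


def audit_idp_config(config_lines, version):
    """Report the configured mode, the weight the device will actually apply, and findings."""
    mode, weight = parse_idp_mode(config_lines)
    major, minor, x, _ = parse_junos_version(version)
    findings = []
    effective_weight = weight
    if mode == "inline-tap" and not inline_tap_supported(version):
        findings.append("inline-tap mode is not supported on %s (removed from 15.1X49-D10 and "
                        "17.3R1); reconfigure integrated or dedicated mode" % version)
    if (major, minor, x) == (12, 1, 44):
        if mode == "inline-tap" and weight == "equal":
            # The article states the device silently applies 'weight firewall' on 12.1X44.
            effective_weight = "firewall"
            findings.append("12.1X44 does not support 'inline-tap weight equal'; the device "
                            "applies 'weight firewall' (2/3 firewall, 1/3 IDP)")
        elif mode == "dedicated" and weight:
            findings.append("12.1X44 does not support the 'maximize-idp-sessions weight' commands")
    return {"mode": mode, "configured_weight": weight, "effective_weight": effective_weight,
            "split_firewall_idp": WEIGHT_SPLIT.get(effective_weight), "findings": findings}


if __name__ == "__main__":
    # Constructed sample: an inline-tap configuration carried onto a 12.1X44 device.
    sample_config = [
        "set security idp idp-policy recommended",
        IDP_KNOB + " inline-tap weight equal",
    ]
    for release in ("12.1X44-D35", "15.1X49-D10", "17.3R1"):
        print(release, audit_idp_config(sample_config, release))
```

Run it against the output of "show configuration | display set" from the device under review; an empty findings list means the configured mode and weight are consistent with the release constraints given in this article.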
