This article describes the configuration of different modes in which the IDP module can run.
The IDP module can run in the following modes. Only the High End Series SRX can run all three; Branch SRX units can only use the default mode, which is Integrated.
Integrated Mode
This is the default mode; all SRX units support Integrated Mode. In this mode, IDP processing occurs within the firewall process. On high end SRX units, this is done on the Service Processing Unit (SPU).
Dedicated Mode (only supported on High End Series SRX)
This mode separates the firewall and IDP processes. Because the two processes are discrete, the firewall process hands traffic marked for IDP inspection off to the IDP engine; after inspection, the traffic is returned to the firewall process. The split of SPU processing power between firewall and IDP processing can be configured. This allows resources to be allocated to each process for deterministic processing availability. The downside is that the resource allocations cannot accommodate dynamic changes in load.
The following three commands are not supported on 12.1X44 versions.
root# set security forwarding-process application-services maximize-idp-sessions weight equal
root# set security forwarding-process application-services maximize-idp-sessions weight firewall
root# set security forwarding-process application-services maximize-idp-sessions weight idp
NOTE: Only one option can be chosen under weight:
equal - distributes resources equally between firewall and IDP
firewall - distributes 2/3 of resources to firewall and 1/3 to IDP
idp - distributes 2/3 of resources to IDP and 1/3 to firewall
Inline Tap (only supported on High End Series SRX)
This mode has the same separation of firewall and IDP processes. However, the firewall process does not hand the traffic to the IDP process; instead it sends a copy. This allows the firewall process to complete its processing regardless of IDP processing results, so an IDP process failure or resource issue will not compromise firewall forwarding. This will not stop single-packet attacks, but it can stop an attack that spans multiple packets, and it is faster than Dedicated Mode. The downside is that traffic may be forwarded before an IDP event is detected.
root# set security forwarding-process application-services maximize-idp-sessions inline-tap weight equal
(This command is not supported on 12.1X44 versions)***
root# set security forwarding-process application-services maximize-idp-sessions inline-tap weight firewall
root# set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp
NOTE: Only one option can be chosen under weight:
equal - distributes resources equally between firewall and IDP
firewall - distributes 2/3 of resources to firewall and 1/3 to IDP
idp - distributes 2/3 of resources to IDP and 1/3 to firewall
*** On all high end SRX Series devices, the maximize-idp-sessions inline-tap weight equal command is not supported in Junos OS Release 12.1X44. If this mode was configured in the previous release when an upgrade to Junos OS 12.1X44 was done, the configuration changes to maximize-idp-sessions inline-tap weight firewall.
Please note that IDP inline-tap mode is no longer supported starting from 15.1X49-D10 and 17.3R1.
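As an added pre-upgrade check (not part of this article or of Juniper's own tooling), the following Python script reads `show configuration | display set` lines, derives the configured IDP mode and weight, and flags the two upgrade behaviours described above: the silent change of inline-tap weight equal to weight firewall on 12.1X44, and the removal of inline-tap mode from 15.1X49-D10 and 17.3R1 onwards. The platform label and the version-comparison thresholds are assumptions built only from this article's statements.

```python
import re

# Matches the dedicated-mode and inline-tap statements from this article as they
# appear in 'show configuration | display set' output (integrated mode sets nothing).
MODE_RE = re.compile(
    r"^set security forwarding-process application-services "
    r"maximize-idp-sessions(?P<tap> inline-tap)? weight (?P<weight>equal|firewall|idp)$"
)
# Junos release strings such as 12.1X44-D35, 15.1X49-D10 or 17.3R1; parsed to
# (major, minor, X, D) with missing parts as 0 (R/S suffixes are ignored).
REL_RE = re.compile(r"^(\d+)\.(\d+)(?:X(\d+))?(?:-D(\d+))?")

def idp_mode(config_lines):
    """Return (mode, weight); 'integrated' is the default when no statement is set."""
    mode, weight = "integrated", None
    for line in config_lines:
        m = MODE_RE.match(line.strip())
        if m:
            mode = "inline-tap" if m.group("tap") else "dedicated"
            weight = m.group("weight")
    return mode, weight

def parse_release(release):
    m = REL_RE.match(release)
    if not m:
        raise ValueError("unrecognised Junos release: %s" % release)
    return tuple(int(g) if g else 0 for g in m.groups())

def inline_tap_supported(release):
    """Inline tap is gone starting with 15.1X49-D10 and 17.3R1 (the article's thresholds)."""
    major, minor, x, d = parse_release(release)
    if (major, minor, x) == (15, 1, 49):
        return d < 10
    return (major, minor) < (17, 3)

def preupgrade_findings(config_lines, platform, target_release):
    """platform is 'branch' or 'high-end' (assumed labels); returns (mode, weight, findings)."""
    mode, weight = idp_mode(config_lines)
    findings = []
    if platform == "branch" and mode != "integrated":
        findings.append("branch SRX supports only integrated mode; '%s' will not apply" % mode)
    if mode == "inline-tap":
        if target_release.startswith("12.1X44") and weight == "equal":
            findings.append("inline-tap weight equal is not supported in 12.1X44; "
                            "the upgrade changes it to inline-tap weight firewall")
        if not inline_tap_supported(target_release):
            findings.append("inline-tap mode is not supported in %s" % target_release)
    return mode, weight, findings

# Constructed sample: a high-end SRX currently in inline-tap mode with equal weight.
SAMPLE_CONFIG = ["set security forwarding-process application-services maximize-idp-sessions inline-tap weight equal"]
```

Run `preupgrade_findings(SAMPLE_CONFIG, "high-end", "12.1X44-D35")` to see the weight change finding, and with "17.3R1" to see the inline-tap removal finding.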
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-overview.html