
[SRX-IDP] "show security idp counters policy-manager" command


Article ID: KB29233 KB Last Updated: 04 Mar 2017 Version: 3.0
Summary:

This article explains the output of the show security idp counters policy-manager command.

Symptoms:

The show security idp counters policy-manager command displays the values of all IDP policy counters.

Consider, for example, the output of the show security idp counters policy-manager command on an SRX-3600:

SRX-3600> show security idp counters policy-manager
IDP counters:

IDP counter type                                                   Value
Number of policies                                                7     <-
Number of aged out policies                                       0
Policy compile failure due to memory                              0

This gives the impression that the device has 7 IDP policies, whereas the customer may actually have only one active IDP policy that has, for example, two rules:

idp {
    idp-policy TestIPS-SRX {
        rulebase-ips {
            rule 1 {
                match {
                    source-address any;
                    destination-address any;
                    attacks {
                        predefined-attacks [ P2P:GNUTELLA:DOWNLOAD ];
                    }
                }
            }
            rule 2 {
                match {
                    source-address any;
                    destination-address any;
                    attacks {
                        predefined-attacks [ P2P:NAPSTER:DATA-8888 ];
                    }
                }
                then {
                    action {
                        drop-packet;
                    }
                }
            }
        }
    }
}

Given this sample configuration, the customer is left wondering why the value "7" appears in the command output.

Solution:

The "Number of policies" value in the output refers to the number of policies loaded at the PFE level.

In the example above, the SRX3600 has 7 SPUs; thus, the number of policies shows up as "7." These counters are intended for development debugging, and are not for general customer use. The number of SPUs per customer SRX will vary with the number of SPCs installed.  

To see which IDP policy is loaded:

  • Use the show security idp policies command (instead of the show security idp counters policy-manager command).
  • The show security idp policies command displays the list of currently installed policies.

Sample output of the above command:

labroot> show security idp policies
ID    Name                   Sessions    Memory      Detector
6     Recommended            0           1258        12.6.160151117
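
The following Python sketch is an added example, not Juniper code. It parses the two outputs shown in this article and reports the installed policy from the show security idp policies table, keeping the policy-manager counter separate as the PFE-level load count. The function names and the result keys are assumptions made for this example.

```python
import re

# Sample outputs copied from this article (not live device data).
COUNTERS_OUTPUT = """\
IDP counter type                                                   Value
Number of policies                                                7     <-
Number of aged out policies                                       0
Policy compile failure due to memory                              0
"""
POLICIES_OUTPUT = """\
ID    Name                   Sessions    Memory      Detector
6     Recommended            0           1258        12.6.160151117
"""

def parse_counters(text):
    """Return {counter name: value} from 'show security idp counters policy-manager'."""
    counters = {}
    for line in text.splitlines():
        # Name, two or more spaces, an integer, optionally the article's '<-' marker.
        m = re.match(r"^(\S.*?)\s{2,}(\d+)\s*(?:<-)?\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def parse_policies(text):
    """Return one dict per row of 'show security idp policies' (header is skipped)."""
    policies = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            pid, name, sessions, memory, detector = m.groups()
            policies.append({"id": int(pid), "name": name, "sessions": int(sessions),
                             "memory": int(memory), "detector": detector})
    return policies

def audit(counters_text, policies_text):
    """Summarise IDP state; the policy table, not the counter, names what is installed."""
    counters = parse_counters(counters_text)
    policies = parse_policies(policies_text)
    return {
        "installed": [p["name"] for p in policies],
        "pfe_policy_loads": counters.get("Number of policies"),  # PFE-level loads, per the article
        "compile_failures": counters.get("Policy compile failure due to memory", 0),
        "no_policy_installed": not policies,  # empty table: nothing listed as installed
    }

if __name__ == "__main__":
    print(audit(COUNTERS_OUTPUT, POLICIES_OUTPUT))
```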
