
[SRX] What is the maximum URL pattern limit that can be configured on vSRX and TVP SRX platforms?


Article ID: KB33855 KB Last Updated: 23 Jul 2021 Version: 2.0

Summary:

This article clarifies that the maximum number of URL patterns that can be configured on vSRX and TVP SRX platforms is set by design and cannot be increased.

Symptoms:

More than 2,000 URL patterns were configured on an SRX1500 device, and requests were falling back to permit due to “Timeout,” as the Fallback counters in the following output show.

# run show security utm web-filtering statistics
UTM web-filtering statistics:
Total requests:                     3301067
white list hit:                     0
Black list hit:                     0
No license permit:                  0
Queries to server:                  0
Server reply permit:                0
Server reply block:                 0
Server reply quarantine:            0
Server reply quarantine block:      0
Server reply quarantine permit:     0
Custom category permit:             0
Custom category block:              0
Custom category quarantine:         0
Custom category quarantine block:    0
Custom category quarantine permit:  0
Site reputation permit:             0
Site reputation block:              0
Site reputation quarantine:         0
Site reputation quarantine block:   0
Site reputation quarantine permit:  0
Site reputation by Category         0
Site reputation by Global           0
Cache hit permit:                   0
Cache hit block:                    0
Cache hit quarantine:               0
Cache hit quarantine block:         0
Cache hit quarantine permit:        0
Safe-search redirect:               0
SNI pre-check queries to server:    0
SNI pre-check server responses:     0
Web-filtering sessions in total:    512000
Web-filtering sessions in use:      259
Fallback:                       log-and-permit           block
Default                                 0               0
Timeout                           2224294               0 
Connectivity                            0               0
Too-many-requests                       0               0 

After the number of URL patterns was reduced to half of the original value, URL pattern matching worked as expected. The following output shows the max_url_pattern value on the SRX1500:

% sysctl -a | grep utm
hw.product.pvi.config.utmd.max_utm_policy: 500
hw.product.pvi.config.utmd.max_wf_profile: 500
hw.product.pvi.config.utmd.max_av_profile: 500
hw.product.pvi.config.utmd.max_cf_profile: 500
hw.product.pvi.config.utmd.max_as_profile: 500
hw.product.pvi.config.utmd.max_mime_pattern: 500
hw.product.pvi.config.utmd.max_file_ext_list: 500
hw.product.pvi.config.utmd.max_url_pattern: 1000  
hw.product.pvi.config.utmd.max_cust_cat: 1000 

Is this the limit on the number of URL patterns? Is there a way to increase this number to 2,000 or higher?

Solution:

The max_url_pattern limit for the different SRX platforms is given below:

  • vSRX small flavor: 1000
  • vSRX medium flavor: 3000
  • vSRX large flavor: 3000
  • vSRX xlarge flavor: 3000
  • SRX1500: 3000
  • SRX4100/SRX4200: 3000
  • SRX4600: 3000

This is the current designed behavior. The maximum number cannot be increased.

For details on url-pattern configuration, refer to url-pattern.

Note: PR1206968 changed the following system settings:

  • The SRX TVP platform now supports 500 UTM policies/profiles/mime-patterns/filename-exts/command-lists and 1000 url-patterns/custom-categories. The other platforms have been left unchanged.
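
The check below is an added example, not Juniper's code: it parses the two outputs shown in this article (abridged and embedded as constructed sample text) and flags a url-pattern count above max_url_pattern together with any fallback reason that permitted traffic. The `configured_patterns` value is an assumption supplied by the caller; the article only says more than 2,000.

```python
import re

# Constructed sample input, abridged from the two outputs shown in this article.
STATS = """\
Total requests:                     3301067
Web-filtering sessions in use:      259
Fallback:                       log-and-permit           block
Default                                 0               0
Timeout                           2224294               0
Connectivity                            0               0
Too-many-requests                       0               0
"""
SYSCTL = "hw.product.pvi.config.utmd.max_url_pattern: 1000\n"

def parse_fallback(stats):
    """Return {reason: (log_and_permit, block)} from the Fallback table."""
    rows, in_table = {}, False
    for line in stats.splitlines():
        if line.strip().startswith("Fallback:"):
            in_table = True   # counter rows follow this header line
            continue
        m = re.match(r"\s*([A-Za-z-]+)\s+(\d+)\s+(\d+)\s*$", line)
        if in_table and m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows

def total_requests(stats):
    m = re.search(r"^Total requests:\s+(\d+)", stats, re.M)
    return int(m.group(1)) if m else 0

def max_url_pattern(sysctl):
    m = re.search(r"max_url_pattern:\s*(\d+)", sysctl)
    return int(m.group(1)) if m else None

def audit(stats, sysctl, configured_patterns):
    """configured_patterns is supplied by the caller (an assumption here)."""
    findings, limit = [], max_url_pattern(sysctl)
    if limit is not None and configured_patterns > limit:
        findings.append(f"url-pattern count {configured_patterns} exceeds max_url_pattern {limit}")
    total = total_requests(stats)
    for reason, (permitted, _blocked) in parse_fallback(stats).items():
        if permitted:  # requests let through by fallback, not by a filter verdict
            share = 100 * permitted / total if total else 0.0
            findings.append(f"{reason} fallback permitted {permitted} requests ({share:.1f}% of total)")
    return findings

if __name__ == "__main__":
    for finding in audit(STATS, SYSCTL, configured_patterns=2001):
        print("WARN:", finding)
```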

Modification History:

2021-07-23: Added list of max_url_pattern values for other SRX platforms and made other minor modifications
