Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All
Related Documentation
- J Series
- Understanding IDP Application Identification
- IDP Policies Overview
- Understanding the IDP Signature Database
- Example: Updating the IDP Signature Database Manually
- Example: Setting Memory and Session Limits for IDP Application Identification Services
- SRX Series
- Understanding IDP Application Identification
- IDP Policies Overview
- Understanding the IDP Signature Database
- Example: Updating the IDP Signature Database Manually
- Example: Setting Memory and Session Limits for IDP Application Identification Services
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices
Understanding Memory and Session Limit Settings for IDP Application Identification
Although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and also limit memory usage for application identification.
- Memory limit for a session—You can configure the maximum amount of memory bytes that can be used to save packets for application identification for one TCP or UDP session. You can also configure a limit for global memory usage for application identification. Application identification is disabled for a session after the system reaches the specified memory limit for the session. However, IDP continues to match patterns. The matched application is saved to cache so that the next session can use it. This protects the system from attackers trying to bypass application identification by purposefully sending large client-to-server packets.
- Number of sessions—You can configure the maximum number of sessions that can run application identification at the same time. Application identification is disabled after the system reaches the specified number of sessions. You limit the number of sessions so that you can prevent a denial-of-service (DOS) attack, which occurs when too many connection requests overwhelm and exhaust all the allocated resources on the system.
Table 1 provides the capacity of a central point (CP) session numbers for SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Table 1: Maximum CP Session Numbers
SRX Series Devices | Maximum Sessions | Central Point (CP) |
|---|---|---|
SRX3400 | 2.25 million | Combo-mode CP |
SRX3600 | 2.25 million | Combo-mode CP |
SRX5600 | 9 million 2.25 million | Full CP Combo-mode CP |
SRX5800 | 10 million 2.25 million | Full CP Combo-mode CP |
Related Documentation
- J Series
- Understanding IDP Application Identification
- IDP Policies Overview
- Understanding the IDP Signature Database
- Example: Updating the IDP Signature Database Manually
- Example: Setting Memory and Session Limits for IDP Application Identification Services
- SRX Series
- Understanding IDP Application Identification
- IDP Policies Overview
- Understanding the IDP Signature Database
- Example: Updating the IDP Signature Database Manually
- Example: Setting Memory and Session Limits for IDP Application Identification Services
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices
