Setting Memory and Session Limits

Although you cannot create application signatures, you can configure sensor settings to limit the number of sessions running application identification and also limit memory usage for application identification.

• Memory limit for a session—You can configure the maximum amount of memory bytes that can be used to save packets for application identification for one TCP or UDP session. You can also configure a limit for global memory usage for application identification. Application identification is disabled for a session after the system reaches the specified memory limit for the session. However, IDP continues to match patterns. Matched application is saved to cache so that the next session can use it. This prevents the system from attackers trying to bypass application identification by purposefully sending large client-to-server packets.
• Number of sessions—You can configure the maximum number of sessions that can run application identification at the same time. Application identification is disabled after the system reaches the specified number of sessions. You limit the number of sessions so that you can prevent a denial-of-service (DOS) attack, when too many connection requests overwhelm and exhaust all the allocated resources on the system.

In the configuration instructions for this example, you configure the limit so that only 600 sessions can run application identification at the same time. You also configure 5000 memory bytes as the maximum amount of memory that can be used for saving packets for application identification for one TCP session.

You can use either J-Web or the CLI configuration editor to configure memory and session limits for application identification.

This topic contains:

• CLI Configuration
• Related Topics

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.