Technical Documentation

Configuring Memory for the Stateful Firewall Plug-In

When configuring the stateful firewall internal plug-in, open questions remain about the upper limit to specify for the policy-db-size, object-cache-size, and forwarding-db-size statements when the application uses a large number of rules, so that the total memory required approaches the size of the configured object cache. The following limits, which are specific to the stateful firewall configuration, await additional review:

  • Maximum number of terms (with one rule per term) per service set: 1200
  • Maximum number of service sets per Multiservices PIC: 4000 (Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers), 6000 (Juniper Networks MX Series Ethernet Services Routers and M120 Multiservice Edge Routers)
  • Maximum object cache size: 1280 MB (Multiservices 400 PICs and DPCs), 512 MB (Multiservices 100 PICs)
  • Maximum policy database size: Still to be determined.

If the policy database is set too small, an error message is logged in the router message file even though the commit may appear to succeed. Check the logs after committing; only the absence of such a message-file error confirms that the stateful firewall commit was indeed successful. The remedial action is to increase the size of the policy database.
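The following Python script is an added example, not Juniper code, that turns the two checks above into something an operator can run from a provisioning host: a pre-commit plan check against the limits listed on this page, and a post-commit scan of message-file lines for a policy-database error. The platform and PIC keys, the regular expression, and the sample log lines are all constructed for this example; the page does not state the exact wording of the logged error, so confirm the pattern against your own router's messages file before relying on it.

```python
"""Plan check and post-commit log scan for stateful firewall plug-in memory sizing.

Added example (not Juniper code). The numeric limits are the ones stated on the
page; the dictionary keys naming platforms and PICs are my own choice.
"""
import re

# Limits stated on the page for the stateful firewall configuration.
MAX_TERMS_PER_SERVICE_SET = 1200
MAX_SERVICE_SETS_PER_PIC = {
    "m-series": 4000, "t-series": 4000,     # M Series and T Series
    "mx-series": 6000, "m120": 6000,        # MX Series and M120
}
MAX_OBJECT_CACHE_MB = {
    "ms-400": 1280, "dpc": 1280,            # Multiservices 400 PICs and DPCs
    "ms-100": 512,                          # Multiservices 100 PICs
}


def check_plan(platform, pic, service_sets, terms_per_set, object_cache_mb):
    """Return a list of limit violations; an empty list means the plan fits.

    Values equal to a limit are accepted; only values above it are reported.
    """
    problems = []
    if platform not in MAX_SERVICE_SETS_PER_PIC:
        problems.append(f"unknown platform key {platform!r}")
    elif service_sets > MAX_SERVICE_SETS_PER_PIC[platform]:
        problems.append(
            f"{service_sets} service sets exceeds {MAX_SERVICE_SETS_PER_PIC[platform]} on {platform}")
    if terms_per_set > MAX_TERMS_PER_SERVICE_SET:
        problems.append(
            f"{terms_per_set} terms per service set exceeds {MAX_TERMS_PER_SERVICE_SET}")
    if pic not in MAX_OBJECT_CACHE_MB:
        problems.append(f"unknown PIC key {pic!r}")
    elif object_cache_mb > MAX_OBJECT_CACHE_MB[pic]:
        problems.append(
            f"object-cache-size {object_cache_mb} MB exceeds {MAX_OBJECT_CACHE_MB[pic]} MB on {pic}")
    return problems


# ASSUMPTION: the page says only that an error is logged when the policy
# database is too small, not what it says. This pattern is a guess; replace it
# with the exact text observed in your router's messages file.
POLICY_DB_ERROR = re.compile(
    r"policy[- ]?d(?:b|atabase).*(?:too small|exceed|insufficient|fail)",
    re.IGNORECASE,
)


def find_policy_db_errors(log_lines):
    """Return the message-file lines that look like a policy-database size error."""
    return [line for line in log_lines if POLICY_DB_ERROR.search(line)]


# Constructed sample of message-file lines around a commit (not real router output).
SAMPLE_MESSAGES = [
    "May  9 10:01:02 router mgd[1234]: commit requested by admin",
    "May  9 10:01:05 router fpc0: policy-db-size too small for service-set sfw-ss1",
    "May  9 10:01:06 router mgd[1234]: commit complete",
]

if __name__ == "__main__":
    for issue in check_plan("mx-series", "ms-400", 6500, 1300, 2000):
        print("plan:", issue)
    for line in find_policy_db_errors(SAMPLE_MESSAGES):
        print("log:", line)
```

Run the plan check before committing and the log scan after; a successful commit that still produces a hit from the log scan is exactly the case the text describes, and the fix is to raise the policy-db-size statement rather than to accept the commit output at face value.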

Published: 2010-05-09