Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Specifies the number of flow sessions that user logical system administrators and primary logical system administrators configure for their logical systems if the security profile is bound to the logical systems.

The primary administrator:

  • uses security profiles to provision logical systems with resources.

  • binds security profiles to user logical systems and the primary logical system.

  • can configure more than one security profile, specifying different amounts of resource allocations in various profiles.

Only the primary administrator can create security profiles and bind them to logical systems.


maximum amount

A maximum allowed quota. If a logical system requires more of a resource than its reserved amount allows, it can utilize resources configured for the global maximum amount if they are available—that is, if they are not allocated to other logical systems. The maximum allowed quota specifies the portion of the free global resources that the logical system can use. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. Logical systems compete for global resources.

  • Range: 0 through 1000000

reserved amount

A reserved quota that guarantees that the resource amount specified is always available to the logical system.

  • Default: 0


An IPv6 session consumes twice the memory of an IPv4 session. Therefore the number of sessions available for IPv6 is half the reserved and maximum quotas configured for the flow session resource in a security profile. Use the vty command show usp flow resource usage cp-session to check flow session usage.

For performance consideration, flow session rate-limiting is done on distributed central point (DCP) for SRX5400, SRX5600, and SRX5800 devices. DCP session is always created before SPU flow session on these devices. You can count DCP session instead of SPU flow session to check whether the maximum/reserved quotas are reached for a specific logical system or tenant system.

There are no differences between DCP session and SPU flow session count because a session without NAT consumes one DCP session and one SPU flow session.

For sessions with NAT configuration, one connection can consume one SPU flow session and two DCP sessions. If all sessions are NAT sessions and each session consumes two DCP sessions, then the logical system or tenant system can only reach half of the maximum quotas configured for the flow session resources.

Typically, there are sessions with NAT and non-NAT mixed traffic, so the logical system or tenant system can create flow sessions between “maximum”/2 and “maximum”.

This functionality is similar to the reserved quotas that are configured for the flow session resources in a security profile. As a logical system or tenant system can consume more resources than the reserved quotas, you can configure additional flow session resources for reserved quotas with NAT configuration, if there are free resources available in the logical system or tenant system.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.2.