Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

application-services (Security Forwarding Process)

Syntax

Hierarchy Level

Description

You can configure SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices to switch from an integrated firewall mode to maximize Intrusion Detection and Prevention (IDP) mode to run IDP processing in tap mode and increase the capacity of processing with the maximize-idp-sessions option. Inline tap mode can only be configured if the forwarding process mode is set to maximize-idp-sessions, which ensures stability and resiliency for firewall services. You also do not need a separate tap or span port to use inline tap mode. When you maximize IDP, you are decoupling IDP processes from firewall processes, allowing the device to support the same number of firewall and IDP sessions, also run the IDP processing in tap mode.

You can configure maximum Application Layer Gateway (ALG) sessions by using the maximize-alg-sessions option. The session capacity number for Real-Time Streaming Protocol (RTSP), FTP, and Trivial File Transfer Protocol (TFTP) ALG varies per flow SPU. For SRX5000 series devices the session capacity is 10,240 per flow SPU. You must reboot the device (and its peer in chassis cluster mode) for the configuration to take effect. The maximize-alg-sessions option now enables you to increase defaults as follows:

  • TCP proxy connection capacity: 40,000 per flow SPU

    Flow session capacity is reduced to half per flow SPU; therefore the aforementioned capacity numbers will not change on central point flow.

Enable GPRS tunneling protocol. GTP-U session distribution is a UE (User equipment) based distribution, generating tunnel based GTP-U session and distributing them across SPUs on a UE basis.

Before 15.1X49-D40, GTP-U sessions are distributed by GGSN IP address always.

15.1X49-D40 onward, the GTP-U distribution is disabled and fat GTP-U sessions are distributed as normal UDP.

Use the enable-gtpu-distribution command to enable GTP-U session distribution.

Use the inline-fpga-crypto (disabled | enabled) to enable or disable inline FPGA crypto

Options

The remaining statements are explained separately. See the CLI Explorer.

Required Privilege Level

security—To view this in the configuration.

security-control—To add this to the configuration.

Release Information

Statement introduced in Junos OS Release 9.6. Statement updated in Junos OS Release 10.4. Statement updated in Junos OS Release 15.1X49-D40 with the enable-gtpu-distribution option. Statement updated in Junos OS Release 20.4R1 with the inline-fpga-crypto (disabled | enabled) option.