application-services (Security Forwarding Process)
Syntax
application-services {
    enable-gtpu-distribution;
    inline-fpga-crypto (disabled | enabled);
    maximize-alg-sessions;
    maximize-idp-sessions {
        weight (firewall | idp);
    }
    packet-ordering-mode {
        (hardware | software);
    }
}
Hierarchy Level
[edit security forwarding-process]
Description
You can configure SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices to switch from integrated firewall mode to maximize Intrusion Detection and Prevention (IDP) mode, which runs IDP processing in tap mode and increases processing capacity, by using the maximize-idp-sessions option. Inline tap mode can only be configured if the forwarding process mode is set to maximize-idp-sessions, which ensures stability and resiliency for firewall services. You also do not need a separate tap or SPAN port to use inline tap mode. When you maximize IDP, you decouple the IDP processes from the firewall processes, which allows the device to support the same number of firewall and IDP sessions and also to run IDP processing in tap mode.
You can configure the maximum number of Application Layer Gateway (ALG) sessions by using the maximize-alg-sessions option. The session capacity for the Real-Time Streaming Protocol (RTSP), FTP, and Trivial File Transfer Protocol (TFTP) ALGs varies per flow SPU. For SRX5000 line devices the session capacity is 10,240 per flow SPU. You must reboot the device (and its peer in chassis cluster mode) for the configuration to take effect. The maximize-alg-sessions option increases the defaults as follows:
- TCP proxy connection capacity: 40,000 per flow SPU
- Flow session capacity is reduced to half per flow SPU; the capacity numbers above therefore do not change on the central point flow.
Enable GPRS tunneling protocol user plane (GTP-U) session distribution. GTP-U session distribution is user equipment (UE) based: tunnel-based GTP-U sessions are generated and distributed across SPUs on a per-UE basis. Before Junos OS Release 15.1X49-D40, GTP-U sessions were always distributed by GGSN IP address. From 15.1X49-D40 onward, GTP-U distribution is disabled and fat GTP-U sessions are distributed as normal UDP traffic. Use the enable-gtpu-distribution statement to enable GTP-U session distribution.
Use the inline-fpga-crypto (disabled | enabled) statement to enable or disable inline FPGA crypto.
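A worked configuration session, added here as an example and not taken from the page above or from Juniper's own documentation, that applies the maximize-idp-sessions and maximize-alg-sessions options described above on an SRX5000 line device and walks through the verification and reboot steps the description requires. The hostname, the choice of IDP weight, and the combination of statements are assumptions.

```junos
## Constructed example (not from Juniper docs): switch the forwarding process
## to maximize IDP sessions (weighting the SPU split toward IDP) and raise ALG
## session capacity on an SRX5000 line device.
[edit]
user@srx5800# set security forwarding-process application-services maximize-idp-sessions weight idp
user@srx5800# set security forwarding-process application-services maximize-alg-sessions

## Check the hierarchy before committing: both options should appear under
## [edit security forwarding-process application-services].
user@srx5800# show security forwarding-process
application-services {
    maximize-alg-sessions;
    maximize-idp-sessions {
        weight idp;
    }
}
user@srx5800# commit
commit complete

## As the description states, the new capacities are not active until the
## device is rebooted; in a chassis cluster, reboot the peer node as well.
user@srx5800# exit
user@srx5800> request system reboot
```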
Options
The remaining statements are explained separately. See the CLI Explorer.
Required Privilege Level
security—To view this in the configuration.
security-control—To add this to the configuration.
Release Information
Statement introduced in Junos OS Release 9.6. Statement updated in Junos OS Release 10.4. Statement updated in Junos OS Release 15.1X49-D40 with the enable-gtpu-distribution option. Statement updated in Junos OS Release 20.4R1 with the inline-fpga-crypto (disabled | enabled) option.