flow (Security IDP)

Syntax

Hierarchy Level

Description

Configure the IDP engine to manage the packet flow.

Options

allow-nonsyn-connection

Allow TCP connections that do not begin with a SYN packet (non-SYN connections).

drop-if-no-policy-loaded

Drop all traffic until the IDP policy is loaded.

drop-on-failover

Drop traffic for sessions that fail over in a high availability (HA) deployment.

drop-on-limit

Drop connections when resource limits are exceeded.

fifo-max-size

Maximum FIFO size.

  • Range: 1 through 65535

hash-table-size

Size of the packet flow hash table.

  • Range: 1024 through 1000000

idp-bypass-cpu-threshold

CPU usage in percentage for IDP bypass.

  • Default: 85

  • Range: 0 through 99

idp-bypass-cpu-tolerance

CPU usage tolerance percentage for IDP bypass.

  • Default: 5

  • Range: 1 through 99

idp-bypass-cpu-usg-overload

Enable IDP bypass of sessions or packets on CPU usage overload.

intel-inspect-cpu-usg-threshold

CPU usage threshold percentage for intelligent inspection.

  • Default: 80

  • Range: 0 through 99

intel-inspect-cpu-usg-tolerance

CPU usage tolerance percentage for intelligent inspection.

  • Default: 5

  • Range: 1 through 99

intel-inspect-disable-content-decompress

Disable payload content decompression.

intel-inspect-enable

Enable intelligent inspection, which minimizes IDP processing during system overload.

intel-inspect-free-mem-threshold

Free memory threshold percentage for intelligent inspection.

  • Default: 15

  • Range: 1 through 100

intel-inspect-mem-tolerance

Memory tolerance percentage for intelligent inspection.

  • Default: 5

  • Range: 1 through 100

intel-inspect-protocols

Protocols to be processed in intelligent inspection mode.

intel-inspect-session-bytes-depth

Session bytes scanning depth.

  • Default: 0

  • Range: 0 through 1000000

intel-inspect-signature-severity

Signature severities to be considered for IDP processing.

  • Values:

    • critical

    • major

    • minor

log-errors

Enable logging of flow-related errors, recording whether a flow was handled successfully or not. A flow-related error occurs when IDP receives a packet that does not fit into the expected flow. Error logging is enabled by default.

max-sessions-offset

Maximum session offset limit percentage.

Set an offset, as a percentage, for the maximum IDP session limit. When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist under which IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.

  • Range: 0 through 99

max-timers-poll-ticks

Specify the interval at which the timer ticks.

  • Syntax: value—Maximum interval, in ticks, at which the timer ticks.

  • Range: 0 through 1000 ticks

  • Default: 1000 ticks

min-objcache-limit-lt

Memory lower threshold limit percentage.

  • Syntax: value—Memory lower threshold limit percentage.

  • Range: 1 through 100

min-objcache-limit-ut

Memory upper threshold limit percentage.

  • Syntax: value—Memory upper threshold limit percentage.

  • Range: 1 through 100

no-log-errors

Do not log flow errors.

reject-timeout

Specify the amount of time, in seconds, within which a response must be received.

This timeout is applied to a TCP flow when the IPS takes the drop-connection action.

  • Syntax: value—Maximum amount of time in seconds.

  • Range: 1 through 65535

  • Default: 300 seconds

reset-on-policy

IDP keeps track of connections in a table. If enabled, the security module resets the flow table each time a security policy loads or unloads. If this setting is disabled, then the security module continues to retain a previous security policy until all flows referencing that security policy go away. Juniper Networks recommends that you keep this setting enabled to preserve memory.

When a new IDP policy is loaded, the existing sessions are inspected using the newly loaded policy; existing sessions are not ignored for IDP processing. The reset-on-policy command decides whether IDP inspection continues with the newly loaded IDP policy. This command is disabled by default, and all existing sessions continue to be inspected with the newly loaded IDP policy.

Note:

In Junos OS Release 18.2R1-S1 and Junos OS Release 18.3R1, the no-reset-on-policy option is not supported on the SRX5000 line of devices with SRX5K-SPC3.

session-steering

Session steering for session anticipation.

udp-anticipated-timeout

Sets the maximum UDP anticipated timeout value.

  • Range: 1 through 65535

The remaining statements are explained separately. See CLI Explorer.
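The following configuration is an added example written for this page; it is not Juniper's own sample and not part of the original reference. It shows how the options above fit together in one flow sensor configuration. The hierarchy [edit security idp sensor-configuration flow] is assumed from general Junos usage rather than printed on this page, and every value is an illustrative choice within the ranges documented above.

```junos
security {
    idp {
        sensor-configuration {
            /* assumption: the flow statement lives under sensor-configuration */
            flow {
                /* fail closed until an IDP policy is actually loaded */
                drop-if-no-policy-loaded;
                /* keep flow-error logging on (the documented default) */
                log-errors;
                /* illustrative table size, inside the 1024..1000000 range */
                hash-table-size 65536;
                /* warn above the session limit, clear once 10 percent below it */
                max-sessions-offset 10;
                /* shorter wait for a response after an IPS drop-connection on TCP */
                reject-timeout 120;
                /* shed IDP work under overload, using the documented defaults */
                intel-inspect-enable;
                intel-inspect-cpu-usg-threshold 80;
                intel-inspect-cpu-usg-tolerance 5;
                intel-inspect-free-mem-threshold 15;
                intel-inspect-mem-tolerance 5;
                /* under overload, still evaluate the highest-severity signatures */
                intel-inspect-signature-severity critical;
            }
        }
    }
}
```

With this configuration, intelligent inspection engages once CPU usage reaches 80 percent and, per the tolerance value, backs off only after usage falls clearly below that mark; drop-if-no-policy-loaded closes the window in which traffic would otherwise pass uninspected; and max-sessions-offset 10 means the return-to-normal message is logged once the session count falls below 90 percent of the maximum, as the description above states. After committing, confirm the active values with show configuration security idp sensor-configuration.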

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 9.2.

Options intel-inspect-cpu-usg-threshold, intel-inspect-cpu-usg-tolerance, intel-inspect-disable-content-decompress, intel-inspect-enable, intel-inspect-free-mem-threshold, intel-inspect-mem-tolerance, intel-inspect-protocols, intel-inspect-session-bytes-depth, and intel-inspect-signature-severity added in Junos OS Release 19.2R1.

Starting in Junos OS Release 18.4R1, the reset-on-policy command is deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.