Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

IDP Sensor Configuration

Although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and also to limit memory usage for application identification.

For more information, see the following topics:

Understanding IDP Sensor Configuration Settings

Sensor configuration options are used to:

  • Log run conditions as IDP session capacity and memory limits are approached.

  • To analyze traffic dropped by IDP and application identification when the limits are exceeded.

Although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and also to limit memory usage for application identification.

You can configure the maximum amount of memory bytes that can be used to save packets for application identification for one TCP or UDP session. You can also configure a limit for global memory usage for application identification. Application identification is disabled for a session after the system reaches the specified memory limit for the session. However, IDP continues to match patterns. The matched application is saved to cache so that the next session can use it. This protects the system from attackers trying to bypass application identification by purposefully sending large client-to-server packets.

  • max-tcp-session-packet-memory—To configure memory and session limits for IDP application identification services, run the set security idp sensor-configuration application-identification max-tcp-session-packet-memory 5000 command.

  • memory-limit-percent—To set memory limit percentage for data plane available in the system, which can be used for IDP allocation, run the set security idp sensor-configuration global memory-limit-percent command. The supported percentage value is from 10 through 90.

  • drop-if-no-policy-loaded—At startup, traffic is ignored by IDP by default if the IDP policy is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that all sessions are dropped before the IDP policy is loaded.

    The following counter for the show security idp counters flow command output analyzes dropped traffic due to the drop-if-no-policy-loaded option:

  • drop-on-failover—By default, IDP ignores failover sessions in an SRX Series chassis cluster deployment. The drop-on-failover option changes this behavior and automatically drops sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs.

    The following counter for the show security idp counters flow command output analyzes dropped failover traffic due to the drop-on-failover option:

  • drop-on-limit—By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this case, IDP and other sessions are dropped only when the device’s session capacity or resources are depleted. The drop-on-limit option changes this behavior and drops sessions when resource limits are exceeded.

    The following counters for the show security idp counters flow command output analyze dropped IDP traffic due to the drop-on-limit option:

    The following counters for the show security idp counters application-identification command output analyze dropped application identification traffic due to the drop-on-limit option:

    The following options are used to trigger informative log messages about current run conditions. When set, the log messages are triggered whether the drop-on-limit option is set or not.

  • max-sessions-offset—The max-sessions-offset option sets an offset for the maximum IDP session limit. When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.

  • min-objcache-limit-lt—The min-objcache-limit-lt option sets a lower threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures. For example, the following message shows that the IDP cache memory has dropped below the lower threshold and that a number of sessions have been dropped:

  • min-objcache-limit-ut—The min-objcache-limit-ut option sets an upper threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal. For example, the following message shows that the available IDP cache memory has increased above the upper threshold and that it is now performing normally:

    Note:

    This message is triggered only if the lower threshold has been reached and the available memory has returned above the upper threshold. Fluctuations in available memory that dropped below the upper threshold but did not fall below the lower threshold do not trigger the message.

Starting with Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, IDP Intelligent Bypass feature is supported on SRX Series.

In its default configuration, IDP attempts to inspect new and existing sessions, regardless of CPU utilization. This can lead to dropped packets, latency, and instability across the system during high CPU utilization events. To overcome unpredictable IDP packet processing behavior, you can enable the IDP Intelligent Bypass feature. This feature will give you the flexibility to bypass IDP or to drop the packets when the system CPU utilization reaches a high level, otherwise known as “Failing Open” (permit packets) or “Failing Closed” (dropping packets). By default, IDP Intelligent Bypass feature is not enabled. The following options are used to configure the IDP Intelligent Bypass feature.

  • idp-bypass-cpu-usage-overload— By default, IDP may consume 100 percent of available CPU and may begin dropping packets for all sessions inadvertently. To handle IDP packet processing behavior when the system CPU utilization reaches high threshold value, you can enable the IDP Intelligent Bypass feature. To enable IDP Intelligent Bypass feature, issue the set security idp sensor-configuration flow idp-bypass-cpu-overload command. By default, IDP Intelligent Bypass feature is not enabled.

  • idp-bypass-cpu-threshold— IDP stops inspecting new sessions when CPU utilization reaches the defined threshold value. The default threshold CPU utilization value is 85 percent. When CPU utilization reaches threshold value, IDP keeps on bypassing new sessions until CPU utilization falls below the lower threshold value. Alternatively, if you set the drop-on-limit, where IDP drops new session until CPU utilization falls below the lower threshold value. To configure the threshold value, issue set security idp sensor-configuration flow idp-bypass-cpu-threshold command. You can set a threshold value in the range 0 through 99. This threshold value is expressed as a percentage.

  • idp-bypass-cpu-tolerance— To configure the tolerance value, issue the set security idp sensor-configuration flow idp-bypass-cpu-tolerance command. You can set a tolerance value in the range 1 through 99. The default tolerance value is 5. This tolerance value is expressed as a percentage.

You can calculate the CPU upper and lower threshold values by using the following equations:

CPU upper threshold value = CPU threshold + CPU tolerance value.

CPU lower threshold value = CPU threshold - CPU tolerance value.

Figure 1: Understanding IDP Packet Processing Behavior During High ThresholdUnderstanding IDP Packet Processing Behavior During High Threshold

When the system CPU utilization exceeds the threshold value, IDP stops inspecting new sessions, but continues to inspect existing sessions. In this state, if drop-on-limit is set, IDP starts dropping new sessions. Log messages are triggered to indicate new sessions are dropped. For example, the following message states that IDP CPU utilization has crossed the threshold value and IDP may drop new sessions:

When the system CPU utilization exceeds the upper threshold value, IDP stops inspecting the packets of existing sessions and new sessions. In this state, no packets can go through IDP inspection. If drop-on-limit is set, IDP drops all sessions. Log messages are triggered to indicate all sessions are dropped. For example, the following message states that IDP CPU utilization has crossed the upper threshold value, and IDP stops inspecting the packets of existing sessions and new sessions:

When the system CPU utilization falls below the lower threshold value, IDP starts inspecting new session and returns to normal mode. IDP will not inspect existing discarded sessions. Log messages are triggered to indicate IDP starts inspecting new session and returned to normal mode. For example, the following message states that IDP CPU utilization falls below the lower threshold value, and IDP returns to normal mode:

IDP Protection Modes

IDP protection modes adjust the inspection parameters for efficient inspection of traffic in the device. To enable the IDP protection modes, issue the security-configuration protection-mode mode command at the [edit security idp sensor-configuration] hierarchy level.

user@host# set security-configuration protection-mode mode

There are four IDP protection modes :

Note:

All IDP protection modes inspect CTS(Client To Server) traffic.

Table 1:

Mode

Description

Perimeter-Full

Inspects all STC(Server To Client) traffic.

Processes TCP errors without any optimization.

Note:

This is the default mode.

Perimeter

Inspects all STC traffic.

Processes TCP errors with optimization. For TCP packets, if SYN is received in a window and has a TCP error flag set, then process the TCP error and take appropriate action. Drop the current packet and ignore inspection on the entire session.

Datacenter-Full

Disables all STC traffic inspection.

Processes TCP errors without any optimization.

Note:

Datacenter-Full can be used in situations where the SRX device is only responsible for protecting servers whose response traffic is not deemed interesting for analysis. Datacenter-Full should not be used in cases where the SRX device is responsible for protecting clients.

Datacenter

Disables all STC traffic inspection.

Processes TCP errors with optimization. For TCP packets, if SYN is received in a window and has a TCP error flag set, then process the TCP error and take appropriate action. Drop the current packet and ignore inspection on the entire session.

Datacenter configuration is optimized to provide balanced protection and performance.

Example: Improving Logging and Traffic Analysis with IDP Sensor Configuration Options

This example shows how to improve logging and traffic analysis by configuring IDP sensor configuration options. For instance, although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and to limit its memory usage. In addition, you can use these options to log run conditions as IDP session capacity and memory limits are approached, and to analyze traffic dropped by IDP and application identification when exceeding these limitations.

Requirements

Before you begin:

  • Configure network interfaces.

  • Download the signature database. See Example: Updating the IDP Signature Database Manually. Application signatures are available as part of the security package provided by Juniper Networks. You download predefined application signatures along with the security package updates.

Overview

The IDP sensor monitors the network and detects suspicious and anomalous network traffic based on specific rules defined in IDP rulebases. It applies attack objects to traffic based on protocols or applications. Application signatures enable the sensor to identify known and unknown applications running on nonstandard ports and to apply the correct attack objects.

The default behavior of IDP is to ignore the sessions when:

  • IDP policy is not configured in the device

  • Resource limits (memory or active sessions) are reached

  • In case of Chassis Cluster, for failed over sessions

If traffic availability is considered more important than security, then it is recommended to continue to use the above mentioned default behavior of IDP. However, If security is considered more important than availability, then it is recommended to change the default behavior with the configuration provided in this example.

You can achieve the following from this example:

  • Although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and also limit memory usage for application identification. You can configure the maximum amount of memory bytes that can be used to save packets for application identification for one TCP or UDP session. You can also configure a limit for global memory usage for application identification. Application identification is disabled for a session after the system reaches the specified memory limit for the session.

  • By default, IDP ignores failover sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs in an SRX Series chassis cluster deployment. In this example, you specify that these sessions are dropped automatically and are captured in the respective counter instead of being ignored. You can monitor and analyze the sessions dropped when a failover on the secondary node occurs.

  • By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this example, you specify that if the IDP session limit or resource limits are exceeded, then the sessions are dropped and logging is added. You can set a maximum sessions offset limit value for the maximum IDP session limit. When the number of IDP sessions exceeds that value, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.

  • You can specify a lower threshold for available cache memory. If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures. This log enables you to control the number of sessions dropped, and these dropped sessions can later be analyzed and considered for processing.

  • Similarly, you can specify an upper threshold for available cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal. This log enables you to control the number of sessions dropped, and these dropped sessions can later be analyzed and considered for processing.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To set IDP sensor configuration options:

  1. Specify the memory limits for application identification.

  2. Specify that traffic is dropped before the IDP policy is loaded.

  3. Specify that failover sessions in an SRX Series chassis cluster deployment are dropped.

  4. Specify that sessions are dropped when resource limits are exceeded.

    Note:

    If you do not want the sessions to be dropped when resource limits are exceeded, run the delete drop-on-limit command.

  5. Configure an offset value for the maximum IDP session limit.

  6. Set a lower threshold for available cache memory.

  7. Set an upper threshold for available cache memory.

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying IDP Sensor Configuration Settings

Purpose

Verify the IDP sensor configuration settings.

Action

From operational mode, enter the show security idp sensor-configuration command.

Meaning

The show security idp sensor-configuration command displays all sensor configuration options that are set with certain values.

Verifying IDP Counters

Purpose

Verify the IDP counters.

Action

From operational mode, enter the show security idp counters flow command.

Sample Output
command-name
Meaning

The show security idp counters flow command displays all counters that are used for analyzing dropped failover traffic, dropped IDP traffic, and dropped application identification traffic.

IDP Intelligent Inspection

On SRX Series devices, if the configured CPU and memory threshold values exceed the resource limits, then IDP intelligent inspection helps the device recover from the overload state. Starting in Junos OS Release 19.2R1, you can enable IDP intelligent inspection and tune it dynamically to reduce the load of full IDP inspection. IDP does not reject or ignore the session by tuning the IDP inspection when the resource limits reach the configured CPU and memory threshold values.

Before Junos OS Release 19.2R1, when the device exceeds the configured CPU and memory threshold limit, IDP either rejects or ignores new sessions.

To enable IDP intelligent inspection and the bypass feature, use the set security idp sensor-configuration flow intel-inspect-enable command.

Benefits of IDP Inspection Tuning

  • Gives importance to critical IDP inspection

  • Avoids low-priority IDP inspection

  • Reduces high system resource usage

Security Mechanisms for Tuning IDP Intelligent Inspection

  • Dynamic policy—Critical, major, and minor are the three important signature severities. You can tune the policy dynamically to include only the signatures of desired severity level. To include signatures of only critical severity, use the command set security idp sensor-configuration flow intel-inspect-signature-severity severity. To include signatures of critical and major severity, use the command set security idp sensor-configuration flow intel-inspect-signature-severity major. To include signatures of both critical, major and minor severity, use the command set security idp sensor-configuration flow intel-inspect-signature-severity minor. By default, attacks with severity as critical are included.

  • Content decompression—The content decompression can be avoided only when intel inspect is enabled and thresholds are reached. The protocol decoder decompresses the protocol content if the content is in a compressed state. You can avoid decompression of the protocol content by configuring the set security idp sensor-configuration flow intel-inspect-disable-content-decompress command.

  • Selective protocols—By default, IDP inspects all critical protocols. You can specify the list of critical protocols for IDP processing. To specify the list of protocols, use the set security idp sensor-configuration flow intel-inspect-protocols protocol command. IDP does not inspect noncritical protocols.

  • Inspection depth—For each session, by default, IDP inspects all the bytes of the session. By specifying inspection depth, IDP limits inspection to only specified number of bytes. To enable the inspection depth, use the command set security idp sensor-configuration flow intel-inspect-session-bytes-depth value. By default, the IDP intelligent inspection disables the inspection depth, which means all bytes are inspected.

CPU Utilization

You can configure the threshold limits for IDP inspection. When the CPU usage reaches the configured threshold, IDP intelligent inspection is activated.

To configure the threshold limits, use the following commands:

  • set security idp sensor-configuration flow intel-inspect-cpu-usg-threshold value

  • set security idp sensor-configuration flow intel-inspect-cpu-usg-tolerance value

Figure 12: Understanding CPU UsageUnderstanding CPU Usage

CPU utilization behaves as follows:

  • IDP stops full IDP processing on the new session when the CPU utilization reaches the configured intelligent inspection threshold. The IDP process only the tuned security inspection. This behavior triggers a syslog message to activate the IDP intelligent inspection.

  • IDP continues to function in intelligent inspection mode when the CPU utilization exceeds the intelligent inspection threshold and is in between the IDP bypass threshold and intelligent inspection lower threshold.

  • IDP starts the full IDP inspection on the new session and triggers a syslog to deactivate the IDP intelligent inspection when the CPU utilization drops below the lower threshold of intelligent inspection.

  • The IDP intelligent bypass feature activates when the CPU utilization reaches the IDP bypass threshold.

Memory Utilization

You can configure the memory limits for the IDP inspection. When the memory usage reaches the configured limit, it activates the IDP intelligent inspection.

To configure the available memory limits, use the following commands:

  • set security idp sensor-configuration flow intel-inspect-free-mem-threshold value

  • set security idp sensor-configuration flow intel-inspect-mem-tolerance value

Figure 13: Understanding Memory UsageUnderstanding Memory Usage

Memory utilization behaves as follows:

  • IDP activates the IDP intelligent inspection mode when the memory utilization reaches the intelligent inspection available memory lower threshold.

  • IDP continues to function in intelligent inspection mode when the memory utilization is in between intelligent inspection memory upper threshold and memory lower threshold.

  • IDP activates the IDP bypass feature when the memory utilization reaches the available memory lower threshold.

  • IDP activates to normal mode when the memory utilization drops and exceeds the intelligent inspection available memory upper threshold.

Limitation

IDP intelligent inspection is supported only at the primary logical system level.

Example: Configuring IDP Intelligent Inspection

The IDP intelligent inspection helps the device to recover from the overload state when the device exceeds the configured CPU and memory threshold limit.

This example shows how to enable the IDP intelligent inspection and tune the IDP inspection dynamically to reduce the load of full IDP inspection.

Requirements

Read IDP Sensor Configuration to understand when and how the IDP intelligent inspection and IDP bypass feature works.

Overview

Prior to Junos OS Release 19.2R1, when the device reaches the configured CPU and memory threshold values, IDP ignores or rejects new session. Also, when the device crosses the upper threshold, IDP discards packets of existing and new session.

Tuning the IDP inspection helps the device gradually increase the CPU and memory utilization and gives importance to critical inspection. This example shows how to tune the IDP inspection after enabling the IDP intelligent inspection.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

To configure the IDP intelligent inspection:

  1. Enable the IDP intelligent inspection.

  2. Configure the CPU threshold limit.

  3. Configure the CPU tolerance.

  4. Configure the memory tolerance.

  5. Configure the memory limit.

  6. Specify the severity level.

  7. Disable content decompression.

  8. Configure the packet inspection depth.

  9. Configure the the protocol for inspection.

Results

From configuration mode, confirm your configuration by entering the show security idp sensor-configuration command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the devices, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the status of all IDP flow counter values

Purpose

Verify that the IDP intelligent inspection captures counter values.

Action
Meaning

The show command displays counters for the IDP intelligent inspection.

Verify the status of IDP current policy

Purpose

Verify that the IDP intelligent inspection captures current policy.

Action
Meaning

The show security idp status command displays IDP current policy. Though you have enabled IDP intelligent inspection, the state of IDP intelligent inspection can be inactive when you execute show security idp status operational command. The reason is the configured CPU and memory threshold values don’t exceed the resource limit. When the CPU usage reaches the configured threshold, the state of IDP intelligent inspection becomes active.

Release History Table
Release
Description
12.3X48-D10
Starting with Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, IDP Intelligent Bypass feature is supported on SRX Series.