About the Sensor Page

You are here: Security Services > IPS > Sensor.

You can configure sensor settings to limit the number of sessions running application identification and also to limit memory usage for application identification.

Field Descriptions

Table 1 describes the fields on the Sensor page.

Table 1: Fields on the Sensor Page

Field

Description

Packet Capture

Local Storage

Enable this option to store the PCAP file locally (/var/log/pcap/idp/) on the SRX Series Firewall.

Maximum files

Enter or select the maximum number of unique packet capture files to create before the oldest file is overwritten by a newly created file.

Range: 1 through 5000.

Storage limit

Enter or select the maximum disk space, in megabytes, that packet capture files can use in the Routing Engine.

Range: 1 MB through 4096 MB.

External Server

Enable this option to send the PCAP file to an external server.

IP Address

Enter the external server IPv4 address that captures the packet.

Port

Enter or select the port number of the server for SRX Series Firewalls to send the packet capture object.

Port number: 0 through 65535. Default port is 2050.

Source Address

Enter the source IPv4 address for the carrier TCP or UDP packet.

Intelligent IDP ByPass

IDP By Pass

Enable or disable the IDP Intelligent Bypass option.

IDP By Pass CPU Threshold

Enter the threshold value.

Range: 0 through 99. Default value: 85.

IDP By Pass CPU Tolerance

Enter the CPU tolerance value.

Range: 1 through 99. Default value: 5.

Intelligent Inspection

Enable or disable this option.

If you enable this option, enter the following details:

  • Ignore Content Decompression—Enable this option to enable payload content decompression.

  • Signature Severity—Select from the list the attack severity levels that the signature will report for IDP processing. The available options are minor, major, and critical.

    Note:

    Click Clear All to clear all the selected severity values.

  • Protocols—Select from the list the protocols that need to be processed in Intelligent Inspection mode.

    Note:

    Click Clear All to clear all the selected protocols.

  • CPU Threshold (%)—Enter the value of CPU usage threshold percentage for intelligent inspection.

    Range: 0 through 99 percent.

  • CPU Tolerance (%)—Enter the value of CPU usage tolerance percentage for intelligent inspection.

    Range: 1 through 99 percent.

  • Memory Tolerance—Enter the value of memory tolerance percentage for intelligent inspection.

    Range: 1 through 100 percent.

  • Free Memory Threshold—Enter the value of free memory threshold percentage for intelligent inspection.

    Range: 1 through 100 percent.

  • Session Bytes Depth—Enter the value of session bytes scanning depth.

    Range: 1 through 1000000 bytes.

Memory Lower Threshold

Enter the memory lower threshold limit percentage.

Range: 1 through 100.

Memory Upper Threshold

Enter the memory upper threshold limit percentage.

Range: 1 through 100.

Advanced Settings

IDP Protection Mode

Protection Mode

Select an option to specify the inspection parameters for efficient inspection of traffic in the device. The options available are:

  • DataCenter—Disables all STC (server-to-client) traffic inspection.

  • Datacenter Full—Disables all STC traffic inspection.

  • Perimeter—Inspects all STC traffic.

  • Perimeter Full—Inspects all STC traffic.

Exception Handling

Drop On Limit

Enable this option to drop connections when resource limits are exceeded.

Drop On Failover

Enable this option to drop traffic on HA failover sessions.

Drop If No Policy Loaded

Enable this option to drop all traffic until the IDP policy is loaded.

IDP Flow

Log Errors

Enable this option to specify whether flow errors are logged.

Select an option from the list.

Flow FIFO Max Size

Enter a value to specify the maximum FIFO size.

Range: 1 through 65535. Default value is 1.

Hash Table Size

Enter a value to specify the hash table size.

Range: 1024 through 1,000,000. Default value is 1024.

Max Timers Poll Ticks

Enter a value to specify the maximum amount of time at which the timer ticks at a regular interval.

Range: 0 through 1000 ticks. Default value is 1000 ticks.

Reject Timeout

Enter a value to specify the amount of time in milliseconds within which a response must be received.

Range: 1 through 65,535 seconds. Default value is 300 seconds.

Global

Enable All Qmodules

Select an option from the list to specify whether all the qmodules of the global rulebase IDP security policy are enabled.

Enable Packet Pool

Select an option from the list to specify whether the packet pool is enabled for use when the current pool is exhausted.

Policy Lookup Cache

Select an option from the list to specify whether the cache is enabled to accelerate IDP policy lookup.

Memory Limit Percent

Enter a value to limit IDP memory usage to this percentage of available memory.

Range: 10 through 90 percent.

HTTP X-Forwarded

When you enable this option, IDP saves the source IP addresses (IPv4 or IPv6) from the contexts of HTTP traffic during traffic flow and displays them in the attack logs.

IPS

Detect Shellcode

Select an option from the list to specify whether shellcode detection is applied.

Ignore Regular Expression

Select an option from the list to specify whether the sensor bypasses DFA and PCRE matching.

Process Ignore Server-to-Client

Select an option from the list to specify whether the sensor bypasses IPS processing for server-to-client flows.

Process Override

Select an option from the list to specify whether the sensor executes protocol decoders even without an IDP policy.

Process Port

Enter an integer to specify a port on which the sensor executes protocol decoders.

Range: 0 through 65535.

IPS FIFO Max Size

Enter an integer to specify the maximum allocated size of the IPS FIFO.

Range: 1 through 65535.

Minimum Log Supercade

Enter an integer to specify the minimum number of logs to trigger the signature hierarchy feature.

Range: 0 through 65535.

Log

Cache Size

Enter a value to specify the size in bytes for each user’s log cache.

Disable Suppression

Enable this option to disable log suppression.

Include Destination Address

Select an option from the list to specify whether to combine log records for events with a matching source address.

Max Logs Operate

Enter a value to specify the maximum number of logs on which log suppression can operate. Range is 255 through 65536.

Max Time Report

Enter a value to specify the time (seconds) after which suppressed logs will be reported. IDP reports suppressed logs after 5 seconds by default.

Start Log

Enter a value to specify the number of log occurrences after which log suppression begins. Log suppression begins with the first occurrence by default.

Range is 1 through 128.

Reassembler

Ignore Memory Overflow

Select an option from the list to specify whether per-flow memory is allowed to exceed its limit.

Ignore Reassembly Memory Overflow

Select an option from the list to specify whether per-flow reassembly memory is allowed to exceed its limit.

Ignore Reassembly Overflow

Enable this option to have the TCP reassembler ignore the global reassembly overflow, which prevents application traffic from being dropped.

Max Flow Memory

Enter an integer to specify the maximum per-flow memory for TCP reassembly in kilobytes.

Range: 64 through 4,294,967,295 kilobytes.

Max Packet Memory

Enter an integer to specify the maximum packet memory for TCP reassembly in kilobytes.

Range: 64 through 4,294,967,295 kilobytes.

Max Synacks Queued

Enter an integer to specify the maximum limit for queuing Syn/Ack packets with different SEQ numbers.

Range: 0 through 5.

Packet Log

Max Sessions

Enter an integer to specify the maximum number of sessions actively conducting pre-attack packet captures on a device at one time.

Range: 1 through 100 percent.

Total Memory

Enter an integer to specify the maximum amount of memory to be allocated to packet capture for the device.

Range: 1 through 100 percent.

Detectors—Click +.

The Detector window opens. Enter the following field details.

Protocol

Select the name of the protocol from the list to enable or disable the detector.

Tunable Name

Select the name of the specific tunable parameter from the list to enable or disable the protocol detector for each of the services.

Tunable Value

Enter the protocol value of the specific tunable parameter to enable or disable the protocol detector for each of the services.

Range: 0 through 4294967295.