Verifying IDP Counters for Application Identification Processes
Purpose
Verify the IDP counters for the application identification processes.
Action
From the CLI, enter the show security idp counters application-identification command.
Sample Output
user@host> show security idp counters application-identification
IDP counters:
  IDP counter type                                          Value
  AI cache hits                                             2682
  AI cache misses                                           3804
  AI matches                                                74
  AI no-matches                                             27
  AI-enabled sessions                                       3804
  AI-disabled sessions                                      2834
  AI-disabled sessions due to cache hit                     2682
  AI-disabled sessions due to configuration                 0
  AI-disabled sessions due to protocol remapping            0
  AI-disabled sessions due to non-TCP/UDP flows             118
  AI-disabled sessions due to no AI signatures              0
  AI-disabled sessions due to session limit                 0
  AI-disabled sessions due to session packet memory limit   34
  AI-disabled sessions due to global packet memory limit    0
Meaning
The output shows a summary of the application identification counters. Verify the following information:
- AI cache hits—Displays the number of hits on the application identification cache.
- AI cache misses—Displays the number of times the application matches but the application identification cache entry is not added.
- AI matches—Displays the number of times the application matches, and an application identification cache entry is added.
- AI no-matches—Displays the number of times the application does not match.
- AI-enabled sessions—Displays the number of sessions on which application identification is enabled.
- AI-disabled sessions—Displays the number of sessions on which application identification is disabled.
- AI-disabled sessions due to cache hit—Displays the number of sessions on which application identification is disabled after a cache entry is matched. The application identification process is discontinued for this session.
- AI-disabled sessions due to configuration—Displays the number of sessions on which application identification is disabled because of the sensor configuration.
- AI-disabled sessions due to protocol remapping—Displays the number of sessions for which application identification is disabled because you have configured a specific service in the IDP policy rule definition.
- AI-disabled sessions due to non-TCP/UDP flows—Displays the number of sessions for which application identification is disabled because the session is not a TCP or UDP session.
- AI-disabled sessions due to no AI signatures—Displays the number of sessions for which application identification is disabled because no match is found on the application identification signatures.
- AI-disabled sessions due to session limit—Displays the number of sessions for which application identification is disabled because sessions have reached the maximum limit configured. Application identification is disabled for future sessions too.
- AI-disabled sessions due to session packet memory limit—Displays the number of sessions for which application identification is disabled because sessions have reached the maximum memory limit on TCP or UDP flows. Application identification is disabled for future sessions too.
- AI-disabled sessions due to global packet memory limit—Displays the number of sessions for which application identification is disabled because the maximum memory limit is reached. Application identification is disabled for future sessions too.
For a complete description of show security idp counters output, see the JUNOS Software CLI Reference.
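The following Python script is an added example, not part of the JUNOS documentation. It parses saved output of this command and reports the three limit counters that, per the descriptions above, also disable application identification for future sessions. The function names are hypothetical, and the check that the per-reason counters add up to the AI-disabled sessions total is an assumption drawn from the sample output, where they do.

```python
import re

# Sample output from this page, one counter per line.
SAMPLE = """\
IDP counters:
  IDP counter type                                       Value
  AI cache hits                                          2682
  AI cache misses                                        3804
  AI matches                                             74
  AI no-matches                                          27
  AI-enabled sessions                                    3804
  AI-disabled sessions                                   2834
  AI-disabled sessions due to cache hit                  2682
  AI-disabled sessions due to configuration              0
  AI-disabled sessions due to protocol remapping         0
  AI-disabled sessions due to non-TCP/UDP flows          118
  AI-disabled sessions due to no AI signatures           0
  AI-disabled sessions due to session limit              0
  AI-disabled sessions due to session packet memory limit 34
  AI-disabled sessions due to global packet memory limit 0
"""

PREFIX = "AI-disabled sessions due to "
# Reasons the page says also disable AI for future sessions.
LIMIT_REASONS = ("session limit", "session packet memory limit",
                 "global packet memory limit")

def parse_counters(text):
    """Return {counter name: value} for each 'AI...' line ending in a number."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(AI\b.*?)\s+(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def review(counters):
    """Return a list of findings worth an operator's attention."""
    reasons = {k[len(PREFIX):]: v for k, v in counters.items()
               if k.startswith(PREFIX)}
    total = counters["AI-disabled sessions"]
    findings = []
    # Assumption (holds in the sample): reasons add up to the total.
    if sum(reasons.values()) != total:
        findings.append(f"reason counters sum to {sum(reasons.values())}, total is {total}")
    for reason in LIMIT_REASONS:
        if reasons.get(reason, 0) > 0:
            findings.append(f"{reasons[reason]} sessions lost AI due to {reason}")
    return findings
```
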
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding IDP Application Identification
- Example: Setting Memory and Session Limits for IDP Application Identification (CLI)
- Understanding IDP Service and Application Bindings by Attack Objects
- Verifying Application System Cache Statistics