global-config (Services)

Syntax

Hierarchy Level

Description

Specify the global proxy configuration. When SSL proxy is configured at a global level (within “services ssl proxy”), it is visible across the system configurations on the device.

Options

cache-usage-enforcement-threshold cache-usage-enforcement-threshold

Percentage of total cache size after which per-logical-system limits are enforced.

  • Range: 1 through 100

certificate-cache-timeout seconds

Regulates the certificate cache timeout.

  • Default: 600 seconds

disable-cert-cache

Disable the certificate cache. By default, the certificate cache is enabled.

disable-deferred-profile-selection

Disable the deferred profile selection mechanism. In the deferred profile selection mechanism, the SSL proxy module defers SSL profile selection until the dynamic application is detected in a client hello message based on the Server Name Indication (SNI). After detecting the dynamic application, the SSL proxy module performs a firewall rule lookup based on the identified application and selects the appropriate SSL proxy profile.

invalidate-cache-on-crl-update

Invalidate the existing certificate cache when the certificate revocation list (CRL) is updated. By default, this option is disabled.

non-ssl-detection-threshold

Set the limit that determines how long to wait before ignoring the session if StartTLS is not received from the client.

  • byte-threshold byte-threshold—Minimum bytes required to ignore the session. SSL proxy allows the configured number of bytes of plain (unencrypted) SMTP. After reaching the limit, it ignores the session if StartTLS is not received from the client.
    • Default: 200

    • Range: 1 through 600

  • packet-threshold packet-threshold—Number of plain (unencrypted) packets in client-to-server direction. SSL proxy allows the configured number of packets of plain (unencrypted) SMTP. After reaching the limit, it ignores the session if StartTLS is not received from the client.

    • Default: 5

    • Range: 1 through 15
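The following Python model is an added example, not Juniper code, showing how the two thresholds decide whether a plain SMTP session is picked up by SSL proxy or ignored. It assumes that reaching either limit is enough to ignore the session; the function name, verdict strings, and SMTP sessions are constructed for illustration.

```python
"""Model of the non-ssl-detection-threshold decision (constructed example)."""

BYTE_RANGE = range(1, 601)    # byte-threshold: 1 through 600 (from this page)
PACKET_RANGE = range(1, 16)   # packet-threshold: 1 through 15 (from this page)


def classify_session(client_packets, byte_threshold=200, packet_threshold=5):
    """Return (verdict, packets_seen, bytes_seen) for client-to-server payloads.

    "ssl-proxy": STARTTLS arrived before a limit was reached.
    "ignored":   a limit was reached first (assumption: either limit suffices).
    "pending":   the sample ended before either happened.
    """
    if byte_threshold not in BYTE_RANGE:
        raise ValueError("byte-threshold must be 1 through 600")
    if packet_threshold not in PACKET_RANGE:
        raise ValueError("packet-threshold must be 1 through 15")

    packets_seen = bytes_seen = 0
    for payload in client_packets:
        # SMTP command verbs are case-insensitive.
        if payload.strip().upper() == b"STARTTLS":
            return ("ssl-proxy", packets_seen, bytes_seen)
        packets_seen += 1
        bytes_seen += len(payload)
        if bytes_seen >= byte_threshold or packets_seen >= packet_threshold:
            return ("ignored", packets_seen, bytes_seen)
    return ("pending", packets_seen, bytes_seen)


# Constructed sessions: one upgrades immediately, one never upgrades,
# one upgrades only after several plain commands.
UPGRADING = [b"EHLO mail.example.test\r\n", b"STARTTLS\r\n"]
PLAINTEXT = [
    b"EHLO mail.example.test\r\n",
    b"MAIL FROM:<a@example.test>\r\n",
    b"RCPT TO:<b@example.test>\r\n",
    b"DATA\r\n",
    b"Subject: hi\r\n\r\nbody\r\n.\r\n",
]
LATE_UPGRADE = [b"EHLO mail.example.test\r\n"] + [b"NOOP\r\n"] * 4 + [b"STARTTLS\r\n"]

if __name__ == "__main__":
    for name, session in [("upgrading", UPGRADING), ("plaintext", PLAINTEXT),
                          ("late-upgrade", LATE_UPGRADE)]:
        print(name, classify_session(session))
    # A higher packet-threshold keeps the late upgrader in scope for SSL proxy.
    print("late-upgrade, packet-threshold 10:",
          classify_session(LATE_UPGRADE, packet_threshold=10))
```

Under this model, a client that sends STARTTLS after the limit is reached is no longer handled by SSL proxy, so very low thresholds trade inspection coverage for faster release of plain sessions.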

Note:

Starting in Junos OS Release 23.4R1, we've renamed the mail-threshold statement to non-ssl-detection-threshold.

Note:

In case your firewall is processing FTP or SMTP traffic and has unified policy (dynamic-application) and ssl-proxy configured, we recommend the following configuration:

session-cache-timeout seconds

Specify the session cache timeout.

  • Range: 300 to 3600 seconds

Required Privilege Level

services—To view this statement in the configuration.

services-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 12.1X44-D10. The disable-cert-cache, certificate-cache-timeout, and invalidate-cache-on-crl-update options were introduced in Junos OS Release 18.1R1.