sensor-configuration
Syntax
sensor-configuration {
    application-identification {
        max-packet-memory-ratio percentage-value;
    }
    detector {
        protocol-name protocol-name {
            tunable-name tunable-name {
                tunable-value protocol-value;
            }
        }
    }
    flow (Security IDP) {
        (allow-icmp-without-flow | no-allow-icmp-without-flow);
        fifo-max-size value;
        drop-if-no-policy-loaded;
        drop-on-failover;
        drop-on-limit;
        hash-table-size value;
        idp-bypass-cpu-threshold idp-bypass-cpu-threshold;
        idp-bypass-cpu-tolerance idp-bypass-cpu-tolerance;
        idp-bypass-cpu-usg-overload;
        intel-inspect-cpu-usg-threshold intel-inspect-cpu-usg-threshold;
        intel-inspect-cpu-usg-tolerance intel-inspect-cpu-usg-tolerance;
        intel-inspect-disable-content-decompress;
        intel-inspect-enable;
        intel-inspect-free-mem-threshold intel-inspect-free-mem-threshold;
        intel-inspect-mem-tolerance intel-inspect-mem-tolerance;
        intel-inspect-protocols [ intel-inspect-protocols ... ];
        intel-inspect-session-bytes-depth intel-inspect-session-bytes-depth;
        intel-inspect-signature-severity (critical | major | minor);
        (log-errors | no-log-errors);
        max-sessions-offset value;
        max-timers-poll-ticks value;
        min-objcache-limit-lt lower-threshold-value;
        min-objcache-limit-ut upper-threshold-value;
        reject-timeout value;
        (reset-on-policy | no-reset-on-policy);
        udp-anticipated-timeout value;
    }
    global {
        (enable-all-qmodules | no-enable-all-qmodules);
        (enable-packet-pool | no-enable-packet-pool);
        memory-limit-percent value;
        (policy-lookup-cache | no-policy-lookup-cache);
    }
    high-availability {
        no-policy-cold-synchronization;
    }
    ips {
        content-decompression-max-memory-kb value;
        content-decompression-max-ratio value;
        (detect-shellcode | no-detect-shellcode);
        fifo-max-size value;
        (ignore-regular-expression | no-ignore-regular-expression);
        log-supercede-min minimum-value;
        pre-filter-shellcode;
        (process-ignore-s2c | no-process-ignore-s2c);
        (process-override | no-process-override);
        process-port port-number;
    }
    log (Security IDP Sensor Configuration) {
        cache-size size;
        suppression {
            disable;
            (include-destination-address | no-include-destination-address);
            max-logs-operate value;
            max-time-report value;
            start-log value;
        }
    }
    packet-log {
        host ip-address <port number>;
        max-sessions percentage;
        source-address ip-address;
        total-memory percentage;
        ssl-profile-name <profile-name>;
    }
    re-assembler {
        action-on-reassembly-failure (drop | drop-session | ignore);
        (force-tcp-window-checks | no-force-tcp-window-checks);
        (ignore-memory-overflow | no-ignore-memory-overflow);
        (ignore-reassembly-memory-overflow | no-ignore-reassembly-memory-overflow);
        ignore-reassembly-overflow;
        max-flow-mem value;
        max-packet-mem-ratio percentage-value;
        max-synacks-queued value;
        (tcp-error-logging | no-tcp-error-logging);
    }
    ssl-inspection {
        cache-prune-chunk-size number;
        key-protection;
        maximum-cache-size number;
        session-id-cache-timeout seconds;
        sessions number;
    }
}
Hierarchy Level
[edit security idp]
Description
Configure various IDP parameters to match the properties of transiting network traffic.
Options
Starting in Junos OS Release 22.1R1, you can enable a secure SSL connection and send encrypted IDP packet capture logs to the packet capture receiver. To establish the SSL connection, you must specify the SSL initiation profile that you want to use in the IDP packet log configuration.
ssl-profile-name profile-name—SSL initiation profile name to be used for encrypted packet log transmission. The SSL profile name must be configured in the SSL initiation profile configuration. Configuration and installation of SSL certificates, and the SSL handshake settings required to establish a secure connection, are performed as part of the SSL initiation profile configuration. SSL versions are chosen based on the SSL initiation configuration. The SSL profile must be configured in each logical system separately.
If the SSL profile name is not configured in the SSL initiation profile configuration, the following message is displayed: Referenced SSL initiation profile is not defined.
The remaining statements are explained separately. See CLI Explorer.
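An added example, not part of the Juniper documentation: a small Python audit of set-format configuration that flags a packet-log receiver configured without ssl-profile-name, and an ssl-profile-name that is not defined in the same logical system. The set services ssl initiation profile and logical-systems paths, the function name audit_packet_log, and all sample names and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in set-command form; names and addresses are made up.
SAMPLE = """\
set services ssl initiation profile pcap-tls protocol-version tls12
set security idp sensor-configuration packet-log host 192.0.2.10 port 5000
set security idp sensor-configuration packet-log ssl-profile-name pcap-tls
set logical-systems LS1 security idp sensor-configuration packet-log host 192.0.2.20
set logical-systems LS1 security idp sensor-configuration packet-log ssl-profile-name pcap-tls
set logical-systems LS2 security idp sensor-configuration packet-log host 192.0.2.30
"""

# Assumed hierarchy paths (see lead-in); an optional logical-systems prefix sets the scope.
LS = re.compile(r"^set (?:logical-systems (\S+) )?(.*)$")
PROFILE = re.compile(r"^services ssl initiation profile (\S+)")
PKTLOG = re.compile(r"^security idp sensor-configuration packet-log (host|ssl-profile-name) (\S+)")


def audit_packet_log(config: str) -> list[str]:
    """Return findings for IDP packet-log transport, one scope per logical system."""
    defined = defaultdict(set)   # scope -> SSL initiation profiles defined there
    pktlog = defaultdict(dict)   # scope -> {"host": ..., "ssl-profile-name": ...}
    for line in config.splitlines():
        m = LS.match(line.strip())
        if not m:
            continue
        scope, stmt = m.group(1) or "root", m.group(2)
        if (p := PROFILE.match(stmt)):
            defined[scope].add(p.group(1))
        elif (k := PKTLOG.match(stmt)):
            pktlog[scope][k.group(1)] = k.group(2)

    findings = []
    for scope, opts in sorted(pktlog.items()):
        name = opts.get("ssl-profile-name")
        if name is None:
            # Receiver set but no SSL initiation profile: packet captures leave unencrypted.
            if "host" in opts:
                findings.append(f"{scope}: packet-log host {opts['host']} has no ssl-profile-name")
        elif name not in defined[scope]:
            # Profiles are per logical system; a root-level profile does not satisfy LS1.
            findings.append(f"{scope}: Referenced SSL initiation profile is not defined ({name})")
    return findings


if __name__ == "__main__":
    for finding in audit_packet_log(SAMPLE):
        print(finding)
```

On the constructed sample, LS1 is flagged because it reuses a profile that exists only at the root level, and LS2 because it sends packet captures without any SSL profile.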
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.2. Packet memory ratios added in Junos OS Release 12.1X44-D20.
intel-inspect-cpu-usg-threshold, intel-inspect-cpu-usg-tolerance, intel-inspect-disable-content-decompress, intel-inspect-enable, intel-inspect-free-mem-threshold, intel-inspect-mem-tolerance, intel-inspect-protocols, intel-inspect-session-bytes-depth, and intel-inspect-signature-severity options added in Junos OS Release 19.2R1.