forwarding-process
Syntax
forwarding-process {
    application-services {
        enable-gtpu-distribution;
        inline-fpga-crypto (disabled | enabled);
        maximize-alg-sessions;
        maximize-idp-sessions {
            inline-tap;
            weight {
                firewall;
                idp;
            }
        }
        maximize-persistent-nat-capacity;
        packet-ordering-mode (hardware | software);
    }
    enhanced-services-mode;
}
Hierarchy Level
[edit security]
Description
You can configure SRX5400, SRX5600, and SRX5800 devices to switch from the integrated firewall mode to maximize Intrusion Detection and Prevention (IDP) mode, which runs IDP processing in tap mode and increases processing capacity, by using the maximize-idp-sessions option. Inline tap mode can only be configured if the forwarding process mode is set to maximize-idp-sessions, which ensures stability and resiliency for firewall services. You also do not need a separate tap or SPAN port to use inline tap mode. When you maximize IDP, you decouple IDP processes from firewall processes, allowing the device to support the same number of firewall and IDP sessions and also to run IDP processing in tap mode.
You can configure the maximum number of Application Layer Gateway (ALG) sessions by using the maximize-alg-sessions option. By default, the session capacity for Real-Time Streaming Protocol (RTSP), FTP, and Trivial File Transfer Protocol (TFTP) ALG sessions is 10,000 per flow Services Processing Unit (SPU). You must reboot the device (and its peer in chassis cluster mode) for the configuration to take effect. The maximize-alg-sessions option enables you to increase the defaults as follows:
RTSP, FTP, and TFTP ALG session capacity: 25,000 per flow SPU
TCP proxy connection capacity: 40,000 per flow SPU
Note: Flow session capacity is reduced to half per flow SPU; therefore, the aforementioned capacity numbers do not change on the central point flow.
Enable GPRS tunneling protocol, user plane (GTP-U) session distribution to distribute GTP-U traffic handled by a Gateway GPRS Support Node (GGSN) and Serving GPRS Support Node (SGSN) pair across all Services Processing Units (SPUs). You can configure tunnel-based distribution to distribute GTP-U traffic to multiple SPUs with the enable-gtpu-distribution option on SRX5400, SRX5600, and SRX5800 devices, which helps to resolve the GTP-U fat session issue. The enable-gtpu-distribution option is also required to enable stateful GTP-U inspection.
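The following configuration-mode session is an added example and not part of the Juniper documentation. It shows how the maximize-idp-sessions and inline-tap statements from the syntax above are entered as set commands, how the resulting hierarchy appears under [edit security forwarding-process], and the commit followed by the reboot that the description says is required before a forwarding-process change takes effect. The hostname srx5800-1 and the prompts are constructed for illustration.

```junos
[edit]
user@srx5800-1# set security forwarding-process application-services maximize-idp-sessions
[edit]
user@srx5800-1# set security forwarding-process application-services maximize-idp-sessions inline-tap
[edit]
user@srx5800-1# show security forwarding-process
application-services {
    maximize-idp-sessions {
        inline-tap;
    }
}
[edit]
user@srx5800-1# commit
commit complete
[edit]
user@srx5800-1# exit
Exiting configuration mode
user@srx5800-1> request system reboot
```

Because inline-tap is a substatement of maximize-idp-sessions, the second set command cannot be committed on its own; the hierarchy itself enforces the rule that inline tap mode requires the maximize-idp-sessions forwarding mode. In a chassis cluster, repeat the reboot on the peer node as the description states.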
Options
enhanced-services-mode—Enable enhanced application services mode. When enhanced services mode is enabled, resources such as MBUF, JBUF, SERVICE-MEM, TCP-PROXY TCB, SZ-INFO, and user heap are increased in size, and Layer 4 session numbers are reduced by half.
The remaining statements are explained separately. See the CLI Explorer.
Required Privilege Level
security—To view this in the configuration.
security-control—To add this to the configuration.
Release Information
Statement introduced in Junos OS Release 9.6. This statement is supported.
Option enhanced-services-mode introduced in Junos OS Release 20.3R1 on vSRX Virtual Firewall 3.0.