IDP Sensor Configuration
Although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and also to limit memory usage for application identification.
For more information, see the following topics:
Understanding IDP Sensor Configuration Settings
Sensor configuration options are used to:
Log run conditions as IDP session capacity and memory limits are approached.
Analyze traffic dropped by IDP and application identification when the limits are exceeded.
You can configure the maximum amount of memory bytes that can be used to save packets for application identification for one TCP or UDP session. You can also configure a limit for global memory usage for application identification. Application identification is disabled for a session after the system reaches the specified memory limit for the session. However, IDP continues to match patterns. The matched application is saved to cache so that the next session can use it. This protects the system from attackers trying to bypass application identification by purposefully sending large client-to-server packets.
max-tcp-session-packet-memory—To configure memory and session limits for IDP application identification services, run the set security idp sensor-configuration application-identification max-tcp-session-packet-memory 5000 command.
memory-limit-percent—To set memory limit percentage for data plane available in the system, which can be used for IDP allocation, run the set security idp sensor-configuration global memory-limit-percent command. The supported percentage value is from 10 through 90.
drop-if-no-policy-loaded—At startup, traffic is ignored by IDP by default if the IDP policy is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that all sessions are dropped before the IDP policy is loaded. The following counter in the show security idp counters flow command output analyzes traffic dropped due to the drop-if-no-policy-loaded option:
Sessions dropped due to no policy 0
drop-on-failover—By default, IDP ignores failover sessions in an SRX Series chassis cluster deployment. The drop-on-failover option changes this behavior and automatically drops sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs. The following counter in the show security idp counters flow command output analyzes failover traffic dropped due to the drop-on-failover option:
Fail-over sessions dropped 0
drop-on-limit—By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this case, IDP and other sessions are dropped only when the device’s session capacity or resources are depleted. The drop-on-limit option changes this behavior and drops sessions when resource limits are exceeded. The following counters in the show security idp counters flow command output analyze IDP traffic dropped due to the drop-on-limit option:
SM Sessions encountered memory failures 0
SM Packets on sessions with memory failures 0
SM Sessions dropped 0
Both directions flows ignored 0
IDP Stream Sessions dropped due to memory failure 0
IDP Stream Sessions ignored due to memory failure 0
IDP Stream Sessions closed due to memory failure 0
Number of times Sessions exceed high mark 0
Number of times Sessions drop below low mark 0
Memory of Sessions exceeds high mark 0
Memory of Sessions drops below low mark 0
The following counters in the show security idp counters application-identification command output analyze application identification traffic dropped due to the drop-on-limit option:
AI-session dropped due to malloc failure before session create 0
AI-Sessions dropped due to malloc failure after create 0
AI-Packets received on sessions marked for drop due to malloc failure 0
The following options are used to trigger informative log messages about current run conditions. When set, the log messages are triggered whether or not the drop-on-limit option is set.
max-sessions-offset—The max-sessions-offset option sets an offset for the maximum IDP session limit. When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal. For example:
Jul 19 04:38:13 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233893, FPC 4 PIC 1 IDP total sessions pass through high mark 100000. IDP may drop new sessions. Total sessions dropped 0.
Jul 19 04:38:21 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233901, FPC 4 PIC 1 IDP total sessions drop below low mark 99000. IDP working in normal mode. Total sessions dropped 24373.
min-objcache-limit-lt—The min-objcache-limit-lt option sets a lower threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures. For example, the following message shows that the IDP cache memory has dropped below the lower threshold and that a number of sessions have been dropped:
Jul 19 04:07:33 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232053, FPC 4 PIC 1 IDP total available objcache(used 4253368304, limit 7247757312) drops below low mark 3986266515. IDP may drop new sessions. Total sessions dropped 1002593.
min-objcache-limit-ut—The min-objcache-limit-ut option sets an upper threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal. For example, the following message shows that the available IDP cache memory has increased above the upper threshold and that IDP is now performing normally:
Jul 19 04:13:47 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374232428, FPC 4 PIC 1 IDP total available objcache(used 2782950560, limit 7247757312) increases above high mark 4348654380. IDP working in normal mode. Total sessions dropped 13424632.
Note: This message is triggered only if the lower threshold has been reached and the available memory has returned above the upper threshold. Fluctuations in available memory that dropped below the upper threshold but did not fall below the lower threshold do not trigger the message.
Starting with Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, IDP Intelligent Bypass feature is supported on SRX Series.
In its default configuration, IDP attempts to inspect new and existing sessions, regardless of CPU utilization. This can lead to dropped packets, latency, and instability across the system during high CPU utilization events. To overcome unpredictable IDP packet processing behavior, you can enable the IDP Intelligent Bypass feature. This feature will give you the flexibility to bypass IDP or to drop the packets when the system CPU utilization reaches a high level, otherwise known as “Failing Open” (permit packets) or “Failing Closed” (dropping packets). By default, IDP Intelligent Bypass feature is not enabled. The following options are used to configure the IDP Intelligent Bypass feature.
idp-bypass-cpu-overload—By default, IDP may consume 100 percent of available CPU and may begin dropping packets for all sessions inadvertently. To control IDP packet processing behavior when the system CPU utilization reaches the high threshold value, you can enable the IDP Intelligent Bypass feature. To enable it, issue the set security idp sensor-configuration flow idp-bypass-cpu-overload command. By default, the IDP Intelligent Bypass feature is not enabled.
idp-bypass-cpu-threshold—IDP stops inspecting new sessions when CPU utilization reaches the defined threshold value. The default threshold CPU utilization value is 85 percent. When CPU utilization reaches the threshold value, IDP keeps bypassing new sessions until CPU utilization falls below the lower threshold value. Alternatively, if drop-on-limit is set, IDP drops new sessions until CPU utilization falls below the lower threshold value. To configure the threshold value, issue the set security idp sensor-configuration flow idp-bypass-cpu-threshold command. You can set a threshold value in the range 0 through 99. This threshold value is expressed as a percentage.
idp-bypass-cpu-tolerance—To configure the tolerance value, issue the set security idp sensor-configuration flow idp-bypass-cpu-tolerance command. You can set a tolerance value in the range 1 through 99. The default tolerance value is 5. This tolerance value is expressed as a percentage.
You can calculate the CPU upper and lower threshold values by using the following equations:
CPU upper threshold value = CPU threshold + CPU tolerance value.
CPU lower threshold value = CPU threshold - CPU tolerance value.
When the system CPU utilization exceeds the threshold value, IDP stops inspecting new sessions, but continues to inspect existing sessions. In this state, if drop-on-limit is set, IDP starts dropping new sessions. Log messages are triggered to indicate that new sessions are dropped. For example, the following message states that IDP CPU utilization has crossed the threshold value and IDP may drop new sessions:
FPC 0 PIC 1 IDP CPU usage 86 crossed threshold value 85. IDP may drop new sessions. Total sessions dropped 2
When the system CPU utilization exceeds the upper threshold value, IDP stops inspecting the packets of existing sessions and new sessions. In this state, no packets go through IDP inspection. If drop-on-limit is set, IDP drops all sessions. Log messages are triggered to indicate that all sessions are dropped. For example, the following message states that IDP CPU utilization has crossed the upper threshold value, and IDP stops inspecting the packets of existing sessions and new sessions:
FPC 0 PIC 1 IDP CPU usage 92 crossed upper threshold value 90. IDP may drop packets of existing sessions as well as new sessions. Total sessions dropped 21
When the system CPU utilization falls below the lower threshold value, IDP starts inspecting new sessions and returns to normal mode. IDP does not inspect sessions that were discarded earlier. Log messages are triggered to indicate that IDP is inspecting new sessions again and has returned to normal mode. For example, the following message states that IDP CPU utilization has fallen below the lower threshold value, and IDP returns to normal mode:
FPC 0 PIC 1 IDP CPU usage 75 dropped below lower threshold value 80. IDP working in normal mode. Total sessions dropped 25
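To make the three CPU states concrete, here is an added Python model of the Intelligent Bypass decision. It is this editor's example code, not Junos code: it derives the upper and lower thresholds from the two equations above, applies the hysteresis that the log messages describe, and returns, per packet, whether IDP inspects the packet, bypasses it (fail open) or drops it (fail closed, drop-on-limit set). The comparison operators at each crossing, the handling of the band between the lower threshold and the threshold, and the rule that a session skipped at creation stays uninspected are assumptions, marked as such in the comments.

```python
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"          # every session is inspected
    BYPASS_NEW = "bypass-new"  # new sessions are skipped, existing ones still inspected
    BYPASS_ALL = "bypass-all"  # no packets at all go through IDP inspection


class IdpBypassController:
    """Hypothetical model of the IDP Intelligent Bypass decision (not Junos code)."""

    def __init__(self, threshold=85, tolerance=5, drop_on_limit=False):
        if not 0 <= threshold <= 99:
            raise ValueError("idp-bypass-cpu-threshold must be 0 through 99")
        if not 1 <= tolerance <= 99:
            raise ValueError("idp-bypass-cpu-tolerance must be 1 through 99")
        self.threshold = threshold
        self.upper = threshold + tolerance   # CPU upper threshold value
        self.lower = threshold - tolerance   # CPU lower threshold value
        self.drop_on_limit = drop_on_limit   # fail closed instead of fail open
        self.mode = Mode.NORMAL
        self.discarded = set()  # sessions IDP skipped; never inspected later (assumption)
        self.dropped = set()    # sessions dropped because drop-on-limit is set
        self.log = []           # messages in the style of the ones quoted above

    @property
    def sessions_dropped(self):
        return len(self.dropped)

    def update_cpu(self, cpu):
        """Feed a CPU utilization sample (percent) and return the resulting mode."""
        previous = self.mode
        if cpu >= self.upper:            # assumption: "crossed" means >=
            self.mode = Mode.BYPASS_ALL
        elif cpu >= self.threshold:
            self.mode = Mode.BYPASS_NEW
        elif cpu < self.lower:
            self.mode = Mode.NORMAL
        # lower <= cpu < threshold: hysteresis band, hold the previous mode (assumption)
        if self.mode is not previous:
            self.log.append(self._message(cpu))
        return self.mode

    def _message(self, cpu):
        n = self.sessions_dropped
        if self.mode is Mode.BYPASS_ALL:
            return (f"IDP CPU usage {cpu} crossed upper threshold value {self.upper}. "
                    f"IDP may drop packets of existing sessions as well as new sessions. "
                    f"Total sessions dropped {n}")
        if self.mode is Mode.BYPASS_NEW:
            return (f"IDP CPU usage {cpu} crossed threshold value {self.threshold}. "
                    f"IDP may drop new sessions. Total sessions dropped {n}")
        return (f"IDP CPU usage {cpu} dropped below lower threshold value {self.lower}. "
                f"IDP working in normal mode. Total sessions dropped {n}")

    def handle_packet(self, session_id, is_new):
        """Return 'inspect', 'bypass' (fail open) or 'drop' (fail closed) for one packet."""
        if session_id in self.discarded:
            return "drop" if session_id in self.dropped else "bypass"
        if self.mode is Mode.NORMAL or (self.mode is Mode.BYPASS_NEW and not is_new):
            return "inspect"
        if self.drop_on_limit:
            self.discarded.add(session_id)
            self.dropped.add(session_id)
            return "drop"
        if is_new:
            self.discarded.add(session_id)   # existing sessions resume once CPU recovers
        return "bypass"


if __name__ == "__main__":
    ctl = IdpBypassController(threshold=85, tolerance=5)
    samples = ((70, "s1", True), (86, "s2", True), (92, "s1", False), (75, "s1", False))
    for cpu, session, is_new in samples:
        ctl.update_cpu(cpu)
        print(cpu, ctl.mode.value, session, ctl.handle_packet(session, is_new))
    print("\n".join(ctl.log))
```

Run with the defaults (threshold 85, tolerance 5) the model reproduces the sequence of the three quoted messages: bypass-new at 86, bypass-all at 92, normal again at 75, while a session that was created during bypass stays uninspected even after recovery.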
IDP Protection Modes
IDP protection modes adjust the inspection parameters for efficient inspection of traffic in the device. To enable an IDP protection mode, issue the security-configuration protection-mode mode command at the [edit security idp sensor-configuration] hierarchy level:
[edit security idp sensor-configuration]
user@host# set security-configuration protection-mode mode
There are four IDP protection modes:
All IDP protection modes inspect CTS (Client To Server) traffic.
Mode | Description
--- | ---
Perimeter-Full | Inspects all STC (Server To Client) traffic. Processes TCP errors without any optimization. Note: This is the default mode.
Perimeter | Inspects all STC traffic. Processes TCP errors with optimization. For TCP packets, if a SYN is received in a window and has a TCP error flag set, then the TCP error is processed and the appropriate action taken: the current packet is dropped and inspection is ignored on the entire session.
Datacenter-Full | Disables all STC traffic inspection. Processes TCP errors without any optimization. Note: Datacenter-Full can be used in situations where the SRX Series Firewall is only responsible for protecting servers whose response traffic is not deemed interesting for analysis. Datacenter-Full should not be used in cases where the SRX Series Firewall is responsible for protecting clients.
Datacenter | Disables all STC traffic inspection. Processes TCP errors with optimization. For TCP packets, if a SYN is received in a window and has a TCP error flag set, then the TCP error is processed and the appropriate action taken: the current packet is dropped and inspection is ignored on the entire session. The Datacenter configuration is optimized to provide balanced protection and performance.
Example: Improving Logging and Traffic Analysis with IDP Sensor Configuration Options
This example shows how to improve logging and traffic analysis by configuring IDP sensor configuration options. For instance, although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and to limit its memory usage. In addition, you can use these options to log run conditions as IDP session capacity and memory limits are approached, and to analyze traffic dropped by IDP and application identification when exceeding these limitations.
Requirements
Before you begin:
Configure network interfaces.
Download the signature database. See Example: Updating the IDP Signature Database Manually. Application signatures are available as part of the security package provided by Juniper Networks. You download predefined application signatures along with the security package updates.
Overview
The IDP sensor monitors the network and detects suspicious and anomalous network traffic based on specific rules defined in IDP rulebases. It applies attack objects to traffic based on protocols or applications. Application signatures enable the sensor to identify known and unknown applications running on nonstandard ports and to apply the correct attack objects.
The default behavior of IDP is to ignore the sessions when:
IDP policy is not configured in the device
Resource limits (memory or active sessions) are reached
In case of Chassis Cluster, for failed over sessions
If traffic availability is considered more important than security, then it is recommended to continue to use the above-mentioned default behavior of IDP. However, if security is considered more important than availability, then it is recommended to change the default behavior with the configuration provided in this example.
You can achieve the following from this example:
Although you cannot create application signatures with the IDP signature database, you can configure sensor settings to limit the number of sessions running application identification and also limit memory usage for application identification. You can configure the maximum amount of memory bytes that can be used to save packets for application identification for one TCP or UDP session. You can also configure a limit for global memory usage for application identification. Application identification is disabled for a session after the system reaches the specified memory limit for the session.
By default, IDP ignores failover sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs in an SRX Series chassis cluster deployment. In this example, you specify that these sessions are dropped automatically and are captured in the respective counter instead of being ignored. You can monitor and analyze the sessions dropped when a failover on the secondary node occurs.
By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this example, you specify that if the IDP session limit or resource limits are exceeded, then the sessions are dropped and logging is added. You can set a maximum sessions offset limit value for the maximum IDP session limit. When the number of IDP sessions exceeds that value, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.
You can specify a lower threshold for available cache memory. If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures. This log enables you to control the number of sessions dropped, and these dropped sessions can later be analyzed and considered for processing.
Similarly, you can specify an upper threshold for available cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal. This log enables you to control the number of sessions dropped, and these dropped sessions can later be analyzed and considered for processing.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp sensor-configuration application-identification max-tcp-session-packet-memory 5000
set security idp sensor-configuration flow drop-if-no-policy-loaded
set security idp sensor-configuration flow drop-on-failover
set security idp sensor-configuration flow drop-on-limit
set security idp sensor-configuration flow max-sessions-offset 5
set security idp sensor-configuration flow min-objcache-limit-lt 21
set security idp sensor-configuration flow min-objcache-limit-ut 56
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To set IDP sensor configuration options:
Specify the memory limits for application identification.
[edit security idp sensor-configuration] user@host# set application-identification max-tcp-session-packet-memory 5000
Specify that traffic is dropped before the IDP policy is loaded.
[edit security idp sensor-configuration flow] user@host# set drop-if-no-policy-loaded
Specify that failover sessions in an SRX Series chassis cluster deployment are dropped.
[edit security idp sensor-configuration flow] user@host# set drop-on-failover
Specify that sessions are dropped when resource limits are exceeded.
[edit security idp sensor-configuration flow] user@host# set drop-on-limit
Note: If you do not want the sessions to be dropped when resource limits are exceeded, run the delete drop-on-limit command.
Configure an offset value for the maximum IDP session limit.
[edit security idp sensor-configuration flow] user@host# set max-sessions-offset 5
Set a lower threshold for available cache memory.
[edit security idp sensor-configuration flow] user@host# set min-objcache-limit-lt 21
Set an upper threshold for available cache memory.
[edit security idp sensor-configuration flow] user@host# set min-objcache-limit-ut 56
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
sensor-configuration {
    application-identification {
        max-tcp-session-packet-memory 5000;
    }
    flow {
        drop-on-limit;
        drop-on-failover;
        drop-if-no-policy-loaded;
        max-sessions-offset 5;
        min-objcache-limit-lt 21;
        min-objcache-limit-ut 56;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying IDP Sensor Configuration Settings
Purpose
Verify the IDP sensor configuration settings.
Action
From operational mode, enter the show security idp sensor-configuration command.
user@host> show security idp sensor-configuration
application-identification {
    max-tcp-session-packet-memory 5000;
}
flow {
    drop-on-limit;
    drop-on-failover;
    drop-if-no-policy-loaded;
    max-sessions-offset 5;
    min-objcache-limit-lt 21;
    min-objcache-limit-ut 56;
}
Meaning
The show security idp sensor-configuration command displays all sensor configuration options that are set with specific values.
Verifying IDP Counters
Purpose
Verify the IDP counters.
Action
From operational mode, enter the show security idp counters flow command.
Sample Output
IDP counters:
IDP counter type Value
Fast-path packets 0
Slow-path packets 0
Session construction failed 0
Session limit reached 0
Session inspection depth reached 0
Memory limit reached 0
Not a new session 0
Invalid index at ageout 0
Packet logging 0
Policy cache hits 0
Policy cache misses 0
Policy cache entries 0
Maximum flow hash collisions 0
Flow hash collisions 0
Gates added 0
Gate matches 0
Sessions deleted 0
Sessions aged-out 0
Sessions in-use while aged-out 0
TCP flows marked dead on RST/FIN 0
Policy init failed 0
Number of times Sessions exceed high mark 0
Number of times Sessions drop below low mark 0
Memory of Sessions exceeds high mark 0
Memory of Sessions drops below low mark 0
SM Sessions encountered memory failures 0
SM Packets on sessions with memory failures 0
IDP session gate creation requests 0
IDP session gate creation acknowledgements 0
IDP session gate hits 0
IDP session gate timeouts 0
Number of times Sessions crossed the CPU threshold value that is set 0
Number of times Sessions crossed the CPU upper threshold 0
Sessions constructed 0
SM Sessions ignored 0
SM Sessions dropped 0
SM Sessions interested 0
SM Sessions not interested 749
SM Sessions interest error 0
Sessions destructed 0
SM Session Create 0
SM Packet Process 0
SM ftp data session ignored by idp 0
SM Session close 0
SM Client-to-server packets 0
SM Server-to-client packets 0
SM Client-to-server L7 bytes 0
SM Server-to-client L7 bytes 0
Client-to-server flows ignored 0
Server-to-client flows ignored 0
Both directions flows ignored 0
Fail-over sessions dropped 0
Sessions dropped due to no policy 0
IDP Stream Sessions dropped due to memory failure 0
IDP Stream Sessions ignored due to memory failure 0
IDP Stream Sessions closed due to memory failure 0
IDP Stream Sessions accepted 0
IDP Stream Sessions constructed 0
IDP Stream Sessions destructed 0
IDP Stream Move Data 0
IDP Stream Sessions ignored on JSF SSL Event 0
IDP Stream Sessions not processed for no matching rules 0
IDP Stream stbuf dropped 0
IDP Stream stbuf reinjected 0
Busy pkts from stream plugin 0
Busy pkts from pkt plugin 0
bad kpp 0
Lsys policy id lookup failed sessions 0
Busy packets 0
Busy packet Errors 0
Dropped queued packets (async mode) 0
Dropped queued packets failed(async mode) 0
Reinjected packets (async mode) 0
Reinjected packets failed(async mode) 0
AI saved processed packet 0
AI-session dropped due to malloc failure before session create 0
AI-Sessions dropped due to malloc failure after create 0
AI-Packets received on sessions marked for drop due to malloc failure 0
busy packet count incremented 0
busy packet count decremented 0
session destructed in pme 0
session destruct set in pme 0
kq op hold 0
kq op drop 0
kq op route 0
kq op continue 0
kq op error 0
kq op stop 0
PME wait not set 0
PME wait set 0
PME KQ run not called 0
Meaning
The show security idp counters flow command displays all counters that are used for analyzing dropped failover traffic, dropped IDP traffic, and dropped application identification traffic.
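The counter output above and the drop-on-limit, drop-on-failover and drop-if-no-policy-loaded counters described earlier are easier to watch with a small parser. The following Python script is an added example, not Juniper code: it parses the text of show security idp counters flow (a constructed, abbreviated sample is embedded), groups the non-zero counters by the sensor option this page associates with them, and extracts the fields of the IDP_SESSION_LOG_EVENT syslog messages quoted earlier. The counter grouping and the regular expression are this example's own assumptions.

```python
import re

# Counter names grouped by the sensor option this page associates with them.
# The grouping itself is this example's assumption, built from the lists on the page.
DROP_COUNTERS = {
    "drop-if-no-policy-loaded": ("Sessions dropped due to no policy",),
    "drop-on-failover": ("Fail-over sessions dropped",),
    "drop-on-limit (flow)": (
        "SM Sessions encountered memory failures",
        "SM Packets on sessions with memory failures",
        "SM Sessions dropped",
        "Both directions flows ignored",
        "IDP Stream Sessions dropped due to memory failure",
        "IDP Stream Sessions ignored due to memory failure",
        "IDP Stream Sessions closed due to memory failure",
        "Number of times Sessions exceed high mark",
        "Number of times Sessions drop below low mark",
        "Memory of Sessions exceeds high mark",
        "Memory of Sessions drops below low mark",
    ),
    "drop-on-limit (application-identification)": (
        "AI-session dropped due to malloc failure before session create",
        "AI-Sessions dropped due to malloc failure after create",
        "AI-Packets received on sessions marked for drop due to malloc failure",
    ),
}


def parse_idp_flow_counters(text):
    """Parse 'show security idp counters flow' text into {counter name: value}.

    Every counter line ends with an integer; header lines do not and are skipped.
    """
    counters = {}
    for raw in text.splitlines():
        parts = raw.strip().rsplit(None, 1)
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def drop_indicators(counters):
    """Return {option: {counter: value}} for the drop-related counters that are non-zero."""
    found = {}
    for option, names in DROP_COUNTERS.items():
        hits = {n: counters[n] for n in names if counters.get(n, 0) > 0}
        if hits:
            found[option] = hits
    return found


# Matches the IDP_SESSION_LOG_EVENT messages quoted on this page (pattern is an assumption).
_EVENT_RE = re.compile(
    r"IDP_SESSION_LOG_EVENT: IDP: at (?P<epoch>\d+), FPC (?P<fpc>\d+) PIC (?P<pic>\d+) "
    r"(?P<condition>.+?) Total sessions dropped (?P<dropped>\d+)\."
)


def parse_session_log_event(line):
    """Extract the fields of an IDP_SESSION_LOG_EVENT syslog line, or None if it is not one."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    return {
        "epoch": int(m["epoch"]),
        "fpc": int(m["fpc"]),
        "pic": int(m["pic"]),
        "condition": m["condition"],
        "may_drop": "may drop" in m["condition"],   # True while IDP is in a degraded state
        "sessions_dropped": int(m["dropped"]),
    }


# Constructed, abbreviated sample of the command output (not captured from a device).
SAMPLE_COUNTERS = """\
IDP counters:
  IDP counter type                                        Value
  Fast-path packets                                       580
  SM Sessions dropped                                     12
  Both directions flows ignored                           47
  Fail-over sessions dropped                              3
  Sessions dropped due to no policy                       0
  AI-Sessions dropped due to malloc failure after create  0
"""

# Constructed syslog lines in the format quoted on this page.
SAMPLE_EVENT_HIGH = ("Jul 19 04:38:13 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233893, "
                     "FPC 4 PIC 1 IDP total sessions pass through high mark 100000. "
                     "IDP may drop new sessions. Total sessions dropped 0.")
SAMPLE_EVENT_LOW = ("Jul 19 04:38:21 4.0.0.254 RT_IDP: IDP_SESSION_LOG_EVENT: IDP: at 1374233901, "
                    "FPC 4 PIC 1 IDP total sessions drop below low mark 99000. "
                    "IDP working in normal mode. Total sessions dropped 24373.")

if __name__ == "__main__":
    for option, hits in drop_indicators(parse_idp_flow_counters(SAMPLE_COUNTERS)).items():
        print(option, hits)
    for line in (SAMPLE_EVENT_HIGH, SAMPLE_EVENT_LOW):
        print(parse_session_log_event(line))
```

On the constructed sample the script reports the failover drop and the two drop-on-limit counters and stays silent on the zero-valued ones; the same functions can be fed the real command output and the RT_IDP syslog stream to alert on a transition into a "may drop" state.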
IDP Intelligent Inspection
On SRX Series Firewalls, if the configured CPU and memory threshold values exceed the resource limits, then IDP intelligent inspection helps the device recover from the overload state. Starting in Junos OS Release 19.2R1, you can enable IDP intelligent inspection and tune it dynamically to reduce the load of full IDP inspection. IDP does not reject or ignore the session by tuning the IDP inspection when the resource limits reach the configured CPU and memory threshold values.
Before Junos OS Release 19.2R1, when the device exceeds the configured CPU and memory threshold limit, IDP either rejects or ignores new sessions.
To enable IDP intelligent inspection and the bypass feature, use the set security idp sensor-configuration flow intel-inspect-enable command.
- Benefits of IDP Inspection Tuning
- Security Mechanisms for Tuning IDP Intelligent Inspection
- CPU Utilization
- Memory Utilization
- Limitation
Benefits of IDP Inspection Tuning
- Gives importance to critical IDP inspection
- Avoids low-priority IDP inspection
- Reduces high system resource usage
Security Mechanisms for Tuning IDP Intelligent Inspection
- Dynamic policy—Critical, major, and minor are the three important signature severities. You can tune the policy dynamically to include only the signatures of the desired severity level. To include signatures of only critical severity, use the set security idp sensor-configuration flow intel-inspect-signature-severity critical command. To include signatures of critical and major severity, use the set security idp sensor-configuration flow intel-inspect-signature-severity major command. To include signatures of critical, major, and minor severity, use the set security idp sensor-configuration flow intel-inspect-signature-severity minor command. By default, only attacks of critical severity are included.
- Content decompression—Content decompression can be skipped only when intelligent inspection is enabled and the thresholds are reached. The protocol decoder decompresses the protocol content if the content arrives compressed. You can avoid decompression of the protocol content by configuring the set security idp sensor-configuration flow intel-inspect-disable-content-decompress command.
- Selective protocols—By default, IDP inspects all critical protocols. You can specify the list of critical protocols for IDP processing with the set security idp sensor-configuration flow intel-inspect-protocols protocol command. IDP does not inspect noncritical protocols.
- Inspection depth—By default, IDP inspects all the bytes of each session. By specifying an inspection depth, IDP limits inspection to the specified number of bytes. To enable the inspection depth, use the set security idp sensor-configuration flow intel-inspect-session-bytes-depth value command. By default, IDP intelligent inspection disables the inspection depth, which means all bytes are inspected.
CPU Utilization
You can configure the threshold limits for IDP inspection. When the CPU usage reaches the configured threshold, IDP intelligent inspection is activated.
To configure the threshold limits, use the following commands:
- set security idp sensor-configuration flow intel-inspect-cpu-usg-threshold value
- set security idp sensor-configuration flow intel-inspect-cpu-usg-tolerance value
CPU utilization behaves as follows:
- IDP stops full IDP processing on new sessions when the CPU utilization reaches the configured intelligent inspection threshold; IDP performs only the tuned security inspection. This transition triggers a syslog message indicating that IDP intelligent inspection is activated.
- IDP continues to function in intelligent inspection mode after the CPU utilization has exceeded the intelligent inspection threshold, for as long as it stays between the intelligent inspection lower threshold and the IDP bypass threshold.
- IDP resumes full IDP inspection on new sessions, and triggers a syslog message indicating that IDP intelligent inspection is deactivated, when the CPU utilization drops below the lower threshold of intelligent inspection.
- The IDP intelligent bypass feature activates when the CPU utilization reaches the IDP bypass threshold.
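The four tuning mechanisms and the CPU-driven switch between full, intelligent and bypass inspection can be put together in one model. The following Python script is an added example written for this page, not Junos code: a constructed configuration carries the same intel-inspect-* values as the example in this document (except for a constructed byte depth of 1024), a constructed signature set stands in for the signature database, and plan() shows, per new session, which signatures the tuned inspection would evaluate, how many bytes it would look at, and whether it would decompress content. The comparison operators at the thresholds, the hysteresis band, the field names and the way the protocol list is applied are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Severity order used by the severity filter (critical is the most severe).
SEVERITY_RANK = {"critical": 0, "major": 1, "minor": 2, "warning": 3, "info": 4}


@dataclass(frozen=True)
class Signature:
    name: str       # constructed signature name
    severity: str   # one of SEVERITY_RANK
    protocol: str   # protocol decoder the signature belongs to, e.g. "HTTP"


@dataclass(frozen=True)
class Session:
    protocol: str
    l7_bytes: int     # application-layer bytes the session carries
    compressed: bool  # whether the protocol content arrives compressed


@dataclass(frozen=True)
class IntelInspectConfig:
    """Mirrors the intel-inspect-* knobs described above (field names are this example's own)."""
    cpu_usg_threshold: int = 60                # intel-inspect-cpu-usg-threshold
    cpu_usg_tolerance: int = 15                # intel-inspect-cpu-usg-tolerance
    signature_severity: str = "critical"       # intel-inspect-signature-severity
    disable_content_decompress: bool = False   # intel-inspect-disable-content-decompress
    session_bytes_depth: Optional[int] = None  # intel-inspect-session-bytes-depth; None = all bytes
    protocols: frozenset = frozenset()         # intel-inspect-protocols; empty = all protocols
    bypass_threshold: int = 85                 # idp-bypass-cpu-threshold default from this page


@dataclass(frozen=True)
class InspectionPlan:
    inspect: bool
    signatures: Tuple[Signature, ...]
    bytes_to_inspect: int
    decompress: bool


class IntelInspectController:
    def __init__(self, cfg: IntelInspectConfig):
        self.cfg = cfg
        self.lower = cfg.cpu_usg_threshold - cfg.cpu_usg_tolerance
        self.mode = "full"   # "full" | "intelligent" | "bypass"

    def update_cpu(self, cpu: int) -> str:
        """Select the mode for new sessions from a CPU utilization sample (percent)."""
        if cpu >= self.cfg.bypass_threshold:
            self.mode = "bypass"        # Intelligent Bypass takes over (assumption: >=)
        elif cpu >= self.cfg.cpu_usg_threshold:
            self.mode = "intelligent"   # only the tuned inspection runs
        elif cpu < self.lower:
            self.mode = "full"          # back below threshold minus tolerance
        # lower <= cpu < threshold: hysteresis band, keep the current mode (assumption)
        return self.mode

    def plan(self, session: Session, signatures) -> InspectionPlan:
        """Decide what IDP would evaluate for a new session in the current mode."""
        cfg = self.cfg
        if self.mode == "bypass":
            return InspectionPlan(False, (), 0, False)
        candidates = tuple(s for s in signatures if s.protocol == session.protocol)
        if self.mode == "full":
            return InspectionPlan(True, candidates, session.l7_bytes, session.compressed)
        # Intelligent inspection: selective protocols, severity filter, depth, decompression
        if cfg.protocols and session.protocol not in cfg.protocols:
            return InspectionPlan(False, (), 0, False)
        max_rank = SEVERITY_RANK[cfg.signature_severity]
        selected = tuple(s for s in candidates if SEVERITY_RANK[s.severity] <= max_rank)
        depth = (session.l7_bytes if cfg.session_bytes_depth is None
                 else min(cfg.session_bytes_depth, session.l7_bytes))
        decompress = session.compressed and not cfg.disable_content_decompress
        return InspectionPlan(True, selected, depth, decompress)


# Constructed signature set and configuration (not from the Juniper signature database).
SIGNATURES = (
    Signature("HTTP:CRIT-1", "critical", "HTTP"),
    Signature("HTTP:MAJ-1", "major", "HTTP"),
    Signature("SMTP:CRIT-1", "critical", "SMTP"),
    Signature("FTP:MIN-1", "minor", "FTP"),
)
EXAMPLE_CONFIG = IntelInspectConfig(
    cpu_usg_threshold=60, cpu_usg_tolerance=15, signature_severity="critical",
    disable_content_decompress=True, session_bytes_depth=1024,
    protocols=frozenset({"HTTP", "FTP"}),
)

if __name__ == "__main__":
    ctl = IntelInspectController(EXAMPLE_CONFIG)
    for cpu in (40, 62, 50, 90, 44):
        mode = ctl.update_cpu(cpu)
        p = ctl.plan(Session("HTTP", 8468, True), SIGNATURES)
        print(cpu, mode, [s.name for s in p.signatures], p.bytes_to_inspect, p.decompress)
```

With the example configuration, an HTTP session that gets both HTTP signatures, all 8468 bytes and decompression at 40 percent CPU gets only the critical signature, 1024 bytes and no decompression once CPU reaches 60 percent, stays in that mode at 50 percent (inside the tolerance band), is bypassed at 90 percent, and is fully inspected again only below 45 percent; an SMTP session is not inspected at all in intelligent mode because SMTP is not in the protocol list.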
Memory Utilization
You can configure the memory limits for the IDP inspection. When the memory usage reaches the configured limit, it activates the IDP intelligent inspection.
To configure the available memory limits, use the following commands:
- set security idp sensor-configuration flow intel-inspect-free-mem-threshold value
- set security idp sensor-configuration flow intel-inspect-mem-tolerance value
Memory utilization behaves as follows:
- IDP activates the IDP intelligent inspection mode when the memory utilization reaches the intelligent inspection available-memory lower threshold.
- IDP continues to function in intelligent inspection mode while the memory utilization is between the intelligent inspection memory upper threshold and memory lower threshold.
- IDP activates the IDP bypass feature when the memory utilization reaches the available-memory lower threshold.
- IDP returns to normal mode when the memory utilization drops and the available memory exceeds the intelligent inspection available-memory upper threshold.
Limitation
IDP intelligent inspection is supported only at the primary logical system level.
Example: Configuring IDP Intelligent Inspection
The IDP intelligent inspection helps the device to recover from the overload state when the device exceeds the configured CPU and memory threshold limit.
This example shows how to enable the IDP intelligent inspection and tune the IDP inspection dynamically to reduce the load of full IDP inspection.
Requirements
Read IDP Sensor Configuration to understand when and how the IDP intelligent inspection and IDP bypass feature works.
Overview
Prior to Junos OS Release 19.2R1, when the device reaches the configured CPU and memory threshold values, IDP ignores or rejects new sessions. Also, when the device crosses the upper threshold, IDP discards packets of existing and new sessions.
Tuning the IDP inspection helps the device gradually increase the CPU and memory utilization and gives importance to critical inspection. This example shows how to tune the IDP inspection after enabling the IDP intelligent inspection.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp sensor-configuration flow intel-inspect-enable
set security idp sensor-configuration flow intel-inspect-cpu-usg-threshold 60
set security idp sensor-configuration flow intel-inspect-cpu-usg-tolerance 15
set security idp sensor-configuration flow intel-inspect-mem-tolerance 5
set security idp sensor-configuration flow intel-inspect-free-mem-threshold 30
set security idp sensor-configuration flow intel-inspect-signature-severity critical
set security idp sensor-configuration flow intel-inspect-disable-content-decompress
set security idp sensor-configuration flow intel-inspect-session-bytes-depth 2
set security idp sensor-configuration flow intel-inspect-protocols HTTP
set security idp sensor-configuration flow intel-inspect-protocols FTP
Procedure
Step-by-Step Procedure
To configure the IDP intelligent inspection:
Enable the IDP intelligent inspection.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-enable
Configure the CPU threshold limit.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-cpu-usg-threshold 60
Configure the CPU tolerance.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-cpu-usg-tolerance 15
Configure the memory tolerance.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-mem-tolerance 5
Configure the memory limit.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-free-mem-threshold 30
Specify the severity level.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-signature-severity critical
Disable content decompression.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-disable-content-decompress
Configure the packet inspection depth.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-session-bytes-depth 2
Configure the the protocol for inspection.
[edit security idp sensor-configuration] user@host# set flow intel-inspect-protocols HTTP user@host# set flow intel-inspect-protocols FTP
Results
From configuration mode, confirm your configuration by entering the show security idp sensor-configuration command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show security idp sensor-configuration
flow {
    intel-inspect-enable;
    intel-inspect-cpu-usg-threshold 60;
    intel-inspect-cpu-usg-tolerance 15;
    intel-inspect-free-mem-threshold 30;
    intel-inspect-mem-tolerance 5;
    intel-inspect-disable-content-decompress;
    intel-inspect-session-bytes-depth 2;
    intel-inspect-protocols [ HTTP FTP ];
    intel-inspect-signature-severity critical;
}
If you are done configuring the devices, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying the status of all IDP flow counter values
- Verify the status of IDP current policy
- Protocol-Specific Intelligent-Offload
- Configuring Protocol-Specific Offload Limits
Verifying the status of all IDP flow counter values
Purpose
Verify that the IDP intelligent inspection captures counter values.
Action
user@host> show security idp counters flow
IDP counters:
  IDP counter type                                                      Value
  Fast-path packets                                                     580
  Slow-path packets                                                     61
  Session construction failed                                           0
  Session limit reached                                                 0
  Session inspection depth reached                                      0
  Memory limit reached                                                  0
  Not a new session                                                     0
  Invalid index at ageout                                               0
  Packet logging                                                        0
  Policy cache hits                                                     58
  Policy cache misses                                                   3
  Maximum flow hash collisions                                          0
  Flow hash collisions                                                  0
  Gates added                                                           0
  Gate matches                                                          0
  Sessions deleted                                                      62
  Sessions aged-out                                                     0
  Sessions in-use while aged-out                                        0
  TCP flows marked dead on RST/FIN                                      47
  Policy init failed                                                    0
  Policy reinit failed                                                  0
  Number of times Sessions exceed high mark                             0
  Number of times Sessions drop below low mark                          0
  Memory of Sessions exceeds high mark                                  0
  Memory of Sessions drops below low mark                               0
  SM Sessions encountered memory failures                               0
  SM Packets on sessions with memory failures                           0
  Number of times Sessions crossed the CPU threshold value that is set  0
  Number of times Sessions crossed the CPU upper threshold              0
  Sessions constructed                                                  61
  SM Sessions ignored                                                   3
  SM Sessions dropped                                                   0
  SM Sessions interested                                                61
  SM Sessions not interested                                            101612
  SM Sessions interest error                                            0
  Sessions destructed                                                   62
  SM Session Create                                                     58
  SM Packet Process                                                     580
  SM ftp data session ignored by idp                                    0
  SM Session close                                                      59
  SM Client-to-server packets                                           312
  SM Server-to-client packets                                           268
  SM Client-to-server L7 bytes                                          8468
  SM Server-to-client L7 bytes                                          19952
  Client-to-server flows ignored                                        0
  Server-to-client flows ignored                                        0
  Server-to-client flows tcp optimized                                  0
  Client-to-server flows tcp optimized                                  0
  Both directions flows ignored                                         47
  Fail-over sessions dropped                                            0
  Sessions dropped due to no policy                                     0
  IDP Stream Sessions dropped due to memory failure                     0
  IDP Stream Sessions ignored due to memory failure                     0
  IDP Stream Sessions closed due to memory failure                      0
  IDP Stream Sessions accepted                                          0
  IDP Stream Sessions constructed                                       0
  IDP Stream Sessions destructed                                        0
  IDP Stream Move Data                                                  0
  IDP Stream Sessions ignored on JSF SSL Event                          0
  IDP Stream Sessions not processed for no matching rules               0
  IDP Stream stbuf dropped                                              0
  IDP Stream stbuf reinjected                                           0
  Busy pkts from stream plugin                                          0
  Busy pkts from pkt plugin                                             0
  bad kpp                                                               0
  Lsys policy id lookup failed sessions                                 0
  NGAppID Events with no L7 App                                         0
  NGAppID Events with no active-policy                                  0
  NGAppID Detector failed from event handler                            0
  NGAppID Detector failed from API                                      0
  Busy packets                                                          0
  Busy packet Errors                                                    0
  Dropped queued packets (async mode)                                   0
  Dropped queued packets failed(async mode)                             0
  Reinjected packets (async mode)                                       0
  Reinjected packets failed(async mode)                                 0
  AI saved processed packet                                             0
  busy packet count incremented                                         0
  busy packet count decremented                                         0
  session destructed in pme                                             0
  session destruct set in pme                                           0
  kq op hold                                                            0
  kq op drop                                                            11
  kq op route                                                           47
  kq op continue                                                        522
  kq op error                                                           0
  kq op stop                                                            0
  PME wait not set                                                      0
  PME wait set                                                          0
  PME KQ run not called                                                 0
  IDP sessions ignored for content decompression in intel inspect mode  47
  IDP sessions ignored for bytes depth limit in intel inspect mode      0
  IDP sessions ignored for protocol decoding in intel inspect mode      0
  IDP sessions detected CPU usage crossed intel inspect CPU threshold   43
  IDP sessions detected mem drop below intel inspect low mem threshold  0
Meaning
The show security idp counters flow command displays the counters for IDP intelligent inspection. The last five counters in the output are specific to intelligent inspection mode: they record how many sessions were ignored for content decompression, bytes-depth limit, or protocol decoding, and how many times CPU usage crossed the configured threshold or memory dropped below the configured low-memory threshold.
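As an added example (not Juniper code, and not part of this page), the following parses output in the shape shown above and summarizes the intel-inspect counters, so an operator can see from a saved show output whether intelligent inspection has engaged. The sample text is constructed from a subset of the counters above.

```python
import re
from typing import Dict

# Constructed sample in the shape of "show security idp counters flow" output
# on this page (a subset of counters; values are illustrative).
SAMPLE_COUNTERS = """\
IDP counters:
  IDP counter type                                                     Value
  Fast-path packets                                                    580
  Slow-path packets                                                    61
  Session limit reached                                                0
  Memory limit reached                                                 0
  Sessions constructed                                                 61
  Both directions flows ignored                                        47
  IDP sessions ignored for content decompression in intel inspect mode 47
  IDP sessions ignored for bytes depth limit in intel inspect mode     0
  IDP sessions ignored for protocol decoding in intel inspect mode     0
  IDP sessions detected CPU usage crossed intel inspect CPU threshold  43
  IDP sessions detected mem drop below intel inspect low mem threshold 0
"""

# A counter line is a name followed by whitespace and an integer value;
# the "IDP counters:" banner and the "Value" header line do not match.
_COUNTER_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")

def parse_idp_flow_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every counter line in the output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER_LINE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters

# The five intel-inspect counters shown at the end of the page's output.
INTEL_INSPECT_COUNTERS = {
    "cpu_threshold_crossed": "IDP sessions detected CPU usage crossed intel inspect CPU threshold",
    "low_mem_crossed": "IDP sessions detected mem drop below intel inspect low mem threshold",
    "ignored_decompression": "IDP sessions ignored for content decompression in intel inspect mode",
    "ignored_bytes_depth": "IDP sessions ignored for bytes depth limit in intel inspect mode",
    "ignored_protocol_decoding": "IDP sessions ignored for protocol decoding in intel inspect mode",
}

def intel_inspect_summary(counters: Dict[str, int]) -> Dict[str, int]:
    """Report whether intelligent inspection has engaged and how many sessions it skipped."""
    s = {key: counters.get(name, 0) for key, name in INTEL_INSPECT_COUNTERS.items()}
    # Engaged once the sensor has recorded a CPU or low-memory threshold crossing.
    s["engaged"] = s["cpu_threshold_crossed"] > 0 or s["low_mem_crossed"] > 0
    s["sessions_skipped"] = (s["ignored_decompression"] + s["ignored_bytes_depth"]
                             + s["ignored_protocol_decoding"])
    return s
```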
Verify the status of IDP current policy
Purpose
Verify the state of IDP intelligent inspection and the current IDP policy.
Action
user@host> show security idp status
Intelligent Inspection State Details:
  State: Active
State of IDP: Default,  Up since: 2018-07-03 14:16:03 PDT (132w4d 09:19 ago)

Packets/second: 6               Peak: 12 @ 2019-01-17 22:25:26 PST
KBits/second  : 249             Peak: 490 @ 2019-01-17 22:25:26 PST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 127] [UDP: 7] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 6 @ 2019-01-16 20:36:17 PST]
  TCP: [Current: 4] [Max: 4 @ 2019-01-17 22:34:33 PST]
  UDP: [Current: 2] [Max: 6 @ 2019-01-17 20:03:55 PST]
  Other: [Current: 0] [Max: 0 @ 2016-07-03 14:16:03 PDT]

Session Statistics:
 [ICMP: 0] [TCP: 2] [UDP: 1] [Other: 0]

Number of SSL Sessions : 0

Policy Name : idp-policy-unified
Running Detector Version : 12.6.130180509
Meaning
The show security idp status command displays the current IDP policy and the state of intelligent inspection. Even though you have enabled IDP intelligent inspection, its state can show as inactive when you run the show security idp status operational command. This is because CPU and memory usage have not yet crossed the configured threshold values. When CPU usage reaches the configured threshold, the state of IDP intelligent inspection becomes Active.
Protocol-Specific Intelligent-Offload
The existing intelligent offload feature in IDP offloads a session when the limit for the examined bytes is reached. That inspection limit is not granular: it applies to all sessions regardless of protocol or service.
With the ability to enable or disable IDP intelligent offloading on a per-protocol basis, administrators can decide which protocols should use the offloading capability. Administrators can also configure the offload limit per protocol.
The Protocol-Specific Intelligent-Offload Configuration feature in Intrusion Detection and Prevention (IDP) systems allows you to tailor inspection depth limits for different protocols, enhancing both performance and security. By configuring individual offload limits for protocols such as SSH and FTP, you can optimize resource usage and ensure more efficient session inspections.
This feature simplifies configuration and management with clear CLI commands, making it easier for administrators to implement and adjust offload settings based on specific network requirements.
Configuring Protocol-Specific Offload Limits
You can use the new options to configure the offload limit per protocol by specifying the protocol and setting the offload limit.
[edit]
user@host# set security idp sensor-configuration global intelligent-offload-tunable ?
The offload limit range is the same for all protocols: 0 through 4294967295 bytes, where 0 means unlimited inspection.
You can also specify the limit in KB, MB, or GB by appending k, m, or g, respectively, to the value.
The set security idp sensor-configuration global intelligent-offload disable command disables intelligent offload globally. You cannot configure this command together with a per-protocol custom offload limit.
- If an offload limit is configured for a protocol, that limit has the highest precedence for the protocol. For example, if a limit is configured for the protocol MYSQL, the session offload limit is taken from the configuration and not from the detector-capabilities.xml file.
- If no offload limit is configured for a protocol but a limit exists in the detector-capabilities.xml file, the limit from the file is applied for that protocol.
- If no offload limit for a protocol is present in the detector-capabilities.xml file, the default limit of 256 KB is applied (unless intelligent offload is in conservative mode, in which case the limit is 1 MB). If intelligent offload is disabled, no offloading occurs.
If you use the set security idp sensor-configuration global intelligent-offload disable option, the offloading feature is disabled and IDP inspects all of a session's data until the session closes.
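As an added example (not Juniper code, and not part of this page), the precedence rules above written as a small resolver. The xml_limits dictionary stands in for values that would come from detector-capabilities.xml, the protocol names and byte values are constructed, and the k/m/g parsing follows the suffix rule stated earlier.

```python
import re
from typing import Dict

KB, MB, GB = 1024, 1024 ** 2, 1024 ** 3
MAX_LIMIT = 4294967295          # upper bound of the per-protocol limit range
DEFAULT_LIMIT = 256 * KB        # applied when neither CLI nor XML supplies a limit
CONSERVATIVE_DEFAULT = 1 * MB   # default when intelligent offload is in conservative mode
UNLIMITED = 0                   # 0 means the whole session is inspected (never offloaded)

_SUFFIX = {"": 1, "k": KB, "m": MB, "g": GB}

def parse_offload_limit(value: str) -> int:
    """Convert a CLI limit such as '512k', '2m', '1g' or '0' to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.strip().lower())
    if not m:
        raise ValueError(f"malformed offload limit: {value!r}")
    limit = int(m.group(1)) * _SUFFIX[m.group(2)]
    if limit > MAX_LIMIT:
        raise ValueError(f"offload limit {value!r} exceeds {MAX_LIMIT} bytes")
    return limit

def effective_offload_limit(protocol: str,
                            cli_limits: Dict[str, str],
                            xml_limits: Dict[str, int],
                            offload_disabled: bool = False,
                            conservative: bool = False) -> int:
    """Resolve the limit for one protocol using the page's precedence:
    CLI per-protocol limit > detector-capabilities.xml > default.
    Returns the byte count after which the session is offloaded; 0 means never."""
    if offload_disabled:
        # Global disable cannot be combined with per-protocol limits.
        if cli_limits:
            raise ValueError("intelligent-offload disable cannot be combined "
                             "with per-protocol offload limits")
        return UNLIMITED
    if protocol in cli_limits:
        return parse_offload_limit(cli_limits[protocol])
    if protocol in xml_limits:
        return xml_limits[protocol]
    return CONSERVATIVE_DEFAULT if conservative else DEFAULT_LIMIT
```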