Intrusion Detection and Prevention (IDP) - Juniper JUNOS OS 10.4 Release Notes

JUNOS OS 10.4 Release Notes
On SRX3000 and SRX5000 line devices, the maximum number of traffic-shaping
simple filter rules and policing rules has been changed. For SRX3000 line devices, the
number of simple filter and policing rules is 2000 per I/O card (IOC) for each rule type.
For SRX5000 line devices, the number of simple filter and policing rules is 2000 for
each rule type per PIM on flex I/O cards (FIOCs). This change does not affect ordinary
IOCs on SRX5000 line devices. The previous maximum of 4000 for each rule type is
not achievable because of a hardware limitation.
On T1/E1 Mini-Physical Interface Module installed on SRX210 and SRX240 devices,
the Loopback LED is turned ON based on the Loopback configuration as well as when
the FDL loopback commands are executed from the remote end. The Loopback LED
remains OFF when no FDL Loopback commands are executed from the remote end,
even though remote-loopback-respond is configured on the HOST.
On J4350 devices, ping does not go through even if the ISDN call is connected and the
dialer watch is configured. This issue occurs only when the media MTU on Cisco devices
is bigger than the MTU configured on J Series devices. As a workaround, keep the MTU
configured on the J Series device equal to or greater than the one set on the Cisco
device.
On SRX and J Series devices, the help description for the set <int> interface arp-resp
command incorrectly states the default value as unrestricted. The default value is
actually restricted.

Intrusion Detection and Prevention (IDP)

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you want to change to
maximize-idp-sessions mode, you should configure the security forwarding-process
application-services maximize-idp-sessions command before you reboot the device to
avoid recompiling IDP policies during every commit. [PR/426575]
On SRX3400 devices, FTP traffic does not go through the expedited-forwarding queue
class for FTP control connections. All other traffic, such as HTTP, Telnet, and ping, goes
through the expedited-forwarding queue class as expected.
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application identification
CLI commands have been moved from the [edit security idp sensor-configuration
application-identification] hierarchy to the [edit services application-identification]
hierarchy.
On SRX Series and J Series devices, for brute force and time-binding-related attacks,
logging is done only when the match count is equal to the threshold. That is,
only one log is generated within the 60-second period in which the threshold is
measured. This process prevents repetitive logs from being generated and ensures
consistency with other IDP platforms such as IDP-standalone.
When no attack is seen within the 60-second period and the BFQ entry is flushed out,
the match count starts afresh, the new attack match shows up in the attack table,
and the log is generated as explained above.
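The one-log-per-window rule for time-binding attacks described above, modelled as an added example (this is not Juniper code): a per-source match table that emits a log only when the match count reaches the threshold and flushes an entry after 60 seconds without a match. The (attack, source) key, the idle-timeout reading of the 60-second period, and the sample attack name and address are assumptions.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 60  # the 60-second period named in the release note


@dataclass
class _Entry:
    count: int = 0
    last_seen: float = 0.0


@dataclass
class TimeBindingLogger:
    """Per-(attack, source) match table modelling the note's logging rule.

    Assumptions not stated on the page: entries are keyed by (attack, source),
    and an entry is flushed when no match arrives within WINDOW_SECONDS of
    the previous one (the "BFQ entry is flushed out" case).
    """
    threshold: int
    table: dict = field(default_factory=dict)
    logs: list = field(default_factory=list)

    def observe(self, ts: float, attack: str, source: str) -> bool:
        """Record one signature match; return True only when a log is emitted."""
        key = (attack, source)
        entry = self.table.get(key)
        if entry is not None and ts - entry.last_seen > WINDOW_SECONDS:
            entry = None  # quiet for over 60 s: flush, count starts afresh
        if entry is None:
            entry = self.table[key] = _Entry()
        entry.count += 1
        entry.last_seen = ts
        if entry.count == self.threshold:
            # Log exactly once per window: only when count equals threshold.
            self.logs.append((ts, attack, source))
            return True
        return False  # below threshold, or already logged in this window


def replay(events, threshold):
    """Feed (ts, attack, source) matches in order; return one flag per match."""
    logger = TimeBindingLogger(threshold)
    return [logger.observe(ts, attack, source) for ts, attack, source in events]


# Constructed sample (not from the page): eight matches inside one window,
# then a new burst after more than 60 s of silence from the same source.
SAMPLE = [(t, "EXAMPLE-BRUTE-FORCE", "198.51.100.7")
          for t in (0, 5, 10, 15, 20, 25, 30, 35, 120, 121, 122, 123, 124)]

if __name__ == "__main__":
    print(replay(SAMPLE, threshold=5))  # logs at t=20 and t=124 only
```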
Copyright © 2010, Juniper Networks, Inc.