Configuring Run-Time Parameters (Nsm Procedure) - Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual

Configuring Intrusion Detection and Prevention Devices Guide
Table 48: IDP Device Configuration: Load Time Parameters

Setting: Flow table size (requires sensor restart)
Description: For improved IDP performance, set the flow table size to limit the size of the connection table. This setting should reflect the maximum number of concurrent flows you expect at any one time. A TCP connection has about two flows per session, and a UDP connection has about three flows per session, so size the table from your expected session count multiplied by the flows per session. The default is 100,000 concurrent flows. If you change this value, you must restart the IDP device.

Setting: Enable log suppression
Description: Log suppression reduces the number of logs displayed in the Log Viewer by displaying a single record for multiple occurrences of the same event. When it is enabled, occurrences that share the same source IP, service, and matching attack object generate a single log record with a count of occurrences.
NOTE: If the reporting interval is set too high, log suppression can negatively impact IDP performance.

Setting: Include destination IPs while performing log suppression
Description: Adds the destination IP to the criteria that log suppression uses to decide whether two events are the same. With this option enabled, only occurrences that also share the same destination IP are combined into one record, so the same attack from one source against several destinations is no longer reported as a single record.

Setting: Number of log occurrences after which log suppression begins
Description: The number of identical log records received before suppression starts. The default is 1, meaning that suppression begins with the first redundant record.

Setting: Maximum number of logs that log suppression can operate on
Description: When log suppression is enabled, IDP must cache log records so that it can recognize multiple occurrences of the same event. This value is the number of log records that IDP tracks for suppression. The default is 16,384 log records.

Setting: Time (seconds) after which suppressed logs will be reported
Description: When log suppression is enabled, the IDP device maintains a count of the occurrences of the same event. This value is the number of seconds that pass before IDP reports a single log entry containing the count of occurrences. The default is 10 seconds.

Setting: Enable application identification
Description: Application identification detects the application of a session regardless of the port in use. We recommend that you disable this feature only when troubleshooting.

Setting: Maximum number of Application Identification sessions
Description: The maximum number of sessions on which application identification is performed at one time. The default is 100,000; valid values are 0 through 200,000. We recommend that you tune this setting only if you encounter problems.

Setting: Enable policy sharing
Description: Allows the two CPUs on a security module to share a single copy of the security policy instead of each loading its own, so that a policy containing all attack objects stays within the module's maximum memory. Memory usage still increases as the attack database grows.

Related Topics

Pushing Security Policy Updates to an IDP Device (NSM Procedure) on page 119
Troubleshooting Configuration Push Errors (NSM Procedure) on page 121
Configuring Run-Time Parameters (NSM Procedure) on page 88

Configuring Run-Time Parameters (NSM Procedure)

Run-time parameters include options for tuning IDP detection methods. In general, you modify these settings only if you encounter false positives or performance issues. These options control the security module operations.
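The five log-suppression settings in Table 48 interact in ways that are easier to see on concrete records than in the table text. The following model is an added example written for this page; it is not Juniper or NSM code. It applies the documented rules (match on source IP, service and attack object; optionally the destination IP; a start threshold; a cache limit; a reporting interval) to a handful of constructed log records. The names Event, SuppressionConfig, LogSuppressor and run, the attack object name HTTP:SQL:INJ and all addresses are illustrative. Three points the page does not specify are chosen here and marked as assumptions in the code: the reported count covers only the suppressed repeats, the start threshold restarts after a count has been reported, and once the cache is full further distinct events are logged individually.

```python
"""Model of the Table 48 log-suppression settings (added example, not Juniper code)."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One attack log record as the sensor would produce it (constructed data)."""
    ts: float      # seconds since the start of the sample
    src: str
    dst: str
    service: str
    attack: str


@dataclass
class SuppressionConfig:
    """The five log-suppression settings of Table 48 with their documented defaults."""
    enabled: bool = True
    include_dst_ip: bool = False   # add destination IP to the match criteria
    start_after: int = 1           # identical records seen before suppression begins
    max_tracked: int = 16384       # log records the suppression cache may hold
    report_interval: float = 10.0  # seconds before a suppressed count is reported


class _Bucket:
    """Occurrences of one event that are currently being suppressed."""
    def __init__(self, first: Event) -> None:
        self.first = first       # representative record shown in the Log Viewer
        self.count = 0           # suppressed repeats not yet reported (assumption:
                                 # the individually logged records are not counted)
        self.opened = first.ts   # start of the reporting interval


class LogSuppressor:
    def __init__(self, cfg: SuppressionConfig) -> None:
        self.cfg = cfg
        self.seen: Dict[tuple, int] = {}                    # key -> occurrences so far
        self.cache: "OrderedDict[tuple, _Bucket]" = OrderedDict()
        self.out: List[Tuple[Event, int]] = []              # (record, count) as reported

    def _key(self, ev: Event) -> tuple:
        key = (ev.src, ev.service, ev.attack)
        return key + (ev.dst,) if self.cfg.include_dst_ip else key

    def ingest(self, ev: Event) -> None:
        if not self.cfg.enabled:
            self.out.append((ev, 1))
            return
        self.flush(ev.ts)                 # report buckets whose interval has elapsed
        key = self._key(ev)
        seen = self.seen.get(key, 0) + 1
        self.seen[key] = seen
        if seen <= self.cfg.start_after:
            self.out.append((ev, 1))      # below the threshold: logged individually
            return
        bucket = self.cache.get(key)
        if bucket is None:
            if len(self.cache) >= self.cfg.max_tracked:
                self.out.append((ev, 1))  # assumption: a full cache suppresses nothing new
                return
            bucket = self.cache[key] = _Bucket(ev)
        bucket.count += 1

    def flush(self, now: Optional[float] = None) -> None:
        """Report every bucket whose interval has elapsed (all buckets if now is None)."""
        for key in list(self.cache):
            bucket = self.cache[key]
            if now is None or now - bucket.opened >= self.cfg.report_interval:
                self.out.append((bucket.first, bucket.count))
                del self.cache[key]
                self.seen.pop(key, None)  # assumption: the threshold restarts after a report


# Constructed sample: one source repeating the same attack against two hosts,
# a second source, and a late repeat after the 10 s interval has elapsed.
SAMPLE: List[Event] = [
    Event(0.0,  "10.1.1.5", "10.2.2.20", "HTTP", "HTTP:SQL:INJ"),
    Event(0.5,  "10.1.1.5", "10.2.2.20", "HTTP", "HTTP:SQL:INJ"),
    Event(1.0,  "10.1.1.5", "10.2.2.21", "HTTP", "HTTP:SQL:INJ"),  # other destination
    Event(1.5,  "10.1.1.5", "10.2.2.20", "HTTP", "HTTP:SQL:INJ"),
    Event(2.0,  "10.1.1.9", "10.2.2.20", "HTTP", "HTTP:SQL:INJ"),  # other source
    Event(12.0, "10.1.1.5", "10.2.2.20", "HTTP", "HTTP:SQL:INJ"),  # after the interval
]


def run(cfg: SuppressionConfig, events: List[Event] = SAMPLE) -> List[Tuple[Event, int]]:
    """Feed events in time order and return what the Log Viewer would show."""
    sup = LogSuppressor(cfg)
    for ev in sorted(events, key=lambda e: e.ts):
        sup.ingest(ev)
    sup.flush()
    return sup.out


if __name__ == "__main__":
    for label, cfg in [("defaults", SuppressionConfig()),
                       ("with destination IP", SuppressionConfig(include_dst_ip=True)),
                       ("disabled", SuppressionConfig(enabled=False))]:
        print(f"--- {label}")
        for ev, count in run(cfg):
            print(f"t={ev.ts:5.1f} {ev.src} -> {ev.dst} {ev.attack} x{count}")
```

With the defaults the six sample records collapse to four (the three repeats from 10.1.1.5, including the one against the second destination, become a single record with a count of 3); including the destination IP raises that to five because the hit on 10.2.2.21 is now a separate record; disabling suppression or setting the cache limit to 0 yields all six individually. The same model shows why the NOTE on the reporting interval matters: a longer interval keeps every open bucket in the cache for longer, so more of the cache limit is consumed by in-progress counts.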
Copyright © 2010, Juniper Networks, Inc.