Juniper Network and Security Manager 2010.4 - Configuring Intrusion Detection and Prevention Devices Guide, Rev 01 (manual page 110)

Configuring Intrusion Detection and Prevention Devices Guide
Table 49: IDP Device Configuration: Run-Time Parameters (continued)

Setting: Run-time Parameters

Description:

RPC program timeout (seconds)–IDP performs stateful inspection of all RPC messages on port 111 (the portmapper) and builds a table of program-to-port mappings for each RPC server it finds on the network. This setting controls how long an entry in that table is kept. The default is 300 seconds.

RPC transaction timeout (seconds)–RPC (port 111) is a request/response protocol. When IDP sees a request, it adds the request to a request table. If no matching RPC reply arrives within this timeout, the entry is removed from the table. The default is 5 seconds.

Exempt management server flows–Exempts NSM connections from IDP processing. This setting is enabled by default.

Fragment timeout (seconds)–Controls when IDP drops an incomplete fragment chain because one or more fragments did not arrive. If the missing fragments are not received within this timeout, IDP drops the chain and generates a log (FRAGMENT_TIME_EXCEEDED). The default is 5 seconds.

Minimum fragment size (bytes)–IDP drops all IP fragments smaller than this size. The default is 0 bytes (no fragments are dropped), so at the default a fragment too short to carry a complete transport header is still accepted into reassembly.

Maximum fragments per IP datagram–An IP datagram can be broken into many fragments which, when reassembled, must not exceed 65,535 bytes. Because IP fragment processing is CPU and memory intensive, this setting limits the length of a fragment chain: if the number of fragments in a chain exceeds this value, IDP drops the entire chain. The default is 65,535. This value is a count of fragments, not a byte size; because fragment offsets are expressed in 8-byte units, a legitimate datagram cannot contain more than about 8,192 fragments, so the default never triggers unless it is lowered.

Maximum concurrent fragments in queue–IDP performs pseudo-reassembly of IP fragment chains. This setting limits how many fragment chains can be held in the reassembly queue at one time. Once the limit is reached, IDP drops all new IP fragment chains and generates a log (TOO_MANY_FRAGMENTS). If your network legitimately produces a large number of fragmented datagrams, such as those produced by Network File System (NFS), raise this limit to eliminate unnecessary logs. The default is 16 chains.

Log fragment related errors–Logs fragment-related errors. This setting is not enabled by default.

Enable GRE decapsulation support–Enables IDP to decode generic routing encapsulation (GRE) tunnels that carry IP-in-GRE or PPP-in-GRE, so that the encapsulated packet is inspected in its original form. GRE decapsulation is not enabled by default.

Enable GTP decapsulation support–Enables GPRS Tunneling Protocol (GTP) decapsulation. IDP decapsulates GTPv0 and GTPv1 over UDP only. GTP decapsulation is not enabled by default.

Enable SSL decryption support–Enables SSL inspection. SSL decryption is not enabled by default.
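The four fragment-related parameters in the table (fragment timeout, minimum fragment size, maximum fragments per datagram, maximum concurrent chains) are described one at a time, but they act together on the same reassembly queue. The following is an added example written for this page, not Juniper code: a small Python model of a pseudo-reassembly queue that applies those parameters with the table's defaults to constructed IP fragments and shows when the logs named in the table (FRAGMENT_TIME_EXCEEDED, TOO_MANY_FRAGMENTS) would be raised. The chain key (source, destination, IP ID), measuring the timeout from the last fragment seen, and the fragment representation are assumptions made for illustration; the page names no log for drops caused by the minimum-size and per-datagram limits, so none is invented here.

```python
"""Toy model of the IDP fragment run-time parameters in Table 49 (added example,
not Juniper code). Parameter names, defaults and log strings come from the table;
the data structures, chain key and timeout reference point are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int    # IP Identification field, shared by all fragments of one datagram
    offset: int   # fragment offset in bytes (a multiple of 8 on the wire)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag; False only on the last fragment
    t: float      # arrival time in seconds (constructed clock)


@dataclass
class Chain:
    frags: dict = field(default_factory=dict)  # offset -> Fragment
    last_seen: float = 0.0

    def complete(self) -> bool:
        """True when the last fragment is present and the bytes before it are contiguous."""
        end = 0
        for off in sorted(self.frags):
            if off != end:
                return False              # hole: a fragment is still missing
            end = off + self.frags[off].length
        return not self.frags[max(self.frags)].more


class FragmentQueue:
    def __init__(self, min_fragment_size=0, max_fragments_per_datagram=65535,
                 max_concurrent_chains=16, fragment_timeout=5.0):
        self.min_fragment_size = min_fragment_size
        self.max_fragments_per_datagram = max_fragments_per_datagram
        self.max_concurrent_chains = max_concurrent_chains
        self.fragment_timeout = fragment_timeout
        self.chains = {}        # (src, dst, ident) -> Chain
        self.logs = []          # (message, chain key), messages as named in Table 49
        self.reassembled = []   # chain keys handed on for inspection

    def expire(self, now):
        """Drop chains that waited longer than the fragment timeout for a missing piece.
        Assumption: the timeout is counted from the last fragment of the chain seen."""
        for key, chain in list(self.chains.items()):
            if now - chain.last_seen > self.fragment_timeout:
                del self.chains[key]
                self.logs.append(("FRAGMENT_TIME_EXCEEDED", key))

    def receive(self, frag) -> str:
        """Process one arriving fragment; returns 'dropped', 'queued' or 'reassembled'."""
        self.expire(frag.t)
        if frag.length < self.min_fragment_size:
            return "dropped"          # the table names no log for this drop
        key = (frag.src, frag.dst, frag.ident)
        chain = self.chains.get(key)
        if chain is None:
            if len(self.chains) >= self.max_concurrent_chains:
                self.logs.append(("TOO_MANY_FRAGMENTS", key))
                return "dropped"      # new chains are refused while the queue is full
            chain = self.chains[key] = Chain()
        chain.frags[frag.offset] = frag
        chain.last_seen = frag.t
        if len(chain.frags) > self.max_fragments_per_datagram:
            del self.chains[key]      # the whole chain is discarded, per the table
            return "dropped"
        if chain.complete():
            del self.chains[key]
            self.reassembled.append(key)
            return "reassembled"
        return "queued"


def frag(ident, offset, length, more, t):
    """Constructed fragment between two made-up hosts."""
    return Fragment("10.0.0.1", "10.0.0.2", ident, offset, length, more, t)


def scenario_tiny_first_fragment():
    """Default minimum size 0 queues an 8-byte first fragment (too short to hold a
    full TCP header); a 24-byte minimum drops it before it reaches reassembly."""
    return (FragmentQueue().receive(frag(1, 0, 8, True, 0.0)),
            FragmentQueue(min_fragment_size=24).receive(frag(1, 0, 8, True, 0.0)))


def scenario_queue_exhaustion():
    """17 half-arrived datagrams against the default of 16 concurrent chains."""
    q = FragmentQueue()
    results = [q.receive(frag(i, 0, 1480, True, 0.0)) for i in range(17)]
    return results.count("queued"), results.count("dropped"), q.logs


def scenario_timeout_then_completion():
    """Datagram 7 never completes and ages out after 5 s; datagram 8 is reassembled."""
    q = FragmentQueue()
    q.receive(frag(7, 0, 1480, True, 0.0))
    q.receive(frag(7, 1480, 1480, True, 1.0))    # its last fragment never arrives
    q.receive(frag(8, 0, 1480, True, 7.0))       # arrival at t=7 expires chain 7
    last = q.receive(frag(8, 1480, 200, False, 7.1))
    return q.logs, last, q.reassembled
```

The first scenario is the reason the 0-byte default deserves attention on a network that does not need tiny fragments; the second shows why the 16-chain default produces TOO_MANY_FRAGMENTS noise on NFS-heavy segments and should be raised there rather than silenced; the third shows that the timeout only fires when a later packet arrives to drive the clock, which is how a purely event-driven queue behaves.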
Copyright © 2010, Juniper Networks, Inc.