Best practice guide for IDP deployment on branch SRX devices

This article provides a best practice guide that can be used when IDP, UTM, NSM, AppSecure, and other features are running simultaneously on Branch SRX devices that have 1GB of memory.

  • Memory usage by advanced security software grows from release to release, due to increased functionality and the combined use of features such as IDP, UTM (anti-virus, anti-spam, web filtering, and content filtering), NSM, AppSecure, and so on.
  • These features consume more control plane memory and cause large IDP policies to fail to load on Branch SRX devices that have 1GB of memory (SRX100H, SRX110H, SRX210H/HE, SRX220H, and SRX240H), or cause the device to run out of memory on the control plane, which triggers a system reboot or freeze.
  • This article is based on Junos OS 11.4R4/R4-S1/R5 and provides best practices to avoid such failures.

For more information about each of the following FAQs, refer to the Branch SRX IDP Deployment Best Practice Guide Application Note:

  • Memory requirements for security-package download and install
  • Before IDP security-package update, how to determine if the control plane memory usage is safe or too low?
  • When to use IDP incremental or full-update?
  • How much memory is required to compile IDP policy?
  • Configuring custom IDP policy
  • IDP Functionality/Support on different Junos OS releases
  • UTM AV pattern-update and IDP security-package download/install/policy compile
  • Management connection to the device where IDP security-package download/install/policy compile is to be run
  • Turn off services which are not being used
  • Adjusting control plane memory
  • Logging

About the author

Prasanna
