How to modify TCP socket connections between SRX and TSC, using a hidden command.
In enhanced web filtering (EWF), SRX makes TCP socket connections to the TSC server. Multiple TCP connections need to be established from SRX to the TSC server. SRX sends requests to the TSC using one of the available connections using a round-robin algorithm. Using more sessions is not recommended because the number of connections you can make from the device is limited. Using fewer sessions means that even one misbehaving TCP session can adversely affect URL filtering performance.
For SRX Branch, the default value is 16. For SRX high end, the default value is 32. How can we modify the value?
There is a hidden command to configure sockets.
set security utm feature-profile web-filtering type juniper-enhanced juniper-enhanced sockets <number>
First, modify the default value:
root@SRX220> show version
Hostname: SRX220
Model: srx220h-poe
JUNOS Software Release [12.1X44-D20.3]

TSC -- rp.cloud.threatseeker.com (116.50.57.140)

root@SRX220% netstat -an | grep 116.50.57.140.80 | grep ESTABLISHED
tcp4 0 0 172.27.103.22.50002 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.55422 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.64229 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.56672 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.63388 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.57596 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.59446 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.65075 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.57203 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.62913 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.59819 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.64357 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.57303 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.53045 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.59151 116.50.57.140.80 ESTABLISHED
Modify the value to 8:
set security utm feature-profile web-filtering type juniper-enhanced juniper-enhanced sockets 8
Then, check the connections.
root@SRX220% netstat -an | grep 116.50.57.140.80 | grep ESTABLISHED
tcp4 0 0 172.27.103.22.65234 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.55561 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.54781 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.60067 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.60770 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.56540 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.61861 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.52790 116.50.57.140.80 ESTABLISHED

root@SRX220% fstat | grep "internet stream" | grep utmd
root utmd 1258 34* internet stream tcp c1f687f0
root utmd 1258 35* internet stream tcp c1f683f8
root utmd 1258 36* internet stream tcp c1f68000
root utmd 1258 37* internet stream tcp c1f67000
root utmd 1258 38* internet stream tcp c2ba23f8
root utmd 1258 39* internet stream tcp c2ba3de4
root utmd 1258 40* internet stream tcp c2ba37f0
root utmd 1258 41* internet stream tcp c2b69be8
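The netstat check above can be scripted so the session count is compared against the configured sockets value. The following is an added example, not part of the original article or Juniper tooling: the function name check_tsc_sockets, the status labels and the sample input are constructed here, and treating a TSC session in any state other than ESTABLISHED as a possible misbehaving session is an assumption.

```shell
#!/bin/sh
# Added example: verify the SRX-to-TSC session count from `netstat -an` output.
# Usage: netstat -an | check_tsc_sockets <tsc_ip> <port> <configured_sockets>
# Prints one summary line; returns 0 only when the status is OK.
check_tsc_sockets() {
    # Match the foreign-address field exactly. BSD netstat prints addr.port,
    # and an unanchored grep for "116.50.57.140.80" also matches port 8080.
    awk -v peer="$1.$2" -v want="$3" '
        $1 ~ /^tcp/ && $5 == peer {
            if ($6 == "ESTABLISHED") est++; else other++
        }
        END {
            if (est != want)    status = "MISMATCH"  # count differs from config
            else if (other > 0) status = "DEGRADED"  # sessions in other TCP states
            else                status = "OK"
            printf "established=%d other=%d expected=%d status=%s\n",
                   est, other, want, status
            exit (status == "OK" ? 0 : 1)
        }'
}

# Constructed sample input (not captured from a device): three established
# sessions, one CLOSE_WAIT session, and one session to port 8080 that must
# not be counted as a TSC connection.
sample_netstat() {
    cat <<'EOF'
tcp4       0      0 172.27.103.22.50002    116.50.57.140.80       ESTABLISHED
tcp4       0      0 172.27.103.22.50003    116.50.57.140.80       ESTABLISHED
tcp4       0      0 172.27.103.22.50004    116.50.57.140.80       ESTABLISHED
tcp4       0      0 172.27.103.22.50005    116.50.57.140.80       CLOSE_WAIT
tcp4       0      0 172.27.103.22.50006    116.50.57.140.8080     ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
EOF
}

# Demo run against the constructed sample with a configured value of 3.
sample_netstat | check_tsc_sockets 116.50.57.140 80 3 || true
```

On a device, pipe the live `netstat -an` output into the function and pass the value configured with the sockets command as the third argument.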