Config Router

You are here: Home / Juniper / How to modify TCP socket connections between SRX and TSC?

How to modify TCP socket connections between SRX and TSC?

by

How to modify TCP socket connections between SRX and TSC, using a hidden command.

In enhanced web filtering (EWF), SRX makes TCP socket connections to the TSC server. Multiple TCP connections need to be established from SRX to the TSC server. SRX sends requests to the TSC using one of the available connections using a round-robin algorithm. Using more sessions is not recommended because the number of connections you can make from the device is limited. Using fewer sessions means that even one misbehaving TCP session can adversely affect URL filtering performance.

For SRX Branch, the default value is 16. For SRX high end, the default value is 32. How can we modify the value?

There is a hidden command to configure sockets.

set security utm feature-profile web-filtering type juniper-enhanced juniper-enhanced sockets <number>

First, modify the default value,

[email protected]> show version 
Hostname: SRX220
Model: srx220h-poe
JUNOS Software Release [12.1X44-D20.3]

TSC -- rp.cloud.threatseeker.com (116.50.57.140)

[email protected]% netstat -an | grep 116.50.57.140.80 | grep ESTABLISHED
tcp4 0 0 172.27.103.22.50002 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.55422 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.64229 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.56672 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.63388 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.57596 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.59446 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.65075 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.57203 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.62913 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.59819 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.64357 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.57303 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.53045 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.59151 116.50.57.140.80 ESTABLISHED

Modify the value to 8:

set security utm feature-profile web-filtering type juniper-enhanced juniper-enhanced sockets 8

Then, check the connections.

[email protected]% netstat -an | grep 116.50.57.140.80 | grep ESTABLISHED
tcp4 0 0 172.27.103.22.65234 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.55561 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.54781 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.60067 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.60770 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.56540 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.61861 116.50.57.140.80 ESTABLISHED
tcp4 0 0 172.27.103.22.52790 116.50.57.140.80 ESTABLISHED

[email protected]% fstat | grep "internet stream" | grep utmd
root utmd 1258 34* internet stream tcp c1f687f0
root utmd 1258 35* internet stream tcp c1f683f8
root utmd 1258 36* internet stream tcp c1f68000
root utmd 1258 37* internet stream tcp c1f67000
root utmd 1258 38* internet stream tcp c2ba23f8
root utmd 1258 39* internet stream tcp c2ba3de4
root utmd 1258 40* internet stream tcp c2ba37f0
root utmd 1258 41* internet stream tcp c2b69be8