SRX Dynamic Address limits
Hi All,

Does anyone know if there are any specific limits/bounds/impacts on the
number of IP addresses that can be imported into an SRX Dynamic Address
list, specifically for an SRX345?

https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dynamic-address.html

I have been trialling it for a little while now with a relatively small
number (around 3000 IPv4 and 1200 IPv6 entries), but I'm looking to do some
further GeoIP restrictions, which would likely be around another 22000 IPv4
entries I need to import for the specific countries I need. Will anything
topple/break with that many IPs in various dynamic lists?

I've tried looking, but my google-fu is failing to turn up any data on
limitations anywhere... I've found a reference to address sets ("One address
set can reference a maximum of 16384 address entries and a maximum of 256
address sets."), but I'm not sure that this applies to dynamic address list
entries, as I figure that restriction may have more to do with the SRX
having to parse a massive configuration file?

Thanks,
Chris
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: SRX Dynamic Address limits [ In reply to ]
I don't know if this is relevant or not in regards to the srx345, but I
recently stress tested an srx4100 and started to notice some
anomalies around 64k prefixes. I don't recall anything being logged, and it
reported that it loaded all >=64k prefixes; "show security match-policies"
gave the right answers, but some actual test traffic started to be logged
on an unexpected policy. Opening a ticket is on the TODO list.


One of our production srx4100s currently has 53k dynamic IPv4 prefixes without
skipping a beat:

> show security dynamic-address summary
.....
Instance Name : default
Total number of IPv4 entries : 232848
Total number of IPv4 entries from feed : 53445
Total number of IPv6 entries : 0
Total number of IPv6 entries from feed : 0


-Eric


On Fri, Mar 1, 2024 at 5:11 AM Chris Lee via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:
--
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554 cell: 971-998-6249 NOC 503-257-1510
Re: SRX Dynamic Address limits [ In reply to ]
Hi Eric,

Thanks for that; I'm not too sure whether the dynamic lists are stored in RAM or
some other onboard memory.

That said, I ended up loading the lists on an srx340 first, which is pretty
similar anyway, and couldn't see any issues, so I went ahead and loaded them on the
srx345s and it looks fine so far. I was a little out with my counts anyway,
as the lists I'm feeding are v4/v6, so the split ended up less than 20k v4
and less than 10k v6.

Instance Name : default
Total number of IPv4 entries : 18226
Total number of IPv4 entries from feed : 17258
Total number of IPv6 entries : 9733
Total number of IPv6 entries from feed : 9518

I just found another reference at
https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-policy-configuration.html
which has a table of the various models and suggests the srx345 can only
have 2048 address objects per policy, which is a bit confusing given the
previous link, but that was referring to address-sets I think.

In any case, this article seems to suggest to me that the policy memory usage is
definitely just loaded into regular RAM, and from what I've seen there was
a little bit of an uptick in memory usage, but only by a couple of hundred
MB, just a few percentage points in the overall usage on the RE that I can
see, so it doesn't look to be an issue.

I do have a pair of srx1600s on order to swap out the 345s. I just
realised the datasheet doesn't list how much RAM they ship with, as I was
mostly looking at them from the point of view of more throughput on
interfaces, but hopefully they have been a bit more generous on the memory
modules in the 1600s.

Thanks,
Chris


On Sat, Mar 2, 2024 at 1:51 AM Eric Harrison <eric.harrison@cascadetech.org>
wrote:
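Two things in this thread are easy to get wrong by hand: reading the counters out of `show security dynamic-address summary` (Eric's output above) and knowing the v4/v6 split of a mixed feed before loading it (Chris's miscount). The following is an added example, not code from the thread or from Juniper; the summary text and feed file are constructed samples, and the 64k review threshold is an assumption taken from Eric's stress-test observation, not a documented platform limit.

```python
import ipaddress
import re

# Constructed sample of "show security dynamic-address summary" output,
# using the figures Eric posted for his production srx4100.
SUMMARY_SAMPLE = """\
Instance Name : default
Total number of IPv4 entries : 232848
Total number of IPv4 entries from feed : 53445
Total number of IPv6 entries : 0
Total number of IPv6 entries from feed : 0
"""

# Constructed sample feed: mixed v4/v6, a duplicate, a comment and a bad line.
FEED_SAMPLE = """\
# constructed GeoIP-style feed (documentation prefixes only)
192.0.2.0/24
198.51.100.0/25
198.51.100.0/25
2001:db8::/32
2001:db8:1::/48
not-an-address
"""

# Assumed operator review threshold (Eric saw anomalies around 64k prefixes).
REVIEW_THRESHOLD = 64_000

def parse_summary(text):
    """Return {'ipv4', 'ipv4_feed', 'ipv6', 'ipv6_feed'} counters from summary output."""
    pat = re.compile(r"Total number of (IPv4|IPv6) entries( from feed)? : (\d+)")
    counts = {}
    for m in pat.finditer(text):
        key = m.group(1).lower() + ("_feed" if m.group(2) else "")
        counts[key] = int(m.group(3))
    return counts

def preflight_feed(text):
    """Count unique valid v4/v6 prefixes in a feed; collect lines that would not load."""
    v4, v6, invalid = set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            (v4 if ipaddress.ip_network(line, strict=False).version == 4 else v6).add(line)
        except ValueError:
            invalid.append(line)
    return {"ipv4": len(v4), "ipv6": len(v6), "invalid": invalid}

def needs_review(summary, feed, threshold=REVIEW_THRESHOLD):
    """True if adding the feed's IPv4 prefixes to those already loaded crosses the threshold."""
    return summary.get("ipv4_feed", 0) + feed["ipv4"] > threshold
```

Run the preflight against the real feed file and paste the live summary output in place of the sample before pushing a large GeoIP list; the invalid-line list is the part worth checking first.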
Re: SRX Dynamic Address limits [ In reply to ]
We're using stamparm/ipsum (Daily feed of bad IPs with blacklist hit
scores, <https://github.com/stamparm/ipsum>) with an SRX300.

~37k entries with no issues.

Address name : ipsum-l2
Address id : 11
IPv4 entries : 37317

Regards
Roger



On Fri, Mar 1, 2024 at 11:37 PM Chris Lee via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:
Re: SRX Dynamic Address limits [ In reply to ]
For IP feeds the limits are quite big.
But be aware that for URL feeds, for example, there is a limit of 1000 or 1500 URLs in a single feed, and platform limits for the total number of URLs.

https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/security-utm-custom-objects-url-feed.html

https://supportportal.juniper.net/s/article/SRX-What-is-the-maximum-URL-patterns-and-maximum-URLs-in-one-URL-pattern-limit-that-can-be-configured-on-vSRX-TVP-SRX-platforms?language=en_US


/Ola T