Junos OS

  • 1.  Modifying default values (i.e. NAT table size, TCP session timeout) in J-6350

    Posted 05-13-2010 08:56

    Hello All,

    Is it possible to modify default values for parameters like NAT table size, TCP session timeout, etc., as it is on a Linux system:

    net.netfilter.nf_conntrack_max = 419430400
    net.netfilter.nf_conntrack_generic_timeout = 45
    net.netfilter.nf_conntrack_tcp_timeout_established = 3600
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 60

    I've been digging for this stuff for a while and found that it is possible to define a new application with an inactivity timeout, but there is nothing I can do with NAT.

    Any help would be appreciated.



  • 2.  RE: Modifying default values (i.e. NAT table size, TCP session timeout) in J-6350

    Posted 05-13-2010 09:06

    Hi,

    You can create custom applications and define a custom application timeout there:


    user@firewall# set applications application custom_app inactivity-timeout ?
    Possible completions:
      <timeout>            Number of seconds (4 .. 86400)
      never                Disables inactivity timeout

    The maximum size of the NAT table is predetermined by the specific SRX model you use. You can define some parameters here:


    user@firewall# set security flow tcp-session ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      no-sequence-check    Disable sequence-number checking
      no-syn-check         Disable creation-time SYN-flag check
      no-syn-check-in-tunnel  Disable creation-time SYN-flag check for tunnel packets
      rst-invalidate-session  Immediately end session on receipt of reset (RST) segment
      rst-sequence-check   Check sequence number in reset (RST) segment
      strict-syn-check     Enable strict syn check
      tcp-initial-timeout  Timeout for TCP session when initialization fails (20..300 seconds)

    In addition, by using the SCREEN feature (found under [edit security screen]) you can limit sessions based on source IP, destination IP, or both (but not on a per-policy basis like it is possible under ScreenOS).


    Regards,

    Dominik
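The following is an added example, not configuration posted in this thread, that puts the three pieces from the reply above together: a custom application with its own inactivity timeout, the policy that has to reference it for the timeout to apply, the global tcp-session knobs, and a zone-bound screen with session limits. It assumes the box runs Junos with flow-based forwarding (the [edit security] hierarchy is otherwise unavailable), and the zone names trust/untrust, the application name custom_app, TCP port 8443, the existing policy name default-permit and the limit values are all made up for illustration.

```junos
# Added example; zone names, custom_app, port 8443, default-permit and
# the numeric limits are assumptions, not values from the thread.

# 1. Custom application with its own inactivity timeout (seconds).
#    Sessions matched to this application idle out after one hour.
set applications application custom_app protocol tcp
set applications application custom_app destination-port 8443
set applications application custom_app inactivity-timeout 3600

# 2. The timeout only takes effect for sessions created by a policy
#    that references the application. Policies are evaluated top-down
#    and the first match wins, so this rule must sit above any broader
#    one (here an assumed existing policy named default-permit).
set security policies from-zone trust to-zone untrust policy long-lived-app match source-address any
set security policies from-zone trust to-zone untrust policy long-lived-app match destination-address any
set security policies from-zone trust to-zone untrust policy long-lived-app match application custom_app
set security policies from-zone trust to-zone untrust policy long-lived-app then permit
insert security policies from-zone trust to-zone untrust policy long-lived-app before policy default-permit

# 3. Global TCP flow behaviour: give up on half-open sessions after
#    20 seconds and tear a session down immediately on a RST.
set security flow tcp-session tcp-initial-timeout 20
set security flow tcp-session rst-invalidate-session

# 4. Per-source and per-destination session caps via a screen, bound
#    to the zone where the traffic enters the device.
set security screen ids-option untrust-screen limit-session source-ip-based 1000
set security screen ids-option untrust-screen limit-session destination-ip-based 4000
set security zones security-zone untrust screen untrust-screen

commit

# Verify from configuration mode: the per-session output shows the
# timeout actually assigned, and the summary shows how close the box
# is to the platform session limit from the data sheet.
run show security flow session destination-port 8443
run show security flow session summary
```

Two checks worth doing after the commit: confirm with the per-session output that the session's timeout really is 3600 rather than the predefined application's default (if it is not, the traffic is matching an earlier policy that does not reference custom_app), and watch the session summary under load, since the screen limits protect the session table from one noisy source but do not raise the platform's overall limit.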



  • 3.  RE: Modifying default values (i.e. NAT table size, TCP session timeout) in J-6350

    Posted 05-13-2010 23:59

    Thank you for your answer. Can you tell me where I can find those predefined values, i.e. the size of the NAT table for the J6350?



  • 4.  RE: Modifying default values (i.e. NAT table size, TCP session timeout) in J-6350
    Best Answer

    Posted 05-14-2010 00:24

    Hi,

    I'm not aware of a specific NAT table size restriction, only a session limit on every box that is listed in the data sheet. You should be able to get this number of sessions whether you use NAT or not.

    Regards,

    Dominik