View Only


This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.

  • 1.  Firewall - to much security policies with 0 hit count.

    Posted 02-07-2022 11:33
    HI All,
    actually, i have a srx with more than 2500 security policies with 0 hit counts. However, to help me to proceed with internal process to remove the rules, i would like to know if so much security policies unused can bring any performance issue. I mean, a big number of unused security policies can decrease srx performance? I didn´t find any documentation that can help me to respond this question.


    João Victor

  • 2.  RE: Firewall - to much security policies with 0 hit count.

    Posted 02-08-2022 05:38
    The issue is more the overall limit of configuration size and not performance The full policy list is only evaluated once per flow at the beginning.  After that the tuple match works against the existing flow table using the short path.  This does not involve any of the policy chain.

    Juniper used to list a number of policy limit, but with more current processor and storage speeds this no longer seems to be an issue either.

    The main reason to remove unused policy is that they open a potential attack surface vector for malicious actors.  If you don't need to policy to exist for legitimate traffic then keeping in in place is just one more potential avenue of entrance for bad actors.

    For rarely used policies like DR or other rare periodic events you can use deactivate to keep the policy in the configuration but not being used while being easily restored when actually needed as another option.

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)