https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-session-timeout/m-p/515289#M399 <P>Hello Team,</P> <P>&nbsp;</P> <P>Just a query - wanted to understand few things related to PA- sessions timeout.</P> <P>&nbsp;</P> <P>We have a server -&nbsp; &nbsp;which needs to connect to a specific port say 8xxx or 9xxx but unfortunately it requires connection to be established till more that 10 hours say 12 hours for example.</P> <P>&nbsp;</P> <P>So how can i achieve this ?</P> <P>&nbsp;</P> <P>1. can i change global setting of TCP session of 3600 to&nbsp;43200 -12 hours , if yes that what impact will i be facing.</P> <P>current scenario my MP and DP load is 3-6%</P> <P>&nbsp;</P> <P>2. For that security policy - under service ports - 8xxx and 9xxx if i increase the TCP session timeout setting to&nbsp;43200 -12 hours.</P> <P>will it override the global settings which is applied for all sessions ?</P> <P>&nbsp;</P> <P>Please guide or at least provide a specific document to justify to the customer.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 19 Sep 2022 15:29:52 GMT Doyenadmin 2022-09-19T15:29:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-session-timeout/m-p/515289#M399 <P>Hello Team,</P> <P>&nbsp;</P> <P>Just a query - wanted to understand few things related to PA- sessions timeout.</P> <P>&nbsp;</P> <P>We have a server -&nbsp; &nbsp;which needs to connect to a specific port say 8xxx or 9xxx but unfortunately it requires connection to be established till more that 10 hours say 12 hours for example.</P> <P>&nbsp;</P> <P>So how can i achieve this ?</P> <P>&nbsp;</P> <P>1. can i change global setting of TCP session of 3600 to&nbsp;43200 -12 hours , if yes that what impact will i be facing.</P> <P>current scenario my MP and DP load is 3-6%</P> <P>&nbsp;</P> <P>2. For that security policy - under service ports - 8xxx and 9xxx if i increase the TCP session timeout setting to&nbsp;43200 -12 hours.</P> <P>will it override the global settings which is applied for all sessions ?</P> <P>&nbsp;</P> <P>Please guide or at least provide a specific document to justify to the customer.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 19 Sep 2022 15:29:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-session-timeout/m-p/515289#M399 Doyenadmin 2022-09-19T15:29:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-session-timeout/m-p/515649#M405 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/227096">@Doyenadmin</a></P> <P>&nbsp;</P> <P>thank you for the post.</P> <P>&nbsp;</P> <P>1. Personally, I would start with changing it on application / service port level first instead of changing it globally for all sessions. Regarding impact changing this globally, it is hard to give estimate without knowing your customer traffic environment, however since firewall has to maintain sessions for prolog time, you could doble your DP utilization. Also you should watch for maximum session count and memory utilization.</P> <P>&nbsp;</P> <P>2. This is correct understanding. Changing time out on service port level will override global setting:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/service-based-session-timeouts" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/service-based-session-timeouts</A></P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 21 Sep 2022 21:45:48 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-session-timeout/m-p/515649#M405 PavelK 2022-09-21T21:45:48Z https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-session-timeout/m-p/515671#M406 <P>Thanks alot&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;for confirming the same, appreciate your help.</P> Thu, 22 Sep 2022 04:26:23 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/tcp-session-timeout/m-p/515671#M406 Doyenadmin 2022-09-22T04:26:23Z