topic Re: Discard UDP from Paloalto Session TImeout in General Topics

Discard UDP from Paloalto Session TImeout

JoHyeonJae — Thu, 12 Jan 2023 00:53:06 GMT

Hello all,

Recently, customers are experiencing a phenomenon that Syslog traffic coming into the same source port remains in the Discarded Deny Session.

As a result of my checking, it was confirmed that it occurred while being constantly refreshed due to Discard UDP Timeout in Paloalto Session Timeout setting.

Discard UDP : Maximum length of time (in seconds) that a UDP session remains open after PAN-OS denies the session based on Security policy rules configured on the firewall (range is 1 to 15,999,999; default is 60).

Does anyone know why Discard UDP values are needed?

Thanks and regards,

Re: Discard UDP from Paloalto Session TImeout

TomYoung — Thu, 12 Jan 2023 18:06:18 GMT

Hi @JoHyeonJae ,

This document is a good reference -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/session-settings-and-timeouts/configure-session-timeouts.

The Note box indicates that they are optimal values that can be modified "according to your network needs." The UDP protocol has no mechanism to end a session like TCP. Therefore, the NGFW does not know when a session ends based upon packet inspection. It relies on the session aging out. This is why the most common Session End Reason for UDP under Monitor > Logs > Traffic is aged-out.

Notice also that the doc says you can adjust the application-specific timers. If your traffic is identified as "syslog," it has a UDP timeout of 30 seconds that overrides the global timeout. If you are positive it is a timeout issue, you can increase the App-ID timeout. Increasing the global timeouts will result in more active sessions on the NGFW.

This is a great article on session states -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0. Typically discard identifies a security policy or threat detection drop.

I am curious why the NGFW does not create a new UDP session if the old session timed out. As mentioned earlier, UDP is not like TCP with session setup and teardown.

Thanks,

Tom

Re: Discard UDP from Paloalto Session TImeout

JoHyeonJae — Fri, 13 Jan 2023 00:21:53 GMT

@TomYoung

Thank you for your kind explanation.

The cause that NGFW is not creating a new UDP session is still under analysis.

Could you please explain more what are the benefits of setting up Discard UDP timeout?

Thanks,

Re: Discard UDP from Paloalto Session TImeout

TomYoung — Fri, 13 Jan 2023 01:00:26 GMT

Hi @JoHyeonJae ,

The main value of adjusting the protocol timeouts is so that return traffic will be allowed through the NGFW based upon the session. Most syslog traffic is unidirectional. So, it should not be needed. Are you sure the syslog drops are caused by the UDP timeout value?

Thanks,

Tom

Re: Discard UDP from Paloalto Session TImeout

JoHyeonJae — Fri, 13 Jan 2023 01:09:09 GMT

@TomYoung

Yes, a Syslog failure has occurred and I have cleared all the discarded sessions, and syslog Issue has been resolved.

This is the reason why the customer asked me why Discard UDP is needed.