<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: tcp-fin and aged out in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19788#M14442</link>
    <pubDate>Thu, 04 Jun 2015 17:29:31 GMT</pubDate>
    <dc:creator>gwesson</dc:creator>
    <dc:date>2015-06-04T17:29:31Z</dc:date>
    <item>
      <title>tcp-fin and aged out</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19787#M14441</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I know there are timeouts set for different applications. Is there a reason other than session table information? Is there any risk? Is it the firewall that is closing a connection? If so, why would it close an active connection? Is there a security reason why you should make the timeouts longer?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Jun 2015 13:17:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19787#M14441</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-06-04T13:17:09Z</dc:date>
    </item>
    <item>
      <title>Re: tcp-fin and aged out</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19788#M14442</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The timeouts set are for session table utilization, and activate when a packet is received. Every new packet on that session (5-tuple of sPort, dPort, sIP, dIP &amp;amp; protocol) will reset the timer.&lt;/P&gt;&lt;P&gt;The app timeouts won't apply for active connections, just idle ones. There is a risk if you increase it because the firewall still has to do extra work to remove an idle connection if your session table utilization is very high (over 80%). If you were to bump the idle time up on all your apps, and you had a big spike of new sessions, the accelerated aging mechanism would need to find the oldest idle connection and kill it so that the new session could get allocated. Compared with a normal age-out mechanism, it's much more expensive in terms of CPU.&lt;/P&gt;&lt;P&gt;The timeouts are based on data and analysis when the apps are put in or modified. Some customers find that they need longer idle timeouts for some apps because the software that uses those apps may be different. It's generally safe to adjust them how you want, just apply logic when you're doing it so you don't cause more work for the firewall. If an application will keep a connection idle for 3 hours sometimes, bump the app timeout to around that time. Don't put it at 7 days because you know it covers the 3 hours :)&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Greg&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Jun 2015 17:29:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19788#M14442</guid>
      <dc:creator>gwesson</dc:creator>
      <dc:date>2015-06-04T17:29:31Z</dc:date>
    </item>
    <item>
      <title>Re: tcp-fin and aged out</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19789#M14443</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Well, now I am trying to create a custom application signature so I can set the one rule or session that needs to be kept open longer, and it's not working. Is there a trick to creating the custom apps?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 05 Jun 2015 15:55:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19789#M14443</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-06-05T15:55:59Z</dc:date>
    </item>
    <item>
      <title>Re: tcp-fin and aged out</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19790#M14444</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You'll want to set that traffic with application override. It's port based, so it's a lot less granular than the standard App-ID process, but should get you what you need.&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-1071"&gt;How to Create an Application Override Policy&lt;/A&gt;&lt;/P&gt;&lt;P&gt;-Greg&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 05 Jun 2015 22:10:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-fin-and-aged-out/m-p/19790#M14444</guid>
      <dc:creator>gwesson</dc:creator>
      <dc:date>2015-06-05T22:10:46Z</dc:date>
    </item>
  </channel>
</rss>