https://live.paloaltonetworks.com/t5/general-topics/why-tcp-aged-out/m-p/388395#M90501 <P>are the connections being identified as an app-id? cause then the default timeout will be inored in favor of the app timeout</P><P>&nbsp;</P><P>you could create a custom app with a 3 hour timeout and set an app override so all connections from zone1 to zone2 on those ports are forced to your custom&nbsp; app-id, which will also enforce the timeout</P> Mon, 01 Mar 2021 15:27:17 GMT reaper 2021-03-01T15:27:17Z https://live.paloaltonetworks.com/t5/general-topics/why-tcp-aged-out/m-p/388325#M90484 <P>Hi all,</P><P>Our developers are connecting from Zone1 to Zone2 with tcp (on ports between 2000 and 3000)</P><P>The tcp session timeout on firewall is 3 hours.</P><P>The security policy allows any application, any port from Zone1 to Zone2. But there are all default security profiles applied on that rule.</P><P>When going to Zone2, the source IP is NATted to the firewall interface IP of Zone2.</P><P>Still the sessions end with reason "aged-out" after 1 hour when there is no activity.</P><P>If we bypass the firewall, this behaviour is not observed. All other devices with and without firewall bypass are the same. Hence the suspicion on firewall.</P><P>Any idea what could be the reason or what parameters I can check?</P><P>Thanks!</P> Sun, 28 Feb 2021 23:29:43 GMT https://live.paloaltonetworks.com/t5/general-topics/why-tcp-aged-out/m-p/388325#M90484 rjdahav163 2021-02-28T23:29:43Z https://live.paloaltonetworks.com/t5/general-topics/why-tcp-aged-out/m-p/388373#M90494 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44973">@rjdahav163</a>&nbsp;</P><P>When monitoring the traffic logs using Monitor &gt; logs &gt; Traffic, some traffic is seen with the Session. Try this - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW</A></P> Mon, 01 Mar 2021 11:01:58 GMT https://live.paloaltonetworks.com/t5/general-topics/why-tcp-aged-out/m-p/388373#M90494 marcomi 2021-03-01T11:01:58Z https://live.paloaltonetworks.com/t5/general-topics/why-tcp-aged-out/m-p/388395#M90501 <P>are the connections being identified as an app-id? cause then the default timeout will be inored in favor of the app timeout</P><P>&nbsp;</P><P>you could create a custom app with a 3 hour timeout and set an app override so all connections from zone1 to zone2 on those ports are forced to your custom&nbsp; app-id, which will also enforce the timeout</P> Mon, 01 Mar 2021 15:27:17 GMT https://live.paloaltonetworks.com/t5/general-topics/why-tcp-aged-out/m-p/388395#M90501 reaper 2021-03-01T15:27:17Z