If you work with firewalls long enough you will undoubtably run into this issue. I have a webserver in the DMZ that needs to talk to the database server on the inside. The connections need to be nailed up. In otherwords, I dont want the firewalls to close any connections that it feels may be idle as this causes errors in the aplpication.
So, I cloned the service and attempted to change the TCP timeouts to zero.
Then, I created a rule high up in the scheme which states, from this webserver to this database server, using this custom service, Accept.
but when I look at the logs, the traffic isnt going through this rule and I have a suspicion that the timeouts are still occuring. When I look at my custom timeouts, they are now greyed with a 0-604800 setting on them.
Any clue as to why my rule wont trigget and what this greyed out 0-604800 means ? I attached the picture
Solved! Go to Solution.
I may have answered part of this myself. I just found the application override rules. I'm assuming that this is what I want to create? If so, the only remaining question is about the timeouts.
Does that greyed out 0-604800 mean Zero ? Or does it mean 604800 ?
Yes, Applicaction Override can be used to extend/shorten the timeouts of applications. You would match the app ovveride on src/dst IPs, tcp/udp ports and assign a new application for this traffic. The 0-604800 values is Zero to 604800. I don't recommend using a value= ZERO because it will never expire and tie up TCP/UDP sessions forever or until the next reboot of the PAN device. You should set this value to a high duration to meet your needs.
Thanks for the response
It needs to be 0 because the app won't support keep alives. Between these 2 servers there are 8 nailed up connections. 8 nailed up connections are not going to override the boxes capabilities. Only this traffic will be changed to the alternate traffic type.
So I guess I'm still left with, when I put in 0, why does the firewall change it to 0 - 604800 ? How do I disable TCP Timeouts for this particular stream ?
Justin...When you set it to ZERO this is the default so ZERO does not show up and you are left at the default, grey out 0 to 604800.
604800 seconds = 7 days and the TCP/UDP timeouts are idle sessions. Unless your traffic has no communication in 7 days, you can set the timeouts to 604800 or even half this value.
Enter the number of seconds before an idle application flow is terminated (0 to 7200). A zero indicates that there is no timeout (the default). This value is used for protocols other than TCP and UDP in all cases, and is used for TCP and UDP timeouts when the TCP timeout and UDP timeout are not specified.
TCP Timeout/UDP Timeout:
Enter the number of seconds before an idle TCP or UDP application flow is terminated (0 to 604800).
A zero indicates that there is no timeout (the default).
CORRECTION: a zero does not mean that there is no timeout. it means that the global session timer will be used. global session timer for TCP is 3600 seconds.
One oddity remains. When I look at the traffic in the logs, its still says the traffic type is 'Oracle'. I would think it would show that the traffic type is Oracle-no-timeout. I checked the policy numerous times and cant figure out what I am doing wrong.
Also, I have an end log for a session, but it doesnt say why it ended. If it ended due to a Firewall Timeout, would that show up in the logs?
Those may be existing Oracle sessions that finally ended, i.e sessions established prior to your app override. You can click on the log detail, magnifying-glass icon, and see the start and duration of the sessions. See attached screenshot.
Sessions established after you commit the app override should be logged as Oracle-no-timeout.
Sessions logged as 'end' can be because the application ended the connection or a timeout is reached.
Thanks.. I had the policy configured with 1 less IP then I needed. It's classifying correctly now.
It's odd that the log wont tell you why the session closed. That's important information. In Cisco logs you will either see a FIN or a TCP Timeout. I'm pretty sure the firewall is not timing me out so it's ok but in the future this could be critical.
Thanks again for your help,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!