Discard UDP from Paloalto Session TImeout

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Discard UDP from Paloalto Session TImeout

L3 Networker

Screenshot 2023-01-12 at 9.40.17 AM.png

Hello all,

Recently, customers are experiencing a phenomenon that Syslog traffic coming into the same source port remains in the Discarded Deny Session.

As a result of my checking, it was confirmed that it occurred while being constantly refreshed due to Discard UDP Timeout in Paloalto Session Timeout setting.

Discard UDP : Maximum length of time (in seconds) that a UDP session remains open after PAN-OS denies the session based on Security policy rules configured on the firewall (range is 1 to 15,999,999; default is 60).

Does anyone know why Discard UDP values are needed?

Thanks and regards,

4 REPLIES 4

Cyber Elite
Cyber Elite

Hi @JoHyeonJae ,

 

This document is a good reference -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/session-settings-and-timeouts/....

 

The Note box indicates that they are optimal values that can be modified "according to your network needs."  The UDP protocol has no mechanism to end a session like TCP.  Therefore, the NGFW does not know when a session ends based upon packet inspection.  It relies on the session aging out.  This is why the most common Session End Reason for UDP under Monitor > Logs > Traffic is aged-out.

 

Notice also that the doc says you can adjust the application-specific timers.  If your traffic is identified as "syslog," it has a UDP timeout of 30 seconds that overrides the global timeout.  If you are positive it is a timeout issue, you can increase the App-ID timeout.  Increasing the global timeouts will result in more active sessions on the NGFW.

 

This is a great article on session states -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0.  Typically discard identifies a security policy or threat detection drop.

 

I am curious why the NGFW does not create a new UDP session if the old session timed out.  As mentioned earlier, UDP is not like TCP with session setup and teardown.

 

Thanks,

 

Tom

 

Help the community: Like helpful comments and mark solutions.

@TomYoung 

Thank you for your kind explanation.


The cause that NGFW is not creating a new UDP session is still under analysis.

Could you please explain more what are the benefits of setting up Discard UDP timeout?

Thanks,

Cyber Elite
Cyber Elite

Hi @JoHyeonJae ,

 

The main value of adjusting the protocol timeouts is so that return traffic will be allowed through the NGFW based upon the session.  Most syslog traffic is unidirectional.  So, it should not be needed.  Are you sure the syslog drops are caused by the UDP timeout value?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

@TomYoung 

Yes, a Syslog failure has occurred and I have cleared all the discarded sessions, and syslog Issue has been resolved.

This is the reason why the customer asked me why Discard UDP is needed.

  • 1830 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!