Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Ignoring control flags

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ignoring control flags

L4 Transporter

Is it possible to ignore tcp control flags in the Palo Alto?

I have a client where several nodes talk back to a server through the PAN. The nodes will send a FIN packet so the PAN will drop the session.. however, the vendor requires the session to stay up. In the ASA world, there is an option to -ignore control flags-.

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello mackwage,

As soon as the firewall sees one TCP packet with the FIN flag set, it will close the connection as soon as the number of seconds defined in timeout-tcpwait value expires. By default the timeout-tcpwait is set to 30 seconds.

Increase the timeout-tcpwait value. This can be done using the following command. Maximum value is 60 seconds.

In the configuration mode
#set deviceconfig setting session timeout-tcpwait <1-60>

#commit force

The above change can be cross checked with the following command. I changed the timeout-tcpwait value to 100 seconds

admin@94-PA-VM-300> show session info | match timeout

Session timeout

  TCP default timeout:                           3600 secs

  TCP session timeout before SYN-ACK received:      5 secs

  TCP session timeout before 3-way handshaking:    10 secs

  TCP session timeout after FIN/RST:              100 secs                     <------------------

  UDP default timeout:                             30 secs

  ICMP default timeout:                             6 secs

  other IP default timeout:                        30 secs

  Captive Portal session timeout:                  30 secs

  Session timeout in discard state:

admin@94-PA-VM-300>

The timeout value is a global setting and will affecting entire traffic.

Hope that helps!

Thanks and regards,

Kunal Adak

View solution in original post

3 REPLIES 3

L5 Sessionator

Hello mackwage,

As soon as the firewall sees one TCP packet with the FIN flag set, it will close the connection as soon as the number of seconds defined in timeout-tcpwait value expires. By default the timeout-tcpwait is set to 30 seconds.

Increase the timeout-tcpwait value. This can be done using the following command. Maximum value is 60 seconds.

In the configuration mode
#set deviceconfig setting session timeout-tcpwait <1-60>

#commit force

The above change can be cross checked with the following command. I changed the timeout-tcpwait value to 100 seconds

admin@94-PA-VM-300> show session info | match timeout

Session timeout

  TCP default timeout:                           3600 secs

  TCP session timeout before SYN-ACK received:      5 secs

  TCP session timeout before 3-way handshaking:    10 secs

  TCP session timeout after FIN/RST:              100 secs                     <------------------

  UDP default timeout:                             30 secs

  ICMP default timeout:                             6 secs

  other IP default timeout:                        30 secs

  Captive Portal session timeout:                  30 secs

  Session timeout in discard state:

admin@94-PA-VM-300>

The timeout value is a global setting and will affecting entire traffic.

Hope that helps!

Thanks and regards,

Kunal Adak

kadak

Thanks for the info but I am confused on one part..

Increase the timeout-tcpwait value. This can be done using the following command. Maximum value is 60 seconds.

In the configuration mode
#set deviceconfig setting session timeout-tcpwait <1-60>

#commit force

The above change can be cross checked with the following command. I changed the timeout-tcpwait value to 100 seconds

You said the max value is 60 seconds then set it to 100 seconds.. how does that work? Smiley Happy

Hello mackwage,

Pardon me, that command was taken from an older PANOS version.

In 5.0.9, the maximum limit you can set is 600 seconds.

admin@94-PA-VM-300> set session timeout-tcpwait

<value>  <1-600> set session tcp wait timeout value in seconds

Hope that helps!

Thanks and regards,

Kunal Adak

  • 1 accepted solution
  • 2539 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!