12-19-2013 06:38 AM
Is it possible to ignore tcp control flags in the Palo Alto?
I have a client where several nodes talk back to a server through the PAN. The nodes will send a FIN packet so the PAN will drop the session.. however, the vendor requires the session to stay up. In the ASA world, there is an option to -ignore control flags-.
12-19-2013 10:25 AM
Hello mackwage,
As soon as the firewall sees one TCP packet with the FIN flag set, it will close the connection as soon as the number of seconds defined in timeout-tcpwait value expires. By default the timeout-tcpwait is set to 30 seconds.
Increase the timeout-tcpwait value. This can be done using the following command. Maximum value is 60 seconds.
In the configuration mode
#set deviceconfig setting session timeout-tcpwait <1-60>
#commit force
The above change can be cross checked with the following command. I changed the timeout-tcpwait value to 100 seconds
admin@94-PA-VM-300> show session info | match timeout
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP session timeout after FIN/RST: 100 secs <------------------
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
admin@94-PA-VM-300>
The timeout value is a global setting and will affecting entire traffic.
Hope that helps!
Thanks and regards,
Kunal Adak
12-19-2013 10:25 AM
Hello mackwage,
As soon as the firewall sees one TCP packet with the FIN flag set, it will close the connection as soon as the number of seconds defined in timeout-tcpwait value expires. By default the timeout-tcpwait is set to 30 seconds.
Increase the timeout-tcpwait value. This can be done using the following command. Maximum value is 60 seconds.
In the configuration mode
#set deviceconfig setting session timeout-tcpwait <1-60>
#commit force
The above change can be cross checked with the following command. I changed the timeout-tcpwait value to 100 seconds
admin@94-PA-VM-300> show session info | match timeout
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP session timeout after FIN/RST: 100 secs <------------------
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
admin@94-PA-VM-300>
The timeout value is a global setting and will affecting entire traffic.
Hope that helps!
Thanks and regards,
Kunal Adak
12-19-2013 06:19 PM
Thanks for the info but I am confused on one part..
Increase the timeout-tcpwait value. This can be done using the following command. Maximum value is 60 seconds.In the configuration mode
#set deviceconfig setting session timeout-tcpwait <1-60>#commit force
The above change can be cross checked with the following command. I changed the timeout-tcpwait value to 100 seconds
You said the max value is 60 seconds then set it to 100 seconds.. how does that work? 
12-20-2013 09:51 AM
Hello mackwage,
Pardon me, that command was taken from an older PANOS version.
In 5.0.9, the maximum limit you can set is 600 seconds.
admin@94-PA-VM-300> set session timeout-tcpwait
<value> <1-600> set session tcp wait timeout value in seconds
Hope that helps!
Thanks and regards,
Kunal Adak
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
