06-04-2015 06:17 AM
I know there are timeouts set for different applications. Is there a reason for them other than session table information? Is there any risk? Is it the firewall that is closing a connection? If so, why would it close an active connection? Is there a security reason why you should make the timeouts longer?
06-04-2015 10:29 AM
The timeouts set are for session table utilization, and activate when a packet is received. Every new packet on that session (5-tuple of sPort, dPort, sIP, dIP & protocol) will reset the timer.
The app timeouts won't apply for active connections, just idle ones. There is a risk if you increase it because the firewall still has to do extra work to remove an idle connection if your session table utilization is very high (over 80%). If you were to bump the idle time up on all your apps, and you had a big spike of new sessions, the accelerated aging mechanism would need to find the oldest idle connection and kill it so that the new session could get allocated. Compared with a normal age-out mechanism, it's much more expensive in terms of CPU.
The timeouts are based on data and analysis when the apps are put in or modified. Some customers find that they need longer idle timeouts for some apps because the software that uses those apps may be different. It's generally safe to adjust them however you want, just apply logic when you're doing it so you don't cause more work for the firewall. If an application will keep a connection idle for 3 hours sometimes, bump the app timeout to around that time. Don't put it at 7 days because you know it covers the 3 hours.
Cheers,
Greg
06-05-2015 08:55 AM
Well, now I am trying to create a custom application signature so I can set the one rule or session that needs to be kept open longer, and it's not working. Is there a trick to creating the custom apps?
06-05-2015 03:10 PM
You'll want to set that traffic with application override. It's port based so it's a lot less granular than the standard app-id process, but should get you what you need.
How to Create an Application Override Policy
-Greg
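To make Greg's two points concrete (idle timers that reset on every packet of a 5-tuple, normal age-out versus the costlier accelerated aging under session-table pressure, and a port-based application override that gives one kind of flow a longer timeout), here is a toy session-table model. It is an added example written for this thread, not PAN-OS code and not anything Greg posted: the timeout values, the 80% threshold, the 2x aging factor, the tcp/9443 override rule, the traffic pattern and every function name are assumptions chosen to make the mechanics visible, not vendor defaults.

```python
"""Constructed toy model of a stateful firewall session table.  Added example,
not PAN-OS code: the timeout values, the 80% threshold, the 2x scaling factor,
the override rule and the helper names are all assumptions chosen to make the
mechanics visible."""
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "proto sip sport dip dport")

# Assumed per-app idle timeouts in seconds (not vendor defaults).
DEFAULT_TIMEOUTS = {"web-browsing": 1800, "ssh": 3600, "custom-long-lived": 3 * 3600}

# Assumed application-override rule: (proto, dport) -> app.  It is purely port
# based, so every flow to tcp/9443 is relabelled regardless of its payload.
OVERRIDE_RULES = {("tcp", 9443): "custom-long-lived"}


def classify(ft):
    """Override rules win; otherwise a stand-in for App-ID keyed on dport."""
    app = OVERRIDE_RULES.get((ft.proto, ft.dport))
    return app or {22: "ssh"}.get(ft.dport, "web-browsing")


class SessionTable:
    def __init__(self, capacity, timeouts, accel_threshold=0.8, accel_scale=2):
        self.capacity, self.timeouts = capacity, dict(timeouts)
        self.accel_threshold, self.accel_scale = accel_threshold, accel_scale
        self.sessions = {}                     # FiveTuple -> [app, last_seen]
        self.evicted = {"normal": 0, "accelerated": 0}
        self.scan_work = 0                     # entries examined under pressure

    def utilization(self):
        return len(self.sessions) / self.capacity

    def age_out(self, now, scale=1):
        """Remove sessions idle longer than their app timeout (divided by scale)."""
        expired = [ft for ft, (app, last) in self.sessions.items()
                   if now - last > self.timeouts[app] / scale]
        for ft in expired:
            del self.sessions[ft]
        return len(expired)

    def packet(self, ft, now):
        """A packet on an existing 5-tuple only resets its timer; a new 5-tuple
        needs a slot, which is cheap below the threshold and expensive above it."""
        self.evicted["normal"] += self.age_out(now)
        if ft in self.sessions:
            self.sessions[ft][1] = now
            return "refreshed"
        if self.utilization() >= self.accel_threshold:
            # Accelerated aging (assumed model): walk the whole table with
            # shortened timeouts, and if nothing is reclaimable, kill the
            # longest-idle session so the new one can be allocated.
            self.scan_work += len(self.sessions)
            self.evicted["accelerated"] += self.age_out(now, self.accel_scale)
            if len(self.sessions) >= self.capacity:
                victim = max(self.sessions, key=lambda k: now - self.sessions[k][1])
                del self.sessions[victim]
                self.evicted["accelerated"] += 1
        self.sessions[ft] = [classify(ft), now]
        return "allocated"


def flow(sport, dport=443):
    # Constructed traffic: one client, varying source port, to a fixed server.
    return FiveTuple("tcp", "10.0.0.5", sport, "192.0.2.10", dport)


def burst_cost(timeouts, capacity=4):
    """Four flows open at t=0, flow 0 sends again at t=1000, then a burst of
    four new flows arrives at t=2500.  Returns eviction counts and scan work."""
    table = SessionTable(capacity, timeouts)
    for i in range(4):
        table.packet(flow(40000 + i), now=0)
    table.packet(flow(40000), now=1000)        # resets flow 0's idle timer
    for i in range(4):
        table.packet(flow(50000 + i), now=2500)
    return table.evicted, table.scan_work


def override_survives(idle_seconds=2 * 3600):
    """Two flows idle for the same time: the overridden port keeps its longer
    timeout, the ordinary one is aged out.  Returns the surviving apps."""
    table = SessionTable(10, DEFAULT_TIMEOUTS)
    table.packet(flow(41000, 443), now=0)
    table.packet(flow(41001, 9443), now=0)
    table.age_out(now=idle_seconds)
    return sorted(app for app, _ in table.sessions.values())


if __name__ == "__main__":
    print("sensible timeouts:", burst_cost(DEFAULT_TIMEOUTS))
    print("7-day timeouts:   ", burst_cost({a: 7 * 86400 for a in DEFAULT_TIMEOUTS}))
    print("survivors after 2h idle:", override_survives())
```

With the assumed 30-minute timeout, the burst is absorbed almost entirely by normal aging (three sessions expire on their own, one table scan under pressure). Raising every timeout to 7 days turns the same burst into four forced evictions and four full-table scans, which is the extra CPU cost Greg warns about. The override check shows the other half of the thread: a flow to the overridden port survives two hours idle while an ordinary web-browsing flow does not, without touching any other app's timeout.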