tcp-fin and aged out

L4 Transporter

I know there are timeouts set for different applications. Is there a reason other than session table information? Is there any risk? Is it the firewall that is closing a connection? If so, why would it close an active connection? Is there a security reason why you should make the timeouts longer?

3 REPLIES

L7 Applicator

The timeouts set are for session table utilization, and activate when a packet is received. Every new packet on that session (5-tuple of sPort, dPort, sIP, dIP & protocol) will reset the timer.

The app timeouts won't apply for active connections, just idle ones. There is a risk if you increase it because the firewall still has to do extra work to remove an idle connection if your session table utilization is very high (over 80%). If you were to bump the idle time up on all your apps, and you had a big spike of new sessions, the accelerated aging mechanism would need to find the oldest idle connection and kill it so that the new session could get allocated. Compared with a normal age-out mechanism, it's much more expensive in terms of CPU.

The timeouts are based on data and analysis when the apps are put in or modified. Some customers find that they need longer idle timeouts for some apps because the software that uses those apps may be different. It's generally safe to adjust them how you want, just apply logic when you're doing it so you don't cause more work for the firewall. If an application will keep a connection idle for 3 hours sometimes, bump the app timeout to around that time. Don't put it at 7 days because you know it covers the 3 hours :)

Cheers,

Greg
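The following is an added illustration, not code from this thread or from PAN-OS, of the mechanism Greg describes: a toy session table keyed by 5-tuple where every packet resets the idle timer, idle sessions are aged out normally when their per-app timeout expires, and a full table forces "accelerated aging", a scan for the longest-idle session to evict so the new session can be allocated. The capacity, application names, addresses and the 3-hour vs 7-day timeouts are constructed sample values chosen to reproduce the situation in the reply.

```python
"""Toy model of a firewall session table with per-application idle timeouts.

Constructed illustration for this thread; it is not PAN-OS code and does not
reproduce PAN-OS internals. It shows why a 7-day idle timeout is worse than a
3-hour one when a burst of new sessions hits a nearly full table.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 5-tuple key: source IP, source port, destination IP, destination port, protocol
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Session:
    app: str
    last_packet: float  # time (seconds) the last packet on this 5-tuple was seen


class SessionTable:
    def __init__(self, capacity: int, app_timeouts: Dict[str, float],
                 default_timeout: float = 30.0):
        self.capacity = capacity
        self.app_timeouts = app_timeouts        # idle timeout per application, seconds
        self.default_timeout = default_timeout
        self.sessions: Dict[FiveTuple, Session] = {}
        self.stats = {"aged_out": 0, "accelerated_aged_out": 0, "scanned": 0}

    def timeout_for(self, app: str) -> float:
        return self.app_timeouts.get(app, self.default_timeout)

    def utilization(self) -> float:
        return len(self.sessions) / self.capacity

    def age_out(self, now: float) -> int:
        """Normal age-out: drop sessions idle for at least their app timeout."""
        expired = [k for k, s in self.sessions.items()
                   if now - s.last_packet >= self.timeout_for(s.app)]
        for k in expired:
            del self.sessions[k]
        self.stats["aged_out"] += len(expired)
        return len(expired)

    def accelerated_age(self, now: float) -> Optional[FiveTuple]:
        """Accelerated aging: evict the longest-idle session even though its
        timer has not expired, so a new session can be allocated. This scans
        the whole table, which is the extra CPU work the reply warns about."""
        if not self.sessions:
            return None
        self.stats["scanned"] += len(self.sessions)
        victim = max(self.sessions, key=lambda k: now - self.sessions[k].last_packet)
        del self.sessions[victim]
        self.stats["accelerated_aged_out"] += 1
        return victim

    def packet(self, key: FiveTuple, app: str, now: float) -> str:
        """Process one packet and report what happened to its session."""
        self.age_out(now)
        if key in self.sessions:
            self.sessions[key].last_packet = now   # any packet resets the idle timer
            return "refreshed"
        if len(self.sessions) >= self.capacity:   # no free slot: accelerated aging
            self.accelerated_age(now)
        self.sessions[key] = Session(app=app, last_packet=now)
        return "created"


def simulate(custom_app_timeout: float) -> dict:
    """Three idle sessions of a custom app, then a burst of new sessions four
    hours later into a table with room for four. Returns the table's counters."""
    table = SessionTable(capacity=4, app_timeouts={"custom-app": custom_app_timeout})
    for port in (40001, 40002, 40003):            # constructed sample flows
        table.packet(("10.0.0.5", port, "10.0.1.9", 8443, "tcp"), "custom-app", now=0.0)
    burst_time = 4 * 3600.0
    for port in (50001, 50002, 50003):
        table.packet(("10.0.0.7", port, "10.0.1.9", 443, "tcp"), "web-browsing", now=burst_time)
    return dict(table.stats, sessions=len(table.sessions))


if __name__ == "__main__":
    print("timeout 3h :", simulate(3 * 3600))    # idle sessions expire normally
    print("timeout 7d :", simulate(7 * 86400))   # burst forces accelerated aging
```

With the 3-hour timeout the three idle sessions are aged out by the normal timer before the burst needs their slots; with the 7-day timeout they are still "live" in the table, so two of the burst's sessions can only be allocated by scanning the table for the longest-idle entry and evicting it.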

Well now I am trying to create a custom application signature so I can set the one rule or session that needs to be kept open longer, and it's not working. Is there a trick to creating the custom apps?

You'll want to set that traffic with application override. It's port based so it's a lot less granular than the standard app-id process, but should get you what you need.

How to Create an Application Override Policy

-Greg
