02-28-2021 03:29 PM
Our developers are connecting from Zone1 to Zone2 with tcp (on ports between 2000 and 3000)
The tcp session timeout on firewall is 3 hours.
The security policy allows any application, any port from Zone1 to Zone2. But there are all default security profiles applied on that rule.
When going to Zone2, the source IP is NATted to the firewall interface IP of Zone2.
Still the sessions end with reason "aged-out" after 1 hour when there is no activity.
If we bypass the firewall, this behaviour is not observed. All other devices with and without firewall bypass are the same. Hence the suspicion on firewall.
Any idea what could be the reason or what parameters I can check?
03-01-2021 03:01 AM
When monitoring the traffic logs using Monitor > logs > Traffic, some traffic is seen with the Session. Try this - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW
03-01-2021 07:27 AM
are the connections being identified as an app-id? cause then the default timeout will be inored in favor of the app timeout
you could create a custom app with a 3 hour timeout and set an app override so all connections from zone1 to zone2 on those ports are forced to your custom app-id, which will also enforce the timeout
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!