About jkw117

Okay, so the basic gist of what is going. We are moving from an ASA to a PA-3020 a vendor we work with needs to have these timeout settings: arp timeout 14400 timeout xlate 3:00:00 timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 12:30:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00   we set them globally on our ASA, but now we want to use an application specific timeout on the paloalto. I made a custom app, and then made an override for it so that as long as the traffic was going over the specified port and between specific clients and their server it was marked as the new custom appid I made with these timeouts: Timeout: 3600 TCP Timeout:3600 UDP Timeout: blank TCP half closed: 600 TCP Time Wait: 600   Even with these settings the application is still resetting it's tcp session and essentially logging them out of the app. Any suggestions, and I really don't want to set these settings globally.   ... View more

I'm starting to setup an Active/Active cluster And I'm looking at using arp-Load-Sharing as that seems to be the fault tolerant/load balancing one. So here's the question will SSL VPN (web interface) & site2site vpn's (with cisco and sonicwall devices) work with Arp-Load-Sharing, or should I switch to Floating IP. Also we are going to be using these firewalls to replace our proxy server (with content filtering), AD authentication, as well as the full gambit of APP-ID and user-id etc... And if there's any +'s or -'s to each. And/or should the arp-Load-Sharing only be used internal and the floating-IP used for external with an ISP? Just trying to figure out the best practice here before going to far. Message was edited by: Kyle Weir ... View more