Next-Generation Firewall
Configure Session Timeout
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 11.2
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
Configure Session Timeout
Define the duration of time for which the firewall maintains a session after
inactivity in the session.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of these:
|
A session timeout defines the duration of time for which the firewall maintains a
session after inactivity. By default, when the session timeout for the protocol
expires, the firewall closes the session. You can define a number of timeouts for
TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other
type of session. The timeouts are global, meaning they apply to all of the sessions
of that type on the firewall.
You can also configure a global ARP cache timeout setting, which controls how long
the firewall keeps ARP entries (IP address-to-hardware addresses mappings) in its
cache.
- Log in to Strata Cloud Manager.
- Select ManageConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupSession and select the Configuration Scope where you want to configure the session timeout settings.You can select a folder or firewall from your Folders or select Snippets to configure the session timeout settings in a snippet.
- Configure the miscellaneous timeout settings.
- Default (sec)—Maximum length of time that a TCP session remains open after it’s denied based on a Security policy configured on the firewall.Range is 1 to 15,999,999; default is 90.
- Discard Default (sec)—Maximum length of time that a non-TCP/UDP session remains open after the firewall denies a session based on configured Security policies.Range is 1 to 15,999,999; default is 60.
- Scan (sec)—Maximum length of time that any session remains open after it’s considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the applicationRange is 5 to 30; default is 10.
- Captive Portal (sec)—Authentication session timeout for the Authentication Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticatedRange is 1 to 15,999,999; default is 30.
- Configure the TCP timeout settings.
- Discard TCP (sec)—Maximum length of time that a TCP session remains open after it’s denied based on a Security policy configured on the firewall.Range is 1 to 15,999,999; default is 90.
- TCP (sec)—Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete, while data is being transmitted, or both).Range is 1 to 15,999,999; default is 3,600.
- TCP Handshake (sec)—Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session.Range is 1 to 60; default is 10.
- TCP Init (sec)—Maximum length of time permitted between receiving the SYN and SYN-ACK before starting the TCP handshake timer.Range is 1 to 60; default is 5.
- TCP Half Closed (sec)—Maximum length of time between receiving the first FIN and receiving the second FIN or an RST.Range is 1 to 604,800; default is 120.
- TCP Time Wait (sec)—Maximum length of time after receiving the second FIN or an RST.Range is 1 to 600; default is 15.
- Unverified RST—Maximum length of time after receiving an RST that can’t be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path).Range is 1 to 600; default is 30.
- Configure the UDP timeout settings.
- Discard UDP (sec)—Maximum length of time that a UDP session remains open after it’s denied based on a Security policy configured on the firewall.Range is 1 to 15,999,999; default is 60.
- UDP (sec)—Maximum length of time that a UDP session remains open without a UDP response.Range is 1 to 15,999,999; default is 30.
- Configure the ICMP timeout settings.
- ICMP (sec)—Maximum length of time that an ICMP session can be open without an ICMP response.Range is 1 to 15,999,999; default is 6.
- Save.
- (Optional) Configure the remaining firewall session settings.
- Push Config to push your configuration changes.