Configure VPN Session Settings
Focus
Focus
Next-Generation Firewall

Configure VPN Session Settings

Table of Contents

Configure VPN Session Settings

Modify the default VPN session settings for your firewall.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?What Do I Need?
One of these:
Configure the VPN session settings for your firewall to define the global settings related to the firewall establishing a VPN session. You can configure some or all of the VPN session settings for your firewall as needed.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupSession and select the Configuration Scope where you want to configure the VPN session settings.
    You can select a folder or firewall from your Folders or select Snippets to configure the VPN session settings in a snippet.
  3. Click the cog wheel to edit the VPN Session Settings and Customize.
    If you modified the VPN Session Settings for a nested folder or individual device, you can Revert to Inherited to revert the VPN Session Settings configuration from the Customized configuration to that inherited from the parent folder of the nester folder or that inherited from the folder the firewall is associated with.
  4. Set the Cookie Activation Threshold to specify a maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered.
    When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.
    Range is 0 to 65535; default is 500. A value of 0 means that cookie validation is always on.
    The Cookie Activation Threshold is a global firewall setting and should be lower than the Maximum Half Opened SA setting, which is also global.
  5. Set the Maximum Halfway Opened SA to specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the firewall without getting a response.
    Once the maximum is reached, the firewall won’t respond to new IKE_SA_INIT packets.
    Range is 0 to 65535; default is 65535.
  6. Set the Maximum Cached Certificates to specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the firewall can cache.
    This value is used only by the IKEv2 Hash and URL feature.
    Range is 0 to 4000; default is 500.
  7. Save.
  8. (Optional) Configure the remaining firewall session settings.
  9. Push Config to push your configuration changes.