Configure VPN Session Settings
Next-Generation Firewall

Modify the default VPN session settings for your firewall.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
Configure the VPN session settings for your firewall to define the global settings related to the firewall establishing a VPN session. You can configure some or all of the VPN session settings for your firewall as needed.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Device Setup > Session and select the Configuration Scope where you want to configure the VPN session settings.
    You can select a folder or firewall from your Folders or select Snippets to configure the VPN session settings in a snippet.
  3. Click the cog wheel to edit the VPN Session Settings and Customize.
    If you modified the VPN Session Settings for a nested folder or individual device, you can Revert to Inherited to revert the VPN Session Settings configuration from the Customized configuration to the one inherited from the parent folder of the nested folder, or from the folder the firewall is associated with.
  4. Set the Cookie Activation Threshold to specify a maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered.
    When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.
    Range is 0 to 65535; default is 500. A value of 0 means that cookie validation is always on.
    The Cookie Activation Threshold is a global firewall setting and should be lower than the Maximum Half Opened SA setting, which is also global.
  5. Set the Maximum Halfway Opened SA to specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the firewall without getting a response.
    Once the maximum is reached, the firewall won’t respond to new IKE_SA_INIT packets.
    Range is 0 to 65535; default is 65535.
  6. Set the Maximum Cached Certificates to specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the firewall can cache.
    This value is used only by the IKEv2 Hash and URL feature.
    Range is 0 to 4000; default is 500.
  7. Save.
  8. (Optional) Configure the remaining firewall session settings.
  9. Push Config to push your configuration changes.
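
The following added example (not Palo Alto Networks code) models how the Cookie Activation Threshold and the half-open SA maximum from steps 4 and 5 interact on a responder. The class and method names are hypothetical, and the cookie construction is the one suggested in RFC 7296 section 2.6, which is an assumption about the mechanism rather than a statement about the firewall's implementation.

```python
import hashlib
import hmac
import os


class Responder:
    """Toy model of an IKEv2 responder; hypothetical, not firewall code."""

    def __init__(self, cookie_threshold=500, max_half_open=65535):
        # Defaults and the 0-65535 range are the ones stated on this page.
        for value in (cookie_threshold, max_half_open):
            if not 0 <= value <= 65535:
                raise ValueError("setting must be in the range 0-65535")
        if cookie_threshold >= max_half_open:
            raise ValueError("cookie threshold should be lower than the half-open maximum")
        self.cookie_threshold = cookie_threshold
        self.max_half_open = max_half_open
        self.half_open = 0              # IKE SAs that have not completed yet
        self.secret = os.urandom(32)    # local secret, never sent on the wire
        self.secret_version = b"\x01"

    def _cookie(self, ip_i, spi_i, nonce_i):
        # RFC 7296 section 2.6 suggestion: version | Hash(Ni | IPi | SPIi | secret)
        digest = hashlib.sha256(nonce_i + ip_i + spi_i + self.secret).digest()
        return self.secret_version + digest

    def handle_ike_sa_init(self, ip_i, spi_i, nonce_i, cookie=None):
        """Return (action, cookie_to_send) for one incoming IKE_SA_INIT."""
        if self.half_open >= self.max_half_open:
            return ("DROP", None)                   # maximum reached: no response
        cookies_on = (self.cookie_threshold == 0
                      or self.half_open > self.cookie_threshold)
        if cookies_on:
            expected = self._cookie(ip_i, spi_i, nonce_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return ("COOKIE", expected)         # stateless: nothing is stored
        self.half_open += 1                         # state is allocated only here
        return ("ACCEPT", None)

    def sa_established(self):
        """Negotiation finished or timed out: free the half-open slot."""
        self.half_open = max(0, self.half_open - 1)
```

Because the cookie is recomputed from the request and a local secret, a request that fails validation costs the responder one hash and no memory, which is why the threshold only protects the half-open table if it sits below the maximum.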
