Session Settings
The following table describes session settings.
Session Settings | Description |
---|---|
Rematch Sessions | Click Edit and select Rematch Sessions to cause the firewall to apply newly committed Security policy rules to sessions that are already in progress. This capability is enabled by default. If you disable it, a policy rule change applies only to sessions initiated after the change is committed. For example, if a Telnet session started while a policy rule allowed Telnet and you subsequently commit a rule change that denies Telnet, the firewall (with Rematch Sessions enabled) re-evaluates the current session against the revised rule and blocks it. Keep Rematch Sessions enabled so that your latest Security policy rules apply to currently active sessions, not only to new ones. |
ICMPv6 Token Bucket Size | Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10 to 65,535 packets; default is 100). |
ICMPv6 Error Packet Rate | Enter the average number of ICMPv6 error packets per second allowed globally through the firewall (range is 10 to 65,535; default is 100). This value applies to all interfaces. If the firewall reaches the ICMPv6 error packet rate, it uses the ICMPv6 token bucket to throttle ICMPv6 error messages. |
Enable IPv6 Firewalling | To enable firewall capabilities for IPv6 traffic, Edit and select IPv6 Firewalling. The firewall ignores all IPv6-based configurations if you do not enable IPv6 firewalling. Even if you enable IPv6 traffic on an interface, you must also enable the IPv6 Firewalling option for IPv6 firewalling to function. |
ERSPAN Support | Enable the firewall to terminate Generic Routing Encapsulation (GRE) tunnels and decapsulate Encapsulated Remote Switched Port Analyzer (ERSPAN) data. This is useful for security services such as IoT Security. Network switches mirror network traffic and use ERSPAN to send it to the firewall through GRE tunnels. After decapsulating the data, the firewall inspects it much as it inspects traffic received on a TAP port. It then creates enhanced application logs (EALs) and Traffic, Threat, WildFire, URL, Data, GTP (when GTP is enabled), SCTP (when SCTP is enabled), Tunnel, Authentication, and Decryption logs, and forwards these logs to the logging service, where IoT Security accesses and analyzes the data. |
Enable Jumbo Frame Global MTU | Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,192 bytes and are available only on certain models. If you enable jumbo frames, any interface whose MTU is not explicitly configured automatically inherits the jumbo frame size. Therefore, before you enable jumbo frames, explicitly set the MTU (for example, to 1,500 bytes) on every interface on which you do not want to allow jumbo frames. To configure the MTU for an interface (Network > Interfaces > Ethernet), see PA-7000 Series Layer 3 Interface. |
DHCP Broadcast Session | If your firewall is acting as a DHCP server, select this option to enable session logs for DHCP broadcast packets. The DHCP Broadcast Session option enables generation of Enhanced Application Logs (EAL logs) for DHCP for use by IoT Security and other services. If you do not enable this option, the firewall forwards DHCP broadcast packets without creating logs for them. |
L3 & L4 Header Inspection | Enables Layer 3 and Layer 4 header inspection. Select this option to write custom threat signatures based on L3 and L4 header fields and apply them through a Zone Protection profile, to defend against vulnerabilities that are not typically addressed through standard signature updates, such as those present in certain IoT devices. You must reboot the firewall for the configuration change to take effect. |
NAT64 IPv6 Minimum Network MTU | Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is the standard minimum MTU for IPv6 traffic (range is 1,280 to 9,216). |
NAT Oversubscription Rate | Select the DIPP NAT oversubscription rate, which is the number of times that the firewall can use the same translated IP address and port pair concurrently. Reducing the oversubscription rate decreases the number of source device translations but provides higher NAT rule capacities. |
ICMP Unreachable Packet Rate (per sec) | Define the maximum number of ICMP Unreachable responses that the firewall can send per second. This limit is shared by IPv4 and IPv6 packets. Default value is 200 messages per second (range is 1 to 65,535). |
Accelerated Aging | Enables accelerated age-out of idle sessions. Select this option to enable accelerated aging and specify the Accelerated Aging Threshold (% full) and the Accelerated Aging Scaling Factor. When the session table reaches the threshold, PAN-OS applies the scaling factor to the aging calculations for all sessions: it divides the configured idle time for each type of session by the scaling factor to obtain a shorter timeout. The default scaling factor is 2, so sessions age out in half their configured idle time. For example, with a scaling factor of 10, a session that would normally time out after 3,600 seconds times out in one-tenth of that time, 360 seconds. Enable an accelerated aging threshold and set an acceptable scaling factor to free up session table space faster when the session table begins to fill up. |
Packet Buffer Protection (Buffer Based Activation) | Packet Buffer Protection is enabled by default globally and on each zone. As a best practice, keep it enabled globally and on each zone to protect the firewall buffers from DoS attacks and from aggressive sessions and sources. This option protects the receive buffers on the firewall from attacks or abusive traffic that cause system resources to back up and legitimate traffic to be dropped. Packet buffer protection identifies offending sessions, uses Random Early Detection (RED) as a first line of defense, and discards the session or blocks the offending IP address if the abuse continues. If the firewall detects many small sessions or rapid session creation (or both) from a particular IP address, it blocks that IP address. Take baseline measurements of firewall packet buffer utilization to understand the firewall's capacity and ensure that the firewall is properly configured, so that only an attack causes a large spike in buffer usage. As of PAN-OS 11.2.3, buffer based and latency based packet buffer protection can be enabled simultaneously. Network Address Translation (NAT) can increase packet buffer utilization. If this affects buffer utilization, reduce the Block Hold Time to block individual sessions faster and reduce the Block Duration so that other sessions from the underlying IP address are not unduly penalized. |
Packet Buffer Protection (Latency Based Activation) | Instead of triggering on buffer utilization percentages (described above), packet buffer protection can trigger on CPU processing latency: enable Buffering Latency Based and configure its settings. As of PAN-OS 11.2.3, latency based and buffer based packet buffer protection can be enabled simultaneously. |
Multicast Route Setup Buffering | Select this option (disabled by default) to enable multicast route setup buffering, which allows the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You need to enable multicast route setup buffering only if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. |
Multicast Route Setup Buffer Size | If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the number of packets buffered per flow (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets. |
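The ICMPv6 Token Bucket Size and ICMPv6 Error Packet Rate rows above describe a token bucket without showing how the two parameters interact. The following is an added example, not PAN-OS code (the firewall's real implementation is not public): it models the bucket size as the burst of error packets that can leave at once and the packet rate as the sustained refill rate, and feeds it constructed traffic patterns.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Token bucket modelling the two ICMPv6 error rate-limit settings.

    bucket_size: 'ICMPv6 Token Bucket Size' (maximum burst, in packets).
    rate:        'ICMPv6 Error Packet Rate' (sustained packets per second).
    """
    bucket_size: int
    rate: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bucket_size)  # the bucket starts full

    def allow(self, now: float) -> bool:
        """Return True if one ICMPv6 error packet may be sent at time `now` (seconds)."""
        # Refill proportionally to elapsed time, never beyond the bucket size.
        self.tokens = min(float(self.bucket_size),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(bucket_size: int, rate: float, timestamps: list[float]) -> tuple[int, int]:
    """Feed ICMPv6 error packets at the given times; return (sent, throttled)."""
    bucket = TokenBucket(bucket_size, rate)
    sent = throttled = 0
    for t in timestamps:
        if bucket.allow(t):
            sent += 1
        else:
            throttled += 1
    return sent, throttled


# Constructed traffic patterns (times in seconds); not captured data.
BURST_500_AT_ONCE = [0.0] * 500                        # e.g. a scan provoking 500 errors at once
STEADY_50_PPS = [i / 50 for i in range(500)]           # 10 s at half the configured rate
FOUR_BURSTS_OF_200 = [t for t in (0.0, 0.5, 1.0, 1.5) for _ in range(200)]

if __name__ == "__main__":
    print("defaults, single burst:  ", simulate(100, 100, BURST_500_AT_ONCE))
    print("defaults, steady 50 pps: ", simulate(100, 100, STEADY_50_PPS))
    print("defaults, 4 bursts/0.5 s:", simulate(100, 100, FOUR_BURSTS_OF_200))
    print("bucket 500, single burst:", simulate(500, 100, BURST_500_AT_ONCE))
```

With the defaults (bucket 100, rate 100), a one-shot burst of 500 errors lets exactly 100 through, a steady 50 pps stream is never throttled, and bursts every half second get only the 50 tokens that refilled in between. Raising only the bucket size admits the whole one-shot burst, which is why the bucket size, not the rate, is the knob that controls burst tolerance.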
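The NAT Oversubscription Rate row above states that the same translated IP address and port pair can be used concurrently up to the oversubscription rate. The added example below is not PAN-OS code; it models a DIPP pool under that rule and assumes, as unambiguous reverse translation requires, that the concurrent uses of one pair must go to distinct destination IP/port tuples. Addresses, ports and session counts are constructed.

```python
from collections import defaultdict
from typing import Optional

Endpoint = tuple[str, int]  # (ip, port)


class DippPool:
    """Dynamic IP and Port (DIPP) source translation with oversubscription.

    Assumption (not stated on the page): a translated (ip, port) pair may be
    shared by up to `oversubscription` concurrent sessions only if each goes to
    a different destination, so return traffic can still be mapped back.
    """

    def __init__(self, translated_ips: list[str], port_lo: int, port_hi: int,
                 oversubscription: int) -> None:
        self.pairs: list[Endpoint] = [(ip, p) for ip in translated_ips
                                      for p in range(port_lo, port_hi + 1)]
        self.rate = oversubscription
        self.in_use: dict[Endpoint, set[Endpoint]] = defaultdict(set)   # pair -> destinations
        self.sessions: dict[tuple[Endpoint, Endpoint], Endpoint] = {}  # (src, dst) -> pair

    def capacity(self) -> int:
        """Upper bound on concurrent sessions: translated pairs x oversubscription rate."""
        return len(self.pairs) * self.rate

    def allocate(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Pick a translated pair for a new session src->dst; None if the pool is exhausted."""
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key]
        for pair in self.pairs:
            dests = self.in_use[pair]
            if dst not in dests and len(dests) < self.rate:
                dests.add(dst)
                self.sessions[key] = pair
                return pair
        return None

    def release(self, src: Endpoint, dst: Endpoint) -> None:
        """Session ended: free the pair's slot for that destination."""
        pair = self.sessions.pop((src, dst))
        self.in_use[pair].discard(dst)


def open_sessions(pool: DippPool, count: int, same_destination: bool) -> int:
    """Open `count` sessions from distinct internal hosts; return how many got a translation."""
    ok = 0
    for i in range(count):
        src = (f"10.0.0.{i + 1}", 40000 + i)
        dst = ("203.0.113.10", 443) if same_destination else (f"198.51.100.{i + 1}", 443)
        if pool.allocate(src, dst) is not None:
            ok += 1
    return ok


if __name__ == "__main__":
    # One translated IP, four ports, oversubscription rate 2 -> nominal capacity 8.
    spread = DippPool(["192.0.2.1"], 1024, 1027, oversubscription=2)
    print("distinct destinations:", open_sessions(spread, 10, same_destination=False), "of 10")
    hotspot = DippPool(["192.0.2.1"], 1024, 1027, oversubscription=2)
    print("single destination:   ", open_sessions(hotspot, 10, same_destination=True), "of 10")
```

The second run is the edge case worth knowing when sizing a pool: oversubscription multiplies capacity only across different destinations, so a site where every client talks to one server gets no benefit from it and exhausts the pool at pairs x 1.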
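The Accelerated Aging row above explains that, once the session table crosses the threshold, every session type's configured idle time is divided by the scaling factor. The added example below is not PAN-OS code; it runs one aging sweep over a constructed session table so the effect of the threshold and the factor can be seen together. The per-protocol idle timeouts, table capacity and session idle times are constructed values, not the firewall's defaults.

```python
from dataclasses import dataclass

# Constructed per-protocol idle timeouts in seconds (illustrative, not PAN-OS defaults).
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30, "icmp": 6}


@dataclass
class Session:
    sid: int
    proto: str
    last_packet: float  # time (s) at which the session's last packet was seen


def effective_timeout(configured_idle: float, utilization_pct: float,
                      threshold_pct: float, scaling_factor: float) -> float:
    """Idle timeout in force: the configured value divided by the scaling factor
    once the table is at or above the Accelerated Aging Threshold."""
    if utilization_pct >= threshold_pct:
        return configured_idle / scaling_factor
    return configured_idle


def age_out(sessions: list[Session], now: float, capacity: int,
            threshold_pct: float, scaling_factor: float) -> tuple[list[Session], list[Session]]:
    """One aging sweep, returning (alive, expired). Utilization is measured once at
    the start of the sweep and the same factor is applied to every session."""
    utilization = 100.0 * len(sessions) / capacity
    alive, expired = [], []
    for s in sessions:
        timeout = effective_timeout(IDLE_TIMEOUT[s.proto], utilization,
                                    threshold_pct, scaling_factor)
        (expired if now - s.last_packet >= timeout else alive).append(s)
    return alive, expired


def build_table(n_tcp: int, tcp_idle: float, n_udp: int, udp_idle: float,
                now: float) -> list[Session]:
    """Constructed table: n_tcp TCP sessions idle tcp_idle s, n_udp UDP sessions idle udp_idle s."""
    tcp = [Session(i, "tcp", now - tcp_idle) for i in range(n_tcp)]
    udp = [Session(n_tcp + i, "udp", now - udp_idle) for i in range(n_udp)]
    return tcp + udp


if __name__ == "__main__":
    NOW, CAPACITY = 10_000.0, 100
    table = build_table(80, tcp_idle=2000, n_udp=5, udp_idle=10, now=NOW)  # table 85% full
    for factor in (1, 2, 10):  # a factor of 1 behaves as if accelerated aging were off
        alive, expired = age_out(table, NOW, CAPACITY, threshold_pct=80, scaling_factor=factor)
        print(f"scaling factor {factor:>2}: {len(expired)} expired, {len(alive)} alive")
```

At 85% utilization with threshold 80 and the default factor 2, the TCP sessions idle for 2,000 s expire (3,600 / 2 = 1,800 s) while UDP sessions idle for 10 s survive (30 / 2 = 15 s); at factor 10 the UDP sessions go too (30 / 10 = 3 s). The same table at 75% utilization is below the threshold and nothing is accelerated, which is the point of choosing the threshold from baseline measurements rather than setting it so low that normal load trips it.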