Strata Cloud Manager
Device Setup (Session)
Learn about configuring the device setup Session settings.
In Strata Cloud Manager, select Configuration > NGFW and Prisma Access and set the Configuration Scope to the folder or NGFW you want to configure. From the scope of that folder or NGFW, select Device Settings > Device Setup > Session.
Session Settings
| Session Settings | Description |
|---|---|
| Rematch All Sessions on Config Policy Change | Enable to have the NGFW apply newly committed Security policy rules to sessions that are already in progress. This setting is enabled by default. If it is disabled, a policy rule change applies only to sessions initiated after the change was committed. For example, if a Telnet session started while a policy rule allowed Telnet and you then commit a rule change that denies Telnet, the NGFW applies the revised rule to the in-progress session and blocks it. |
| ICMPv6 Token Bucket Size | Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10 to 65,535 packets; default is 100). |
| ICMPv6 Error Packet Rate (per sec) | Enter the average number of ICMPv6 error packets per second allowed globally through the NGFW (range is 10 to 65,535; default is 100). This value applies to all interfaces. If the NGFW reaches the ICMPv6 error packet rate, the ICMPv6 token bucket is used to enable throttling of ICMPv6 error messages. |
| Enable IPv6 Firewalling | Enable NGFW capabilities for IPv6 traffic. The NGFW ignores all IPv6-based configuration unless this option is enabled. Enabling IPv6 on an interface is not sufficient on its own; IPv6 Firewalling must also be enabled for the NGFW to process IPv6 traffic. |
| Enable ERSPAN Support | Enable the NGFW to terminate Generic Routing Encapsulation (GRE) tunnels and decapsulate Encapsulated Remote Switched Port Analyzer (ERSPAN) data. This is useful for Security services like IoT Security. Network switches mirror network traffic and use ERSPAN to send it to the NGFW through GRE tunnels. After decapsulating the data, the NGFW inspects it similar to how it inspects traffic received on a TAP port. It then creates enhanced application logs (EALs) and traffic, threat, WildFire, URL, data, GTP (when GTP is enabled), SCTP (when SCTP is enabled), tunnel, auth, and decryption logs. The NGFW forwards these logs to the logging service where IoT Security accesses and analyzes the data. |
| Enable Jumbo Frame | Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,192 bytes and are available only on certain models. |
| Enable DHCP Broadcast Session | If your NGFW is acting as a DHCP server, select this option to enable session logs for DHCP broadcast packets. The DHCP Broadcast Session option enables generation of Enhanced Application Logs (EAL logs) for DHCP for use by IoT Security and other services. If you do not enable this option, the NGFW forwards the packets without creating logs for the DHCP broadcast packets. |
| NAT64 IPv6 Minimum Network MTU | Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic (range is 1,280 to 9,216). |
| NAT Oversubscription Rate | Select the DIPP (dynamic IP and port) NAT oversubscription rate, which is the number of times the NGFW can use the same translated IP address and port pair concurrently. Reducing the oversubscription rate decreases the number of source device translations but provides higher NAT rule capacity. |
| ICMP Unreachable Rate (per sec) | Define the maximum number of ICMP Unreachable responses that the NGFW can send per second. This limit is shared by IPv4 and IPv6 packets (range is 1 to 65,535; default is 200). |
| Accelerated Aging | Enables accelerated age-out of idle sessions. Select this option and specify the Accelerated Aging Threshold (% full) and the Accelerated Aging Scaling Factor. When the session table reaches the threshold, PAN-OS divides the configured idle timeout of every session type by the scaling factor to obtain a shorter timeout. The default scaling factor is 2, so sessions age out twice as fast (a 3,600-second TCP idle timeout becomes 1,800 seconds). With a scaling factor of 10, a session that would normally time out after 3,600 seconds times out in one-tenth of that time, 360 seconds. |
| Packet Buffer Protection | Protect the NGFW's packet buffers against exhaustion, whether caused by a deliberate attack or by high-volume traffic that would otherwise overwhelm packet processing. The settings that follow control when the NGFW alerts, when it starts mitigating, and how long it blocks. |
| Monitor Only | Log packet buffer protection events (threshold crossings and the sessions that cause them) without dropping or blocking anything. Use this to observe traffic and tune the thresholds before enforcing them. |
| Latency Based Activation | Trigger packet buffer protection on packet-processing latency rather than on buffer utilization alone, so the NGFW reacts to rising latency even before the buffers reach the Activate threshold. |
| Alert (%) | Packet buffer utilization at which the NGFW logs an alert. No mitigation is applied at this level; it is an early warning. |
| Activate (%) | Packet buffer utilization at which the NGFW begins mitigation by applying random early drop (RED) to the sessions that are consuming the most buffer. |
| Block Countdown Threshold (%) | Packet buffer utilization at which the NGFW starts the Block Hold Time countdown for the offending sessions. |
| Block Hold Time (sec) | How long a session may keep buffer utilization above the Block Countdown Threshold before the NGFW discards the session and blocks its source IP address. |
| Block Duration (sec) | How long the NGFW keeps an offending source IP address blocked once the Block Hold Time has expired. |
| Multicast Route Setup Buffering | Select this option (disabled by default) to enable multicast route setup buffering, which allows the NGFW to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the NGFW does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the NGFW and your custom application cannot tolerate the first packet in the session being dropped. |
| Buffering Size | If you enable Multicast Route Setup Buffering, you can tune the buffer size, which is the number of packets buffered per flow (range is 1 to 2,000; default is 1,000). The NGFW can buffer a maximum of 5,000 packets in total. |
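The ICMPv6 Token Bucket Size and ICMPv6 Error Packet Rate settings above are the two parameters of a token bucket: the rate sets the sustained average, the bucket size sets how large a burst can pass before throttling begins. The following is an added example (not Palo Alto Networks code) that models that algorithm so the interaction of the two values is visible; the continuous refill and per-message accounting are this example's own simplification, since the page does not describe PAN-OS's internal implementation, and the traffic pattern in `demo()` is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Token bucket limiter: at most `bucket_size` tokens accumulate, refilled
    continuously at `rate` tokens per second; each message consumes one token.
    Modelled on the ICMPv6 Token Bucket Size / Error Packet Rate settings; the
    refill granularity is this example's own simplification, not PAN-OS's."""

    bucket_size: int          # maximum burst that can be sent back-to-back
    rate: float               # sustained average allowed per second
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bucket_size)   # bucket starts full

    def allow(self, now: float) -> bool:
        """Return True if one ICMPv6 error message may be emitted at time `now`."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.bucket_size), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(bucket_size: int, rate: float, bursts: list) -> dict:
    """Feed bursts of (time_sec, n_packets) through one bucket and return
    {time_sec: (sent, throttled)} so the burst/average trade-off is visible."""
    tb = TokenBucket(bucket_size, rate)
    result = {}
    for t, n in bursts:
        sent = sum(1 for _ in range(n) if tb.allow(t))
        result[t] = (sent, n - sent)
    return result


def demo() -> dict:
    """Constructed traffic: the page's defaults (bucket 100, rate 100/s) against a
    150-packet burst, two follow-up bursts, then a burst after a long quiet period."""
    return simulate(100, 100.0, [(0.0, 150), (0.5, 50), (1.0, 80), (10.0, 120)])


def burst_tolerance(bucket_size: int, rate: float, burst: int) -> int:
    """How many packets of one instantaneous burst get through with a given bucket size."""
    return simulate(bucket_size, rate, [(0.0, burst)])[0.0][0]
```

With the defaults, the first 150-packet burst loses 50 messages, a burst half a second later is fully served because 50 tokens have refilled, and after a long quiet period the bucket is capped at 100 regardless of how much time has passed. Lowering the bucket size to the minimum of 10 while keeping the rate at 100/s allows the same average but only 10 messages in any instantaneous burst.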
Session Timeout
| Session Timeout | Description |
|---|---|
| Default (sec) | Maximum length of time, in seconds, that a session that is not TCP, UDP, SCTP, or ICMP can remain open without a response (range is 1 to 15,999,999; default is 30). |
| Discard Default (sec) | Maximum length of time (in seconds) that a non-TCP/UDP/SCTP session remains open after PAN-OS denies the session based on Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 60). |
| Discard TCP (sec) | Maximum length of time (in seconds) that a TCP session remains open after PAN-OS denies the session based on Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 90). |
| Discard UDP (sec) | Maximum length of time (in seconds) that a UDP session remains open after PAN-OS denies the session based on Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 60). |
| ICMP (sec) | Maximum length of time that an ICMP session can be open without an ICMP response (range is 1 to 15,999,999; default is 6). |
| Scan (sec) | Maximum length of time, in seconds, that a session can be inactive before the NGFW clears the session and recovers the buffer resources the session was using. The inactive time is the length of time that has passed since the session was last refreshed by a packet or an event. Range is 5 to 30; default is 10. |
| TCP (sec) | Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data transmission has started); (range is 1 to 15,999,999; default is 3,600). |
| TCP Handshake (sec) | Maximum length of time, in seconds, between receiving the SYN-ACK and the subsequent ACK that fully establishes the session (range is 1 to 60; default is 10). |
| TCP Init (sec) | Maximum length of time, in seconds, between receiving the SYN and the SYN-ACK, before the TCP handshake timer starts (range is 1 to 60; default is 5). |
| TCP Half Closed (sec) | Maximum length of time, in seconds, between receiving the first FIN and receiving the second FIN or a RST (range is 1 to 604,800; default is 120). |
| TCP Time Wait (sec) | Maximum length of time, in seconds, after receiving the second FIN or a RST (range is 1 to 600; default is 15). |
| Unverified RST (sec) | Maximum length of time, in seconds, after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST arrived over an asymmetric path) (range is 1 to 600; default is 30). |
| UDP (sec) | Maximum length of time, in seconds, that a UDP session remains open without a UDP response (range is 1 to 1,599,999; default is 30). |
| Captive Portal (sec) | The authentication session timeout, in seconds, for the Authentication Portal web form (range is 1 to 1,599,999; default is 30). To access the requested content, the user must enter credentials in this form and be successfully authenticated within this time. |
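The Session Timeout table and the Accelerated Aging setting combine into a single rule: each session type has its own idle timeout, and once the session table crosses the Accelerated Aging Threshold every one of those timeouts is divided by the scaling factor. The following added example (this page's editor's illustration, not PAN-OS code) encodes the table defaults above and evaluates a constructed set of sessions at two utilization levels. The state labels, the 80% threshold used in `demo()`, and the sample sessions are all choices made for the example; the page documents the scaling factor default but not a threshold default.

```python
from dataclasses import dataclass

# Default idle timeouts (seconds) from the Session Timeout table above, keyed by
# (protocol, state).  The state names are this example's own labels.
DEFAULT_TIMEOUTS = {
    ("tcp", "init"): 5,             # TCP Init: SYN seen, waiting for SYN-ACK
    ("tcp", "handshake"): 10,       # TCP Handshake: SYN-ACK seen, waiting for ACK
    ("tcp", "established"): 3600,   # TCP
    ("tcp", "half_closed"): 120,    # TCP Half Closed
    ("tcp", "time_wait"): 15,       # TCP Time Wait
    ("tcp", "discard"): 90,         # Discard TCP
    ("udp", "active"): 30,          # UDP
    ("udp", "discard"): 60,         # Discard UDP
    ("icmp", "active"): 6,          # ICMP
    ("other", "active"): 30,        # Default (not TCP/UDP/SCTP/ICMP)
    ("other", "discard"): 60,       # Discard Default
}


@dataclass
class Session:
    sid: int
    proto: str      # "tcp", "udp", "icmp" or "other"
    state: str      # one of the state labels in DEFAULT_TIMEOUTS
    idle: float     # seconds since the session was last refreshed by a packet or event


def effective_timeout(proto: str, state: str, table_pct: float,
                      aging_threshold: float, scaling_factor: float,
                      accelerated: bool = True) -> float:
    """Idle timeout that applies right now.  When Accelerated Aging is enabled and
    the session table is at or above the threshold, every configured idle time is
    divided by the scaling factor."""
    base = DEFAULT_TIMEOUTS[(proto, state)]
    if accelerated and table_pct >= aging_threshold:
        return base / scaling_factor
    return float(base)


def age_out(sessions, table_pct, aging_threshold, scaling_factor, accelerated=True):
    """Return the ids of sessions the NGFW would clear at this table utilization."""
    return [s.sid for s in sessions
            if s.idle >= effective_timeout(s.proto, s.state, table_pct,
                                           aging_threshold, scaling_factor, accelerated)]


# Constructed session table: the same sessions are evaluated at two utilization levels.
SAMPLE_SESSIONS = [
    Session(1, "tcp", "established", idle=2000),   # under 3600, over 1800
    Session(2, "udp", "active", idle=20),          # under 30, over 15
    Session(3, "tcp", "half_closed", idle=50),     # under 120 and under 60
    Session(4, "tcp", "init", idle=4),             # under 5, over 2.5
    Session(5, "icmp", "active", idle=7),          # over 6 either way
    Session(6, "tcp", "discard", idle=40),         # under 90 and under 45
]


def demo(aging_threshold: float = 80.0, scaling_factor: float = 2.0) -> dict:
    """The 80% threshold is an example value chosen here, not a documented default."""
    return {
        "table_at_60pct": age_out(SAMPLE_SESSIONS, 60.0, aging_threshold, scaling_factor),
        "table_at_85pct": age_out(SAMPLE_SESSIONS, 85.0, aging_threshold, scaling_factor),
    }
```

At 60% only the ICMP session has outlived its timeout; at 85% the established TCP session, the UDP session and the half-open TCP Init session are cleared as well, because their timeouts have halved. Note that the scaling applies to the Discard timers too, which is what makes Accelerated Aging useful against floods that fill the table with denied sessions.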
TCP Settings
| TCP Settings | Description |
|---|---|
| Forward Segments Exceeding TCP Out-of-Order Queue | Select this option if you want the NGFW to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the NGFW drops segments that exceed the out-of-order queue limit. |
| Allow Arbitrary ACK in Response to SYN | Enable this option to allow a response to a challenge ACK (also known as an arbitrary ACK) for cases where the server responds to the client SYN with an ACK instead of a SYN/ACK. For example, challenge ACKs can be sent from the server for attack mitigation purposes, and enabling this setting on the NGFW allows communication between the client and server so that the challenge ACK process can be completed even when the handshake is out of state or out of sequence. |
| Drop Segments with Null Timestamp Option | The TCP timestamp option records when a segment was sent and lets the NGFW verify that the timestamp is valid for that session, which protects against TCP sequence number wrapping. The timestamp is also used to calculate round-trip time. With this option enabled, the NGFW drops segments that carry a null timestamp. |
| Asymmetric Path | Set globally whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers. |
| Urgent Data Flag | Configure whether the NGFW allows the urgent pointer (URG flag) in the TCP header. The urgent pointer marks a packet for immediate processing: the host removes it from the processing queue and expedites it through its TCP/IP stack, which is called out-of-band processing. Because hosts implement the urgent pointer differently, setting this option to Clear (the default and recommended setting) removes the ambiguity by disallowing out-of-band processing, so the out-of-band byte becomes part of the ordinary payload and the packet is not processed urgently. The Clear setting also ensures that the NGFW sees exactly the same stream that the destination host's protocol stack sees. |
| Drop Segments Without Flag | Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default) the NGFW drops packets that have no flags set in the TCP header. |
| Strip MPTCP Option | Enabled globally by default to convert Multipath TCP (MPTCP) connections to standard TCP connections. |
| SIP TCP Cleartext | Select one of the following options to set the cleartext proxy behavior for SIP TCP sessions when a segmented SIP header is detected: |
| TCP Retransmit Scan | If enabled, the NGFW compares the checksum of a retransmitted segment with that of the original segment. If the checksums differ, the retransmitted segment is assumed to be malicious and is dropped. |
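Three of the TCP Settings above (Drop Segments Without Flag, Drop Segments with Null Timestamp Option, and Urgent Data Flag set to Clear) are decisions made on the raw TCP header. The following added example, written for this page and not taken from PAN-OS, parses a TCP header with the standard library and applies those three checks, including the rewrite that Clear performs: unsetting URG and zeroing the urgent pointer so the byte is delivered in-band. Taking "null timestamp" to mean a TSval of zero is this example's assumption; `build_segment` and `timestamp_option` only construct test input.

```python
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_OPT_TIMESTAMP = 8


@dataclass
class Verdict:
    action: str     # "forward" or "drop"
    reason: str
    segment: bytes  # the segment as forwarded (URG may have been cleared)


def parse_options(opts: bytes) -> dict:
    """Return {kind: value bytes} for the TCP options block.
    EOL (0) ends the list, NOP (1) has no length byte; malformed data stops parsing."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def inspect_tcp_segment(seg: bytes, drop_no_flags: bool = True,
                        drop_null_timestamp: bool = True,
                        urgent_data: str = "clear") -> Verdict:
    """Apply three of the TCP Settings to one segment (TCP header + payload, no IP
    header).  `urgent_data` is "clear" (the page's recommended default) or "keep".
    A "null timestamp" is taken to mean TSval == 0 (assumption made here)."""
    if len(seg) < 20:
        return Verdict("drop", "truncated TCP header", seg)
    sport, dport, seq, ack, off_flags, win, csum, urg_ptr = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    if data_offset < 20 or data_offset > len(seg):
        return Verdict("drop", "bad data offset", seg)
    if drop_no_flags and flags == 0:                       # Drop Segments Without Flag
        return Verdict("drop", "no TCP flags set", seg)
    opts = parse_options(seg[20:data_offset])
    ts = opts.get(TCP_OPT_TIMESTAMP)
    if drop_null_timestamp and ts is not None and len(ts) == 8:
        tsval, _tsecr = struct.unpack("!II", ts)
        if tsval == 0:                                     # Drop Segments with Null Timestamp Option
            return Verdict("drop", "null timestamp option", seg)
    if urgent_data == "clear" and flags & URG:
        # Urgent Data Flag = Clear: unset URG and zero the urgent pointer so the
        # "urgent" byte is delivered as ordinary in-band payload.  A real device
        # also recomputes the TCP checksum; that needs the IP pseudo-header,
        # which this header-only example does not carry.
        hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                          off_flags & ~URG, win, csum, 0)
        return Verdict("forward", "URG cleared, urgent pointer zeroed", hdr + seg[20:])
    return Verdict("forward", "ok", seg)


def build_segment(flags: int, options: bytes = b"", urg_ptr: int = 0,
                  payload: bytes = b"") -> bytes:
    """Build a constructed test segment (fixed ports/sequence numbers, zero checksum)."""
    options = options + b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    data_offset_words = 5 + len(options) // 4
    off_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, off_flags,
                       65535, 0, urg_ptr) + options + payload


def timestamp_option(tsval: int, tsecr: int) -> bytes:
    """NOP, NOP, Timestamp (kind 8, length 10), the usual on-wire layout."""
    return b"\x01\x01" + bytes([TCP_OPT_TIMESTAMP, 10]) + struct.pack("!II", tsval, tsecr)
```

A flagless segment and a segment whose timestamp option carries TSval 0 are dropped; a PSH/ACK/URG segment is forwarded with URG cleared and the urgent pointer zeroed, while the same segment passes untouched when the option is set to keep. The parser stops at the first malformed option rather than guessing, which is the safe choice for a device that must see the same stream as the endpoint.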
VPN Session Settings
| VPN Session Settings | Description |
|---|---|
| Cookie Activation Threshold | Specify the number of IKEv2 half-open IKE SAs allowed per NGFW above which cookie validation is triggered (range is 0 to 65535; default is 500). When the number of half-open IKE SAs exceeds this threshold, the Responder requests a cookie and the Initiator must resend IKE_SA_INIT containing that cookie; only after the cookie validates does the NGFW allocate state for another SA. A value of 0 means cookie validation is always on. The Cookie Activation Threshold is a global NGFW setting and should be lower than the Maximum Half Opened SA setting, which is also global. |
| Maximum Half Opened SA | Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the NGFW without getting a response. Once the maximum is reached, the NGFW will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535). |
| Maximum Cached Certificates | Specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the NGFW can cache. This value is used only by the IKEv2 Hash and URL feature (range is 1 to 4000; default is 500). |
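The Cookie Activation Threshold and Maximum Half Opened SA settings work as two stages of the same defence: below the threshold every IKE_SA_INIT gets state allocated, between the threshold and the maximum the Responder first demands a stateless cookie, and at the maximum new IKE_SA_INIT packets get no response at all. The following added example, written for this page and not Palo Alto Networks or PAN-OS code, models that responder logic with an HMAC-based cookie bound to the peer address and initiator SPI, plus a well-behaved initiator that retries with the cookie. The message encoding, the cookie construction, the example addresses and the small threshold and maximum values in `demo()` are all choices made here; the page's own defaults are 500 and 65535.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Responder:
    """IKEv2 responder-side accounting for half-open SAs.  The cookie is an HMAC
    over the peer address and initiator SPI under a responder-only secret, so it
    costs no memory to issue and proves the peer can receive at its claimed
    address.  Only the decision logic is modelled, not IKEv2 message encoding."""

    cookie_activation_threshold: int   # 0 = cookie validation always on
    max_half_open: int                 # Maximum Half Opened SA
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    half_open: Dict[Tuple[str, int], bool] = field(default_factory=dict)

    def cookie_for(self, peer_ip: str, spi_i: int) -> bytes:
        msg = f"{peer_ip}|{spi_i:016x}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle_sa_init(self, peer_ip: str, spi_i: int,
                       cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Process one IKE_SA_INIT request.  Returns one of
        ("drop", None)     - Maximum Half Opened SA reached: no response at all
        ("cookie", value)  - reply with N(COOKIE) only; no state allocated yet
        ("respond", None)  - normal IKE_SA_INIT response; half-open state created"""
        pending = len(self.half_open)
        if pending >= self.max_half_open:
            return "drop", None
        if pending >= self.cookie_activation_threshold:
            expected = self.cookie_for(peer_ip, spi_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "cookie", expected
        self.half_open[(peer_ip, spi_i)] = True
        return "respond", None

    def complete(self, peer_ip: str, spi_i: int) -> None:
        """IKE_AUTH finished (or the half-open SA timed out): release the slot."""
        self.half_open.pop((peer_ip, spi_i), None)


def initiator_connect(r: Responder, peer_ip: str, spi_i: int) -> str:
    """A well-behaved initiator: send IKE_SA_INIT and, if asked for a cookie,
    resend the same IKE_SA_INIT carrying it.  Returns the final responder action."""
    action, cookie = r.handle_sa_init(peer_ip, spi_i)
    if action == "cookie":
        action, _ = r.handle_sa_init(peer_ip, spi_i, cookie)
    return action


def demo() -> dict:
    """Constructed scenario with threshold 3 and maximum 5 so the stages are visible."""
    r = Responder(cookie_activation_threshold=3, max_half_open=5)
    out = {}
    # Three spoofed initiators open SAs and never complete IKE_AUTH.
    for i in range(3):
        r.handle_sa_init(f"203.0.113.{10 + i}", 0x1000 + i)
    out["half_open_after_flood"] = len(r.half_open)
    action, cookie = r.handle_sa_init("198.51.100.7", 0xABCD)       # fourth, no cookie yet
    out["fourth_without_cookie"] = action
    out["state_after_cookie_request"] = len(r.half_open)            # cookie costs no state
    out["replayed_to_other_peer"] = r.handle_sa_init("198.51.100.8", 0xABCE, cookie)[0]
    out["legit_retry"] = r.handle_sa_init("198.51.100.7", 0xABCD, cookie)[0]
    # More well-behaved initiators until Maximum Half Opened SA is reached.
    out["fill"] = [initiator_connect(r, f"203.0.113.{50 + i}", 0x2000 + i) for i in range(3)]
    out["half_open_at_max"] = len(r.half_open)
    out["always_on_with_zero"] = Responder(0, 10).handle_sa_init("198.51.100.1", 1)[0]
    return out
```

The scenario shows why the threshold should sit below the maximum: once three spoofed initiators hold slots, the fourth request costs the responder nothing until the peer proves it can receive at its address, a cookie replayed from a different address is rejected, and only once the table is genuinely full does the responder go silent. Releasing slots with `complete()` as IKE_AUTH finishes (or as half-open SAs time out) is what keeps a legitimate peer from being dropped during a flood.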