Device Setup (Session)

Learn about configuring the device setup Session settings.
In Strata Cloud Manager, select Configuration > NGFW and Prisma Access and set the Configuration Scope to the folder or NGFW you wish to configure. From the scope of your folder or NGFW, select Device Settings > Device Setup > Session.

Session Settings

Setting / Description
Rematch All Sessions on Config Policy Change
Enable to cause the NGFW to apply newly configured security policy rules to sessions that are already in progress. This capability is enabled by default. If this setting is disabled, any policy rule change applies to only those sessions initiated after the change was committed.
For example, if a Telnet session was established under a rule that allowed Telnet and you then commit a change that denies Telnet, the NGFW applies the revised rule to the existing session and blocks it. With this setting disabled, that session would continue until it ended on its own, so a newly committed deny rule would not cut off traffic that is already flowing.
ICMPv6 Token Bucket Size
Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10 to 65,535 packets; default is 100).
ICMPv6 Error Packet Rate (per sec)
Enter the average number of ICMPv6 error packets per second allowed globally through the NGFW (range is 10 to 65,535; default is 100). This value applies to all interfaces. Once the ICMPv6 error packet rate is reached, the token bucket throttles further ICMPv6 error messages: a burst up to the bucket size is still allowed, and anything beyond it is dropped until the bucket refills at the configured rate.
Enable IPv6 Firewalling
Enable the NGFW capabilities for IPv6 traffic.
The NGFW ignores all IPv6-based configuration if you do not enable IPv6 firewalling. Enabling IPv6 on an interface is not sufficient: you must also enable this option for IPv6 firewalling to function, so check it first when IPv6 Security policy rules appear to have no effect.
Enable ERSPAN Support
Enable the NGFW to terminate Generic Routing Encapsulation (GRE) tunnels and decapsulate Encapsulated Remote Switched Port Analyzer (ERSPAN) data. This is useful for Security services like IoT Security. Network switches mirror network traffic and use ERSPAN to send it to the NGFW through GRE tunnels. After decapsulating the data, the NGFW inspects it similar to how it inspects traffic received on a TAP port. It then creates enhanced application logs (EALs) and traffic, threat, WildFire, URL, data, GTP (when GTP is enabled), SCTP (when SCTP is enabled), tunnel, auth, and decryption logs. The NGFW forwards these logs to the logging service where IoT Security accesses and analyzes the data.
Enable Jumbo Frame
Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,192 bytes and are available only on certain models.
  • If you do not Enable Jumbo Frame, the Global MTU defaults to 1,500 bytes (range is 576 to 1,500).
  • If you Enable Jumbo Frame, the Global MTU defaults to 9,192 bytes (range is 9,192 to 9,216 bytes).
Enable DHCP Broadcast Session
If your NGFW is acting as a DHCP server, select this option to enable session logs for DHCP broadcast packets. The DHCP Broadcast Session option enables generation of Enhanced Application Logs (EAL logs) for DHCP for use by IoT Security and other services. If you do not enable this option, the NGFW forwards the packets without creating logs for the DHCP broadcast packets.
NAT64 IPv6 Minimum Network MTU
Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic (range is 1,280 to 9,216).
NAT Oversubscription Rate
Select the DIPP NAT oversubscription rate, which is the number of times that the NGFW can use the same translated IP address and port pair concurrently. A pair is reused only for sessions to different destination IP addresses and ports, which is how the NGFW keeps the returning traffic apart; sessions to the same destination each need their own pair. Reducing the oversubscription rate decreases the number of concurrent source translations the pool supports but provides higher NAT rule capacity.
  • Platform Default—Explicit configuration of the oversubscription rate is turned off and the default oversubscription rate for the model applies. (See default rates of NGFW models at https://www.paloaltonetworks.com/products/product-selection.html).
  • 1x—1 time. This means no oversubscription; the NGFW cannot use the same translated IP address and port pair more than once concurrently.
  • 2x—2 times
  • 4x—4 times
  • 8x—8 times
ICMP Unreachable Rate (per sec)
Define the maximum number of ICMP Unreachable responses that the NGFW can send per second. This limit is shared by IPv4 and IPv6 packets.
The default value is 200 messages per second (range is 1 to 65,535).
Accelerated Aging
Enables accelerated age-out of idle sessions. Select this option to enable accelerated aging and specify the threshold (%) and scaling factor.
When the session table reaches the Accelerated Aging Threshold (% full), PAN-OS divides the configured idle timeout of each session type by the Accelerated Aging Scaling Factor to obtain a shorter timeout for all sessions. The default scaling factor is 2, so sessions age out in half the configured idle time.
For example, with a scaling factor of 10, a session that would normally time out after 3,600 seconds times out in 1/10 of the time, which is 360 seconds.
Packet Buffer Protection
Protect against packet buffer exhaustion attacks or high-volume traffic that could overwhelm the NGFW's packet processing capacity. The thresholds here are global, but enforcement is per ingress zone: packet buffer protection must also be enabled on each zone where it should act.
Monitor Only
Enable to log threshold violations without applying random early drop (RED) or blocking. Use this to observe buffer utilization and tune the thresholds below before enforcing them.
Latency Based Activation
Enable to activate protection when packet-processing latency crosses its own thresholds, not only when buffer utilization does, so that degradation caused by an attack or a network problem is caught even if utilization alone has not reached the Activate threshold.
Alert (%)
Packet buffer utilization at which the NGFW generates an alert log (default is 50). This is a warning level below the point at which protective actions begin.
Activate (%)
Packet buffer utilization at which the NGFW begins applying RED to the sessions consuming the most buffer space (default is 80).
Block Countdown Threshold (%)
Packet buffer utilization at which the NGFW starts the block countdown for an abusive source (default is 80). If utilization stays above this threshold for the Block Hold Time, the source is blocked.
Block Hold Time (sec)
How long a source must remain abusive, with utilization above the Block Countdown Threshold, before the NGFW blocks it (default is 60). Higher values tolerate short bursts; lower values block sooner.
Block Duration (sec)
How long, in seconds, the NGFW blocks an abusive source once the hold time has elapsed (default is 3,600). When the block expires, traffic from that source is again subject to the thresholds above.
Multicast Route Setup Buffering
Select this option (disabled by default) to enable multicast route setup buffering, which allows the NGFW to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the NGFW does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the NGFW and your custom application cannot withstand the first packet in the session being dropped.
Buffering Size
If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the number of packets buffered per flow (range is 1 to 2,000; default is 1,000). The NGFW can buffer a maximum of 5,000 packets in total.
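The ICMPv6 Token Bucket Size and ICMPv6 Error Packet Rate settings above are the two parameters of a token bucket. The model below is an added example, not Palo Alto Networks code (the firewall's own implementation is not published), and the three traffic patterns are constructed for the example; it shows why the bucket size governs the burst that gets through and the rate governs the long-run throughput.

```python
# Token-bucket rate limiter modelled on the ICMPv6 Token Bucket Size and
# ICMPv6 Error Packet Rate settings. Added example, not Palo Alto Networks
# code; treat it as a model of the documented parameters, not of the device.
#
# Time is kept in integer milliseconds and tokens in integer milli-tokens so
# the arithmetic is exact: at R packets/s, each millisecond refills R milli-tokens.


class TokenBucket:
    def __init__(self, bucket_size=100, rate_per_sec=100):
        self.capacity = bucket_size * 1000      # burst capacity, in milli-tokens
        self.rate = rate_per_sec                # milli-tokens added per millisecond
        self.tokens = self.capacity             # the bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def simulate(arrivals_ms, bucket_size=100, rate_per_sec=100):
    """Run a list of ICMPv6 error-packet arrival times (ms) through a fresh bucket.
    Returns (sent, dropped)."""
    bucket = TokenBucket(bucket_size, rate_per_sec)
    sent = dropped = 0
    for t in arrivals_ms:
        if bucket.allow(t):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


# Constructed traffic patterns (not captures):
BURST_250 = [0] * 250                              # 250 errors in the same millisecond
STEADY_50_PER_SEC = [i * 20 for i in range(500)]   # 50/s for 10 s, under the configured rate
FLOOD_1000_PER_SEC = list(range(1000))             # 1000/s for 1 s, e.g. a sweep eliciting Destination Unreachable

if __name__ == "__main__":
    for name, arrivals in [("burst", BURST_250), ("steady", STEADY_50_PER_SEC), ("flood", FLOOD_1000_PER_SEC)]:
        print(name, simulate(arrivals))
```

With the defaults, the burst of 250 passes exactly 100 packets (the bucket size), the steady 50/s stream passes untouched, and the 1000/s flood is cut to about 200 packets in that second: the initial 100-token burst plus the 100/s refill. Raising the bucket size admits larger bursts without changing the sustained rate.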
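The NAT Oversubscription Rate entry above says a translated IP and port pair can be used "concurrently" more than once, which is easy to misread as a straight multiplier on pool capacity. The allocator below is an added example, not PAN-OS code, with a deliberately tiny constructed pool (one translated IP, four ports) and constructed workloads; it shows that reuse only applies across different destinations, so 2x doubles capacity for a spread of servers but not for many clients hitting one server.

```python
# Toy DIPP (dynamic IP and port) allocator showing what the NAT
# Oversubscription Rate permits. Added example, not PAN-OS code; the pool is
# deliberately tiny so the limits are visible. Rule modelled: a translated
# (ip, port) pair may be reused concurrently up to `oversubscription` times,
# but only by sessions to different destination (ip, port) tuples, because
# the destination is what lets the firewall tell returning packets apart.


class DippPool:
    def __init__(self, translated_ip, ports, oversubscription=1):
        self.oversubscription = oversubscription
        # (translated_ip, port) -> set of destination (ip, port) tuples using it
        self.in_use = {(translated_ip, p): set() for p in ports}

    def capacity(self):
        """Upper bound on concurrent sessions, reached only with distinct destinations."""
        return len(self.in_use) * self.oversubscription

    def allocate(self, dst):
        """Pick a translated pair for a new session to dst=(ip, port); None if exhausted."""
        for pair, dsts in self.in_use.items():
            if dst not in dsts and len(dsts) < self.oversubscription:
                dsts.add(dst)
                return pair
        return None

    def release(self, pair, dst):
        self.in_use[pair].discard(dst)


def fill(pool, destinations):
    """Open one session per destination in order; return how many got a translation."""
    return sum(1 for d in destinations if pool.allocate(d) is not None)


# Constructed workloads (not captures):
SAME_DST = [("203.0.113.10", 443)] * 8                             # 8 clients to one server
SPREAD_DST = [("203.0.113.%d" % i, 443) for i in range(1, 9)]     # 8 clients to 8 different servers
PORTS = (10000, 10001, 10002, 10003)
TRANSLATED_IP = "198.51.100.1"

if __name__ == "__main__":
    for rate in (1, 2):
        print(rate, fill(DippPool(TRANSLATED_IP, PORTS, rate), SAME_DST),
              fill(DippPool(TRANSLATED_IP, PORTS, rate), SPREAD_DST))
```

The practical consequence: if the translations you are running out of are all toward a single destination, raising the oversubscription rate does not help; only more translated addresses or ports do.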
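The Packet Buffer Protection thresholds above interact in a specific order (alert, then RED, then a countdown that must run for the whole hold time before a block that lasts for the block duration). The simulator below is an added example, not PAN-OS code: it applies the documented knobs to one-second utilization samples with the offending source supplied by the caller, reports RED as an action rather than simulating drops, and uses a constructed sample of one host pinning the buffer at 90%. Real PAN-OS attributes buffer usage to sessions and sources itself.

```python
# Simplified model of Packet Buffer Protection thresholds. Added example,
# not PAN-OS code: the documented knobs applied to per-second utilization
# samples, with the abusive source named by the caller. RED is only
# reported as an action here, not simulated.


class PacketBufferProtection:
    def __init__(self, alert_pct=50, activate_pct=80, countdown_pct=80,
                 hold_time=60, block_duration=3600, monitor_only=False):
        self.alert_pct = alert_pct
        self.activate_pct = activate_pct
        self.countdown_pct = countdown_pct
        self.hold_time = hold_time
        self.block_duration = block_duration
        self.monitor_only = monitor_only
        self.countdown_started = {}   # source ip -> time it first crossed countdown_pct
        self.blocked_until = {}       # source ip -> time the block expires

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, -1) > now

    def observe(self, now, util_pct, src):
        """Feed one utilization sample (percent) attributed to src. Returns the actions taken."""
        actions = []
        if util_pct >= self.alert_pct:
            actions.append("alert")                              # logged in every mode
        if util_pct >= self.activate_pct:
            actions.append("red" if not self.monitor_only else "red(monitor)")
        if util_pct >= self.countdown_pct:
            started = self.countdown_started.setdefault(src, now)
            if now - started >= self.hold_time:                  # abusive for the whole hold time
                del self.countdown_started[src]
                if self.monitor_only:
                    actions.append("block(monitor)")             # would have blocked
                else:
                    self.blocked_until[src] = now + self.block_duration
                    actions.append("block")
        else:
            self.countdown_started.pop(src, None)                # countdown resets when usage drops
        return actions


def run(samples, **kwargs):
    """samples: iterable of (t, util_pct, src). Returns (pbp, {t: actions}) for non-empty actions."""
    pbp = PacketBufferProtection(**kwargs)
    log = {}
    for t, util, src in samples:
        acts = pbp.observe(t, util, src)
        if acts:
            log[t] = acts
    return pbp, log


# Constructed sample: one host pins the buffer at 90% for 61 s, then traffic normalizes.
ATTACKER = "192.0.2.77"
SAMPLES = [(t, 90, ATTACKER) for t in range(61)] + [(t, 30, ATTACKER) for t in range(61, 70)]

if __name__ == "__main__":
    pbp, log = run(SAMPLES)
    for t in sorted(log):
        print(t, log[t])
    print("blocked at t=61:", pbp.is_blocked(ATTACKER, 61))
```

Two things worth seeing in the output: the block only lands at the sixtieth consecutive second over the countdown threshold (a dip below it resets the countdown), and in Monitor Only mode the same timeline is logged but nothing is ever blocked, which is what makes that mode safe for tuning.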

Session Timeout

Setting / Description
Default (sec)
Maximum length of time, in seconds, that a session that is not TCP, UDP, SCTP, or ICMP can be open without a response (range is 1 to 15,999,999; default is 30).
Discard Default (sec)
Maximum length of time, in seconds, that a non-TCP/UDP/SCTP session remains open after PAN-OS denies the session based on the Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 60). Denied sessions stay in the session table so that further packets of the same flow are dropped without re-evaluating policy for each one.
Discard TCP (sec)
Maximum length of time, in seconds, that a TCP session remains open after PAN-OS denies the session based on the Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 90).
Discard UDP (sec)
Maximum length of time, in seconds, that a UDP session remains open after PAN-OS denies the session based on the Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 60).
ICMP (sec)
Maximum length of time, in seconds, that an ICMP session can be open without an ICMP response (range is 1 to 15,999,999; default is 6).
Scan (sec)
Maximum length of time, in seconds, that a session can be inactive before the NGFW clears the session and recovers the buffer resources the session was using. The inactive time is the time that has passed since the session was last refreshed by a packet or an event (range is 5 to 30; default is 10).
TCP (sec)
Maximum length of time, in seconds, that a TCP session remains open without a response once the session is in the Established state, that is, after the handshake is complete and/or data transmission has started (range is 1 to 15,999,999; default is 3,600).
TCP Handshake (sec)
Maximum length of time, in seconds, between receiving the SYN-ACK and the subsequent ACK that fully establishes the session (range is 1 to 60; default is 10).
TCP Init (sec)
Maximum length of time, in seconds, between receiving the SYN and the SYN-ACK before the TCP handshake timer starts (range is 1 to 60; default is 5).
TCP Half Closed (sec)
Maximum length of time, in seconds, between receiving the first FIN and receiving the second FIN or a RST (range is 1 to 604,800; default is 120).
TCP Time Wait (sec)
Maximum length of time, in seconds, after receiving the second FIN or a RST (range is 1 to 600; default is 15).
Unverified RST (sec)
Maximum length of time, in seconds, after receiving a RST that cannot be verified, meaning the RST is within the TCP window but has an unexpected sequence number, or the RST arrives on an asymmetric path (range is 1 to 600; default is 30). Keeping the session open for this period instead of tearing it down immediately is what stops a spoofed RST from closing a live connection.
UDP (sec)
Maximum length of time, in seconds, that a UDP session remains open without a UDP response (range is 1 to 1,599,999; default is 30).
Captive Portal (sec)
The authentication session timeout, in seconds, for the Authentication Portal web form (range is 1 to 1,599,999; default is 30). To access the requested content, the user must enter their credentials in this form and be successfully authenticated within this time.
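The per-type idle timeouts in the table above and the Accelerated Aging threshold and scaling factor from the Session Settings table combine into one aging calculation. The session table below is an added example, not PAN-OS code: it uses the page's default timeouts, assumes an 80% threshold (PAN-OS's default, but an assumption here), and constructs a ten-entry capacity and a handful of sessions so the switch into accelerated aging is visible.

```python
# Session-table aging with the Accelerated Aging threshold and scaling
# factor applied on top of the per-type idle timeouts. Added example, not
# PAN-OS code: a minimal model of the calculation the page describes.
# Timeouts are the page's defaults; the 80% threshold is an assumption;
# capacity and traffic are constructed.

IDLE_TIMEOUT = {"tcp": 3600, "udp": 30, "icmp": 6, "default": 30}


class SessionTable:
    def __init__(self, capacity, threshold_pct=80, scaling_factor=2, timeouts=IDLE_TIMEOUT):
        self.capacity = capacity
        self.threshold_pct = threshold_pct
        self.scaling_factor = scaling_factor
        self.timeouts = timeouts
        self.sessions = {}   # key -> (session type, time of last refresh)

    def utilization_pct(self):
        return 100.0 * len(self.sessions) / self.capacity

    def accelerated(self):
        """Accelerated aging is in force once the table is at least threshold_pct full."""
        return self.utilization_pct() >= self.threshold_pct

    def effective_timeout(self, stype):
        """Idle timeout currently in force for a session of this type."""
        base = self.timeouts[stype]
        return base / self.scaling_factor if self.accelerated() else base

    def refresh(self, key, stype, now):
        """A packet (or event) for the session resets its idle clock."""
        self.sessions[key] = (stype, now)

    def age_out(self, now):
        """Remove idle sessions and return their keys. The accelerated state is
        decided once, from utilization at the start of the pass."""
        accel = self.accelerated()
        expired = []
        for key, (stype, last) in list(self.sessions.items()):
            limit = self.timeouts[stype] / self.scaling_factor if accel else self.timeouts[stype]
            if now - last >= limit:
                expired.append(key)
                del self.sessions[key]
        return expired


if __name__ == "__main__":
    table = SessionTable(capacity=10)
    for i in range(8):                       # 80% full: accelerated aging kicks in
        table.refresh(("tcp", i), "tcp", 0)
    print("tcp timeout now", table.effective_timeout("tcp"))   # 1800.0 instead of 3600
    print("expired at t=1800:", len(table.age_out(1800)))
```

The point for operations: the shortened timeout applies to every session in the table, not only to new ones, so a burst that pushes the table over the threshold can silently halve the lifetime of long-lived idle TCP sessions.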

TCP Settings

Setting / Description
Forward Segments Exceeding TCP Out-of-Order Queue
Select this option if you want the NGFW to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the NGFW drops segments that exceed the out-of-order queue limit.
Allow Arbitrary ACK in Response to SYN
Enable this option to allow a response to a challenge ACK (also known as an arbitrary ACK) for cases where the server responds to the client SYN with an ACK instead of a SYN/ACK. For example, servers can send challenge ACKs for attack mitigation purposes, and enabling this setting on the NGFW allows communication between the client and server so that the challenge ACK process can be completed even when the handshake is out of state or out of sequence.
Drop Segments with Null Timestamp Option
The TCP timestamp records when the segment was sent and allows the NGFW to verify that the timestamp is valid for that session, which protects against wrapped sequence numbers. The TCP timestamp is also used to calculate round trip time. With this option enabled, the NGFW drops segments that carry a null timestamp.
Asymmetric Path
Set globally whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers, which is what the NGFW sees when the two directions of a TCP session take different paths and it observes only one of them.
  • Drop—Drop such packets. This is the safer choice when routing is symmetric, because out-of-window segments are then unexpected and may be evasion attempts.
  • Bypass—Forward such packets without scanning them. Use this only where asymmetric routing is genuine and cannot be corrected, because the bypassed packets are not content-inspected.
Urgent Data Flag
Use this option to configure whether the NGFW allows the urgent pointer (URG bit flag) in the TCP header. The urgent pointer in the TCP header is used to promote a packet for immediate processing—the NGFW removes it from the processing queue and expedites it through the TCP/IP stack on the host. This process is called out-of-band processing.
Because the implementation of the urgent pointer varies by host, setting this option to Clear (the default and recommended setting) eliminates any ambiguity by disallowing out-of-band processing so that the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. Additionally, the Clear setting ensures that the NGFW sees the exact stream in the protocol stack as the host for whom the packet is destined.
Drop Segments Without Flag
Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default), the NGFW drops packets that have no flags set in the TCP header.
Strip MPTCP Option
Enabled globally by default; converts Multipath TCP (MPTCP) connections to standard TCP connections by removing the MPTCP option, so that a connection cannot be split into subflows over paths the NGFW does not see.
SIP TCP Cleartext
Select one of the following options to set the cleartext proxy behavior for SIP TCP sessions when a segmented SIP header is detected:
  • Always Off—Disables the cleartext proxy. Disable the proxy when the SIP message size is generally smaller than the MSS and when the SIP messages fit within a single segment, or if you need to ensure TCP proxy resources are reserved for SSL forward proxy or HTTP/2.
  • Always enabled—Default. Uses TCP proxy for all SIP over TCP sessions to help with the correct reassembly and ordering of TCP segments for proper ALG operation.
  • Automatically enable proxy when needed—When selected, the cleartext proxy is automatically enabled for sessions where the ALG detects SIP message fragmentation. Helps optimize the proxy when it is also used for SSL forward proxy or HTTP/2.
TCP Retransmit Scan
If enabled, when a retransmitted segment is seen its checksum is compared with that of the original segment. If the checksums differ, the retransmission carries different content from the original, a classic inspection-evasion technique, so the retransmitted segment is assumed to be malicious and dropped.
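Several of the TCP Settings above are simple header checks: no flags set, a null timestamp option, an MPTCP option to strip, and an URG flag to clear. The inspector below is an added example, not PAN-OS code, applying those four checks to raw TCP segments that are constructed in the test inputs rather than captured. The page does not define what a "null" timestamp is, so the code treats it as a timestamp option whose TSval is 0 (an assumption), and it leaves the checksum untouched after rewriting where a real device would recompute it.

```python
# Pure-Python TCP header inspector applying four of the TCP Settings:
# Drop Segments Without Flag, Drop Segments with Null Timestamp Option,
# Strip MPTCP Option and Urgent Data Flag = Clear. Added example, not PAN-OS
# code. "Null timestamp" is modelled as TSval == 0 (assumption).
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
OPT_EOL, OPT_NOP, OPT_TIMESTAMP, OPT_MPTCP = 0, 1, 8, 30
HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer


def build_segment(flags, options=b"", urg_ptr=0, payload=b""):
    """Construct a TCP segment for testing (not a capture). Checksum is left 0."""
    options += b"\x00" * (-len(options) % 4)
    doff = 5 + len(options) // 4
    return struct.pack(HDR, 40000, 80, 1000, 2000, doff << 4, flags, 65535, 0, urg_ptr) + options + payload


def parse_options(raw):
    """Return [(kind, data)] for the option bytes; raises ValueError on malformed options."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def inspect(segment, drop_no_flags=True, drop_null_timestamp=False, strip_mptcp=True, clear_urg=True):
    """Return ("drop", reason) or ("forward", possibly rewritten segment)."""
    if len(segment) < 20:
        return "drop", "truncated header"
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack(HDR, segment[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(segment):
        return "drop", "bad data offset"
    if drop_no_flags and flags == 0:
        return "drop", "no flags set"                     # null-scan style evasion
    try:
        opts = parse_options(segment[20:doff])
    except ValueError as err:
        return "drop", str(err)
    if drop_null_timestamp:
        for kind, data in opts:
            if kind == OPT_TIMESTAMP and len(data) == 8 and struct.unpack("!I", data[:4])[0] == 0:
                return "drop", "null timestamp"
    out_opts = bytearray(segment[20:doff])
    if strip_mptcp:
        # Overwrite each MPTCP option with NOPs so the header length is unchanged.
        i = 0
        while i < len(out_opts) and out_opts[i] != OPT_EOL:
            if out_opts[i] == OPT_NOP:
                i += 1
                continue
            length = out_opts[i + 1]                      # validated by parse_options above
            if out_opts[i] == OPT_MPTCP:
                out_opts[i:i + length] = bytes([OPT_NOP]) * length
            i += length
    if clear_urg and flags & URG:
        flags &= ~URG
        urg = 0                                           # urgent pointer is meaningless without URG
    # A real device recomputes the checksum over the pseudo-header after rewriting.
    head = struct.pack(HDR, sport, dport, seq, ack, off, flags, win, csum, urg)
    return "forward", head + bytes(out_opts) + segment[doff:]


def flags_of(segment):
    return segment[13]


def urgent_pointer(segment):
    return struct.unpack("!H", segment[18:20])[0]
```

Note the ordering: the flag check and option parsing happen before any rewriting, so a malformed option list is dropped rather than partially stripped, and stripping replaces the MPTCP option in place with NOPs instead of shortening the header, which keeps the data offset valid.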

VPN Session Settings

Setting / Description
Cookie Activation Threshold
Specify a maximum number of IKEv2 half-open IKE SAs allowed per NGFW, above which cookie validation is triggered. When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.
A value of 0 means that cookie validation is always on.
The Cookie Activation Threshold is a global NGFW setting (range is 0 to 65535; default is 500) and should be lower than the Maximum Half Opened SA setting, which is also global; if it is not, the NGFW stops responding to new IKE_SA_INIT packets before cookie validation ever engages.
Maximum Half Opened SA
Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the NGFW without getting a response. Once the maximum is reached, the NGFW will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535).
Maximum Cached Certificates
Specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the NGFW can cache. This value is used only by the IKEv2 Hash and URL feature (range is 1 to 4000; default is 500).
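The Cookie Activation Threshold and Maximum Half Opened SA settings describe a responder that starts challenging initiators once enough SAs are half-open and stops answering altogether at the hard limit. The responder below is an added example, not PAN-OS code: messages are reduced to the fields that matter (source IP, initiator SPI, optional cookie), the cookie is the stateless HMAC construction RFC 7296 section 2.6 suggests rather than whatever the firewall uses, and the exchanges are constructed. It shows why a cookie costs the responder no state and why the threshold must sit below the hard limit.

```python
# Responder-side model of the IKEv2 cookie mechanism governed by the Cookie
# Activation Threshold and Maximum Half Opened SA settings. Added example,
# not PAN-OS code; the cookie construction is an RFC 7296-style stateless
# HMAC, assumed here, not necessarily what the firewall implements.
import hashlib
import hmac
import secrets


class IkeResponder:
    def __init__(self, cookie_threshold=500, max_half_open=65535, secret=None):
        self.cookie_threshold = cookie_threshold
        self.max_half_open = max_half_open
        self.secret = secret or secrets.token_bytes(32)   # rotated periodically in practice
        self.half_open = {}   # initiator SPI -> source ip, i.e. SAs still awaiting IKE_AUTH

    def _cookie(self, src_ip, spi_i):
        # Bound to the peer address and its SPI, so it can be verified without keeping state.
        msg = f"{src_ip}|{spi_i:016x}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def cookie_required(self):
        """A value of 0 means cookies are always required (page: 'always on')."""
        return self.cookie_threshold == 0 or len(self.half_open) > self.cookie_threshold

    def on_ike_sa_init(self, src_ip, spi_i, cookie=None):
        """Handle an IKE_SA_INIT. Returns ("drop", None), ("cookie", cookie) or ("response", None)."""
        if len(self.half_open) >= self.max_half_open:
            return "drop", None                              # Maximum Half Opened SA reached: silent
        if self.cookie_required():
            expected = self._cookie(src_ip, spi_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "cookie", expected                    # N(COOKIE) reply; no state allocated
        self.half_open[spi_i] = src_ip                       # half-open until IKE_AUTH completes
        return "response", None

    def on_ike_auth(self, spi_i):
        """IKE_AUTH for a half-open SA: established (or failed), so it no longer counts."""
        return self.half_open.pop(spi_i, None) is not None


def flood(responder, src_ip, count):
    """Send `count` cookie-less IKE_SA_INITs from one address; return a tally per outcome."""
    tally = {"response": 0, "cookie": 0, "drop": 0}
    for spi in range(1, count + 1):
        tally[responder.on_ike_sa_init(src_ip, spi)[0]] += 1
    return tally


if __name__ == "__main__":
    r = IkeResponder(cookie_threshold=3, max_half_open=5)
    print(flood(r, "192.0.2.1", 10))      # {'response': 4, 'cookie': 6, 'drop': 0}
```

An initiator that cannot complete the round trip (a spoofed source) never gets past the cookie, so the responder's half-open count stops growing at the threshold; only peers that really hold the address can push it toward the hard limit, at which point genuine peers are refused too. That is the reason to keep the threshold well below the maximum.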