Change the Cookie Activation Threshold for IKEv2
Where Can I Use This?
  • PAN-OS
What Do I Need?
  • No license required
Cookie validation is always enabled for IKEv2; it helps protect against half-open SA DoS attacks. You can configure the global threshold number of half-open SAs that triggers cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
  • The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-opened IKE SAs (default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie to validate the connection. If the cookie validation is successful, another SA can be initiated. A value of zero means that cookie validation is always on.
    The Responder doesn’t maintain a state of the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation mitigates a DoS attack that would try to leave numerous connections half open.
    The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you change the cookie activation threshold for IKEv2 to a higher number (for example, 65534) while the Maximum Half Opened SA setting remains at the default value of 65535, cookie validation is disabled.
  • You can enable Strict Cookie Validation if you want cookie validation performed for every new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validation affects only the IKE gateway being configured and is disabled by default. With Strict Cookie Validation disabled, the system uses the Cookie Activation Threshold to determine whether a cookie is needed or not.
Perform the following task if you want a firewall to have a threshold different from the default setting of 500 half-opened SA sessions before cookie validation is required.
  1. Change the Cookie Activation Threshold.
    1. Select Device > Setup > Session and edit the VPN Session Settings. For Cookie Activation Threshold, enter the maximum number of half-opened SAs that are allowed before the responder requests a cookie from the initiator (range is 0-65,535; default is 500).
    2. Click OK.
  2. Commit your changes.
    Click OK and Commit.