Focus

Next-Generation Firewall

Configure the NGFW Session Timeout

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure the NGFW Session Timeout

Learn how to configure the firewall session timeout settings.

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS or Panorama Managed)

A session timeout defines the duration of time for which the firewall maintains a session after inactivity. By default, when the session timeout for the protocol expires, the firewall closes the session. You can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. The timeouts are global, meaning they apply to all of the sessions of that type on the firewall.

You can also configure a global ARP cache timeout setting, which controls how long the firewall keeps ARP entries (IP address-to-hardware addresses mappings) in its cache.

Cloud Management

Configure the session timeout settings in Strata Cloud Manager.

Log in to Strata Cloud Manager.
Select ManageConfigurationNGFW and Prisma AccessDevice SetupSession and select the Configuration Scope where you want to configure the session timeout settings.

You can select a folder or firewall from your Folders or select Snippets to configure the session timeout settings in a snippet.
Configure the miscellaneous timeout settings.
- Default (sec)—Maximum length of time that a TCP session remains open after it’s denied based on a Security policy configured on the firewall.
  
  Range is 1 to 15,999,999; default is 90.
- Discard Default (sec)—Maximum length of time that a non-TCP/UDP session remains open after the firewall denies a session based on configured Security policies.
  
  Range is 1 to 15,999,999; default is 60.
- Scan (sec)—Maximum length of time that any session remains open after it’s considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application
  
  Range is 5 to 30; default is 10.
- Captive Portal (sec)—Authentication session timeout for the Authentication Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated
  
  Range is 1 to 15,999,999; default is 30.
Configure the TCP timeout settings.
- Discard TCP (sec)—Maximum length of time that a TCP session remains open after it’s denied based on a Security policy configured on the firewall.
  
  Range is 1 to 15,999,999; default is 90.
- TCP (sec)—Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete, while data is being transmitted, or both).
  
  Range is 1 to 15,999,999; default is 3,600.
- TCP Handshake (sec)—Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session.
  
  Range is 1 to 60; default is 10.
- TCP Init (sec)—Maximum length of time permitted between receiving the SYN and SYN-ACK before starting the TCP handshake timer.
  
  Range is 1 to 60; default is 5.
- TCP Half Closed (sec)—Maximum length of time between receiving the first FIN and receiving the second FIN or an RST.
  
  Range is 1 to 604,800; default is 120.
- TCP Time Wait (sec)—Maximum length of time after receiving the second FIN or an RST.
  
  Range is 1 to 600; default is 15.
- Unverified RST—Maximum length of time after receiving an RST that can’t be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path).
  
  Range is 1 to 600; default is 30.
Configure the UDP timeout settings.
- Discard UDP (sec)—Maximum length of time that a UDP session remains open after it’s denied based on a Security policy configured on the firewall.
  
  Range is 1 to 15,999,999; default is 60.
- UDP (sec)—Maximum length of time that a UDP session remains open without a UDP response.
  
  Range is 1 to 15,999,999; default is 30.
Configure the ICMP timeout settings.
- ICMP (sec)—Maximum length of time that an ICMP session can be open without an ICMP response.
  
  Range is 1 to 15,999,999; default is 6.
Save.
(Optional) Configure the remaining firewall session settings.
- Configure the NGFW Session Settings
- Configure the NGFW VPN Session Settings
Push Config to push your configuration changes.

PAN-OS & Panorama

Configure the firewall session timeout settings.

For more information about managing the general settings of you PAN-OS or Panorama managed device, see here.

Next-Generation Firewall Docs

Configure the NGFW Session Timeout

Next-Generation Firewall Docs

Configure the NGFW Session Timeout

Cloud Management

PAN-OS & Panorama

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner

Configure the NGFW Session Timeout

Next-Generation Firewall Docs

Configure the NGFW Session Timeout

Cloud Management

PAN-OS &amp; Panorama

PAN-OS & Panorama