>
    Strata Copilot
    Configure Session Timeouts
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Session Settings and Timeouts
    4. Configure Session Timeouts
    Download PDF
    Next-Generation Firewall

    Configure Session Timeouts

    Table of Contents

    Configure Session Timeouts

    Specify TCP timeouts, UDP timeouts, ICMP timeouts, ARP cache timeout, or miscellaneous timeouts.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these licenses when using Strata Cloud Manager:
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session. You can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. The timeouts are global, meaning they apply to all of the sessions of that type on the firewall.
    You can also configure a global ARP cache timeout setting, which controls how long the firewall keeps ARP entries (IP address-to-hardware addresses mappings) in its cache.
    In addition to the global settings, you can define timeouts for an individual application in the ObjectsApplications tab. The firewall applies application timeouts to an application that is in established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
    If you change the TCP or UDP timers at the application level, these timers for predefined applications and shared custom applications will be implemented across all virtual systems. If you need an application’s timers to be different for a virtual system, you must create a custom application, assign it unique timers, and then assign the custom application to a unique virtual system.
    Perform the following task if you need to change default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.
    The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.

    Configure Session Timeouts (PAN-OS)

    Procedure for configuring session timeouts in PAN-OS and Panorama.
    1. Access the session timeouts.
      Select DeviceSetupSession and edit the Session Timeouts.
    2. (Optional) Change miscellaneous timeouts.
      • Default—Maximum length of time that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1 to 15,999,999; default is 30).
      • Discard Default—Maximum length of time that a non-TCP/UDP session remains open after PAN-OS denies a session based on security policies configured on the firewall (range is 1 to 15,999,999; default is 60).
      • Scan—Maximum length of time that any session remains open after it is considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application (range is 5 to 30; default is 10).
      • Authentication Portal—Authentication session timeout for the Captive Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated (range is 1 to 15,999,999; default is 30).
      • To define other Authentication Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, select DeviceUser IdentificationAuthentication Portal Settings. See Configure Authentication Portal.
    3. (Optional) Change TCP timeouts.
      • Discard TCP—Maximum length of time that a TCP session remains open after it is denied based on a security policy configured on the firewall. Range is 1 to 15,999,999; default is 90.
      • TCP—Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data is being transmitted). Range is 1 to 15,999,999; default is 3,600.
      • TCP Handshake—Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session. Range is 1 to 60; default is 10.
      • TCP init—Maximum length of time permitted between receiving the SYN and SYN-ACK prior to starting the TCP handshake timer. Range is 1 to 60; default is 5.
      • TCP Half Closed—Maximum length of time between receiving the first FIN and receiving the second FIN or a RST. Range is 1 to 604,800; default is 120.
      • TCP Time Wait—Maximum length of time after receiving the second FIN or a RST. Range is 1 to 600; default is 15.
      • Unverified RST—Maximum length of time after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path). Range is 1 to 600; default is 30.
      • See also the Scan timeout in the section (Optional) Change Miscellaneous Timeouts above.
    4. (Optional) Change UDP timeouts.
      • Discard UDP—Maximum length of time that a UDP session remains open after it is denied based on a security policy configured on the firewall. Range is 1 to 15,999,999; default is 60.
      • UDP—Maximum length of time that a UDP session remains open without a UDP response. Range is 1 to 15,999,999; default is 30.
      • See also the Scan timeout in the section (Optional) Change Miscellaneous Timeouts above.
    5. (Optional) Change ICMP timeouts.
      • ICMP—Maximum length of time that an ICMP session can be open without an ICMP response. Range is 1 to 15,999,999; default is 6.
      • See also the Discard Default and Scan timeout in the section (Optional) Change Miscellaneous Timeouts above.
    6. Click OK and Commit.
    7. (Optional) Change the ARP cache timeout.
      1. Access the CLI and specify how many seconds the firewall keeps ARP entries in its cache. Use the operational command set system setting arp-cache-timeout <value>, where the range is 60 to 65,535; default is 1,800.
        If you decrease the timeout and existing entries in the cache have a TTL greater than the new timeout, the firewall removes those entries and refreshes the ARP cache. If you increase the timeout and existing entries have a TTL less than the new timeout, they expire according to the TTL and the firewall caches new entires with the larger timeout value.
      2. View the ARP cache timeout setting with the operational CLI command show system setting arp-cache-timeout.

    Configure Session Timeouts (SCM)

    Procedure for configuring session timeouts in Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupSession ConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupSessionand select the Configuration Scope where you want to configure the session timeout settings.
      You can select a folder or firewall from your Folders or select Snippets to configure the session timeout settings in a snippet.
    3. Configure the miscellaneous timeout settings.
      • Default (sec)—Maximum length of time that a TCP session remains open after it’s denied based on a Security policy configured on the firewall.
        Range is 1 to 15,999,999; default is 90.
      • Discard Default (sec)—Maximum length of time that a non-TCP/UDP session remains open after the firewall denies a session based on configured Security policies.
        Range is 1 to 15,999,999; default is 60.
      • Scan (sec)—Maximum length of time that any session remains open after it’s considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application
        Range is 5 to 30; default is 10.
      • Captive Portal (sec)—Authentication session timeout for the Authentication Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated
        Range is 1 to 15,999,999; default is 30.
    4. Configure the TCP timeout settings.
      • Discard TCP (sec)—Maximum length of time that a TCP session remains open after it’s denied based on a Security policy configured on the firewall.
        Range is 1 to 15,999,999; default is 90.
      • TCP (sec)—Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete, while data is being transmitted, or both).
        Range is 1 to 15,999,999; default is 3,600.
      • TCP Handshake (sec)—Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session.
        Range is 1 to 60; default is 10.
      • TCP Init (sec)—Maximum length of time permitted between receiving the SYN and SYN-ACK before starting the TCP handshake timer.
        Range is 1 to 60; default is 5.
      • TCP Half Closed (sec)—Maximum length of time between receiving the first FIN and receiving the second FIN or an RST.
        Range is 1 to 604,800; default is 120.
      • TCP Time Wait (sec)—Maximum length of time after receiving the second FIN or an RST.
        Range is 1 to 600; default is 15.
      • Unverified RST—Maximum length of time after receiving an RST that can’t be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path).
        Range is 1 to 600; default is 30.
    5. Configure the UDP timeout settings.
      • Discard UDP (sec)—Maximum length of time that a UDP session remains open after it’s denied based on a Security policy configured on the firewall.
        Range is 1 to 15,999,999; default is 60.
      • UDP (sec)—Maximum length of time that a UDP session remains open without a UDP response.
        Range is 1 to 15,999,999; default is 30.
    6. Configure the ICMP timeout settings.
      • ICMP (sec)—Maximum length of time that an ICMP session can be open without an ICMP response.
        Range is 1 to 15,999,999; default is 6.
    7. Save.
    8. (Optional) Configure the remaining firewall session settings.
    9. Push Config to push your configuration changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.