Change the Cookie Activation Threshold for IKEv2


Where Can I Use This?
What Do I Need?
  • PAN-OS
No license required
Cookie validation is always enabled for IKEv2; it protects the firewall against half-open SA DoS attacks, in which an attacker floods IKE_SA_INIT requests to leave many SAs half open. You can configure the global threshold number of half-open SAs that triggers cookie validation, and you can configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
  • The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-open IKE SAs (default is 500). When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder answers each new IKE_SA_INIT request with a cookie (an N(COOKIE) notification) instead of negotiating, and the Initiator must retransmit its IKE_SA_INIT request carrying that cookie before the Responder accepts the connection. If the cookie validation succeeds, the SA negotiation proceeds. A value of zero means that cookie validation is always on.
    The Responder keeps no state for the Initiator and performs no Diffie-Hellman key exchange until the Initiator returns the cookie. An attacker sending IKE_SA_INIT requests from spoofed source addresses never receives the cookie and so cannot echo it, which is why IKEv2 cookie validation mitigates a DoS attack that tries to leave numerous connections half open.
    The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you raise the cookie activation threshold for IKEv2 to a value close to that limit (for example, 65534) while the Maximum Half Opened SA setting remains at its default of 65535, cookie validation is effectively disabled: the half-open table fills almost to its hard limit before a cookie is ever requested.
  • You can enable Strict Cookie Validation if you want cookie validation performed for every new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validation affects only the IKE gateway being configured and is disabled by default. With Strict Cookie Validation disabled, the system uses the Cookie Activation Threshold to determine whether a cookie is needed.
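The following is an added example, not PAN-OS code: a small Python model of the responder behaviour described above, built on the cookie construction in RFC 7296 section 2.6 (Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret), implemented here with an HMAC) and driven by the three settings on this page. The threshold check uses "at or above" so that a threshold of 0 challenges every request, as the page states. The `flood` function is constructed attack traffic from spoofed sources that never answer a challenge; all addresses, SPIs and nonces are sample values, and the class and function names are this example's own.

```python
"""Added example, not PAN-OS code: a stateless IKEv2 cookie responder modelled on
RFC 7296 section 2.6 and driven by PAN-OS-style settings (Cookie Activation
Threshold, Maximum Half Opened SA, per-gateway Strict Cookie Validation).
Every address, SPI and nonce below is a constructed sample value."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class IkeSaInit:
    """The parts of an IKE_SA_INIT request that the responder's cookie is bound to."""
    spi_i: bytes                    # initiator SPI (8 bytes)
    nonce_i: bytes                  # Ni
    ip_i: str                       # initiator source address
    cookie: Optional[bytes] = None  # N(COOKIE) copied from the responder's challenge, if any


@dataclass
class Responder:
    cookie_activation_threshold: int = 500  # global VPN session setting; 0 means always on
    max_half_opened_sa: int = 65535         # global hard limit on half-open SAs
    strict_cookie_validation: bool = False  # per IKE gateway setting
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    secret_version: int = 1                 # version byte lets <secret> rotate without breaking in-flight retries
    half_open: Set[bytes] = field(default_factory=set)  # the only state kept: SPIs of half-open SAs

    def cookie_for(self, msg: IkeSaInit) -> bytes:
        # RFC 7296 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
        # HMAC is used here in place of the RFC's hash-with-appended-secret; the binding is the same.
        mac = hmac.new(self.secret, msg.nonce_i + msg.ip_i.encode() + msg.spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac

    def cookie_required(self) -> bool:
        # Strict mode challenges every IKE_SA_INIT; otherwise only once the half-open count
        # has reached the threshold (so threshold 0 means every request is challenged).
        return self.strict_cookie_validation or len(self.half_open) >= self.cookie_activation_threshold

    def handle_ike_sa_init(self, msg: IkeSaInit) -> Tuple[str, bytes]:
        """Process one IKE_SA_INIT. Returns ("COOKIE", cookie) to demand a retry,
        ("SA_INIT", spi_r) when a half-open SA is created, or ("DROP", reason)."""
        if self.cookie_required():
            if msg.cookie is None:
                # Stateless challenge: nothing is stored and no Diffie-Hellman work is done.
                return ("COOKIE", self.cookie_for(msg))
            if not hmac.compare_digest(msg.cookie, self.cookie_for(msg)):
                return ("DROP", b"bad cookie")
        if len(self.half_open) >= self.max_half_opened_sa:
            return ("DROP", b"max half-opened SA reached")
        self.half_open.add(msg.spi_i)  # only now does the responder commit per-SA state
        return ("SA_INIT", os.urandom(8))


def flood(responder: Responder, count: int) -> Tuple[int, int]:
    """Constructed attack traffic: IKE_SA_INIT from spoofed sources that never answer
    a cookie challenge. Returns (half-open SAs created, cookie challenges issued)."""
    accepted = challenged = 0
    for i in range(count):
        msg = IkeSaInit(spi_i=i.to_bytes(8, "big"), nonce_i=os.urandom(32),
                        ip_i=f"198.51.100.{i % 254 + 1}")
        kind, _ = responder.handle_ike_sa_init(msg)
        if kind == "SA_INIT":
            accepted += 1
        elif kind == "COOKIE":
            challenged += 1
    return accepted, challenged


def legitimate_initiator(responder: Responder, ip_i: str = "203.0.113.7") -> bool:
    """A real peer: when challenged it retransmits IKE_SA_INIT carrying the cookie."""
    msg = IkeSaInit(spi_i=os.urandom(8), nonce_i=os.urandom(32), ip_i=ip_i)
    kind, payload = responder.handle_ike_sa_init(msg)
    if kind == "COOKIE":
        msg.cookie = payload
        kind, payload = responder.handle_ike_sa_init(msg)
    return kind == "SA_INIT"


def forged_cookie_initiator(responder: Responder, ip_i: str = "203.0.113.9") -> str:
    """A peer that guesses a cookie instead of echoing one; returns the responder's verdict."""
    msg = IkeSaInit(spi_i=os.urandom(8), nonce_i=os.urandom(32), ip_i=ip_i,
                    cookie=b"\x01" + b"\x00" * 32)
    return responder.handle_ike_sa_init(msg)[0]


if __name__ == "__main__":
    r = Responder()                                   # default threshold 500
    print("default:", flood(r, 10_000), "half-open now", len(r.half_open))
    print("legitimate peer still connects:", legitimate_initiator(r))
    m = Responder(cookie_activation_threshold=65534)  # threshold right under the hard limit
    print("misconfigured:", flood(m, 70_000), "half-open now", len(m.half_open))
```

With the default threshold, a 10,000-message flood from spoofed sources leaves exactly 500 SAs half open and the rest are answered with a stateless challenge, while a genuine peer that echoes the cookie still completes IKE_SA_INIT. With the threshold set to 65534 against the default Maximum Half Opened SA of 65535, the same flood fills the table to 65534 entries before the first cookie is requested, which is the "effectively disabled" case described above.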
Perform the following task if you want a firewall to require cookie validation at a threshold other than the default of 500 half-open SA sessions.
  1. Change the Cookie Activation Threshold.
    1. Select Device > Setup > Session and edit the VPN Session Settings. For Cookie Activation Threshold, enter the maximum number of half-open SAs that are allowed before the responder requests a cookie from the initiator (range is 0-65,535; default is 500). Keep the value lower than the Maximum Half Opened SA setting; otherwise the half-open limit is reached before cookie validation takes effect.
    2. Click OK.
  2. Commit your changes.
    Click OK and Commit.