Select Device > Setup > Session to configure session age-out times, decryption certificate settings, and global session-related settings such as firewalling IPv6 traffic and rematching security policy to existing sessions when the policy changes. The tab has the following sections:
Session Settings
The following table describes session settings.
Session Setting: Description

Rematch Sessions: Click Edit and select Rematch Sessions to cause the firewall to apply newly configured security policies to sessions that are already in progress. This capability is enabled by default. If this setting is disabled, any policy change applies only to sessions initiated after the policy change was committed. For example, if a Telnet session started while a policy that allowed Telnet was in effect, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the current session and blocks it.

ICMPv6 Token Bucket Size: Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10–65,535 packets; default is 100).

ICMPv6 Error Packet Rate: Enter the average number of ICMPv6 error packets per second allowed globally through the firewall (range is 10–65,535 packets/second; default is 100 packets/second). This value applies to all interfaces. When the firewall reaches the ICMPv6 error packet rate, it uses the ICMPv6 token bucket to throttle ICMPv6 error messages.

Enable IPv6 Firewalling: To enable firewall capabilities for IPv6, click Edit and select IPv6 Firewalling. All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling option must also be enabled for IPv6 to function.

Enable Jumbo Frame / Global MTU: Select Enable Jumbo Frame to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,192 bytes and are available on certain platforms. If you do not select Enable Jumbo Frame, the Global MTU defaults to 1,500 bytes (range is 576–1,500 bytes). If you select Enable Jumbo Frame, the Global MTU defaults to 9,192 bytes (range is 9,192–9,216 bytes). If you enable jumbo frames, any interface whose MTU is not explicitly configured automatically inherits the jumbo frame size. Therefore, before you enable jumbo frames, set the MTU of any interface that should not use jumbo frames to 1,500 bytes or another value. To configure the MTU for the interface (Network > Interfaces > Ethernet), see Layer 3 Interface.

NAT64 IPv6 Minimum Network MTU: Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic.

NAT Oversubscription Rate: Select the DIPP NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. Reducing the oversubscription rate decreases the number of source device translations but provides higher NAT rule capacities. The options are:
- Platform Default: Explicit configuration of the oversubscription rate is turned off; the default oversubscription rate for the platform applies. See platform default rates at https://www.paloaltonetworks.com/products/product-selection.html.
- 1x: 1 time. This means no oversubscription; each translated IP address and port pair can be used only once at a time.
- 2x: 2 times.
- 4x: 4 times.
- 8x: 8 times.

ICMP Unreachable Packet Rate (per sec): Define the maximum number of ICMP Unreachable responses that the firewall can send per second. This limit is shared by IPv4 and IPv6 packets. The default value is 200 messages per second (range is 1–65,535).

Accelerated Aging: Enables accelerated aging-out of idle sessions. Select this option to enable accelerated aging and specify the threshold (%) and scaling factor. When the session table reaches the Accelerated Aging Threshold (percentage full), PAN-OS divides the configured idle time for each type of session by the Accelerated Aging Scaling Factor to obtain a shorter timeout, and applies that shorter timeout to all sessions. The default scaling factor is 2, so sessions age out twice as fast, in one-half of the configured idle time. For example, if the scaling factor is 10, a session that would normally time out after 3,600 seconds times out 10 times faster (in 1/10 of the time), which is 360 seconds.

Multicast Route Setup Buffering: Select this option to enable multicast route setup buffering, which allows the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. This option is disabled by default.

Multicast Route Setup Buffer Size: If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the buffer size per flow (range is 1–2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets.
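The ICMPv6 Token Bucket Size and ICMPv6 Error Packet Rate settings above are the two parameters of a standard token bucket. The following model, added here as an illustration and not PAN-OS code, shows how the two interact: the bucket size bounds how many error packets can be emitted back to back, while the rate bounds the sustained average. The defaults (100 packets, 100 packets/second) are used as parameters and the arrival patterns are constructed samples.

```python
"""Token-bucket rate limiter modelled on the ICMPv6 error-message limit.
Illustrative model added here, not PAN-OS code."""


class TokenBucket:
    def __init__(self, bucket_size=100, rate=100.0):
        self.bucket_size = bucket_size      # burst capacity ("ICMPv6 Token Bucket Size")
        self.rate = rate                    # sustained packets/second ("ICMPv6 Error Packet Rate")
        self.tokens = float(bucket_size)    # start full: one full-size burst is allowed
        self.last = 0.0                     # time of the last refill, in seconds

    def _refill(self, now):
        elapsed = now - self.last
        self.last = now
        # tokens accrue at `rate` per second but never beyond the bucket size
        self.tokens = min(self.bucket_size, self.tokens + elapsed * self.rate)

    def allow(self, now):
        """True if an error packet attempted at time `now` may be emitted."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, bucket_size=100, rate=100.0):
    """Run timestamped error-packet attempts (seconds, non-decreasing) through
    one bucket and return (sent, throttled) counts."""
    bucket = TokenBucket(bucket_size, rate)
    sent = throttled = 0
    for t in arrivals:
        if bucket.allow(t):
            sent += 1
        else:
            throttled += 1
    return sent, throttled


# Constructed scenario: a burst of 150 error packets at t=0, then 50 more at t=0.5 s.
BURST = [0.0] * 150 + [0.5] * 50

if __name__ == "__main__":
    print("defaults:", simulate(BURST))                   # (150, 50)
    print("bucket size 10:", simulate(BURST, bucket_size=10))  # (20, 180)
```

With the defaults, the first 100 packets of the burst pass, the next 50 are throttled, and by t=0.5 s the bucket has refilled exactly 50 tokens for the second wave. Shrinking only the bucket size to 10 leaves the long-term rate unchanged but caps every burst at 10 packets, which is the knob to turn when a burst of error messages, rather than their average rate, is the concern.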
Session Timeouts
A session timeout defines the duration for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.
On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The timeouts available for that application appear in the Options window. The firewall applies application timeouts to an application that is in Established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
Use the options in this section to configure global session timeout settings: specifically for TCP, UDP, and ICMP sessions, and for all other types of sessions.
The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.
Session Timeouts Setting: Description

Default: Maximum length of time, in seconds, that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1–15,999,999; default is 30).

Discard Timeouts: PAN-OS applies the discard timeout when denying a session based on security policies configured on the firewall.
- Discard Default: Applies only to non-TCP/UDP traffic (range is 1–15,999,999; default is 60).
- Discard TCP: Applies to TCP traffic (range is 1–15,999,999; default is 90).
- Discard UDP: Applies to UDP traffic (range is 1–15,999,999; default is 60).

ICMP: Maximum length of time that an ICMP session can be open without an ICMP response (range is 1–15,999,999; default is 6).

Scan: Maximum length of time, in seconds, that any session remains open after it is considered inactive. PAN-OS regards an application as inactive when it exceeds the trickling threshold defined for the application (range is 5–30; default is 10).

TCP: Maximum length of time that a TCP session remains open without a response after the session is in the Established state (after the handshake is complete and/or data transmission has started) (range is 1–15,999,999; default is 3,600).

TCP handshake: Maximum length of time, in seconds, between receiving the SYN-ACK and the subsequent ACK that fully establishes the session (range is 1–60; default is 10).

TCP init: Maximum length of time, in seconds, between receiving the SYN and the SYN-ACK before the TCP handshake timer starts (range is 1–60; default is 5).

TCP Half Closed: Maximum length of time, in seconds, between receiving the first FIN and receiving the second FIN or a RST (range is 1–604,800; default is 120).

TCP Time Wait: Maximum length of time, in seconds, after receiving the second FIN or a RST (range is 1–600; default is 15).

Unverified RST: Maximum length of time, in seconds, after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path) (range is 1–600; default is 30).

UDP: Maximum length of time, in seconds, that a UDP session remains open without a UDP response (range is 1–1,599,999; default is 30).

Captive Portal: The authentication session timeout, in seconds, for the Captive Portal web form (range is 1–1,599,999; default is 30). To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated. To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, use the Device > User Identification > Captive Portal Settings tab. See Device > User Identification > Captive Portal Settings.
TCP Settings
The following table describes TCP settings.
TCP Setting: Description

Urgent Data Flag: Use this option to configure whether the firewall allows the urgent pointer (URG bit flag) in the TCP header. The urgent pointer in the TCP header is used to promote a packet for immediate processing: the packet is removed from the processing queue and expedited through the TCP/IP stack on the host. This process is called out-of-band processing. Because the implementation of the urgent pointer varies by host, select Clear to eliminate any ambiguity by disallowing out-of-band processing, so that the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. Setting this option to Clear also ensures that the firewall sees the same stream in its protocol stack as the host for which the packet is destined. To see a count of the segments in which the firewall cleared the URG flag because this option is set to Clear, run the show counter global tcp_clear_urg CLI command. By default, this option is set to Do Not Modify, which means the firewall allows packets with the URG bit flag in the TCP header and enables out-of-band processing. However, Palo Alto Networks recommends setting this option to Clear for the most secure deployment. Setting this option to Clear should not result in performance degradation; in the rare instance that an application, such as telnet, uses the urgent data feature, TCP may be impacted.

Drop segments with null timestamp option: The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round-trip time. Select this option if you want the firewall to drop packets with null timestamps. To see a count of the segments that the firewall dropped as a result of enabling this option, run the show counter global tcp_invalid_ts_option CLI command. This option is disabled by default. However, Palo Alto Networks recommends enabling it for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with a null TCP timestamp option value, enabling this option may result in connectivity issues.

Drop segments without flag: Illegal TCP segments without any flags set can be used to evade content inspection. Enable this option to configure the firewall to drop packets that have no flags set in the TCP header. To see a count of the segments that the firewall dropped as a result of enabling this option, run the show counter global tcp_flag_zero CLI command. This option is disabled by default. However, Palo Alto Networks recommends enabling it for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with no TCP flags, enabling this option may result in connectivity issues.

Forward segments exceeding TCP out-of-order queue: Select this option if you want the firewall to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the firewall drops segments that exceed the out-of-order queue limit. To see a count of the segments that the firewall dropped for exceeding the limit, run the show counter global tcp_exceed_flow_seg_limit CLI command. This option is enabled by default. However, Palo Alto Networks recommends disabling it for the most secure deployment. Disabling this option may increase latency for a stream that receives more than 64 segments out of order. No loss of connectivity should occur, because the TCP stack handles retransmission of the missing segments.
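The three header checks in this table (clear URG, drop null timestamp, drop flagless segments) are each a small decision over the parsed TCP header. The following example, added here as an illustration and not PAN-OS code, parses a raw TCP header including its options and applies the checks, reporting which of the global counters named above would be incremented. The reading of "null timestamp" as a TSval of zero, and the parser itself, are assumptions; the segments are constructed samples with dummy ports, sequence numbers and checksum.

```python
"""TCP Settings inspection checks applied to raw TCP segments.
Illustrative example added here, not PAN-OS code. The counter names are the
ones the page cites for each setting; the decision logic is a model."""
import struct

TS_KIND = 8      # TCP timestamp option kind (RFC 7323)
URG = 0x20       # URG bit in the flags field


def parse_tcp_header(seg):
    """Parse the fixed 20-byte TCP header and its options.
    Returns (fields, options); options is a list of (kind, payload bytes)."""
    if len(seg) < 20:
        raise ValueError("short TCP header")
    (_sport, _dport, _seq, _ack, off_flags,
     _win, _csum, urg_ptr) = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF     # NS CWR ECE URG ACK PSH RST SYN FIN
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("bad data offset")
    options, raw, i = [], seg[20:data_offset], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:             # End of option list
            break
        if kind == 1:             # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option")
        length = raw[i + 1]
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return {"flags": flags, "urg_ptr": urg_ptr, "data_offset": data_offset}, options


def inspect_segment(seg, clear_urg=True, drop_null_ts=True, drop_no_flags=True):
    """Apply the three checks with the recommended (most secure) settings by default.
    Returns (action, counter, segment): action is 'drop' or 'forward', counter is
    the global counter associated with the check that fired (None if none did),
    segment is the bytes that would be forwarded."""
    hdr, options = parse_tcp_header(seg)
    if drop_no_flags and hdr["flags"] == 0:
        return "drop", "tcp_flag_zero", seg
    if drop_null_ts:
        for kind, payload in options:
            if kind == TS_KIND and len(payload) == 8:
                tsval, _tsecr = struct.unpack("!II", payload)
                if tsval == 0:    # assumption: "null timestamp" means a TSval of zero
                    return "drop", "tcp_invalid_ts_option", seg
    if clear_urg and hdr["flags"] & URG:
        # Clear URG and zero the urgent pointer; the "urgent" byte simply stays in
        # the payload. A real device must also recompute the TCP checksum here.
        off_flags = struct.unpack("!H", seg[12:14])[0] & ~URG
        seg = seg[:12] + struct.pack("!H", off_flags) + seg[14:18] + b"\x00\x00" + seg[20:]
        return "forward", "tcp_clear_urg", seg
    return "forward", None, seg


def build_segment(flags, urg_ptr=0, options=b"", payload=b""):
    """Constructed test segment: ports, sequence numbers and checksum are dummies."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    data_offset = 5 + len(options) // 4
    hdr = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0,
                      (data_offset << 12) | flags, 65535, 0, urg_ptr)
    return hdr + options + payload


def timestamp_option(tsval, tsecr):
    return struct.pack("!BBII", TS_KIND, 10, tsval, tsecr)


if __name__ == "__main__":
    print(inspect_segment(build_segment(0))[:2])                                   # drop, tcp_flag_zero
    print(inspect_segment(build_segment(0x02, options=timestamp_option(0, 0)))[:2])  # drop, tcp_invalid_ts_option
    print(inspect_segment(build_segment(0x38, urg_ptr=1, payload=b"x"))[:2])      # forward, tcp_clear_urg
```

Running the same flagless or null-timestamp segment with `drop_no_flags=False` or `drop_null_ts=False` reproduces the default (forwarding) behaviour, which is what the connectivity caveats in the table refer to: a stack that emits such segments only notices the difference once the stricter setting is on.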
Decryption Settings: Certificate Revocation Checking
Select Session, and in Decryption Settings, select Certificate Revocation Checking to set the parameters described in the following table.
Session Features: Certificate Revocation Checking Setting: Description

Enable: CRL: Select this option to use the certificate revocation list (CRL) method to verify the revocation status of certificates. If you also enable Online Certificate Status Protocol (OCSP), the firewall first tries OCSP; if the OCSP server is unavailable, the firewall then tries the CRL method. For more information on decryption certificates, see Keys and Certificates for Decryption.

Receive Timeout: CRL: If you enabled the CRL method for verifying certificate revocation status, specify the interval in seconds (1–60; default is 5) after which the firewall stops waiting for a response from the CRL service.

Enable: OCSP: Select this option to use OCSP to verify the revocation status of certificates.

Receive Timeout: OCSP: If you enabled the OCSP method for verifying certificate revocation status, specify the interval in seconds (1–60; default is 5) after which the firewall stops waiting for a response from the OCSP responder.

Block Session With Unknown Certificate Status: Select this option to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.

Block Session On Certificate Status Check Timeout: Select this option to block SSL/TLS sessions after the firewall registers a CRL or OCSP request timeout. Otherwise, the firewall proceeds with the session.

Certificate Status Timeout: Specify the interval in seconds (1–60; default is 5) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you optionally define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeouts as follows:
- If you enable both OCSP and CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
- If you enable only OCSP, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
- If you enable only CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
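The interaction between the two Receive Timeouts, the Certificate Status Timeout and the two Block Session settings is easy to misjudge; in particular, with all three timers at their default of 5 seconds the CRL fallback can never run, because the overall deadline expires the moment the OCSP Receive Timeout does. The following model, added here as an illustration and not PAN-OS code, encodes the three timeout rules above, the OCSP-then-CRL order, and the two blocking settings; the responder behaviours it feeds in are constructed samples, and how a revoked status is handled (a Decryption profile matter, not on this page) is deliberately left out.

```python
"""Model of Certificate Revocation Checking timeouts and blocking decisions.
Illustrative example added here, not PAN-OS code."""
from dataclasses import dataclass


@dataclass
class RevocationSettings:
    enable_ocsp: bool = True
    enable_crl: bool = True
    ocsp_receive_timeout: int = 5        # Receive Timeout: OCSP (seconds)
    crl_receive_timeout: int = 5         # Receive Timeout: CRL (seconds)
    certificate_status_timeout: int = 5  # Certificate Status Timeout (seconds)
    block_unknown_status: bool = False   # Block Session With Unknown Certificate Status
    block_on_timeout: bool = False       # Block Session On Certificate Status Check Timeout


def request_timeout(s):
    """Seconds after which a request timeout is registered, per the three rules
    above: the lesser of the Certificate Status Timeout and the sum of the
    Receive Timeouts of the enabled methods. None if neither method is enabled."""
    aggregate = 0
    if s.enable_ocsp:
        aggregate += s.ocsp_receive_timeout
    if s.enable_crl:
        aggregate += s.crl_receive_timeout
    if aggregate == 0:
        return None
    return min(s.certificate_status_timeout, aggregate)


def check_revocation(s, ocsp_reply=None, crl_reply=None):
    """Try OCSP first, then CRL. Each reply is (status, seconds_to_answer) or
    None when the service never answers. Returns (status, elapsed_seconds)
    with status 'good', 'unknown', 'timeout' or 'not_checked'."""
    deadline = request_timeout(s)
    if deadline is None:
        return "not_checked", 0
    elapsed = 0
    attempts = [(s.enable_ocsp, ocsp_reply, s.ocsp_receive_timeout),
                (s.enable_crl, crl_reply, s.crl_receive_timeout)]
    for enabled, reply, receive_timeout in attempts:
        if not enabled:
            continue
        if reply is not None and reply[1] <= receive_timeout:
            if elapsed + reply[1] > deadline:
                return "timeout", deadline
            return reply[0], elapsed + reply[1]
        elapsed += receive_timeout       # service unavailable: wait out its Receive Timeout
        if elapsed >= deadline:
            return "timeout", deadline   # overall deadline hit before the fallback could answer
    return "timeout", deadline


def session_action(s, status):
    """Apply the two Block Session settings to the outcome of check_revocation."""
    if status == "unknown":
        return "block" if s.block_unknown_status else "proceed"
    if status == "timeout":
        return "block" if s.block_on_timeout else "proceed"
    if status in ("good", "not_checked"):
        return "proceed"
    raise ValueError(f"status {status!r} is decided by the Decryption profile, not here")


# Constructed sample: longer receive timeouts so that the CRL fallback has time to run
RELAXED = RevocationSettings(ocsp_receive_timeout=8, crl_receive_timeout=7,
                             certificate_status_timeout=20, block_unknown_status=True)

if __name__ == "__main__":
    print(check_revocation(RevocationSettings(), crl_reply=("good", 3)))   # ('timeout', 5): CRL never tried
    print(check_revocation(RELAXED, crl_reply=("good", 3)))                # ('good', 11)
    print(session_action(RELAXED, check_revocation(RELAXED, crl_reply=("unknown", 3))[0]))  # block
```

Read the first printed line against the table: both methods are enabled, so the firewall registers a timeout after min(5, 5 + 5) = 5 seconds, which is exactly when the OCSP Receive Timeout expires, so an unreachable OCSP responder ends the check before the CRL is consulted. Raising the Certificate Status Timeout above the OCSP Receive Timeout is what actually allows the documented fallback to take place.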
Decryption Settings: Forward Proxy Server Certificate Settings
In the Session tab, Decryption Settings section, select Forward Proxy Server Certificate Settings to configure the Key Size and hashing algorithm of the certificates that the firewall presents to clients when establishing sessions for SSL/TLS Forward Proxy decryption. The following table describes the parameters.
Session Features: Forward Proxy Server Certificate Setting: Description

Defined by destination host: Select this option if you want PAN-OS to generate certificates based on the key that the destination server uses:
- If the destination server uses an RSA 1024-bit key, PAN-OS generates a certificate with that key size and the SHA-1 hashing algorithm.
- If the destination server uses a key size larger than 1024 bits (for example, 2048 bits or 4096 bits), PAN-OS generates a certificate that uses a 2048-bit key and the SHA-256 algorithm.
This is the default setting.

1024-bit RSA: Select this option if you want PAN-OS to generate certificates that use an RSA 1024-bit key and the SHA-1 hashing algorithm regardless of the key size that the destination server uses. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2048 bits. In the future, depending on its security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.

2048-bit RSA: Select this option if you want PAN-OS to generate certificates that use an RSA 2048-bit key and the SHA-256 hashing algorithm regardless of the key size that the destination server uses. Public CAs and popular browsers support 2048-bit keys, which provide better security than 1024-bit keys.
VPN Session Settings
Select Session, and in VPN Session Settings, configure global settings related to the firewall establishing a VPN session. The following table describes the settings.
VPN Session Setting: Description

Cookie Activation Threshold: Specify the maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered. When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder requests a cookie, and the Initiator must respond with an IKE_SA_INIT containing the cookie. If the cookie validation is successful, another SA session can be initiated. A value of 0 means that cookie validation is always on. The Cookie Activation Threshold is a global firewall setting and should be lower than the Maximum Half Opened SA setting, which is also global (range is 0–65,535; default is 500).

Maximum Half Opened SA: Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the firewall without getting a response. Once the maximum is reached, the firewall does not respond to new IKE_SA_INIT packets (range is 1–65,535; default is 65,535).

Maximum Cached Certificates: Specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the firewall can cache. This value is used only by the IKEv2 Hash and URL feature (range is 1–4,000; default is 500).
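The Cookie Activation Threshold and Maximum Half Opened SA settings form a two-stage defence for the IKEv2 responder: above the threshold, an initiator must echo a cookie before the firewall commits state for its SA; at the maximum, IKE_SA_INIT is not answered at all. The following model, added here as an illustration and not PAN-OS code, shows why the threshold should sit below the maximum: cookies let well-behaved initiators still get through while the half-open table is nearly full. The cookie construction (an HMAC over peer address and SPI, in the spirit of the stateless cookie in RFC 7296) and the scenario addresses are assumptions.

```python
"""Model of the IKEv2 half-open SA protections in VPN Session Settings.
Illustrative model added here, not PAN-OS code."""
import hashlib
import hmac
import os


class Ikev2Responder:
    def __init__(self, cookie_threshold=500, max_half_open=65535):
        self.cookie_threshold = cookie_threshold   # Cookie Activation Threshold (0 = always on)
        self.max_half_open = max_half_open         # Maximum Half Opened SA
        self.half_open = {}                        # (peer, initiator SPI) -> state
        self._secret = os.urandom(16)              # a real responder rotates this periodically

    def _cookie(self, peer, spi):
        # Stateless cookie: nothing is stored until the initiator proves it can receive
        msg = f"{peer}|{spi}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def cookies_required(self):
        return self.cookie_threshold == 0 or len(self.half_open) > self.cookie_threshold

    def on_sa_init(self, peer, spi, cookie=None):
        """Handle an IKE_SA_INIT. Returns (outcome, cookie): 'ignored' (no reply),
        'cookie_request' (reply carries the cookie the initiator must echo), or
        'responded' (a half-open SA now exists)."""
        if len(self.half_open) >= self.max_half_open:
            return "ignored", None
        if self.cookies_required():
            expected = self._cookie(peer, spi)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "cookie_request", expected
        self.half_open[(peer, spi)] = "half_open"
        return "responded", None

    def on_auth_complete(self, peer, spi):
        """IKE_AUTH finished: the SA is established and no longer half-open."""
        self.half_open.pop((peer, spi), None)


def flood(responder, count, cookies=False):
    """Constructed scenario: `count` distinct initiators (documentation-range
    addresses) each send one IKE_SA_INIT; with `cookies` set they echo the
    cookie when asked, as a legitimate initiator would. Returns outcome tallies."""
    tally = {"responded": 0, "cookie_request": 0, "ignored": 0}
    for n in range(count):
        peer, spi = f"198.51.100.{n % 250}", n
        outcome, cookie = responder.on_sa_init(peer, spi)
        if outcome == "cookie_request" and cookies:
            outcome, _ = responder.on_sa_init(peer, spi, cookie=cookie)
        tally[outcome] += 1
    return tally


if __name__ == "__main__":
    # Small constructed limits so the two stages are visible
    print(flood(Ikev2Responder(cookie_threshold=2, max_half_open=4), 6))
    # {'responded': 3, 'cookie_request': 3, 'ignored': 0}
    print(flood(Ikev2Responder(cookie_threshold=2, max_half_open=4), 6, cookies=True))
    # {'responded': 4, 'cookie_request': 0, 'ignored': 2}
```

In the first run, initiators that never echo the cookie create no state once the threshold is passed, so the half-open table stays at three entries. In the second, cooperative initiators pass the cookie check until the hard maximum is reached, after which the responder goes silent; that silence is what an initiator sees when Maximum Half Opened SA is hit, which is why the threshold, not the maximum, should be the limit that normal load approaches.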