Configure Session Timeouts

A session timeout defines how long PAN-OS keeps a session on the firewall after activity in that session stops. By default, when the session timeout for the protocol expires, PAN-OS closes the session. You can define a number of timeouts specifically for TCP, UDP, and ICMP sessions; the Default timeout applies to any other type of session. The timeouts are global, meaning they apply to all sessions of that type on the firewall.
In addition to the global settings, you can define timeouts for an individual application in the Objects > Applications tab. The firewall applies application timeouts to an application that is in the established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
If you change the timers at the application level for a predefined or shared application, the change applies identically everywhere that application is used, regardless of whether it is used by shared virtual systems or by an individual virtual system. If you need an application’s timers to differ for one virtual system, create a custom application, assign it unique timers, and then assign the custom application to that virtual system only.
Perform the task below if you need to change the default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.
The defaults are optimal values, but you can modify them to suit your network. Setting a value too low makes sessions sensitive to minor network delays and could cause connections with the firewall to fail to establish; setting a value too high could delay the detection of failures.
  1. Access the Session Settings.
    Select Device > Setup > Session and edit the Session Timeouts.
  2. (Optional) Change miscellaneous timeouts.
    • Default—Maximum length of time that a non-TCP/UDP or non-ICMP session can be open without a response. Default: 30. Range: 1-15,999,999.
    • Discard Default—Maximum length of time that a non-TCP/UDP session remains open after PAN-OS denies the session based on the security policies configured on the firewall. Default: 60. Range: 1-15,999,999.
    • Scan—Maximum length of time that any session remains open after it is considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application. Default: 10. Range: 5-30.
    • Captive Portal—Authentication session timeout for the Captive Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated. Default: 30. Range: 1-15,999,999.
    To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must re-authenticate, select Device > User Identification > Captive Portal Settings. See Configure Captive Portal.
  3. (Optional) Change TCP timeouts.
    • Discard TCP—Maximum length of time that a TCP session remains open after it is denied based on a security policy configured on the firewall. Default: 90. Range: 1-15,999,999.
    • TCP—Maximum length of time that a TCP session remains open without a response once the session is in the Established state (after the handshake is complete and/or data is being transmitted). Default: 3,600. Range: 1-15,999,999.
    • TCP Handshake—Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session. Default: 10. Range: 1-60.
    • TCP init—Maximum length of time permitted between receiving the SYN and the SYN-ACK, before the TCP handshake timer starts. Default: 5. Range: 1-60.
    • TCP Half Closed—Maximum length of time between receiving the first FIN and receiving the second FIN or a RST. Default: 120. Range: 1-604,800.
    • TCP Time Wait—Maximum length of time after receiving the second FIN or a RST. Default: 15. Range: 1-600.
    • Unverified RST—Maximum length of time after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST arrives from an asymmetric path). Default: 30. Range: 1-600.
    • See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.
  4. (Optional) Change UDP timeouts.
    • Discard UDP—Maximum length of time that a UDP session remains open after it is denied based on a security policy configured on the firewall. Default: 60. Range: 1-15,999,999.
    • UDP—Maximum length of time that a UDP session remains open without a UDP response. Default: 30. Range: 1-15,999,999.
    • See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.
  5. (Optional) Change ICMP timeouts.
    • ICMP—Maximum length of time that an ICMP session can be open without an ICMP response. Default: 6. Range: 1-15,999,999.
    • See also the Discard Default and Scan timeouts in the section (Optional) Change miscellaneous timeouts.
  6. Commit your changes.
    Click OK and Commit.
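The TCP timers in step 3 are easiest to understand as a chain: each phase of a TCP session (SYN seen, SYN-ACK seen, established, half closed, time wait, or denied by policy) is governed by exactly one of the timers, and the session is torn down when the gap since the last packet in that phase exceeds the timer. The following is an added example, not PAN-OS or Palo Alto Networks code: a small Python model of that chain, seeded with the defaults and ranges documented above, plus a range check that mirrors what the Session Timeouts dialog enforces, and an optional per-application timeout that replaces the global TCP timer only in the established state, as described at the top of the page. The phase names, the event names (`SYN-ACK`, `ACK`, `DATA`, `FIN`, `RST`, `DENY`) and the single-active-timer assumption are this example's own simplifications; the Unverified RST timer is listed for range checking but not modelled as a phase.

```python
"""Model of how the documented PAN-OS TCP session timers chain together.

Added example (not vendor code). Assumptions: one timer is active per
phase, expiry is decided purely by the idle gap since the last packet,
and packets observed in a denied (DISCARD) session never revive it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Timer name -> (default, min, max) in seconds, taken from the page.
TIMEOUT_SPECS = {
    "tcp-init":        (5, 1, 60),
    "tcp-handshake":   (10, 1, 60),
    "tcp":             (3600, 1, 15_999_999),
    "tcp-half-closed": (120, 1, 604_800),
    "tcp-time-wait":   (15, 1, 600),
    "unverified-rst":  (30, 1, 600),
    "discard-tcp":     (90, 1, 15_999_999),
}


def validate_timeouts(overrides: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Return the effective timer table, rejecting unknown timers and any
    value outside its documented range (the same check the GUI applies)."""
    effective = {name: spec[0] for name, spec in TIMEOUT_SPECS.items()}
    for name, value in (overrides or {}).items():
        if name not in TIMEOUT_SPECS:
            raise ValueError(f"unknown timer {name!r}")
        _, lo, hi = TIMEOUT_SPECS[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside range {lo}-{hi}")
        effective[name] = value
    return effective


# Which timer governs each session phase (example's own phase names).
PHASE_TIMER = {
    "INIT":        "tcp-init",         # SYN seen, waiting for SYN-ACK
    "HANDSHAKE":   "tcp-handshake",    # SYN-ACK seen, waiting for ACK
    "ESTABLISHED": "tcp",              # handshake done, data may flow
    "HALF_CLOSED": "tcp-half-closed",  # first FIN seen
    "TIME_WAIT":   "tcp-time-wait",    # second FIN or a RST seen
    "DISCARD":     "discard-tcp",      # denied by security policy
}

# (current phase, event) -> next phase; unlisted pairs keep the phase.
TRANSITIONS = {
    ("INIT", "SYN-ACK"):     "HANDSHAKE",
    ("HANDSHAKE", "ACK"):    "ESTABLISHED",
    ("ESTABLISHED", "FIN"):  "HALF_CLOSED",
    ("HALF_CLOSED", "FIN"):  "TIME_WAIT",
}


@dataclass
class TcpSession:
    timeouts: Dict[str, int]
    syn_time: float                    # the SYN that created the session
    app_timeout: Optional[int] = None  # per-application override (established only)
    phase: str = "INIT"
    last_seen: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_seen = self.syn_time

    def active_timeout(self) -> int:
        """The timer that currently governs the session."""
        if self.phase == "ESTABLISHED" and self.app_timeout is not None:
            return self.app_timeout  # application timeout overrides global TCP
        return self.timeouts[PHASE_TIMER[self.phase]]

    def expired_at(self, t: float) -> bool:
        """True if the firewall would have aged the session out by time t."""
        if self.phase == "EXPIRED":
            return True
        return t - self.last_seen > self.active_timeout()

    def observe(self, t: float, event: str) -> str:
        """Feed one packet event at time t and return the resulting phase."""
        if self.expired_at(t):
            self.phase = "EXPIRED"
            return self.phase
        if self.phase == "DISCARD":
            pass                                   # denied sessions stay denied
        elif event == "DENY":
            self.phase = "DISCARD"
        elif event == "RST":
            self.phase = "TIME_WAIT"               # a verified RST ends the session
        else:
            self.phase = TRANSITIONS.get((self.phase, event), self.phase)
        self.last_seen = t
        return self.phase


if __name__ == "__main__":
    # Constructed walkthrough: a normal connection that goes idle after its first FIN.
    s = TcpSession(validate_timeouts(), syn_time=0.0)
    for t, ev in [(2, "SYN-ACK"), (4, "ACK"), (100, "DATA"), (200, "FIN")]:
        print(f"t={t:>4}s {ev:<8} -> {s.observe(t, ev)} (timer {s.active_timeout()}s)")
    print("expired at t=400s:", s.expired_at(400))
```

Two things are worth reading off the model. First, a SYN-ACK that arrives 8 seconds after the SYN is already too late under the default 5-second TCP init timer, which is the "sensitivity to minor network delays" caveat from the introduction made concrete. Second, an application timeout of 60 seconds ages out an established session long before the 3,600-second global TCP timer would, which is why a custom application with its own timers is the tool for per-virtual-system tuning.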
