Session Settings

The following table describes session settings.
Session Settings
Description
Rematch Sessions
Click Edit and select Rematch Sessions to cause the firewall to apply newly configured security policies to sessions that are already in progress. This capability is enabled by default. If this setting is disabled, any policy change applies only to sessions initiated after the policy change was committed.
For example, if a Telnet session started while an associated policy was configured that allowed Telnet, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the current session and blocks it.
ICMPv6 Token Bucket Size
Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10–65,535 packets; default 100).
ICMPv6 Error Packet Rate
Enter the average number of ICMPv6 error packets per second allowed globally through the firewall (range is 10–65,535 packets/second; default is 100 packets/second). This value applies to all interfaces. If the firewall reaches the ICMPv6 error packet rate, the ICMPv6 token bucket is used to enable throttling of ICMPv6 error messages.
Enable IPv6 Firewalling
To enable firewall capabilities for IPv6, click Edit and select IPv6 Firewalling.
All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling option must also be enabled for IPv6 to function.
Enable Jumbo Frame
Global MTU
Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9192 bytes and are available on certain models.
  • If you do not check Enable Jumbo Frame, the Global MTU defaults to 1500 bytes (range is 576–1,500).
  • If you check Enable Jumbo Frame, the Global MTU defaults to 9,192 bytes (range is 9,192–9,216 bytes).
If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value. To configure the MTU for the interface (NetworkInterfacesEthernet), see PA-7000 Series Layer 3 Interface.
NAT64 IPv6 Minimum Network MTU
Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic. Range is 1,280-9,216.
NAT Oversubscription Rate
Select the DIPP NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. Reducing the oversubscription rate will decrease the number of source device translations, but will provide higher NAT rule capacities.
  • Platform Default—Explicit configuration of the oversubscription rate is turned off; the default oversubscription rate for the model applies. See default rates of firewall models at https://www.paloaltonetworks.com/products/product-selection.html.
  • 1x—1 time. This means no oversubscription; each translated IP address and port pair can be used only once at a time.
  • 2x—2 times
  • 4x—4 times
  • 8x—8 times
ICMP Unreachable Packet Rate (per sec)
Define the maximum number of ICMP Unreachable responses that the firewall can send per second. This limit is shared by IPv4 and IPv6 packets.
Default value is 200 messages per second (range is 1–65,535).
Accelerated Aging
Enables accelerated aging-out of idle sessions.
Select this option to enable accelerated aging and specify the threshold (%) and scaling factor.
When the session table reaches the Accelerated Aging Threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions. The default scaling factor is 2, meaning that accelerated aging occurs at a rate twice as fast as the configured idle time. The configured idle time divided by 2 results in a faster timeout of one-half the time. To calculate the session’s accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout.
For example, if the scaling factor is 10, a session that would normally time out after 3600 seconds would time out 10 times faster (in 1/10 of the time), which is 360 seconds.
Packet Buffer Protection
Enable packet buffer protection. This option protects the receive buffers on the firewall from attacks or abusive traffic that causes system resources to back up and cause legitimate traffic to be dropped. Packet buffer protection is achieved by identifying offending sessions, using Random Early Drop (RED) as a first line of defense, and discarding the session if abuse continues. If the firewall detects many small sessions or rapid session creation (or both) from a particular IP address, it blocks that IP address.
  • Alert (%)—When packet buffer utilization exceeds this threshold for more than 10 seconds, the firewall creates a log event every minute. The firewall generates log events when packet buffer protection is enabled globally.The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not create a log event.
  • Activate (%)—When this threshold is reached, the firewall begins to mitigate the most abusive sessions on the zone with Pack Buffer Protection enabled. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not apply RED.
  • Block Hold Time (sec)—The amount of time, in seconds, the session is allowed to continue before it is discarded. This timer monitors RED-mitigated sessions to see if they are still pushing buffer utilization above the configured threshold. If the abusive behavior continues past the block hold time, the session is discarded. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is 0, the firewall does not discard sessions based on packet buffer protection.
  • Block Duration (sec)—The amount of time, in seconds, that a discarded session remains discarded or a blocked IP address remains blocked. The default is 3,600 seconds with a range of 1 seconds to 15,999,999 seconds.
Multicast Route Setup Buffering
Select this option (disabled by default) to enable multicast route setup buffering, which allows the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped.
Multicast Route Setup Buffer Size
If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the buffer size per flow (range is 1 to 2,000; default is 1,000.) The firewall can buffer a maximum of 5,000 packets.

Related Documentation