Session Timeouts
A session timeout defines the duration for which PAN-OS
maintains a session on the firewall after inactivity in the session.
By default, when the session timeout for the protocol expires, PAN-OS
closes the session.
On the firewall, you can define a number of timeouts for TCP,
UDP, and ICMP sessions in particular. The Default timeout applies
to any other type of session. All of these timeouts are global,
meaning they apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility
to define timeouts for an individual application in the ObjectsApplications tab.
The timeouts available for that application appear in the Options
window. The firewall applies application timeouts to an application
that is in Established state. When configured, timeouts for an application
override the global TCP or UDP session timeouts.
Use the options in this section to configure global session timeout settings—specifically for TCP, UDP
and ICMP, and for all other types of sessions.
The defaults are optimal values. However, you can modify these
according to your network needs. Setting a value too low could cause
sensitivity to minor network delays and could result in a failure
to establish connections with the firewall. Setting a value too
high could delay failure detection.
Session Timeouts
Settings | Description |
|---|---|
Default | Maximum length of time, in seconds, that
a non-TCP/UDP or non-ICMP session can be open without a response
(range is 1 to 15,999,999; default is 30). |
Discard Timeouts | PAN-OS applies the discard timeout when
denying a session based on security policies configured on the firewall. |
Discard Default | Applies only to non-TCP/UDP traffic (range
is 1 to 15,999,999; default is 60). |
Discard TCP | Applies to TCP traffic (range is 1 to 15,999,999;
default is 90). |
Discard UDP | Applies to UDP traffic (range is 1 to 15,999,999;
default is 60). |
ICMP | Maximum length of time that an ICMP session
can be open without an ICMP response (range is 1 to 15,999,999;
default is 6). |
Scan | Maximum length of time, in seconds, that
any session remains open after it is considered inactive. PAN-OS
regards an application as inactive when it exceeds the trickling
threshold defined for the application (range is 5 to 30; default
is 10). |
TCP | Maximum length of time that a TCP session
remains open without a response, after a TCP session is in the Established
state (after the handshake is complete and/or data transmission
has started); (range is 1 to 15,999,999; default is 3,600). |
TCP handshake | Maximum length of time, in seconds, between
receiving the SYN-ACK and the subsequent ACK to fully establish
the session (ranges is 1 to 60; default is 10). |
TCP init | Maximum length of time, in seconds, between
receiving the SYN and SYN-ACK before starting the TCP handshake
timer (ranges is 1 to 60; default is 5). |
TCP Half Closed | Maximum length of time, in seconds, between
receiving the first FIN and receiving the second FIN or a RST (range
is 1 to 604,800; default is 120). |
TCP Time Wait | Maximum length of time, in seconds, after
receiving the second FIN or a RST (range is 1 to 600; default is
15). |
Unverified RST | Maximum length of time, in seconds, after
receiving a RST that cannot be verified (the RST is within the TCP
window but has an unexpected sequence number, or the RST is from
an asymmetric path); (ranges is 1 to 600; default is 30). |
UDP | Maximum length of time, in seconds, that
a UDP session remains open without a UDP response (range is 1 to
1,599,999; default is 30). |
Captive Portal | The authentication session timeout in seconds
for the Captive Portal web form (default is 30, range is 1 to 1,599,999).
To access the requested content, the user must enter the authentication
credentials in this form and be successfully authenticated. To
define other Captive Portal timeouts, such as the idle timer and
the expiration time before the user must be re-authenticated, use
the DeviceUser IdentificationCaptive Portal Settings tab.
See Device>
User Identification > Captive Portal Settings. |
Related Documentation
Configure Session Timeouts
Configure Session Timeouts A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. ...
Applications Overview
Applications Overview The Applications page lists various attributes of each application definition, such as the application’s relative security risk (1 to 5). The risk value ...
Defining Applications
Defining Applications Select Objects Applications to Add a new custom application for the firewall to evaluate when applying policies. New Application Settings Description Configuration Tab ...
Guidelines for Setting Authentication Server Timeouts
Guidelines for Setting Authentication Server Timeouts The following are some guidelines for setting the timeouts for firewall attempts to connect with External Authentication Services . ...
Session Settings and Timeouts
Session Settings and Timeouts This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo ...
Configure Cache Timeouts for User Mapping Entries
Configure Cache Timeouts for User Mapping Entries Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Cache To ensure ...
Session Settings
Session Settings The following table describes session settings. Session Settings Description Rematch Sessions Click Edit and select Rematch Sessions to cause the firewall to apply ...
Device > Setup > Content-ID
Device > Setup > Content-ID Use the Content-ID ™ tab to define settings for URL filtering, data protection, and container pages. Content-ID Settings Description URL ...