Guidelines for Setting Authentication Server Timeouts
The following are some guidelines for setting the timeouts for firewall attempts to connect with External Authentication Services.
- In addition to the timeouts you set in server profiles for specific servers, the firewall has a global PAN-OS web server timeout. This global timeout applies when the firewall connects to any external server for authenticating administrative access to the firewall web interface or PAN-OS XML API and end user access to applications or services through Captive Portal. The global timeout is 30 seconds by default (range is 3 to 125). It must be the same as or greater than the total time that any server profile allows for connection attempts. The total time in a server profile is the timeout value multiplied by the number of retries and the number of servers. For example, if a RADIUS server profile specifies a 3-second timeout, 3 retries, and 4 servers, the total time that the profile allows for connection attempts is 36 seconds (3 x 3 x 4). Modify the PAN-OS Web Server Timeout if necessary. Do not change the PAN-OS web server timeout unless you see authentication failures. Setting the timeout too high could degrade the performance of the firewall or cause it to drop authentication requests. You can review authentication failures in Authentication logs.
- The firewall applies a Captive Portal session timeout that defines how long end users can take to respond to the authentication challenge in a Captive Portal web form. The web form displays when users request services or applications that match an Authentication policy rule. The session timeout is 30 seconds by default (range is 1 to 1,599,999). It must be the same as or greater than the PAN-OS web server timeout. Modify the Captive Portal Session Timeout if necessary. Keep in mind that increasing the PAN-OS web server and Captive Portal session timeouts might degrade the performance of the firewall or cause it to drop authentication requests. The Captive Portal session timeout is not related to the timers that determine how long the firewall retains IP address-to-username mappings.
- Timeouts are cumulative for authentication sequences. For example, consider the case of an authentication sequence with two authentication profiles. One authentication profile specifies a RADIUS server profile with a 3-second timeout, 3 retries, and 4 servers. The other authentication profile specifies a TACACS+ server profile with a 3-second timeout and 2 servers. The longest possible period in which the firewall can try to authenticate user accounts with that authentication sequence is 42 seconds: 36 seconds for the RADIUS server profile plus 6 seconds for the TACACS+ server profile.
- The non-configurable timeout for Kerberos servers is 17 seconds for each server specified in the Kerberos server profile.
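The arithmetic in the guidelines above (timeout x retries x servers per profile, cumulative across an authentication sequence, a fixed 17 seconds per Kerberos server, and the web server and Captive Portal timeouts that must cover them) can be checked before a change is committed. The following is an added example, not code from the PAN-OS documentation; the `ServerProfile` and `check_timeouts` helpers and the profile names are constructed for illustration.

```python
from dataclasses import dataclass

# Values stated in the guidelines; everything else here is added example code.
KERBEROS_TIMEOUT = 17                  # fixed, per Kerberos server (seconds)
WEB_SERVER_RANGE = (3, 125)            # PAN-OS web server timeout (seconds)
CAPTIVE_PORTAL_RANGE = (1, 1_599_999)  # Captive Portal session timeout (seconds)

@dataclass
class ServerProfile:
    name: str
    kind: str          # "radius", "tacacs+", "ldap" or "kerberos"
    servers: int
    timeout: int = 0   # per-attempt timeout (seconds); ignored for Kerberos
    retries: int = 1   # multiplier used by the guidelines; 1 when the profile has no retries

    def total_time(self) -> int:
        """Longest time the firewall can spend on this profile's connection attempts."""
        if self.kind == "kerberos":
            return KERBEROS_TIMEOUT * self.servers
        return self.timeout * self.retries * self.servers

def sequence_total(profiles) -> int:
    """Timeouts are cumulative across the profiles of an authentication sequence."""
    return sum(p.total_time() for p in profiles)

def check_timeouts(profiles, web_server_timeout=30, captive_portal_timeout=30):
    """Return findings that violate the guidelines; an empty list means consistent."""
    findings = []
    lo, hi = WEB_SERVER_RANGE
    if not lo <= web_server_timeout <= hi:
        findings.append(f"web server timeout {web_server_timeout}s is outside {lo}-{hi}")
    lo, hi = CAPTIVE_PORTAL_RANGE
    if not lo <= captive_portal_timeout <= hi:
        findings.append(f"Captive Portal timeout {captive_portal_timeout}s is outside {lo}-{hi}")
    if captive_portal_timeout < web_server_timeout:
        findings.append("Captive Portal session timeout must be >= web server timeout")
    for p in profiles:  # the global timeout must cover each profile on its own
        if p.total_time() > web_server_timeout:
            findings.append(f"{p.name}: {p.total_time()}s exceeds web server timeout {web_server_timeout}s")
    return findings

if __name__ == "__main__":
    # Constructed sequence matching the guidelines' own example (RADIUS + TACACS+).
    seq = [ServerProfile("radius-prof", "radius", servers=4, timeout=3, retries=3),
           ServerProfile("tacacs-prof", "tacacs+", servers=2, timeout=3)]
    print(sequence_total(seq), "seconds")  # 42
    for f in check_timeouts(seq):          # the 36 s RADIUS total exceeds the 30 s default
        print("finding:", f)
```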