Maintain Custom Timeouts for Data Center Applications
Easily maintain custom timeouts for applications as you move from a port-based policy to an application-based policy. Use this method to maintain custom timeouts instead of overriding App-ID (losing application visibility) or creating a custom App-ID (expending time and research).
To get started, configure custom timeout settings as part of a service object:
Then add the service object to a policy rule to apply the custom timeouts to the application(s) the rule enforces. The following steps describe how to apply custom timeouts to applications; to apply custom timeouts to user groups, follow the same steps but add the service object to the security policy rule that enforces the users to whom you want the timeout to apply.
- Select Objects > Services to add or modify a service object. You can also create service objects as you define match criteria for a security policy rule: select Policies > Security > Service/URL Category and Add a new Service object to apply to the application traffic the rule governs.
- Select the protocol for the service to use (TCP or UDP).
- Enter the destination port number or a range of port numbers used by the service.
- Define the session timeout for the service.
- Inherit from application (default)—No service-based timeouts are applied; instead, apply the application timeout.
- Override—Define a custom session timeout for the service.
- If you chose to override the application timeout and define a custom session timeout, continue to:
- Enter a TCP Timeout value to set the maximum length of time in seconds that a TCP session can remain open after data transmission has started. When this time expires, the session closes. The value range is 1 - 604800, and the default value is 3600 seconds.
- Enter a TCP Half Closed value to set the maximum length of time in seconds that a session remains in the session table between receiving the first FIN packet and receiving the second FIN packet or an RST packet. If the timer expires, the session closes. The value range is 1 - 604800, and the default value is 120 seconds.
- Enter a TCP Wait Time value to set the maximum length of time in seconds that a session remains in the session table after receiving the second FIN packet or an RST packet. When the timer expires, the session closes. The value range is 1 - 600, and the default value is 15 seconds.
- Click OK to save the service object.
- Select Policies > Security and Add or modify a policy rule to govern the application traffic you want to control.
- Select Service/URL Category and Add the service object you just created to the security policy rule.
- Click OK and Commit your changes.
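The same service object can be built outside the web interface, for example when scripting the port-to-application migration. The following is an added example, not from the original page or from Palo Alto Networks: it enforces the timeout ranges and defaults quoted above and emits the XML fragment for a TCP service object with overridden timeouts. The element names (`override`, `yes`, `timeout`, `halfclose-timeout`, `timewait-timeout`) are assumed from the PAN-OS configuration schema and should be checked against your PAN-OS version before pushing them through the XML API.

```python
# Added example (not PAN-OS product code): build a TCP service object that
# overrides the application timeout, validating values against the ranges
# the page documents. Element names are an assumption about the PAN-OS schema.
import xml.etree.ElementTree as ET

# (minimum, maximum, default) in seconds, as documented for each timer
LIMITS = {
    "timeout": (1, 604800, 3600),           # TCP Timeout
    "halfclose-timeout": (1, 604800, 120),  # TCP Half Closed
    "timewait-timeout": (1, 600, 15),       # TCP Wait Time
}


def check_timeout(field, value):
    """Return the value to configure for one timer, or its default if None."""
    lo, hi, default = LIMITS[field]
    if value is None:
        return default
    if not lo <= value <= hi:
        raise ValueError(f"{field}={value} is outside the allowed range {lo}-{hi}")
    return value


def build_tcp_service(name, port, timeout=None, halfclose=None, timewait=None):
    """Return the <entry> XML for a TCP service object with custom timeouts.

    port is the destination port or range string exactly as entered in the
    GUI (e.g. "1521" or "8000-8010").
    """
    entry = ET.Element("entry", name=name)
    tcp = ET.SubElement(ET.SubElement(entry, "protocol"), "tcp")
    ET.SubElement(tcp, "port").text = port
    # Override = yes carries the three timers; omitting it inherits from the App-ID
    yes = ET.SubElement(ET.SubElement(tcp, "override"), "yes")
    for field, value in (("timeout", timeout),
                         ("halfclose-timeout", halfclose),
                         ("timewait-timeout", timewait)):
        ET.SubElement(yes, field).text = str(check_timeout(field, value))
    return ET.tostring(entry, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: a long-lived database listener kept open for a day
    print(build_tcp_service("db-listener-1521", "1521", timeout=86400))
```

Only the TCP timers the page describes are handled; a UDP service object carries a different timer set and is out of scope here.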