VPN Session Settings
Select Session, and in VPN Session Settings, configure global settings related to the firewall establishing a VPN session. The following table describes the settings.
Cookie Activation Threshold
Specify a maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered. When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.
A value of 0 means that cookie validation is always on.
The Cookie Activation Threshold is a global firewall setting (range is 0 to 65535; default is 500). It should be lower than the Maximum Half Opened SA setting, which is also global.
Maximum Half Opened SA
Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the firewall without getting a response. Once the maximum is reached, the firewall will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535).
Maximum Cached Certificates
Specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the firewall can cache. This value is used only by the IKEv2 Hash and URL feature (range is 1 to 4000; default is 500).
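The interaction between Cookie Activation Threshold and Maximum Half Opened SA, modelled as an added Python example (not PAN-OS code and not taken from this documentation). The Responder class, its method names, the HMAC-SHA256 cookie construction, the small limits used in demo() and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class Responder:
    """Toy IKEv2 responder; models only the two session limits described above."""
    def __init__(self, cookie_threshold=500, max_half_open=65535):  # page defaults
        if not 0 <= cookie_threshold <= 65535 or not 1 <= max_half_open <= 65535:
            raise ValueError("setting outside the documented range")
        if cookie_threshold >= max_half_open:
            raise ValueError("Cookie Activation Threshold should be lower than Maximum Half Opened SA")
        self.cookie_threshold = cookie_threshold
        self.max_half_open = max_half_open
        self.secret = os.urandom(32)   # responder-local secret (assumption: no rotation)
        self.half_open = set()         # (ip, SPIi) of SAs still waiting for IKE_AUTH

    def _cookie(self, ip, spi_i, nonce_i):
        # Stateless cookie bound to Ni, IPi and SPIi; HMAC-SHA256 is this example's choice.
        return hmac.new(self.secret, nonce_i + ip.encode() + spi_i, hashlib.sha256).digest()

    def on_ike_sa_init(self, ip, spi_i, nonce_i, cookie=None):
        n = len(self.half_open)
        if n >= self.max_half_open:
            return "no-response", None           # limit reached: new IKE_SA_INIT ignored
        # 0 means always on; otherwise cookies start once the count exceeds the threshold.
        if self.cookie_threshold == 0 or n > self.cookie_threshold:
            expected = self._cookie(ip, spi_i, nonce_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "cookie-required", expected   # no per-initiator state is stored
        self.half_open.add((ip, spi_i))
        return "sa-init-response", None

    def on_ike_auth(self, ip, spi_i):
        self.half_open.discard((ip, spi_i))      # SA completed, no longer half-open

def demo():
    r = Responder(cookie_threshold=3, max_half_open=6)   # constructed small limits
    # Constructed traffic: eight sources that send IKE_SA_INIT and never follow up.
    log = [r.on_ike_sa_init(f"198.51.100.{i}", bytes([i]) * 8, b"n" * 16)[0] for i in range(8)]
    # A reachable initiator repeats its IKE_SA_INIT with the cookie and is admitted.
    ip, spi, ni = "203.0.113.7", b"\xaa" * 8, b"N" * 16
    first, cookie = r.on_ike_sa_init(ip, spi, ni)
    retry, _ = r.on_ike_sa_init(ip, spi, ni, cookie=cookie)
    return log, first, retry, len(r.half_open)

if __name__ == "__main__":
    print(demo())
```

In the demo the half-open count stops growing once cookies are required, because sources that never return the cookie consume no state; only the initiator that echoes it adds a fifth entry.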