Session Timeouts
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > GTP Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Device Block List
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Session Timeouts
Some session timeouts define the duration for which
PAN-OS maintains a session on the firewall after inactivity in the session.
By default, when the session timeout for the protocol expires, PAN-OS
closes the session. The Discard session timeouts define the maximum
time that a session remains open after PAN-OS denies the session
based on Security policy rules.
On the firewall, you can define a number of timeouts for TCP,
UDP, ICMP, and SCTP sessions in particular. The Default timeout
applies to any other type of session. All of these timeouts are
global, meaning they apply to all of the sessions of that type on
the firewall.
In addition to the global settings, you have the flexibility
to define timeouts for an individual application in the ObjectsApplications tab.
The timeouts available for that application appear in the Options
window. The firewall applies application timeouts to an application
that is in Established state. When configured, timeouts for an application
override the global TCP, UDP, or SCTP session timeouts.
Use the options in this section to configure global session timeout settings—specifically for TCP,
UDP, ICMP, SCTP, and for all other types of sessions.
The defaults are optimal values and the best practice is to use
the default values. However, you can modify these according to your network
needs. Setting a value too low could cause sensitivity to minor
network delays and could result in a failure to establish connections with
the firewall. Setting a value too high could delay failure detection.
Session Timeouts Settings | Description |
---|---|
Default | Maximum length of time, in seconds, that
a non-TCP/UDP, non-SCTP, or non-ICMP session can be open without
a response (range is 1 to 15,999,999; default is 30). |
Discard Default | Maximum length of time (in seconds) that
a non-TCP/UDP/SCTP session remains open after PAN-OS denies the
session based on Security policy rules configured on the firewall
(range is 1 to 15,999,999; default is 60). |
Discard TCP | Maximum length of time (in seconds) that
a TCP session remains open after PAN-OS denies the session based
on Security policy rules configured on the firewall (range is 1
to 15,999,999; default is 90). |
Discard UDP | Maximum length of time (in seconds) that
a UDP session remains open after PAN-OS denies the session based
on Security policy rules configured on the firewall (range is 1
to 15,999,999; default is 60). |
ICMP | Maximum length of time that an ICMP session
can be open without an ICMP response (range is 1 to 15,999,999;
default is 6). |
Scan | Maximum length of time, in seconds, that
a session can be inactive before the firewall clears the session
and recovers the buffer resources the session was using. The inactive
time is the length of time that has passed since the session was
last refreshed by a packet or an event. Range is 5 to 30; default
is 10. |
TCP | Maximum length of time that a TCP session
remains open without a response, after a TCP session is in the Established
state (after the handshake is complete and/or data transmission
has started); (range is 1 to 15,999,999; default is 3,600). |
TCP handshake | Maximum length of time, in seconds, between
receiving the SYN-ACK and the subsequent ACK to fully establish
the session (ranges is 1 to 60; default is 10). |
TCP init | Maximum length of time, in seconds, between
receiving the SYN and SYN-ACK before starting the TCP handshake
timer (ranges is 1 to 60; default is 5). |
TCP Half Closed | Maximum length of time, in seconds, between
receiving the first FIN and receiving the second FIN or a RST (range
is 1 to 604,800; default is 120). |
TCP Time Wait | Maximum length of time, in seconds, after
receiving the second FIN or a RST (range is 1 to 600; default is
15). |
Unverified RST | Maximum length of time, in seconds, after
receiving a RST that cannot be verified (the RST is within the TCP
window but has an unexpected sequence number, or the RST is from
an asymmetric path); (ranges is 1 to 600; default is 30). |
UDP | Maximum length of time, in seconds, that
a UDP session remains open without a UDP response (range is 1 to
1,599,999; default is 30). |
Captive Portal | The authentication session timeout in seconds
for the Captive Portal web form (default is 30, range is 1 to 1,599,999).
To access the requested content, the user must enter the authentication
credentials in this form and be successfully authenticated. The
authentication session timeout in seconds for the Captive Portal
web form (default is 30, range is 1 to 1,599,999). To access the requested
content, the user must enter the authentication credentials in this
form and be successfully authenticated. |
SCTP INIT | Maximum length of time, in seconds, from
receiving an SCTP INIT chunk that the firewall must receive the
INIT ACK chunk before the firewall stops the SCTP association initiation (range is
1 to 60; default is 5). |
SCTP COOKIE | Maximum length of time, in seconds, from
receiving an SCTP INIT ACK chunk with the state COOKIE parameter
that the firewall must receive the COOKIE ECHO chunk with the cookie
before the firewall stops the SCTP association initiation (range
is 1 to 600; default is 60). |
Discard SCTP | Maximum length of time, in seconds, that
an SCTP association remains open after PAN-OS
denies the session based on Security policy rules configured on
the firewall (range is 1 to 604,800; default is 30). |
SCTP | Maximum length of time, in seconds, that
can elapse without SCTP traffic for an association before
all sessions in the association time out (range is 1 to 604,800;
default is 3,600). |
SCTP Shutdown | Maximum length of time, in seconds, that
the firewall waits after an SCTP SHUTDOWN chunk to receive a SHUTDOWN ACK
chunk before the firewall disregards the SHUTDOWN chunk (range is
1 to 600; default is 30). |