Configure VPN Session Settings

Modify the default VPN session settings for your firewall.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
VPN session settings are global settings that govern how the firewall establishes an IKEv2 VPN session; in particular, they bound the number of half-open IKE SAs the firewall will hold while acting as a responder. You can configure some or all of them as needed.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Device Setup > Session and select the Configuration Scope where you want to configure the VPN session settings.
    You can select a folder or firewall from your Folders or select Snippets to configure the VPN session settings in a snippet.
  3. Click the cog wheel to edit the VPN Session Settings and Customize.
    If you modified the VPN Session Settings for a nested folder or an individual device, you can Revert to Inherited to discard the Customized configuration and return to the settings inherited from the nested folder's parent folder, or from the folder the firewall is associated with.
  4. Set the Cookie Activation Threshold to specify a maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered.
    When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the firewall (as Responder) stops allocating state for new IKE_SA_INIT requests and instead replies with a COOKIE notification; the Initiator must resend its IKE_SA_INIT carrying that cookie. If the cookie validates, the SA negotiation proceeds. Because a spoofed source address never sees the cookie, a flood of forged IKE_SA_INIT packets can no longer exhaust the half-open SA table.
    Range is 0 to 65535; default is 500. A value of 0 means that cookie validation is always on.
    The Cookie Activation Threshold is a global firewall setting and must be lower than the Maximum Half Opened SA setting, which is also global: the threshold decides when the firewall starts demanding cookies, the maximum decides when it stops responding at all.
  5. Set the Maximum Half Opened SA to specify the maximum number of IKEv2 half-open IKE SAs (IKE_SA_INIT answered, IKE_AUTH not yet received) that Initiators can leave outstanding on the firewall.
    Once the maximum is reached, the firewall won't respond to new IKE_SA_INIT packets, including those from legitimate peers, until existing half-open SAs complete or time out. Keep this value above the expected peak of concurrent IKE negotiations.
    Range is 0 to 65535; default is 65535.
  6. Set the Maximum Cached Certificates to specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the firewall can cache.
    This value is used only by the IKEv2 Hash and URL feature.
    Range is 0 to 4000; default is 500.
  7. Save.
  8. (Optional) Configure the remaining firewall session settings.
  9. Push Config to push your configuration changes.
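To make the two half-open SA limits concrete, the following Python model plays the responder side of the IKE_SA_INIT exchange as the steps above describe it: below the Cookie Activation Threshold every request gets state, above it the responder answers with a COOKIE challenge and allocates nothing, and at the Maximum Half Opened SA it goes silent. This is an added illustration written for this page, not Palo Alto Networks code or the firewall's implementation. The cookie construction follows RFC 7296 section 2.6; the class and field names, the small limits used in the scenario and the sample addresses are assumptions constructed for the example.

```python
"""Model of how an IKEv2 responder applies the Cookie Activation Threshold and
Maximum Half Opened SA settings. Added illustration, not vendor code; names
and packet layout are assumptions. Cookie format per RFC 7296 section 2.6:
    Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IkeSaInit:
    """Minimal IKE_SA_INIT request (assumed layout): initiator SPI, nonce Ni,
    source IP, and an optional N(COOKIE) payload."""
    spi_i: bytes
    nonce_i: bytes
    src_ip: str
    cookie: Optional[bytes] = None


class Responder:
    """Tracks half-open IKE SAs (IKE_SA_INIT answered, IKE_AUTH not yet
    received) and applies the two global limits."""

    def __init__(self, cookie_activation_threshold: int = 500,
                 maximum_half_opened_sa: int = 65535) -> None:
        for v in (cookie_activation_threshold, maximum_half_opened_sa):
            if not 0 <= v <= 65535:
                raise ValueError("both settings are in the range 0 to 65535")
        if cookie_activation_threshold >= maximum_half_opened_sa:
            raise ValueError("Cookie Activation Threshold must be lower than "
                             "Maximum Half Opened SA")
        self.threshold = cookie_activation_threshold
        self.max_half_open = maximum_half_opened_sa
        self.secret = os.urandom(32)      # a real responder rotates this periodically
        self.secret_version = 1
        self.half_open: Dict[bytes, IkeSaInit] = {}

    def _cookie(self, req: IkeSaInit) -> bytes:
        """Stateless cookie: nothing is stored per request, so a spoofed flood
        costs the responder one HMAC and no memory."""
        mac = hmac.new(self.secret, req.nonce_i + req.src_ip.encode() + req.spi_i,
                       hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac

    def cookie_required(self) -> bool:
        # 0 means cookie validation is always on; otherwise it starts once the
        # half-open count exceeds the threshold.
        return self.threshold == 0 or len(self.half_open) > self.threshold

    def respond(self, req: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Return (action, cookie). DROP: at Maximum Half Opened SA, no reply.
        COOKIE: N(COOKIE) challenge sent, no state allocated.
        SA_INIT_RESPONSE: half-open SA created, waiting for IKE_AUTH."""
        if len(self.half_open) >= self.max_half_open:
            return ("DROP", None)
        if self.cookie_required():
            expected = self._cookie(req)
            if req.cookie is None or not hmac.compare_digest(req.cookie, expected):
                return ("COOKIE", expected)
        self.half_open[req.spi_i] = req
        return ("SA_INIT_RESPONSE", None)

    def complete(self, spi_i: bytes) -> None:
        """IKE_AUTH finished (or the half-open SA timed out)."""
        self.half_open.pop(spi_i, None)


def flood_scenario() -> dict:
    """Constructed scenario with small limits so the transitions are visible:
    spoofed initiators never answer a cookie challenge, a legitimate one does."""
    r = Responder(cookie_activation_threshold=2, maximum_half_opened_sa=4)
    spoofed = [r.respond(IkeSaInit(bytes([i]) * 8, os.urandom(32), f"203.0.113.{i}"))[0]
               for i in range(1, 7)]
    legit = IkeSaInit(b"\xaa" * 8, os.urandom(32), "198.51.100.7")
    first, cookie = r.respond(legit)          # challenged, no state allocated yet
    # A cookie issued to one peer must not be accepted from another source/SPI.
    forged = r.respond(IkeSaInit(b"\xbb" * 8, os.urandom(32), "198.51.100.8", cookie))[0]
    retry = r.respond(IkeSaInit(legit.spi_i, legit.nonce_i, legit.src_ip, cookie))[0]
    # Table is now full: even a well-formed request gets no answer.
    overflow = r.respond(IkeSaInit(b"\xcc" * 8, os.urandom(32), "198.51.100.9"))[0]
    r.complete(legit.spi_i)                   # IKE_AUTH done, slot released
    return {"spoofed": spoofed, "first": first, "forged": forged, "retry": retry,
            "overflow": overflow, "half_open_after": len(r.half_open)}


if __name__ == "__main__":
    print(flood_scenario())
```

Running the scenario shows why the threshold must sit below the maximum: the three spoofed requests that arrive before the threshold is crossed occupy slots until they time out, every later spoofed request is answered with a cookie and costs no state, the legitimate peer gets through on its cookie retry, and only when the Maximum Half Opened SA is reached does the responder stop answering anyone.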