A session timeout defines the duration of
time for which PAN-OS maintains a session on the firewall after
inactivity in the session. By default, when the session timeout
for the protocol expires, PAN-OS closes the session. You can define
a number of timeouts for TCP, UDP, and ICMP sessions in particular.
The Default timeout applies to any other type of session. The timeouts
are global, meaning they apply to all of the sessions of that type
on the firewall.

You can also configure a global ARP cache
timeout setting, which controls how long the firewall keeps ARP
entries (IP address-to-hardware address mappings) in its cache.

In addition to the global settings, you can define timeouts for an
individual application in the tab. The firewall
applies application timeouts to an application that is in established
state. When configured, timeouts for an application override the
global TCP or UDP session timeouts.

If you change the TCP or UDP timers at the application level, these
timers for predefined applications and shared custom applications
will be implemented across all virtual systems. If you need an application’s
timers to be different for a virtual system, you must create a custom
application, assign it unique timers, and then assign the custom application
to a unique virtual system.

Perform the following task
if you need to change the default values of the global session timeout
settings for TCP, UDP, ICMP, Authentication Portal authentication,
or other types of sessions. All values are in seconds.

The defaults are optimal values. However, you can modify these according
to your network needs. Setting a value too low could cause sensitivity
to minor network delays and could result in a failure to establish
connections with the firewall. Setting a value too high could delay
failure detection.