Session Settings
End-of-Life (EoL)
The following table describes session settings.
Session Settings | Description |
---|---|
Rematch Sessions | Click Edit and select Rematch Sessions to cause the firewall to apply newly configured security policies to sessions that are already in progress. This capability is enabled by default. If this setting is disabled, any policy change applies only to sessions initiated after the policy change was committed. For example, if a Telnet session started while an associated policy was configured that allowed Telnet, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the current session and blocks it. Enable Rematch Sessions to apply your latest Security policy to currently active sessions. |
ICMPv6 Token Bucket Size | Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10–65,535 packets; default 100). |
ICMPv6 Error Packet Rate | Enter the average number of ICMPv6 error packets per second allowed globally through the firewall (range is 10–65,535 packets/second; default is 100 packets/second). This value applies to all interfaces. If the firewall reaches the ICMPv6 error packet rate, the ICMPv6 token bucket is used to enable throttling of ICMPv6 error messages. |
Enable IPv6 Firewalling | To enable firewall capabilities for IPv6, click Edit and select IPv6 Firewalling. All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling option must also be enabled for IPv6 to function. |
Enable Jumbo Frame Global MTU | Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9192 bytes and are available on certain models. If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value. To configure the MTU for the interface (Network > Interfaces > Ethernet), see PA-7000 Series Layer 3 Interface. |
NAT64 IPv6 Minimum Network MTU | Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic. Range is 1,280-9,216. |
NAT Oversubscription Rate | Select the DIPP NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. Reducing the oversubscription rate will decrease the number of source device translations, but will provide higher NAT rule capacities. |
ICMP Unreachable Packet Rate (per sec) | Define the maximum number of ICMP Unreachable responses that the firewall can send per second. This limit is shared by IPv4 and IPv6 packets. Default value is 200 messages per second (range is 1–65,535). |
Accelerated Aging | Enables accelerated aging-out of idle sessions. Select this option to enable accelerated aging and specify the threshold (%) and scaling factor. When the session table reaches the Accelerated Aging Threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions. The default scaling factor is 2, meaning that accelerated aging occurs at a rate twice as fast as the configured idle time. The configured idle time divided by 2 results in a faster timeout of one-half the time. To calculate the session’s accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout. For example, if the scaling factor is 10, a session that would normally time out after 3600 seconds would time out 10 times faster (in 1/10 of the time), which is 360 seconds. Enable an accelerated aging threshold and set an acceptable scaling factor to free up session table space faster when the session table begins to fill up. |
Packet Buffer Protection | As a best practice, enable packet buffer protection globally and on each zone to protect the firewall buffers from DoS attacks and aggressive sessions and sources. This option protects the receive buffers on the firewall from attacks or abusive traffic that causes system resources to back up and legitimate traffic to be dropped. Packet buffer protection identifies offending sessions, uses Random Early Detection (RED) as a first line of defense, and discards the session or blocks the offending IP address if abuse continues. If the firewall detects many small sessions or rapid session creation (or both) from a particular IP address, it blocks that IP address. Take baseline measurements of firewall packet buffer utilization to understand the firewall capacity and ensure that the firewall is properly sized so that only an attack causes a large spike in buffer usage. Network Address Translation can increase packet buffer utilization. If this affects the buffer utilization, reduce the Block Hold Time to block individual sessions faster and reduce the Block Duration so other sessions from the underlying IP address aren’t unduly penalized. |
Multicast Route Setup Buffering | Select this option (disabled by default) to enable multicast route setup buffering, which allows the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. |
Multicast Route Setup Buffer Size | If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the buffer size per flow (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets. |
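
The ICMPv6 Token Bucket Size and ICMPv6 Error Packet Rate rows above work together: the rate caps sustained ICMPv6 error output and the bucket size caps a burst. The following added example is a generic token bucket model, not PAN-OS code, run on constructed traffic; it assumes a bucket that starts full and refills continuously, and the class and function names are hypothetical.

```python
"""Generic token bucket model (added example, not PAN-OS code)."""

RANGE = range(10, 65536)  # documented range for both ICMPv6 settings


class TokenBucket:
    def __init__(self, rate_pps=100, bucket_size=100):
        # Defaults mirror the documented defaults for the two settings.
        if rate_pps not in RANGE or bucket_size not in RANGE:
            raise ValueError("value outside documented range 10-65535")
        self.rate = rate_pps
        self.cap = bucket_size * 1000   # capacity in milli-tokens
        self.level = self.cap           # assumption: bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        """Return True if one ICMPv6 error message may be sent at now_ms."""
        # rate tokens/second equals rate milli-tokens/millisecond, so
        # integer arithmetic keeps the model exact (no float drift).
        refill = (now_ms - self.last_ms) * self.rate
        self.level = min(self.cap, self.level + refill)
        self.last_ms = now_ms
        if self.level >= 1000:
            self.level -= 1000
            return True
        return False


def burst_then_flood(rate_pps, bucket_size):
    """Constructed traffic: 500 error-triggering packets at t=0, then one
    per millisecond (1,000/s) for one second.
    Returns (sent_in_burst, sent_in_flood)."""
    tb = TokenBucket(rate_pps, bucket_size)
    burst = sum(tb.allow(0) for _ in range(500))
    flood = sum(tb.allow(ms) for ms in range(1, 1001))
    return burst, flood


if __name__ == "__main__":
    # Same rate, three bucket sizes: only the burst allowance changes.
    for size in (10, 100, 1000):
        print(size, burst_then_flood(100, size))
```

In this model a larger bucket admits a larger initial burst and lets leftover tokens carry into the following second, but once the bucket is drained the output settles at the configured rate.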