In certain scenarios, an external server, service, or appliance may send a FIN or RST packet, but rather than the session closing immediately, it remains open for longer than expected.
In PAN-OS 6.0, the default timer for a session to be closed after receiving a FIN/RST packet is 30 seconds.
> show session info | match timeout
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP session timeout after FIN/RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
This timeout can be increased to a maximum of 600 seconds:
# set deviceconfig setting session timeout-tcpwait
<value> <1-600> set session tcp wait timeout (after receiving FIN/RST) value in seconds
> show session info | match FIN
TCP session timeout after FIN/RST: 150 secs
In PAN-OS 6.1 and later, a feature called 'half-closed session timeout' was introduced. It uses two separate timers: a longer one that keeps a session open while only one FIN/RST has been received, and a shorter one that closes the session quickly once both sides have sent a FIN/RST. By default, the half-closed timer (one FIN/RST received) is 120 seconds, while the TIME_WAIT timer (both sides have sent a FIN/RST) is a swift 15 seconds.
> show session info | match timeout
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
To allow for even more leniency in the scenario described above, the half-closed timer ceiling has been raised to 604800 seconds, a full 7 days, whereas the TIME_WAIT timer, which applies after a FIN/RST has been received from both sides, can still be increased up to 600 seconds or lowered to 1 second for even quicker session termination.
# set deviceconfig setting session timeout-tcp-half-closed
<value> <1-604800> set session tcp half close timeout (after receiving first FIN/RST) value in seconds
# set deviceconfig setting session timeout-tcp-time-wait
<value> <1-600> set session tcp time wait timeout (after receiving second FIN/RST) value in second
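Both timer models on this page (the single FIN/RST timer in PAN-OS 6.0 and the half-closed/TIME_WAIT pair in 6.1 and later) can be audited from the CLI output. The following Python script is an added example, not part of the original article or of any Palo Alto Networks tool: it parses `show session info | match timeout` output, identifies which timer model the firewall uses, checks the values against the ranges quoted in the CLI help above, and flags a very long half-closed timer for review, since every half-closed session keeps its session-table entry until that timer expires. The sample outputs are constructed from the listings on the page, and the 3600-second review threshold is an assumption made for the example, not a PAN-OS default.

```python
import re

# Constructed sample output, modelled on the PAN-OS 6.1+ listing on this page
# with the half-closed timer raised to its 7-day ceiling; not from a real device.
SAMPLE_61 = """\
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 604800 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
"""

# Constructed sample modelled on the PAN-OS 6.0 listing after raising timeout-tcpwait.
SAMPLE_60 = """\
Session timeout
TCP default timeout: 3600 secs
TCP session timeout after FIN/RST: 150 secs
UDP default timeout: 30 secs
"""

# Accepted ranges, taken from the CLI help text quoted on the page.
RANGES = {
    "TCP session timeout after FIN/RST": (1, 600),     # 6.0: timeout-tcpwait
    "TCP half-closed session timeout": (1, 604800),    # 6.1+: timeout-tcp-half-closed
    "TCP session timeout in TIME_WAIT": (1, 600),      # 6.1+: timeout-tcp-time-wait
}

# Review threshold for the half-closed timer. ASSUMPTION for this example, not a
# PAN-OS default: a half-closed session holds a session-table entry until the
# timer expires, so unusually large values are worth a second look.
HALF_CLOSED_REVIEW_SECS = 3600

# One 'name: N secs' line of the CLI output.
LINE_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<secs>\d+)\s+secs\s*$")


def parse_session_timeouts(text):
    """Map each 'name: N secs' line of the CLI output to an integer number of seconds."""
    timeouts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            timeouts[m.group("name").strip()] = int(m.group("secs"))
    return timeouts


def timer_model(timeouts):
    """'single' for the PAN-OS 6.0 one-timer model, 'half-closed' for 6.1 and later."""
    if "TCP half-closed session timeout" in timeouts:
        return "half-closed"
    if "TCP session timeout after FIN/RST" in timeouts:
        return "single"
    return "unknown"


def audit_fin_rst_timers(timeouts):
    """Return (timer, value, message) findings for the FIN/RST-related timers."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        if name in timeouts and not lo <= timeouts[name] <= hi:
            findings.append((name, timeouts[name],
                             f"outside the configurable range {lo}-{hi} secs"))
    half = timeouts.get("TCP half-closed session timeout")
    wait = timeouts.get("TCP session timeout in TIME_WAIT")
    if half is not None and half > HALF_CLOSED_REVIEW_SECS:
        findings.append(("TCP half-closed session timeout", half,
                         f"above review threshold of {HALF_CLOSED_REVIEW_SECS} secs; "
                         "half-closed sessions occupy the session table this long"))
    if half is not None and wait is not None and wait > half:
        findings.append(("TCP session timeout in TIME_WAIT", wait,
                         "larger than the half-closed timer, which defeats the quicker "
                         "closure the two-timer model is meant to provide"))
    return findings


if __name__ == "__main__":
    for label, sample in (("PAN-OS 6.0", SAMPLE_60), ("PAN-OS 6.1+", SAMPLE_61)):
        t = parse_session_timeouts(sample)
        print(f"{label}: timer model = {timer_model(t)}")
        for name, value, msg in audit_fin_rst_timers(t):
            print(f"  {name} = {value} secs: {msg}")
```

To run it against a real firewall, paste the output of `show session info | match timeout` into a file and pass its contents to `parse_session_timeouts`; the range checks come straight from the CLI help on this page, while the review threshold should be set to whatever your session-table capacity planning allows.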