How to reduce the number of Concurrent Decryption Sessions on the Firewall

Created On 02/06/23 10:15 AM - Last Modified 08/23/24 08:07 AM


Objective


  • To Check the maximum capacity of the Firewall in the number of Concurrent Decryption Sessions.
  • To Check the current number of configured Concurrent Decryption Sessions on the Firewall.
  • To Shorten timeout settings to reduce the Concurrent Decryption Sessions of a Firewall.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS.
  • Maximum concurrent decryption sessions


Procedure



Attention Strata Cloud Manager Users: If you've been redirected to this knowledge article, skip ahead and start with Step 3.
 
  1. Check the maximum capacity of Concurrent Decryption Sessions for your Firewall
    1. For a VM-Flex Firewall running a version lower than 10.2.x, refer to Maximum Limits Based on Tier and Memory. For versions 10.2.x and higher, refer to Maximum Limits Based on Tier and Memory. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
      > show system info
  2. Check the current number of Concurrent Decryption Sessions using Number of SSL Decrypted Sessions from SNMP OIDs and CLI Command
  3. Adjust the timeout settings to control the number of concurrent SSL sessions the Firewall maintains. Below are the different procedures you can use. Note that the items below give you control from broad to specific timeout settings.
    1. Tune accelerated aging settings from GUI: Device > Setup > Session
      1. Accelerated Aging
      2. Accelerated Aging Threshold
      3. Accelerated Aging Scaling Factor
    2. Go to Objects > Applications, search for SSL, and adjust the Timeout Settings highlighted below to a lower value.
      [Screenshot: Objects > Applications > ssl, Timeout Settings]
    3. Use Tips & Tricks: How to Create an Application Override. Under Step 3, adjust the Timeout settings accordingly; you can use the Options in the above screenshot as a baseline for where to start your Timeout values.
  4. If the number of concurrent decrypted sessions cannot be reduced below the capacity limit after following the above recommendations:
    1. For a hardware FW, consider upgrading your FW to a higher capacity platform.
    2. For a VM-Flex FW, if it is running a version lower than 10.2.0, consider upgrading to a version greater than 10.2.0 to take advantage of the increased configuration capacity offered by the Memory Scaling of the VM-Series Firewall feature. Also consider increasing the FW memory/RAM to increase the capacity of your VM-Flex FW.
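The following is an added example (not part of this article and not Palo Alto Networks code) that models the effect of Steps 1 and 3: it reads the "vm-cap-tier:" memory profile from a constructed `show system info` excerpt, applies the accelerated-aging rule (assumed here: idle timeouts are divided by the scaling factor once session utilization passes the threshold), and uses Little's law to estimate how shortening the SSL idle timeout changes the concurrent session count. The session rate, durations and capacity are constructed placeholders; confirm real counts with the SNMP OID or CLI command from Step 2.

```python
"""Model of how SSL timeout tuning and accelerated aging change the
number of concurrent decrypted sessions a firewall holds.
Added example; the aging rule and Little's-law estimate are modelling
assumptions, not firewall internals."""
import re
from typing import Optional

# Constructed excerpt of `> show system info` (Step 1); the tier value
# is a placeholder, read it from your own firewall.
SAMPLE_SYSTEM_INFO = """\
hostname: vm-fw-01
model: PA-VM
sw-version: 10.2.4
vm-cap-tier: 6.5GB
vm-mode: VMware ESXi
"""


def parse_vm_cap_tier(system_info: str) -> Optional[str]:
    """Return the vm-cap-tier (memory profile) that sets the capacity."""
    m = re.search(r"^vm-cap-tier:\s*(\S+)", system_info, re.MULTILINE)
    return m.group(1) if m else None


def effective_idle_timeout(configured_s: float, utilization: float,
                           threshold: float = 0.80, scaling: float = 2) -> float:
    """Idle timeout after accelerated aging (Step 3.1 settings).
    Assumption: above the threshold, the timeout shrinks by the scaling factor."""
    if utilization > threshold:
        return configured_s / scaling
    return float(configured_s)


def estimated_concurrent(new_sessions_per_s: float, active_s: float,
                         idle_timeout_s: float) -> float:
    """Little's law: concurrent = arrival rate x mean session lifetime,
    where lifetime = time actively transferring + idle time until timeout."""
    return new_sessions_per_s * (active_s + idle_timeout_s)


if __name__ == "__main__":
    capacity = 20000            # constructed placeholder for the tier's limit
    rate, active = 200.0, 5.0   # constructed: new SSL sessions/s, active seconds
    print("memory profile:", parse_vm_cap_tier(SAMPLE_SYSTEM_INFO))
    for idle in (90, 30):       # configured SSL idle timeout before/after tuning
        for util in (0.50, 0.85):
            eff = effective_idle_timeout(idle, util)
            est = estimated_concurrent(rate, active, eff)
            print(f"idle={idle}s util={util:.0%} -> effective {eff:.0f}s, "
                  f"~{est:.0f} concurrent, headroom {capacity - est:.0f}")
```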


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGpNCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail