How To Override Session Timeout For An Application Without Changing It Globally
Created On 01/02/23 23:46 PM - Last Modified 08/16/24 19:50 PM
Objective
- This document describes how to override the session timeout for an application without having to override the global default value
- Overriding the session timeout is based on traffic for the application matching a security rule containing a service object with modified timeout values
- For TCP, in addition to overriding the session timeout value you can also override Half Closed and Wait Time of the session as needed
Environment
- Applies to applications using TCP or UDP sessions
- PAN-OS 8.1 and above
- All Platforms
Procedure
Steps
1. Go to Objects > Services
2. Click Add and name the service
3. Select the Protocol and add Destination Port (and Source Port if necessary)
4. Modify TCP or UDP Timeout values
a. For TCP you can also modify TCP Half Closed and TCP Time Wait as needed.
Note: Default values for TCP Timeout, Half Closed and Time Wait are 3600, 120 and 15 seconds respectively
b. For UDP you can modify only the timeout value, as shown in the example
Note: Default value for UDP Timeout is 60 seconds
5. Add Service Object to Security Policy
6. Commit the changes
Note: To configure the above from the CLI, you can run the following commands
To create and override TCP service object:
set service <service object name> protocol tcp override yes timeout <timeout value>
set service <service object name> protocol tcp override yes halfclose-timeout <timeout value>
set service <service object name> protocol tcp override yes timewait-timeout <timeout value>
set service <service object name> protocol tcp port <port number>
To create and override UDP service object:
set service <service object name> protocol udp override yes timeout <timeout value>
set service <service object name> protocol udp port <port number>
To add the service object to the security policy:
set rulebase security rules <security policy name> service <service object name>
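An added example, not part of the original article or vendor code: a Python check that lists service objects whose overrides differ from the defaults noted above, together with the security rules that reference them. It assumes an exported configuration whose XML element paths mirror the set commands above; the sample config and all object and rule names are constructed.

```python
import xml.etree.ElementTree as ET

# Defaults in seconds, taken from the notes in the article.
DEFAULTS = {
    ("tcp", "timeout"): 3600,
    ("tcp", "halfclose-timeout"): 120,
    ("tcp", "timewait-timeout"): 15,
    ("udp", "timeout"): 60,
}

# Constructed sample; layout assumed to follow the set-command paths.
SAMPLE = """<config>
 <service>
  <entry name="svc-db-long"><protocol><tcp><port>1521</port><override><yes>
   <timeout>7200</timeout><halfclose-timeout>120</halfclose-timeout>
  </yes></override></tcp></protocol></entry>
  <entry name="svc-syslog"><protocol><udp><port>514</port><override><yes>
   <timeout>30</timeout></yes></override></udp></protocol></entry>
  <entry name="svc-web"><protocol><tcp><port>8080</port></tcp></protocol></entry>
 </service>
 <rulebase><security><rules>
  <entry name="allow-db"><service><member>svc-db-long</member></service></entry>
 </rules></security></rulebase>
</config>"""

def audit_overrides(xml_text):
    """Return (service, proto, setting, value, default, rules) per non-default override."""
    root = ET.fromstring(xml_text)
    used_by = {}  # service object name -> security rules that reference it
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        for member in rule.iterfind("service/member"):
            used_by.setdefault(member.text, []).append(rule.get("name"))
    findings = []
    for svc in root.iterfind(".//service/entry"):
        for proto in ("tcp", "udp"):
            for node in svc.iterfind(f"protocol/{proto}/override/yes/*"):
                default = DEFAULTS.get((proto, node.tag))
                value = int(node.text)
                if default is not None and value != default:
                    findings.append((svc.get("name"), proto, node.tag, value,
                                     default, used_by.get(svc.get("name"), [])))
    return findings

if __name__ == "__main__":
    for name, proto, setting, value, default, rules in audit_overrides(SAMPLE):
        print(f"{name}: {proto} {setting}={value}s (default {default}s) rules={rules}")
```

An override with an empty rule list has no effect on traffic until the service object is added to a security policy, as in step 5.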