How to override the session timeout for an application without changing the global setting

Created On 01/02/23 23:46 PM - Last Modified 01/07/25 13:23 PM


Objective


  • This article describes how to override the session timeout for a specific application without changing the global default values
  • The override takes effect for the application's traffic only when that traffic matches a security rule whose service object carries the modified timeout value
  • For TCP, in addition to the session timeout you can also override the session's half-closed and time-wait timeouts as needed


Environment


  • Applies to applications that use TCP or UDP sessions
  • PAN-OS 8.1 and later
  • All platforms


Procedure


Steps
1. Go to Objects > Services
2. Click Add and name the service
3. Select the Protocol and add the Destination Port (and the Source Port if necessary)
4. Modify the TCP or UDP Timeout values
a. For TCP you can also modify TCP Half Closed and TCP Time Wait as needed. Example:
(screenshot: service-object.PNG)
Note: the default values for TCP Timeout, Half Closed and Time Wait are 3600, 120 and 15 seconds respectively

b. For UDP you can modify only the Timeout value, as shown in the example:
(screenshot: udp.PNG)
Note: the default value for UDP Timeout is 60 seconds

5. Add the service object to the Security Policy rule
(screenshot: sec-policy-ssh.PNG)

6. Commit the changes

Note: To configure the above from the CLI you can run the following commands.
To create a TCP service object with overridden timeouts:
set service <service object name> protocol tcp override yes timeout <timeout value>
set service <service object name> protocol tcp override yes halfclose-timeout <timeout value>
set service <service object name> protocol tcp override yes timewait-timeout <timeout value>
set service <service object name> protocol tcp port <port number>

To create a UDP service object with an overridden timeout:
set service <service object name> protocol udp override yes timeout <timeout value>
set service <service object name> protocol udp port <port number>

To add the service object to the security policy rule:
set rulebase security rules <security policy name> service <service object name>
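A worked CLI session that fills in the placeholders above, added here as an example and not taken from the original article. It assumes two hypothetical service objects (`ssh-long-idle` for TCP/22 and `syslog-short` for UDP/514) and an existing hypothetical security rule named `allow-ssh-mgmt`; the timeout values are constructed for illustration, the prompt names are assumed, and the `configure` and `commit` commands are the standard PAN-OS configuration-mode entry and commit commands rather than commands quoted from this article.

```text
# Added example (not part of the original article). Hypothetical names:
#   ssh-long-idle   TCP/22 service object, idle timeout raised from 3600 to 28800 s
#   syslog-short    UDP/514 service object, timeout lowered from 60 to 30 s
#   allow-ssh-mgmt  existing security rule that the TCP service object is attached to
admin@PA-VM> configure

# TCP: override the idle timeout, and optionally the half-closed and time-wait timers
admin@PA-VM# set service ssh-long-idle protocol tcp override yes timeout 28800
admin@PA-VM# set service ssh-long-idle protocol tcp override yes halfclose-timeout 60
admin@PA-VM# set service ssh-long-idle protocol tcp override yes timewait-timeout 15
admin@PA-VM# set service ssh-long-idle protocol tcp port 22

# UDP: only the session timeout can be overridden
admin@PA-VM# set service syslog-short protocol udp override yes timeout 30
admin@PA-VM# set service syslog-short protocol udp port 514

# Attach the service object to the rule whose traffic should get the new timeout
admin@PA-VM# set rulebase security rules allow-ssh-mgmt service ssh-long-idle

admin@PA-VM# commit
```

Two things worth checking after the commit. First, the override is scoped by the rule: only traffic that matches `allow-ssh-mgmt` with `ssh-long-idle` as its service gets the 28800-second timeout, while SSH sessions matched by any other rule keep the global 3600-second default, which is exactly why this method is preferable to raising the device-wide value. Second, confirm the result on a session created after the commit rather than on one that was already open; the assumed way to do that is to list sessions (for example `show session all filter destination-port 22`) and then inspect one with `show session id <id>`, whose output is expected to show the timeout applied to that session. A long idle timeout keeps entries in the session table for longer, so keep the service object attached only to the rule that needs it.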




https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saHuCAI&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail