https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7396#M891 <HTML><HEAD></HEAD><BODY><P>Yes it is 20 seconds after the second FIN.&nbsp; If a FIN is only seen from one side of the connection the TCP Session Timeout still applies.&nbsp; If you have IPS Aggressive Aging enabled the various TCP session timeouts (including the TCP end timeout) can be dynamically shortened if the gateway is under heavy load.&nbsp; Also if SecureXL is enabled, it adds 5 seconds to the TCP end timeout to allow time for notifications to propagate between the acceleration layer and F2F.</P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A class="" href="http://maxpowerfirewalls.com" rel="nofollow">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Wed, 11 Oct 2017 14:35:14 GMT Timothy_Hall 2017-10-11T14:35:14Z https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7393#M888 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I am thinking of changing time_wait value from 120 secs to 60secs at a proxy server.</P><P>I was wondering&nbsp; of the implications of this change at our checkpoint gaia firewalls.</P><P>I have not been able to see if the checkpoint gaia has any setting configured for the time_wait.</P><P>As far as I can see at sk41248, checkpoint firewalls will close the session&nbsp; 20 secs after receiving two FIN or a RST packet.</P><P>Is this correct?</P></BODY></HTML> Wed, 11 Oct 2017 09:37:09 GMT https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7393#M888 Luis_Miguel_Mig 2017-10-11T09:37:09Z https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7394#M889 <HTML><HEAD></HEAD><BODY><P><STRONG>Edit: Removed paragraph discussing increasing time_wait after misreading initial post.</STRONG></P><P></P><P>The equivalent timer on the Check Point firewall is the "TCP end timeout" in the Global Properties and I would not recommend increasing it beyond the default 20 seconds, unless you are being absolutely inundated with "TCP out of state" logs sporting FIN or RST flags.&nbsp; Even then some more investigation is necessary to figure out the root cause of those logs, and increasing the TCP end timeout should be a last resort.</P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A href="http://maxpowerfirewalls.com" target="_blank">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Wed, 11 Oct 2017 14:20:59 GMT https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7394#M889 Timothy_Hall 2017-10-11T14:20:59Z https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7395#M890 <HTML><HEAD></HEAD><BODY><P><IMG src="https://community.checkpoint.com/legacyfs/online/checkpoint/emoticons/wink.png" /> I think there was a misunderstanding there.&nbsp; The idea is to change it from 120 to 60. 120 secs is the default value on a bluecoat proxysg.&nbsp; The idea is to end up with 30 secs, but I will start changing it to 60 secs.</P><P>Ok, cool. 20 secs. But it is actually 20 secs after the second FIN, not the first one, right?</P></BODY></HTML> Wed, 11 Oct 2017 14:29:16 GMT https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7395#M890 Luis_Miguel_Mig 2017-10-11T14:29:16Z https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7396#M891 <HTML><HEAD></HEAD><BODY><P>Yes it is 20 seconds after the second FIN.&nbsp; If a FIN is only seen from one side of the connection the TCP Session Timeout still applies.&nbsp; If you have IPS Aggressive Aging enabled the various TCP session timeouts (including the TCP end timeout) can be dynamically shortened if the gateway is under heavy load.&nbsp; Also if SecureXL is enabled, it adds 5 seconds to the TCP end timeout to allow time for notifications to propagate between the acceleration layer and F2F.</P><P></P><P>--<BR /> My book "Max Power: Check Point Firewall Performance Optimization" <BR /> now available via <A class="" href="http://maxpowerfirewalls.com" rel="nofollow">http://maxpowerfirewalls.com</A>.</P></BODY></HTML> Wed, 11 Oct 2017 14:35:14 GMT https://community.checkpoint.com/t5/General-Topics/time-wait/m-p/7396#M891 Timothy_Hall 2017-10-11T14:35:14Z