TCP start timeout per gateway / service - override global properties

Hello community,

There are various timeouts set for the firewall state machine in the Global Properties of the management domain.

TCP start
TCP session
TCP end
UDP virtual session
ICMP virtual session
Other IP virtual session
SCTP start
SCTP session
SCTP end

I know that we can override the session timeouts for TCP, UDP, ICMP, other IP and SCTP by modifying the advanced properties of the service object used in the relevant firewall rule.

I have a specific use case where I want to override the TCP start timeout without changing it for all gateways in this management domain. An override per gateway would be nice; an override per service object even better.

As far as I know, this is not possible. Am I right with that? Does anyone know a way to do so?

R80.30 T200 Jumbo HFA T50

Thank you for your thoughts!

0 Kudos
5 Replies
Admin

Re: TCP start timeout per gateway / service - override global properties

Pretty sure you're correct; this is a per-SMS/CMA setting.
0 Kudos

Re: TCP start timeout per gateway / service - override global properties

Actually, it is possible to locally override the TCP start and end timeouts on the gateway with the following kernel variables:

tcp_local_start_timeout

tcp_local_end_timeout

These are mentioned here:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

There is very little documentation for these variables outside of the fact that they exist. The default value of both variables is 0, which I assume means that these values are inherited from the corresponding Stateful Inspection settings that are part of the SMS/Domain/CMA. I would also assume that setting these to a nonzero value overrides that, and that the units to use with these variables are seconds. I suppose it could be milliseconds though, so I would strongly advise getting this clarified with TAC or trying it in a lab first before tampering with these variables on a production firewall. If the units do happen to be milliseconds, setting these variables to 1 would probably cause a major outage.

There does not seem to be a way to locally override the start and end timeout variables for individual service objects that I can see.


"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: TCP start timeout per gateway / service - override global properties

Thank you, Tim!

I will ask TAC referring to this sk and share the answer here later.

0 Kudos

Re: TCP start timeout per gateway / service - override global properties

I got the confirmation from TAC.

Quote:

These values are in seconds and you need to change it for all the gateways individually.
Note: Please change the values in lean hours.

Re: TCP start timeout per gateway / service - override global properties

Maybe you guys know it, but TAC didn't tell us, and sk33285 (and sk26202) also don't drop a hint, so I want to share this:

Changing this kernel parameter requires an access policy install on this gateway to take effect.

0 Kudos
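The pieces scattered across the thread (the two kernel variables from Tim's reply, TAC's confirmation that the unit is seconds, and the final note that a policy install is needed) fit together into one per-gateway procedure. The script below is an added example, not code from the thread or from Check Point: it validates the value as a sane number of seconds before touching anything, applies it at runtime with `fw ctl set int`, and persists it in `fwkern.conf` so it survives a reboot. It assumes a Gaia gateway shell where `fw ctl set int` / `fw ctl get int` are available and where `$FWDIR/boot/modules/fwkern.conf` is the persistence file; the default `FWKERN_CONF` path and the 86400-second upper bound are assumptions chosen for this example, and `DRY_RUN=1` (the default) only prints the `fw ctl` commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point).
# Stage a per-gateway override of the TCP start/end timeout kernel variables
# mentioned in the thread: tcp_local_start_timeout / tcp_local_end_timeout.
# Assumes: `fw ctl set int` / `fw ctl get int` exist (Check Point gateway shell)
# and kernel parameters persist across reboot via $FWDIR/boot/modules/fwkern.conf.
# DRY_RUN=1 (default) prints the fw ctl commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
# Assumed default for this example; on a real gateway point this at
# "$FWDIR/boot/modules/fwkern.conf".
FWKERN_CONF="${FWKERN_CONF:-/tmp/fwkern.conf.example}"

# valid_timeout SECONDS: accept only a positive integer of at most one day.
# TAC confirmed the unit is seconds. 0 is rejected on purpose: it means
# "inherit from the SMS Global Properties", i.e. no override at all.
valid_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 86400 ]
}

# run_cmd CMD...: execute the command, or print it when dry-running.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# persist_kernel_var VAR VALUE: replace an existing "VAR=VALUE" line in
# fwkern.conf or append one, so the override survives a reboot.
persist_kernel_var() {
    var="$1"; value="$2"
    touch "$FWKERN_CONF"
    if grep -q "^${var}=" "$FWKERN_CONF"; then
        # sed -i differs between GNU and BSD; a temp file is portable.
        sed "s/^${var}=.*/${var}=${value}/" "$FWKERN_CONF" > "$FWKERN_CONF.tmp" \
            && mv "$FWKERN_CONF.tmp" "$FWKERN_CONF"
    else
        printf '%s=%s\n' "$var" "$value" >> "$FWKERN_CONF"
    fi
}

# set_tcp_timeout start|end SECONDS: runtime override plus persistence.
set_tcp_timeout() {
    case "$1" in
        start) var=tcp_local_start_timeout ;;
        end)   var=tcp_local_end_timeout ;;
        *) echo "usage: set_tcp_timeout start|end SECONDS" >&2; return 2 ;;
    esac
    valid_timeout "$2" || {
        echo "refusing '$2': need an integer number of seconds (1..86400)" >&2
        return 1
    }
    run_cmd fw ctl set int "$var" "$2" || return 1
    persist_kernel_var "$var" "$2"
    # Per the last reply in the thread, the new value only takes effect after
    # an access policy install on this gateway.
    echo "note: install the access policy on this gateway so $var=$2 takes effect" >&2
}

# show_tcp_timeouts: current runtime values (0 = inherited from Global Properties).
show_tcp_timeouts() {
    run_cmd fw ctl get int tcp_local_start_timeout
    run_cmd fw ctl get int tcp_local_end_timeout
}

# Example usage (dry run): stage a 60 s start timeout on this gateway only.
show_tcp_timeouts
set_tcp_timeout start 60
```

Run it first with the default `DRY_RUN=1` to see exactly which `fw ctl` commands and which `fwkern.conf` line would be written; only switch to `DRY_RUN=0` on the gateway itself, during the quiet hours TAC recommends, and follow it with a policy install. Because the override is per gateway, the script has to be run on each gateway that needs it, which matches TAC's answer that there is no central knob for this.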