Change to Global Properties – Session Timeout Sett...

RemoteUser · ‎2025-05-13

Hi all,

I need to make a change in the Global Properties, based on a guide that suggests updating the following values under the Session Timeout section:

Change the TCP session timeout from 3600 seconds to 60 seconds
Change the TCP session end timeout from 20 seconds to 5 seconds

There are about 20 other gateways managed by this CMA.
My question is: Is there a way to apply these changes only to the specific gateway concerned? If so, how?

If not, should I be concerned about applying these changes globally? Could they have a negative impact on the other gateways?

Thanks a lot!

the_rock · ‎2025-05-13

I would be careful, as Im fairly sure there is no way to apply these things to specific gateways. Below is explanation in case you need it.

Andy

Default Session Time-outs

TCP start timeout - A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
TCP session timeout is the length of time an idle connection will remain in the Security Gateway connections table.
TCP end timeout - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet.
When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
UDP Virtual Session Timeout - Specifies the amount of time a UDP reply channel may remain open without any packets being returned.
ICMP Virtual Session Timeout - An ICMP virtual session will be considered to have timed out after this time period.
Other IP protocols virtual session timeout - A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period.
SCTP start timeout - SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value.
SCTP session timeout - Time an idle connection will remain in the Security Gateway connections table.
SCTP end timeout - SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.

RemoteUser · ‎2025-05-13

Hi Andy,
Thank you for the response.

Isn't there some kind of workaround then?

the_rock · ‎2025-05-13

Not that Im aware off. You can only add specific gateways at the bottom for out of state drops exceptions.

Why do you need this to begin with? Whats the issue? I always ask this question regardless of the problem, because I personally believe understanding the reason for anything is the first step.

Andy

the_rock · ‎2025-05-13

Actually, I apologize, I believe I was wrong, my bad, Appears can be done via mgmt cli.

Andy

mgmt_cli set gateway name <gateway_name> session-timeout <timeout_value> --user <username> --password <password>

the_rock · ‎2025-05-13

@RemoteUser Nm, disregard that, just tried it in my lab, does not recognize the paramater, so not sure if it is doable, but will keep trying.

Andy

[Expert@CP-MANAGEMENT:0]# mgmt_cli set simple-gateway name CP-GW session-timeout 4000
Username: admin
Password:
code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [session-timeout]"

Executed command failed. Changes are discarded.

RemoteUser · ‎2025-05-13

also because management in this case is S1C...

the_rock · ‎2025-05-13

That would be least of your worries. honestly. If there is mgmt cli command to do this, you could just open TAC case, provide service identifier and someone can log into backend and do it for you.

Andy

PhoneBoy · ‎2025-05-13

The closest thing to what you tried to do is here: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-simple-gateway~v2%20
As these are global properties (applies to all gateways managed in the same domain), there is no way to set a per-gateway basis that I'm aware of.

And yeah, setting the session timeout from 3600 (one hour) to 60 (one minute) might cause some performance issues related to sync as well as some issues with applications that can't handle such a short timeout.
What is the specific reason for setting this so short?

RemoteUser · ‎2025-05-13

Hi PhoneBoy.
Thank you...
because we have configured a gw in monitor mode and the guide requires that we have these parameters...

Configure the required Global Properties for the Security Gateway in SmartConsole

Step

Instructions

1

Connect with SmartConsole to the Security Management Server or Target Domain Management Server that manages this Security Gateway.

2

In the top left corner, click Menu > Global properties.

3

From the left tree, click the Stateful Inspection pane and configure:

In the Default Session Timeouts section:
1. Change the value of the TCP session timeout from the default 3600 to 60 seconds.
2. Change the value of the TCP end timeout from the default 20 to 5 seconds.
In the Out of state packets section, you must clear all the boxes.

Otherwise, the Security Gateway drops the traffic as out of state (because the traffic does not pass through the Security Gateway, it does not record the state information for the traffic).

Lesley · ‎2025-05-13

Global properties as the name suggest are global for all gateways that are on that SMS.

I might have another option that will get you close:

Global properties -> Stateful Inspection -> Out of state packets -> Exceptions -> add here the relevant monitor only gateway.

-------
If you like this post please give a thumbs up(kudo)! 🙂

the_rock · ‎2025-05-13

That was my thought as well.

Andy

PhoneBoy · ‎2025-05-13

Those settings should definitely not be on gateways passing regular traffic.

Short of using a different management domain for the gateway, you can make the changes temporarily, push policy to the monitor mode gateway, change them back, and publish changes.

the_rock · ‎2025-05-13

Sounds very logical to me.

RemoteUser · ‎2025-05-14

So, just to recap: if I change these settings in the Global Properties:

Change the value of the TCP session timeout from the default 3600 to 60 seconds.
Change the value of the TCP end timeout from the default 20 to 5 seconds.

but then I go to:

Global Properties → Stateful Inspection → Out of State Packets → Exceptions,
and add only the relevant gateway to "monitor only"...

When I install the policy, will these changes apply only to the gateway added to the exceptions, or will they be applied globally anyway?

the_rock · ‎2025-05-14

It will be applied globally.

Andy

RemoteUser · ‎2025-05-14

thanks Man

the_rock · ‎2025-05-14

You bet.

Lesley · ‎2025-05-14

So, just to recap: if I change these settings in the Global Properties:

Change the value of the TCP session timeout from the default 3600 to 60 seconds.
Change the value of the TCP end timeout from the default 20 to 5 seconds.

but then I go to:

Global Properties → Stateful Inspection → Out of State Packets → Exceptions,
and add only the relevant gateway to "monitor only"...

What is marked is maybe an alternative for the first option (TCP timeout). Because those are global and apply to all firewalls managed by the system.

-------
If you like this post please give a thumbs up(kudo)! 🙂

Are you a member of CheckMates?

Change to Global Properties – Session Timeout Settings