This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2017-10-11 02:37 AM

time_wait

Hi,

I am thinking of changing time_wait value from 120 secs to 60secs at a proxy server.

I was wondering  of the implications of this change at our checkpoint gaia firewalls.

I have not been able to see if the checkpoint gaia has any setting configured for the time_wait.

As far as I can see at sk41248, checkpoint firewalls will close the session  20 secs after receiving two FIN or a RST packet.

Is this correct?

0 Kudos
3 Replies
Timothy_Hall
Champion
Champion
‎2017-10-11 07:20 AM

Edit: Removed paragraph discussing increasing time_wait after misreading initial post.

The equivalent timer on the Check Point firewall is the "TCP end timeout" in the Global Properties and I would not recommend increasing it beyond the default 20 seconds, unless you are being absolutely inundated with "TCP out of state" logs sporting FIN or RST flags.  Even then some more investigation is necessary to figure out the root cause of those logs, and increasing the TCP end timeout should be a last resort.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Luis_Miguel_Mig
Advisor
‎2017-10-11 07:29 AM
In response to Timothy_Hall

I think there was a misunderstanding there.  The idea is to change it from 120 to 60. 120 secs is the default value on a bluecoat proxysg.  The idea is to end up with 30 secs, but I will start changing it to 60 secs.

Ok, cool. 20 secs. But it is actually 20 secs after the second FIN, not the first one, right?

0 Kudos
Timothy_Hall
Champion
Champion
‎2017-10-11 07:35 AM
In response to Luis_Miguel_Mig

Yes it is 20 seconds after the second FIN.  If a FIN is only seen from one side of the connection the TCP Session Timeout still applies.  If you have IPS Aggressive Aging enabled the various TCP session timeouts (including the TCP end timeout) can be dynamically shortened if the gateway is under heavy load.  Also if SecureXL is enabled, it adds 5 seconds to the TCP end timeout to allow time for notifications to propagate between the acceleration layer and F2F.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Labels