This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2017-10-11 02:37 AM

time_wait

Hi,

I am thinking of changing time_wait value from 120 secs to 60secs at a proxy server.

I was wondering  of the implications of this change at our checkpoint gaia firewalls.

I have not been able to see if the checkpoint gaia has any setting configured for the time_wait.

As far as I can see at sk41248, checkpoint firewalls will close the session  20 secs after receiving two FIN or a RST packet.

Is this correct?

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2017-10-11 07:20 AM

Edit: Removed paragraph discussing increasing time_wait after misreading initial post.

The equivalent timer on the Check Point firewall is the "TCP end timeout" in the Global Properties and I would not recommend increasing it beyond the default 20 seconds, unless you are being absolutely inundated with "TCP out of state" logs sporting FIN or RST flags.  Even then some more investigation is necessary to figure out the root cause of those logs, and increasing the TCP end timeout should be a last resort.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Luis_Miguel_Mig
Advisor
‎2017-10-11 07:29 AM
In response to Timothy_Hall

I think there was a misunderstanding there.  The idea is to change it from 120 to 60. 120 secs is the default value on a bluecoat proxysg.  The idea is to end up with 30 secs, but I will start changing it to 60 secs.

Ok, cool. 20 secs. But it is actually 20 secs after the second FIN, not the first one, right?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-10-11 07:35 AM
In response to Luis_Miguel_Mig

Yes it is 20 seconds after the second FIN.  If a FIN is only seen from one side of the connection the TCP Session Timeout still applies.  If you have IPS Aggressive Aging enabled the various TCP session timeouts (including the TCP end timeout) can be dynamically shortened if the gateway is under heavy load.  Also if SecureXL is enabled, it adds 5 seconds to the TCP end timeout to allow time for notifications to propagate between the acceleration layer and F2F.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events