This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Help
Luis_Miguel_Mig
Luis_Miguel_Mig
Copper
‎2017-10-11 02:37 AM

time_wait

Hi,

I am thinking of changing time_wait value from 120 secs to 60secs at a proxy server.

I was wondering  of the implications of this change at our checkpoint gaia firewalls.

I have not been able to see if the checkpoint gaia has any setting configured for the time_wait.

As far as I can see at sk41248, checkpoint firewalls will close the session  20 secs after receiving two FIN or a RST packet.

Is this correct?

0 Kudos
Reply
3 Replies
Timothy_Hall
Timothy_Hall
Pearl
‎2017-10-11 07:20 AM

Re: time_wait

Edit: Removed paragraph discussing increasing time_wait after misreading initial post.

The equivalent timer on the Check Point firewall is the "TCP end timeout" in the Global Properties and I would not recommend increasing it beyond the default 20 seconds, unless you are being absolutely inundated with "TCP out of state" logs sporting FIN or RST flags.  Even then some more investigation is necessary to figure out the root cause of those logs, and increasing the TCP end timeout should be a last resort.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Reply
Luis_Miguel_Mig
Luis_Miguel_Mig
Copper
‎2017-10-11 07:29 AM

Re: time_wait

I think there was a misunderstanding there.  The idea is to change it from 120 to 60. 120 secs is the default value on a bluecoat proxysg.  The idea is to end up with 30 secs, but I will start changing it to 60 secs.

Ok, cool. 20 secs. But it is actually 20 secs after the second FIN, not the first one, right?

0 Kudos
Reply
Timothy_Hall
Timothy_Hall
Pearl
‎2017-10-11 07:35 AM

Re: time_wait

Yes it is 20 seconds after the second FIN.  If a FIN is only seen from one side of the connection the TCP Session Timeout still applies.  If you have IPS Aggressive Aging enabled the various TCP session timeouts (including the TCP end timeout) can be dynamically shortened if the gateway is under heavy load.  Also if SecureXL is enabled, it adds 5 seconds to the TCP end timeout to allow time for notifications to propagate between the acceleration layer and F2F.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
Reply