Hi,
I am thinking of changing the time_wait value from 120 secs to 60 secs at a proxy server.
I was wondering about the implications of this change at our Check Point Gaia firewalls.
I have not been able to see if Check Point Gaia has any setting configured for the time_wait.
As far as I can see in sk41248, Check Point firewalls will close the session 20 secs after receiving two FINs or a RST packet.
Is this correct?
Edit: Removed paragraph discussing increasing time_wait after misreading initial post.
The equivalent timer on the Check Point firewall is the "TCP end timeout" in the Global Properties and I would not recommend increasing it beyond the default 20 seconds, unless you are being absolutely inundated with "TCP out of state" logs sporting FIN or RST flags. Even then some more investigation is necessary to figure out the root cause of those logs, and increasing the TCP end timeout should be a last resort.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
I think there was a misunderstanding there. The idea is to change it from 120 to 60. 120 secs is the default value on a Blue Coat ProxySG. The idea is to end up with 30 secs, but I will start by changing it to 60 secs.
Ok, cool. 20 secs. But it is actually 20 secs after the second FIN, not the first one, right?
Yes it is 20 seconds after the second FIN. If a FIN is only seen from one side of the connection the TCP Session Timeout still applies. If you have IPS Aggressive Aging enabled the various TCP session timeouts (including the TCP end timeout) can be dynamically shortened if the gateway is under heavy load. Also if SecureXL is enabled, it adds 5 seconds to the TCP end timeout to allow time for notifications to propagate between the acceleration layer and F2F.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
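The teardown rules described above (end timer only after a RST or FINs from both sides, ordinary session timeout after a single FIN, an extra 5 s when SecureXL is on) are easy to get wrong when reading "TCP out of state" logs. The following is an added, constructed model written for this thread, not Check Point code; the 3600 s session timeout is an assumed default and the packet trace is made up.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed model of the TCP teardown timers as described in the thread.
TCP_END_TIMEOUT = 20          # "TCP end timeout" default (sk41248)
SECUREXL_GRACE = 5            # extra seconds when SecureXL is enabled
TCP_SESSION_TIMEOUT = 3600    # assumed idle timeout; not stated in the thread


@dataclass
class Packet:
    t: float            # seconds since the session was created (constructed)
    src: str            # "client" or "server"
    flags: Set[str]     # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Session:
    securexl: bool = False
    last_seen: float = 0.0
    fin_from: Set[str] = field(default_factory=set)
    rst_seen: bool = False

    def observe(self, pkt: Packet) -> None:
        # Every packet refreshes the idle timer; FIN/RST update teardown state.
        self.last_seen = pkt.t
        if "RST" in pkt.flags:
            self.rst_seen = True
        if "FIN" in pkt.flags:
            self.fin_from.add(pkt.src)

    def teardown_started(self) -> bool:
        # The end timer only runs after a RST or after FINs from both sides.
        return self.rst_seen or len(self.fin_from) == 2

    def expires_at(self) -> float:
        # Seconds-since-start at which the gateway would drop the session
        # if no further packets arrive.
        if self.teardown_started():
            grace = SECUREXL_GRACE if self.securexl else 0
            return self.last_seen + TCP_END_TIMEOUT + grace
        return self.last_seen + TCP_SESSION_TIMEOUT


def expiry_for(packets: List[Packet], securexl: bool = False) -> float:
    """Replay a constructed packet list through the tracker; return expiry time."""
    s = Session(securexl=securexl)
    for p in packets:
        s.observe(p)
    return s.expires_at()
```

A packet arriving after the computed expiry would be logged as out of state, so comparing proxy time_wait against this value shows whether the firewall or the proxy gives up first.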