This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kumar
Participant
‎2018-04-20 03:48 AM
Jump to solution

Default State table Timers on Checkpoint?

What is the default timeouts for TCP,UDP and other protocols on checkpoint state table?

1 Solution

Accepted Solutions
Whatcha_McCallu
Employee
Employee
‎2018-04-20 08:11 AM
Jump to solution

I don't remember these defaults ever changing going back to at least R55. I'd love to be corrected but this should be the defaults

TCP start timeout: 25

TCP session timeout: 3600

TCP end timeout: 20

UDP Virtual session timeout: 40

ICMP virtual session timeout: 30

Other IP Protocols virtual session timeout: 60

These are newish to me

SCTP start timeout: 30

SCTP session timeout: 3600

SCTP end timeout: 20

View solution in original post

8 Replies
Timothy_Hall
Legend Legend
Legend
‎2018-04-20 07:16 AM
Jump to solution

Policy Menu...Global Properties...Stateful Inspection screen in the SmartConsole/SmartDashboard.  Values may vary depending on your code version.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Champika_Gamage
Participant
‎2022-11-07 10:48 PM
In response to Timothy_Hall
Jump to solution

Hi Tim

I have seen different timers as below. When i checked with TAC, they insisted to change this to default of 3600s for TCP session timeout. Is this something that i should do or keep it that value? This is 26000 chassis running R81.10.

TCP start timeout: 25

TCP session timeout: 7800

TCP end timeout: 20

UDP Virtual session timeout: 40

ICMP virtual session timeout: 30

Other IP Protocols virtual session timeout: 60

SCTP start timeout: 30

SCTP session timeout: 3600

SCTP end timeout: 20

 

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-11-08 05:35 AM
In response to Champika_Gamage
Jump to solution

7800 instead of 3600 is fine unless your connection table is running out of memory.   That value must have been changed by someone for a reason, and changing it back might break some things such as long-running database connections that are left up for extended periods with little activity.  Possible it was determined at some point that whatever the application is it has some kind of keepalive every 120 minutes/2 hours, so the TCP idle timer was set to 2 hours 10 minutes (7800 sec) as a result.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Veldpworld
Explorer
‎2025-08-04 11:53 AM
In response to Timothy_Hall
Jump to solution

Hi,

We are facing connection reset very rarely in a day at random time.

 

K8s application apache http client connecto another k8s application via nva checkpoint.  Client and server has keep alive is 1min.

I seen default tcp session timeout is 3600s but keepalive is 7200s. Will this cause issue? Can we increase tcp session timeout around 7500s. So that idle connection will be in the table. Http client tries to reuse the same tcp connection. Can you please help me on this?

0 Kudos
PhoneBoy
Admin
Admin
4 weeks ago
In response to Veldpworld
Jump to solution

Please start a new thread on this issue with the exact symptoms, versions in use, etc.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-08 05:48 AM
In response to Champika_Gamage
Jump to solution

The question I always have to ask is: why are you looking to change the timeout in the first place?
In other words, is there a problem you’re trying to solve that you expect that adjusting that timeout might solve?
I presume this is the case if TAC is suggesting to change it, who should also be able to clarify why this change is being recommended.

0 Kudos
Champika_Gamage
Participant
‎2022-11-08 02:27 PM
In response to PhoneBoy
Jump to solution

Thanks Timothy/Phoneboy for your input.

It was actually a PS engagement from Checkpoint which did a health check n the gateways and identified this non standard value and asked to change it if not specifically changed for a reason. We could not find any change record as well to justify why it was changed from the default. 

I guess the more prudent thing to do is leave it as is if that is not causing any issues.

0 Kudos
Whatcha_McCallu
Employee
Employee
‎2018-04-20 08:11 AM
Jump to solution

I don't remember these defaults ever changing going back to at least R55. I'd love to be corrected but this should be the defaults

TCP start timeout: 25

TCP session timeout: 3600

TCP end timeout: 20

UDP Virtual session timeout: 40

ICMP virtual session timeout: 30

Other IP Protocols virtual session timeout: 60

These are newish to me

SCTP start timeout: 30

SCTP session timeout: 3600

SCTP end timeout: 20

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events