Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Luis_Miguel_Mig
Advisor

time_wait

Hi,

I am thinking of changing time_wait value from 120 secs to 60secs at a proxy server.

I was wondering  of the implications of this change at our checkpoint gaia firewalls.

I have not been able to see if the checkpoint gaia has any setting configured for the time_wait.

As far as I can see at sk41248, checkpoint firewalls will close the session  20 secs after receiving two FIN or a RST packet.

Is this correct?

0 Kudos
3 Replies
Timothy_Hall
Champion
Champion

Edit: Removed paragraph discussing increasing time_wait after misreading initial post.

The equivalent timer on the Check Point firewall is the "TCP end timeout" in the Global Properties and I would not recommend increasing it beyond the default 20 seconds, unless you are being absolutely inundated with "TCP out of state" logs sporting FIN or RST flags.  Even then some more investigation is necessary to figure out the root cause of those logs, and increasing the TCP end timeout should be a last resort.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Luis_Miguel_Mig
Advisor

I think there was a misunderstanding there.  The idea is to change it from 120 to 60. 120 secs is the default value on a bluecoat proxysg.  The idea is to end up with 30 secs, but I will start changing it to 60 secs.

Ok, cool. 20 secs. But it is actually 20 secs after the second FIN, not the first one, right?

0 Kudos
Timothy_Hall
Champion
Champion

Yes it is 20 seconds after the second FIN.  If a FIN is only seen from one side of the connection the TCP Session Timeout still applies.  If you have IPS Aggressive Aging enabled the various TCP session timeouts (including the TCP end timeout) can be dynamically shortened if the gateway is under heavy load.  Also if SecureXL is enabled, it adds 5 seconds to the TCP end timeout to allow time for notifications to propagate between the acceleration layer and F2F.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events