Default State table Timers on Checkpoint?
What are the default timeouts for TCP, UDP and other protocols on the Checkpoint state table?
Accepted Solutions
I don't remember these defaults ever changing going back to at least R55. I'd love to be corrected, but these should be the defaults:
TCP start timeout: 25
TCP session timeout: 3600
TCP end timeout: 20
UDP Virtual session timeout: 40
ICMP virtual session timeout: 30
Other IP Protocols virtual session timeout: 60
These are newish to me:
SCTP start timeout: 30
SCTP session timeout: 3600
SCTP end timeout: 20
Policy Menu...Global Properties...Stateful Inspection screen in the SmartConsole/SmartDashboard. Values may vary depending on your code version.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Hi Tim,
I have seen different timers, as below. When I checked with TAC, they insisted on changing this to the default of 3600s for TCP session timeout. Is this something that I should do, or should I keep that value? This is a 26000 chassis running R81.10.
TCP start timeout: 25
TCP session timeout: 7800
TCP end timeout: 20
UDP Virtual session timeout: 40
ICMP virtual session timeout: 30
Other IP Protocols virtual session timeout: 60
SCTP start timeout: 30
SCTP session timeout: 3600
SCTP end timeout: 20
7800 instead of 3600 is fine unless your connection table is running out of memory. That value must have been changed by someone for a reason, and changing it back might break some things such as long-running database connections that are left up for extended periods with little activity. It's possible it was determined at some point that whatever the application is, it has some kind of keepalive every 120 minutes/2 hours, so the TCP idle timer was set to 2 hours 10 minutes (7800 sec) as a result.
now available at maxpowerfirewalls.com
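Added example, not part of any post in this thread: a simplified Python model of how the three TCP timers quoted above age one state-table entry, run against a constructed trace with the 2-hour keepalive hypothesised in the reply above. The trace, the function name `simulate` and the state logic are assumptions for illustration, not Check Point code.

```python
# Simplified model of one TCP entry in a stateful-inspection connection table.
# Timer values are the defaults quoted in this thread; everything else is constructed.
DEFAULTS = {"tcp_start": 25, "tcp_session": 3600, "tcp_end": 20}
TIMER_FOR_STATE = {"start": "tcp_start", "established": "tcp_session", "end": "tcp_end"}

def simulate(packets, timers):
    """packets: time-ordered (seconds, flag) tuples for one connection.
    Returns when the entry ages out and the first packet (if any) that
    arrives with no matching entry."""
    state, deadline, seen_synack, fins = None, None, False, 0
    for t, flag in packets:
        if state is None:
            if flag != "SYN":                 # no entry yet and not a new connection
                return {"expired_at": None, "dropped": (t, flag)}
            state = "start"
        elif t >= deadline:                   # entry already aged out of the table
            return {"expired_at": deadline, "dropped": (t, flag)}
        elif flag == "SYNACK":
            seen_synack = True
        elif flag == "ACK" and state == "start" and seen_synack:
            state = "established"             # handshake done: session timer applies
        elif flag == "FIN":
            fins += 1
            if fins == 2:                     # both sides closed: end timer applies
                state = "end"
        elif flag == "RST":
            state = "end"
        # Every accepted packet refreshes the timer of the current state.
        deadline = t + timers[TIMER_FOR_STATE[state]]
    return {"expired_at": deadline, "dropped": None}

# Constructed trace: handshake, one data packet, then only a keepalive every 7200 s.
TRACE = [(0, "SYN"), (1, "SYNACK"), (1, "ACK"), (2, "DATA"),
         (7202, "KEEPALIVE"), (14402, "KEEPALIVE"), (14410, "FIN"), (14410, "FIN")]

if __name__ == "__main__":
    for session in (3600, 7800):
        result = simulate(TRACE, {**DEFAULTS, "tcp_session": session})
        print(f"TCP session timeout {session}: {result}")
```

With the 3600-second session timeout the first keepalive finds no entry; with 7800 the same trace completes and the entry is removed 20 seconds after the second FIN.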
The question I always have to ask is: why are you looking to change the timeout in the first place?
In other words, is there a problem you’re trying to solve that you expect that adjusting that timeout might solve?
I presume this is the case if TAC is suggesting to change it, who should also be able to clarify why this change is being recommended.
Thanks Timothy/Phoneboy for your input.
It was actually a PS engagement from Checkpoint which did a health check on the gateways and identified this non-standard value and asked to change it if not specifically changed for a reason. We could not find any change record either to justify why it was changed from the default.
I guess the more prudent thing to do is leave it as is if that is not causing any issues.