Kumar
Participant

Default State table Timers on Checkpoint?

What are the default timeouts for TCP, UDP and other protocols on the Checkpoint state table?

1 Solution

Accepted Solutions
Whatcha_McCallu
Employee

I don't remember these defaults ever changing going back to at least R55. I'd love to be corrected, but these should be the defaults:

TCP start timeout: 25

TCP session timeout: 3600

TCP end timeout: 20

UDP Virtual session timeout: 40

ICMP virtual session timeout: 30

Other IP Protocols virtual session timeout: 60

These are newish to me

SCTP start timeout: 30

SCTP session timeout: 3600

SCTP end timeout: 20


6 Replies
Timothy_Hall
Champion

Policy Menu...Global Properties...Stateful Inspection screen in the SmartConsole/SmartDashboard.  Values may vary depending on your code version.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

IPS/AV/ABOT Immersion & Max Capture: Know your Packets
Self-Guided Video Series available at www.maxpowerfirewalls.com
Champika_Gamage
Explorer

Hi Tim

I have seen different timers, as below. When I checked with TAC, they insisted on changing this to the default of 3600s for TCP session timeout. Is this something that I should do, or should I keep that value? This is a 26000 chassis running R81.10.

TCP start timeout: 25

TCP session timeout: 7800

TCP end timeout: 20

UDP Virtual session timeout: 40

ICMP virtual session timeout: 30

Other IP Protocols virtual session timeout: 60

SCTP start timeout: 30

SCTP session timeout: 3600

SCTP end timeout: 20
0 Kudos
Timothy_Hall
Champion

7800 instead of 3600 is fine unless your connection table is running out of memory. That value must have been changed by someone for a reason, and changing it back might break some things, such as long-running database connections that are left up for extended periods with little activity. It is possible that it was determined at some point that the application, whatever it is, has some kind of keepalive every 120 minutes/2 hours, so the TCP idle timer was set to 2 hours 10 minutes (7800 sec) as a result.

0 Kudos
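The keepalive reasoning in the reply above, as a small model (an added example, not part of any post in this thread and not Check Point code): it flags settings that differ from the defaults quoted in the accepted solution, then checks whether an idle session that only sends keepalives outlives a given TCP session timeout. The function names, the timer-refresh behaviour and the 2-hour keepalive traffic are assumptions made for illustration.

```python
# Added example: simplified model of a stateful firewall's TCP idle timer.
# Defaults are the values quoted in the accepted solution (seconds).
DEFAULTS = {
    "TCP start timeout": 25,
    "TCP session timeout": 3600,
    "TCP end timeout": 20,
    "UDP Virtual session timeout": 40,
    "ICMP virtual session timeout": 30,
    "Other IP Protocols virtual session timeout": 60,
    "SCTP start timeout": 30,
    "SCTP session timeout": 3600,
    "SCTP end timeout": 20,
}

def drift(configured):
    """Return {setting: (default, configured)} for every non-default value."""
    return {name: (DEFAULTS[name], value)
            for name, value in configured.items()
            if name in DEFAULTS and value != DEFAULTS[name]}

def first_out_of_state(idle_timeout, packet_times):
    """Return the arrival time of the first packet that finds the entry
    already expired, or None if every packet still matches the entry.

    Assumptions: an established entry exists at t=0 and every matching
    packet refreshes the idle timer."""
    last_seen = 0
    for t in sorted(packet_times):
        if t - last_seen > idle_timeout:
            return t          # entry aged out: this packet is out of state
        last_seen = t         # packet matched, idle timer restarts
    return None

def keepalive_times(interval, count):
    """Constructed traffic: an otherwise idle session sending only keepalives."""
    return [interval * i for i in range(1, count + 1)]

if __name__ == "__main__":
    # Gateway values as reported in the thread: only the TCP session timeout differs.
    gateway = dict(DEFAULTS, **{"TCP session timeout": 7800})
    print("non-default settings:", drift(gateway))
    probes = keepalive_times(7200, 3)   # hypothetical app keepalive every 2 hours
    for timeout in (3600, 7800):
        print(timeout, "-> first out-of-state packet at", first_out_of_state(timeout, probes))
```

With the constructed 2-hour keepalive, the 3600-second timer ages the entry out before the first keepalive arrives, while the 7800-second timer keeps it alive.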
PhoneBoy
Admin

The question I always have to ask is: why are you looking to change the timeout in the first place?
In other words, is there a problem you’re trying to solve that you expect that adjusting that timeout might solve?
I presume this is the case if TAC is suggesting to change it, who should also be able to clarify why this change is being recommended.

0 Kudos
Champika_Gamage
Explorer

Thanks Timothy/Phoneboy for your input.

It was actually a PS engagement from Checkpoint which did a health check on the gateways, identified this non-standard value and asked us to change it if it was not specifically changed for a reason. We could not find any change record either to justify why it was changed from the default.

I guess the more prudent thing to do is leave it as is if that is not causing any issues.

0 Kudos