Configure timeouts

Configure timeout values for console sessions and protocol connections in a Threat Defense policy to manage session durations and optimize device resource usage.

You can set the global idle timeout durations for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool.

You can also set a timeout for console sessions on the device.

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select Timeouts.

Step 3

Configure the timeouts you want to change.

For any setting, select Custom to specify your own value or Default to use the system default value. In most cases, the maximum timeout is 1193 hours.

You can disable some timeouts by selecting Disable.

  • Console Timeout—The idle time until a connection to the console is closed, range is 0 or 5 to 1440 minutes. The default is 0, which means the session does not time out. If you change the value, existing console sessions will continue to use the previous timeout value. The updated timeout will apply only to new connections.

  • Translation Slot (xlate)The idle time until a NAT translation slot is freed. This duration must be at least 1 minute. The default is 3 hours.

  • Connection (Conn)The idle time until a connection slot is freed. This duration must be at least 5 minutes. The default is 1 hour.

  • Half-ClosedThe idle time until a TCP half-closed connection closes. A connection is considered half-closed if both the FIN and FIN-ACK have been seen. If only the FIN has been seen, the regular connection timeout applies. The minimum is 30 seconds. The default is 10 minutes.

  • UDPThe idle time until a UDP connection closes. This duration must be at least 1 minute. The default is 2 minutes.

  • ICMPThe idle time after which general ICMP states are closed. The default (and minimum) is 2 seconds.

  • RPC/Sun RPCThe idle time until a SunRPC slot is freed. This duration must be at least 1 minute. The default is 10 minutes.

    In a Sun RPC-based connection, if the parent connection is deleted or times out, a new child connection might not be treated as part of the parent–child relationship. As a result, the new connection could be evaluated according to the system's policy or rules. After the parent connection times out, existing child connections remain valid only until their own timeout value is reached.

  • H.225The idle time until an H.225 signaling connection closes. The default is 1 hour. To close a connection immediately after all calls are cleared, a timeout of 1 second (0:0:1) is recommended.

  • H.323The idle time after which H.245 (TCP) and H.323 (UDP) media connections close. The default (and minimum) is 5 minutes. Because the same connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection shares the idle timeout with the H.323 (RTP and RTCP) media connection.

  • SIPThe idle time until a SIP signaling port connection closes. This duration must be at least 5 minutes. The default is 30 minutes.

  • SIP MediaThe idle time until a SIP media port connection closes. This duration must be at least 1 minute. The default is 2 minutes. The SIP media timer is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.

  • SIP DisconnectThe idle time after which SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message, between 0:0:1 and 0:10:0. The default is 2 minutes (0:2:0).

  • SIP InviteThe idle time after which pinholes for PROVISIONAL responses and media xlates will be closed, between 0:1:0 and 00:30:0. The default is 3 minutes (0:3:0).

  • SIP Provisional MediaThe timeout value for SIP provisional media connections, between 1 and 30 minutes. The default is 2 minutes.

  • Floating ConnectionWhen multiple routes exist to a network with different metrics, the system uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To make it possible to use better routes, set the timeout to a value between 0:0:30 and 1193:0:0. This timer does not apply to connections through virtual tunnel interfaces (VTI). If a connection through a VTI gets stuck, you must manually clear it.

  • Xlate PATThe idle time until a PAT translation slot is freed, between 0:0:30 and 0:5:0. The default is 30 seconds. You may want to increase the timeout if upstream routers reject new connections using a freed PAT port because the previous connection might still be open on the upstream device.

  • TCP Proxy ReassemblyThe idle timeout after which buffered packets waiting for reassembly are dropped, between 0:0:10 and 1193:0:0. The default is 1 minute (0:1:0).

  • ARP Timeout—The number of seconds between ARP table rebuilds, from 60 to 4294967. The default is 14,400 seconds (4 hours).

Step 4

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

The configured timeout values are applied to the Threat Defense policy. Sessions and protocol connections will now use the specified timeout durations after you deploy the policy.