Configure Session Settings (2024)

Configure Session Settings

Updated on Mon Jul 01 15:37:28 UTC 2024


This topic describes various settings for sessions other than timeout values. Perform these tasks if you need to change the default settings.

  1. Change the session settings.

    Select Device > Setup > Session and edit the Session Settings.

  2. Specify whether to apply newly configured Security policy rules to sessions that are in progress.

    Select Rematch all sessions on config policy change to apply newly configured Security policy rules to sessions that are already in progress. This capability is enabled by default. If you clear this check box, any policy rule changes you make apply only to sessions initiated after you commit the policy change.

    For example, if a Telnet session started while an associated policy rule was configured that allowed Telnet, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the current session and blocks it.

  3. Configure IPv6 settings.

    • ICMPv6 Token Bucket Size—Default: 100 tokens. See the section ICMPv6 Rate Limiting.

    • ICMPv6 Error Packet Rate (per sec)—Default: 100. See the section ICMPv6 Rate Limiting.

    • Enable IPv6 Firewalling—Enables firewall capabilities for IPv6. All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling setting must also be enabled for IPv6 to function.

  4. Enable jumbo frames and set the MTU.

    1. Select Enable Jumbo Frame to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,216 bytes and are available on certain models.

    2. Set the Global MTU, depending on whether or not you enabled jumbo frames:

      • If you did not enable jumbo frames, the Global MTU defaults to 1,500 bytes; the range is 576 to 1,500 bytes.

      • If you enabled jumbo frames, the Global MTU defaults to 9,192 bytes; the range is 9,192 to 9,216 bytes.

      Jumbo Frames can take up to five times more memory compared to normal packets and can reduce the number of available packet-buffers by 20%. This reduces the queue sizes dedicated for out of order, application identification, and other such packet processing tasks. As of PAN-OS 8.1, if you enable the jumbo frame global MTU configuration and reboot your firewall, packet buffers are then redistributed to process jumbo frames more efficiently.

      If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value.

      If you import (Device > Setup > Operations > Import) and load a configuration that has Jumbo Frame enabled, and then commit to a firewall that does not already have Jumbo Frame enabled, the Enable Jumbo Frame setting is not committed to the configuration. You should first Enable Jumbo Frame, reboot, and then import, load and commit the configuration.

  5. Tune NAT session settings.

    • NAT64 IPv6 Minimum Network MTU—Sets the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic.

    • NAT Oversubscription Rate—If NAT is configured to be Dynamic IP and Port (DIPP) translation, an oversubscription rate can be configured to multiply the number of times that the same translated IP address and port pair can be used concurrently. The rate is 1, 2, 4, or 8. The default setting is based on the firewall model.

      • A rate of 1 means no oversubscription; each translated IP address and port pair can be used only once at a time.

      • If the setting is Platform Default, user configuration of the rate is disabled and the default oversubscription rate for the model applies.

    Reducing the oversubscription rate decreases the number of source device translations, but provides higher NAT rule capacities.

  6. Tune accelerated aging settings.

    Select Accelerated Aging to enable faster aging-out of idle sessions. You can also change the threshold (%) and scaling factor:

    • Accelerated Aging Threshold—Percentage of the session table that is full when accelerated aging begins. The default is 80%. When the session table reaches this threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions.

    • Accelerated Aging Scaling Factor—Scaling factor used in the accelerated aging calculations. The default scaling factor is 2, meaning that the accelerated aging occurs at a rate twice as fast as the configured idle time. The configured idle time divided by 2 results in a faster timeout of one-half the time. To calculate the session’s accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout.

    For example, if the scaling factor is 10, a session that would normally time out after 3600 seconds would time out 10 times faster (in 1/10 of the time), which is 360 seconds.

  7. Enable packet buffer protection.

    1. Select Packet Buffer Protection to enable the firewall to take action against sessions that can overwhelm its packet buffer and cause legitimate traffic to be dropped; enabled by default.

    2. If you enable packet buffer protection, you can tune the thresholds and timers that dictate how the firewall responds to packet buffer abuse.

      • Alert (%): When packet buffer utilization exceeds this threshold, the firewall creates a log event. The threshold is set to 50% by default and the range is 0% to 99%. If the value is set to 0%, the firewall does not create a log event.

      • Activate (%): When packet buffer utilization exceeds this threshold, the firewall applies random early drop (RED) to abusive sessions. The threshold is set to 80% by default and the range is 0% to 99%. If the value is set to 0%, the firewall does not apply RED.

      Alert events are recorded in the system log. Events for dropped traffic, discarded sessions, and blocked IP addresses are recorded in the threat log.

      • Block Hold Time (sec): The amount of time a RED-mitigated session is allowed to continue before it is discarded. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is set to 0, the firewall does not discard sessions based on packet buffer protection.

      • Block Duration (sec): This setting defines how long a session is discarded or an IP address is blocked. The default is 3,600 seconds with a range of 0 seconds to 15,999,999 seconds. If this value is set to 0, the firewall does not discard sessions or block IP addresses based on packet buffer protection.

  8. Enable buffering of multicast route setup packets.

    1. Select Multicast Route Setup Buffering to enable the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. This option is disabled by default.

    2. If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size per flow. The firewall can buffer a maximum of 5,000 packets.

      You can also tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends by configuring the multicast settings on the virtual router that handles your virtual router (set the Multicast Route Age Out Time (sec) on the Multicast > Advanced tab in the virtual router configuration).

  9. Save the session settings.

    Click OK.

  10. Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.

    1. Select Network > Interfaces, select Ethernet, VLAN, or Loopback, and select a Layer 3 interface.

    2. Select Advanced > Other Info.

    3. Select Adjust TCP MSS and enter a value for one or both of the following:

      • IPv4 MSS Adjustment Size (range is 40 to 300 bytes; default is 40 bytes).

      • IPv6 MSS Adjustment Size (range is 60 to 300 bytes; default is 60 bytes).

    4. Click OK.

  11. Commit your changes.

    Click Commit.

  12. Reboot the firewall after changing the jumbo frame configuration.

    1. Select Device > Setup > Operations.

    2. Click Reboot Device.
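The ranges and the "0 disables" rules documented in steps 4, 6 and 7 of the procedure can be checked against a planned change before it is committed. The following Python check is an added example, not Palo Alto Networks code; the dictionary keys (`alert_pct`, `jumbo_frames`, and so on) and function names are hypothetical labels, not PAN-OS configuration keys.

```python
# Added example, not Palo Alto Networks code. The dictionary keys are
# hypothetical labels for the settings, not PAN-OS configuration keys.

# Step 7 settings: (low, high, effect of a value of 0), all from the page.
PBP_RULES = {
    "alert_pct": (0, 99, "no log event is created"),
    "activate_pct": (0, 99, "RED is not applied"),
    "block_hold_sec": (0, 65535, "sessions are not discarded"),
    "block_duration_sec": (0, 15999999,
                           "sessions are not discarded and IP addresses are not blocked"),
}
# Defaults from the page, used for any key the caller leaves out.
DEFAULTS = {"pbp_enabled": True, "alert_pct": 50, "activate_pct": 80,
            "block_hold_sec": 60, "block_duration_sec": 3600,
            "jumbo_frames": False}


def effective_idle_timeout(idle_sec, table_pct_full, threshold_pct=80, scaling_factor=2):
    """Step 6: once the session table reaches the threshold, the configured
    idle time is divided by the scaling factor."""
    if table_pct_full >= threshold_pct:
        return idle_sec / scaling_factor
    return idle_sec


def audit_session_settings(planned):
    """Return findings for values that are out of range or disable a protection."""
    cfg = {**DEFAULTS, **planned}
    findings = []
    if not cfg["pbp_enabled"]:
        findings.append("pbp_enabled: packet buffer protection is turned off")
    for key, (low, high, zero_effect) in PBP_RULES.items():
        value = cfg[key]
        if not low <= value <= high:
            findings.append(f"{key}={value}: outside documented range {low}-{high}")
        elif value == 0:
            findings.append(f"{key}=0: {zero_effect}")
    # Step 4: the Global MTU range and default depend on the jumbo frame setting.
    low, high, default = (9192, 9216, 9192) if cfg["jumbo_frames"] else (576, 1500, 1500)
    mtu = cfg.get("global_mtu", default)
    if not low <= mtu <= high:
        findings.append(f"global_mtu={mtu}: outside {low}-{high} "
                        f"with jumbo_frames={cfg['jumbo_frames']}")
    return findings


if __name__ == "__main__":
    # Constructed change request: alert threshold zeroed, jumbo frames enabled,
    # Global MTU left at the non-jumbo default.
    for finding in audit_session_settings(
            {"alert_pct": 0, "jumbo_frames": True, "global_mtu": 1500}):
        print(finding)
    print(effective_idle_timeout(3600, 85, scaling_factor=10))
```

A change request that uses only the documented defaults produces no findings; any finding ending in one of the "0" effects marks a setting where a protection from step 7 is switched off.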

© 2024 Palo Alto Networks, Inc. All rights reserved.


FAQs

What is session configuration? ›

A "session configuration file" is a text file with a .pssc file name extension that contains a hash table of session configuration properties and values. You can use a session configuration file to set the properties of a session configuration.

What are session settings in Salesforce? ›

Session settings are needed to protect the customer data from getting hacked. Imagine that your session timeout time is 2 hours; this implies that once an attacker obtains the session ID or once a session ID is generated, the session ID will remain active for 2 hours.

How do I view and edit session timeout settings in profiles? ›

Log in to Salesforce as an administrator.
  • Go to Setup > Users > Profiles.
  • Click on the profile being used by your users, e.g., Standard Platform User.
  • Scroll down to the section entitled Session Settings. Click to open the profile.
  • Click Edit. Select a new value for Session times out after from the list.
  • Click Save.

What is the session timeout setting? ›

The Session Timeout setting is found on the Global Settings page, in the Security tab. This setting is used to control how long a user session can be inactive in their browser before they are automatically redirected to a pop-up Login window.

What is server configuration settings? ›

A server configuration defines a specific database as the repository for its data. To prevent corruption, that database can be associated with only one server configuration. However, that database can be used by other applications.

What is configure mode? ›

Configuration Mode is an option available to all Administrators within the system. Configuration Mode provides an easier mechanism for accessing and editing fields. Admins can access the configuration from within a record. Users without an Administrator role are unable to use Configuration Mode.

How do I manage user sessions? ›

Best practices: implementing session management
  1. Set Secure/HttpOnly Flags on your Cookies. Refrain from sending sensitive traffic and tokens over an unencrypted channel (HTTP). ...
  2. Generate New Session Cookies. ...
  3. Configure Session Cookies Properly.
Sep 8, 2022

What is session and what is the use of session? ›

A session is a way to store information (in variables) to be used across multiple pages. Unlike a cookie, the information is not stored on the user's computer.

What are settings in Salesforce? ›

Your personal settings help you customize your Salesforce experience. View or update your personal settings like your password and security question, email settings, and organize your tabs and pages.

How do I fix my session has timed out? ›

Applying the default settings in your web browser may resolve the issue. In order to do this:
  1. Open the Tools menu.
  2. Select Internet Options.
  3. Select the General tab.
  4. Click the Restore to Default button.
  5. Click OK.
  6. Try logging in again to see if the problem is resolved.

How do I change my session time out? ›

  1. Open the Integration Server Administrator.
  2. Go to Settings > Resources.
  3. Click Edit Resource Settings.
  4. Under Session in the Session Timeout field, enter the maximum number of minutes an idle session can remain active (in other words, how long you want the server to wait before terminating an idle session).

How to increase session timeout in Salesforce? ›

  1. From Setup, in the Quick Find box, enter Profiles , and then select Profiles.
  2. Select a profile.
  3. Depending on which user interface you're using, take the corresponding step. ...
  4. For Session Times Out After, select a timeout value from the dropdown list.

What is a good session timeout? ›

For highly sensitive applications, a timeout of 5 to 15 minutes is advisable to enhance security. Applications with less sensitive data can have a longer timeout of 15 to 30 minutes. Crucially, after session expiry, the session token should be completely invalidated to prevent further use.

What is the limit of session timeout? ›

Session.Timeout has no hard-coded limit. Most Web administrators set this property to 8 minutes. It should not be set higher than 20 minutes (except in special cases) because every open session is holding onto memory.

What is the PS session configuration? ›

Every PSSession uses a session configuration. The session configuration determines the features of the PSSession, such as the modules that are available in the session, the cmdlets that are permitted to run, the language mode, quotas, and timeouts.

What is meant by session in networking? ›

A network session is a temporary and interactive information interchange between two or more devices communicating over a network. A session is established at a certain point in time, and then 'torn down' - brought to an end - at some later point.

What does session mean in web services? ›

A session is a group of user interactions with your website that take place within a given time frame. For example a single session can contain multiple page views, events, social interactions, and ecommerce transactions. Learn more about the different request types in Analytics.

What is the use of session in server? ›

The session ID allows the server to associate the user's requests with their specific session. Additionally, it also helps to retrieve and update the session data as needed. We can use sessions to provide a personalized experience for each user. We can display a user's name and preferences throughout the site.


Author: Rev. Porsche Oberbrunner
