Configure Session Settings
Updated on
Mon Jul 01 15:37:28 UTC 2024
This topic describes the session settings other than timeout values. Perform these tasks if you need to change the default settings.
Change the session settings.
Select Device > Setup > Session and edit the Session Settings.
Specify whether to apply newly configured Security policy rules to sessions that are in progress.
Select Rematch all sessions on config policy change to apply newly configured Security policy rules to sessions that are already in progress. This capability is enabled by default. If you clear this check box, any policy rule changes you make apply only to sessions initiated after you commit the policy change. For example, with this setting enabled, if a Telnet session started while an associated policy rule allowed Telnet, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the in-progress session and blocks it; with the setting cleared, that existing Telnet session continues until it ends and only new Telnet sessions are denied.
Configure IPv6 settings.
ICMPv6 Token Bucket Size—Default: 100 tokens. See the section ICMPv6 Rate Limiting.
ICMPv6 Error Packet Rate (per sec)—Default: 100. See the section ICMPv6 Rate Limiting.
Enable IPv6 Firewalling—Enables firewall capabilities for IPv6. All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling setting must also be enabled for IPv6 to function.
Enable jumbo frames and set the MTU.
Select Enable Jumbo Frame to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,216 bytes and are available on certain models.
Set the Global MTU, depending on whether or not you enabled jumbo frames:
If you did not enable jumbo frames, the Global MTU defaults to 1,500 bytes; the range is 576 to 1,500 bytes.
If you enabled jumbo frames, the Global MTU defaults to 9,192 bytes; the range is 9,192 to 9,216 bytes.
Jumbo frames can take up to five times more memory than normal packets and can reduce the number of available packet buffers by 20%. This reduces the queue sizes dedicated to out-of-order handling, application identification, and other such packet processing tasks. As of PAN-OS 8.1, if you enable the jumbo frame global MTU configuration and reboot your firewall, packet buffers are redistributed to process jumbo frames more efficiently.
If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to carry jumbo frames, you must set the MTU for that interface to 1,500 bytes or another explicit value.
If you import (Device > Setup > Operations > Import) and load a configuration that has Jumbo Frame enabled, and then commit to a firewall that does not already have Jumbo Frame enabled, the Enable Jumbo Frame setting is not committed to the configuration. You should first Enable Jumbo Frame, reboot, and then import, load, and commit the configuration.
Tune NAT session settings.
NAT64 IPv6 Minimum Network MTU—Sets the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic.
NAT Oversubscription Rate—If NAT is configured to be Dynamic IP and Port (DIPP) translation, an oversubscription rate can be configured to multiply the number of times that the same translated IP address and port pair can be used concurrently (the firewall tells the concurrent sessions apart by their destination IP address and port). The rate is 1, 2, 4, or 8. The default setting is based on the firewall model.
A rate of 1 means no oversubscription; each translated IP address and port pair can be used only once at a time.
If the setting is Platform Default, user configuration of the rate is disabled and the default oversubscription rate for the model applies.
Reducing the oversubscription rate decreases the number of source device translations, but provides higher NAT rule capacities.
Tune accelerated aging settings.
Select Accelerated Aging to enable faster aging-out of idle sessions. You can also change the threshold (%) and scaling factor:
Accelerated Aging Threshold—Percentage of the session table that is full when accelerated aging begins. The default is 80%. When the session table reaches this threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions.
Accelerated Aging Scaling Factor—Scaling factor used in the accelerated aging calculations. To calculate a session's accelerated aging, PAN-OS divides the configured idle timeout (for that type of session) by the scaling factor to determine a shorter timeout. The default scaling factor is 2, so sessions age out twice as fast: the configured idle timeout is halved.
For example, if the scaling factor is 10, a session that would normally time out after 3,600 seconds times out 10 times faster (in 1/10 of the time), which is 360 seconds.
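The following Python model of accelerated aging is an added illustration, not Palo Alto Networks code. It applies the rule above (idle timeout divided by the scaling factor once the session table reaches the threshold) to a constructed session table so you can see which sessions age out under normal and under accelerated aging. The per-type idle timeouts, the session table, and treating "reaches the threshold" as greater than or equal are assumptions of the example.

```python
"""Model of PAN-OS accelerated aging.

Once the session table is at or above the Accelerated Aging Threshold, the
configured idle timeout of every session is divided by the Accelerated Aging
Scaling Factor. This is an added illustration, not Palo Alto Networks code:
the per-type idle timeouts and the session table are constructed sample data,
and treating "reaches the threshold" as >= is an assumption of the example.
"""
from dataclasses import dataclass

# Constructed sample idle timeouts (seconds) per session type; on a real
# firewall these come from the Session Timeouts configuration.
IDLE_TIMEOUTS = {"tcp": 3600, "udp": 30, "icmp": 6, "web-browsing": 3600}

# Constructed session table: (session id, session type, seconds idle so far).
SAMPLE_TABLE = [
    ("s1", "tcp", 1900), ("s2", "udp", 20), ("s3", "icmp", 2),
    ("s4", "web-browsing", 400), ("s5", "tcp", 3700), ("s6", "udp", 5),
    ("s7", "tcp", 100), ("s8", "udp", 31), ("s9", "icmp", 0),
]


@dataclass(frozen=True)
class AgingConfig:
    enabled: bool = True
    threshold_pct: int = 80   # PAN-OS default: accelerate when the table is 80% full
    scaling_factor: int = 2   # PAN-OS default: timeouts halved

    def __post_init__(self):
        if not 0 <= self.threshold_pct <= 100:
            raise ValueError("threshold must be a percentage")
        if self.scaling_factor < 1:
            raise ValueError("scaling factor must be >= 1")


def effective_timeout(base_timeout, utilization_pct, cfg):
    """Idle timeout actually applied at the given session-table fill level."""
    if cfg.enabled and utilization_pct >= cfg.threshold_pct:
        return base_timeout / cfg.scaling_factor
    return base_timeout


def expired_sessions(table, capacity, cfg):
    """Ids of sessions that age out now, given a table that holds `capacity` entries."""
    utilization_pct = 100.0 * len(table) / capacity
    return [
        sid for sid, stype, idle in table
        if idle >= effective_timeout(IDLE_TIMEOUTS[stype], utilization_pct, cfg)
    ]


if __name__ == "__main__":
    for cap in (100, 10):
        print(f"capacity {cap}: expires {expired_sessions(SAMPLE_TABLE, cap, AgingConfig())}")
```

With the nine sample sessions in a table of capacity 100 (9% full) only the two sessions past their normal timeout expire; in a table of capacity 10 (90% full, above the 80% threshold) the halved timeouts also catch the long-idle TCP and UDP sessions, which is the point of the feature: free table space under pressure at the cost of cutting idle-but-legitimate sessions sooner.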
Enable packet buffer protection.
Select Packet Buffer Protection to enable the firewall to take action against sessions that can overwhelm its packet buffer and cause legitimate traffic to be dropped; this is enabled by default. If you enable packet buffer protection, you can tune the thresholds and timers that dictate how the firewall responds to packet buffer abuse.
Alert (%): When packet buffer utilization exceeds this threshold, the firewall creates a log event. The threshold is set to 50% by default and the range is 0% to 99%. If the value is set to 0%, the firewall does not create a log event.
Activate (%): When packet buffer utilization exceeds this threshold, the firewall applies random early drop (RED) to abusive sessions. The threshold is set to 80% by default and the range is 0% to 99%. If the value is set to 0%, the firewall does not apply RED.
Alert events are recorded in the system log. Events for dropped traffic, discarded sessions, and blocked IP addresses are recorded in the threat log.
Block Hold Time (sec): The amount of time a RED-mitigated session is allowed to continue before it is discarded. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is set to 0, the firewall does not discard sessions based on packet buffer protection.
Block Duration (sec): This setting defines how long a session is discarded or an IP address is blocked. The default is 3,600 seconds with a range of 0 seconds to 15,999,999 seconds. If this value is set to 0, the firewall does not discard sessions or block IP addresses based on packet buffer protection.
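The following Python simulation of the packet buffer protection thresholds and timers is an added illustration, not Palo Alto Networks code. It runs the documented rules (alert above Alert %, RED above Activate %, discard after Block Hold Time under RED, block for Block Duration, and 0 meaning the step is disabled) over a constructed series of buffer-utilization samples, so you can see how the timers interact before tuning them. The sample data, the notion of one "abusive" session per sample, and evaluation on discrete samples are assumptions of the example.

```python
"""Simulation of PAN-OS Packet Buffer Protection thresholds and timers.

Added illustration, not Palo Alto Networks code. It applies the documented
semantics (Alert and Activate thresholds, Block Hold Time, Block Duration, and
a value of 0 meaning "disabled") to constructed utilization samples. The
sample data, the idea of one "abusive" session per sample, and evaluating on
discrete samples are assumptions of the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PbpConfig:
    alert_pct: int = 50          # 0 disables the system-log alert
    activate_pct: int = 80       # 0 disables RED against abusive sessions
    block_hold_time: int = 60    # seconds under RED before discard; 0 never discards
    block_duration: int = 3600   # seconds a discard/block lasts; 0 never discards or blocks

    def __post_init__(self):
        if not (0 <= self.alert_pct <= 99 and 0 <= self.activate_pct <= 99):
            raise ValueError("thresholds must be 0-99%")
        if not (0 <= self.block_hold_time <= 65535 and 0 <= self.block_duration <= 15_999_999):
            raise ValueError("timer out of range")


@dataclass
class PbpState:
    red_since: dict = field(default_factory=dict)      # session -> time RED first applied
    blocked_until: dict = field(default_factory=dict)  # session -> time the block expires
    events: list = field(default_factory=list)         # (time, log, message)


def step(state, cfg, t, utilization_pct, abusive_session):
    """Evaluate one buffer-utilization sample taken at time t (seconds)."""
    for s, until in list(state.blocked_until.items()):
        if t >= until:                      # Block Duration elapsed
            del state.blocked_until[s]
    if abusive_session in state.blocked_until:
        state.events.append((t, "threat", f"drop {abusive_session}: blocked"))
        return
    if cfg.alert_pct and utilization_pct > cfg.alert_pct:
        state.events.append((t, "system", f"alert: buffer at {utilization_pct}%"))
    if cfg.activate_pct and utilization_pct > cfg.activate_pct:
        first = state.red_since.setdefault(abusive_session, t)
        state.events.append((t, "threat", f"RED {abusive_session}"))
        # Discard only if both timers are non-zero and the session has been
        # under RED for the full Block Hold Time.
        if cfg.block_hold_time and cfg.block_duration and t - first >= cfg.block_hold_time:
            state.events.append((t, "threat", f"discard {abusive_session}"))
            state.blocked_until[abusive_session] = t + cfg.block_duration
            del state.red_since[abusive_session]
    else:
        state.red_since.pop(abusive_session, None)   # pressure eased; hold clock resets


def run(samples, cfg):
    """Drive the state machine over (t, utilization %, abusive session) samples."""
    state = PbpState()
    for t, util, sess in samples:
        step(state, cfg, t, util, sess)
    return state.events


# Constructed samples: a single session driving buffer utilization up and
# holding it above the Activate threshold for longer than the hold time.
SAMPLES = [(0, 40, "sessA"), (10, 55, "sessA"), (20, 85, "sessA"),
           (50, 90, "sessA"), (80, 92, "sessA"), (90, 30, "sessA")]

if __name__ == "__main__":
    for ev in run(SAMPLES, PbpConfig()):
        print(ev)
```

With the defaults, the sample run logs an alert at 10 s, starts RED at 20 s, discards the session at 80 s (60 s of continuous RED) and drops its traffic afterwards; setting either Block Hold Time or Block Duration to 0 leaves RED in place but never discards, and a 0% Alert or Activate threshold removes that step entirely, which is exactly the behaviour to confirm before loosening these values on a production firewall.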
Enable buffering of multicast route setup packets.
Select Multicast Route Setup Buffering to enable the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. This option is disabled by default.
If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size per flow. The firewall can buffer a maximum of 5,000 packets.
You can also tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends by configuring the multicast settings on the virtual router that handles your multicast traffic (set the Multicast Route Age Out Time (sec) on the Multicast > Advanced tab in the virtual router configuration).
Save the session settings.
Click OK.
Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.
Select Network > Interfaces > Ethernet, VLAN, or Loopback, and select a Layer 3 interface. Select Advanced > Other Info.
Select Adjust TCP MSS and enter a value for one or both of the following. The adjustment size is subtracted from the interface MTU to derive the MSS the firewall writes into TCP SYN segments; the defaults cover the IP header plus the 20-byte TCP header, so raise them only when extra encapsulation overhead (for example, a tunnel) is in the path:
IPv4 MSS Adjustment Size (range is 40 to 300 bytes; default is 40 bytes).
IPv6 MSS Adjustment Size (range is 60 to 300 bytes; default is 60 bytes).
Click OK.
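The following Python model ties together the jumbo frame, Global MTU and TCP MSS adjustment rules from this page. It is an added illustration, not Palo Alto Networks code: it validates the Global MTU against the two ranges listed above, shows which interfaces silently inherit the jumbo size when jumbo frames are enabled, and computes the MSS that results from an adjustment size. The interface names and values are constructed, and the example assumes the clamped MSS is the interface's effective MTU minus the adjustment size.

```python
"""Model of the Global MTU, interface MTU inheritance and TCP MSS adjustment
rules on this page.

Added illustration, not Palo Alto Networks code. The Global MTU ranges and the
MSS adjustment ranges are the values listed above; the interface names and
settings are constructed sample data. The example assumes the firewall derives
the clamped MSS as the interface's effective MTU minus the adjustment size,
which is why the defaults equal the IP header plus the 20-byte TCP header.
"""
from dataclasses import dataclass
from typing import Optional

IPV4_MSS_ADJUST_RANGE = (40, 300)   # default 40: 20-byte IPv4 header + 20-byte TCP header
IPV6_MSS_ADJUST_RANGE = (60, 300)   # default 60: 40-byte IPv6 header + 20-byte TCP header


def global_mtu_range(jumbo_enabled):
    """(minimum, maximum, default) for the Global MTU setting."""
    return (9192, 9216, 9192) if jumbo_enabled else (576, 1500, 1500)


def global_mtu_ok(jumbo_enabled, mtu):
    lo, hi, _ = global_mtu_range(jumbo_enabled)
    return lo <= mtu <= hi


def resolve_global_mtu(jumbo_enabled, mtu=None):
    """Apply the default when unset and reject values outside the range."""
    lo, hi, default = global_mtu_range(jumbo_enabled)
    mtu = default if mtu is None else mtu
    if not global_mtu_ok(jumbo_enabled, mtu):
        raise ValueError(f"Global MTU {mtu} outside {lo}-{hi} with jumbo frames "
                         f"{'enabled' if jumbo_enabled else 'disabled'}")
    return mtu


@dataclass
class L3Interface:
    name: str
    mtu: Optional[int] = None        # None: not explicitly set, inherits the Global MTU
    adjust_tcp_mss: bool = False
    ipv4_mss_adjust: int = 40
    ipv6_mss_adjust: int = 60


def effective_mtu(iface, global_mtu):
    return global_mtu if iface.mtu is None else iface.mtu


def clamped_mss(iface, global_mtu, ipv6=False):
    """MSS written into a TCP SYN crossing this interface, or None if not adjusted."""
    if not iface.adjust_tcp_mss:
        return None
    adjust = iface.ipv6_mss_adjust if ipv6 else iface.ipv4_mss_adjust
    lo, hi = IPV6_MSS_ADJUST_RANGE if ipv6 else IPV4_MSS_ADJUST_RANGE
    if not lo <= adjust <= hi:
        raise ValueError(f"{iface.name}: MSS adjustment {adjust} outside {lo}-{hi}")
    return effective_mtu(iface, global_mtu) - adjust


def plan_jumbo_enable(interfaces, global_mtu=None):
    """MTU each interface ends up with after jumbo frames are enabled.

    Any interface that must keep standard frames needs an explicit MTU before
    the change; otherwise it silently inherits the jumbo Global MTU.
    """
    gmtu = resolve_global_mtu(True, global_mtu)
    return {i.name: effective_mtu(i, gmtu) for i in interfaces}


# Constructed sample interfaces.
SAMPLE_INTERFACES = [
    L3Interface("ethernet1/1"),                                   # inherits the Global MTU
    L3Interface("ethernet1/2", mtu=1500, adjust_tcp_mss=True),   # pinned to 1500
    L3Interface("ethernet1/3", adjust_tcp_mss=True,
                ipv4_mss_adjust=100, ipv6_mss_adjust=120),        # extra room for tunnel overhead
]

if __name__ == "__main__":
    print(plan_jumbo_enable(SAMPLE_INTERFACES))
```

Running `plan_jumbo_enable` before flipping Enable Jumbo Frame is the check the warning above asks for: any interface reported at 9,192 that should stay at standard frames needs an explicit MTU first. The MSS helper makes the other consequence visible: an interface that inherits the jumbo MTU also advertises a jumbo-sized MSS unless the adjustment size compensates.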
Commit your changes.
Click Commit.
Reboot the firewall after changing the jumbo frame configuration.
Select Device > Setup > Operations and click Reboot Device.