Configure session ttl limit between two interfaces?
I had to lower the value for the session-ttl because the FW was having issues with memory. But now I'm having issues when the traffic is going from DMZ to internal (due to interrupted connections).
Is there any way to configure the session-ttl per interface? I see there are four modes here.
Any ideas?
No, session-ttl settings are not available at the interface level. You can apply the TTL on the policies that use the DMZ and internal interfaces.
OK, I feared that. But can I add "set timeout-send-rst enable" globally? Does it have any side issues? So far, all the issues I had are because of the endpoint not being notified of the closed connection.
Hmm, session timeout settings are available
- globally, in "config system session-ttl", AND
- per policy, in "config firewall policy" with "set session-ttl".
So you can set a short idle timeout globally and prolong it in each policy where you need it. The service field in the policy determines on which protocol and port the session-ttl is changed.
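As an added example (not part of the original posts), here is what the two-level setup described above looks like in FortiOS CLI syntax: a short global default, then a longer TTL on the DMZ-to-internal policy, which also carries the timeout-send-rst option asked about earlier in the thread. The policy ID, address objects and service names are assumptions chosen for illustration; the interface names "dmz" and "internal" come from the thread.

```fortios
# Global idle timeout (seconds). Applies to every session that no
# policy overrides. 300 is the lowest value FortiOS accepts here.
config system session-ttl
    set default 300
end

# Policy-level override for DMZ -> internal traffic. The policy ID (10),
# the "all" address objects and the service list are illustrative.
# session-ttl only changes the idle timeout for sessions matched by this
# policy, i.e. for the protocols/ports listed in "set service".
config firewall policy
    edit 10
        set name "dmz-to-internal-long-ttl"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set session-ttl 3600
        # Send a TCP RST to both endpoints when the session expires, so
        # clients notice the closed connection instead of hanging.
        set timeout-send-rst enable
    next
end
```

Note that timeout-send-rst is a per-policy setting in this example, so it has to be enabled on each policy whose expired sessions should generate a reset; the global default under "config system session-ttl" only sets the idle timer. Sessions that match a policy without "set session-ttl" keep the global 300-second value.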
Yes, that's the current approach I'm using. The only problem is having to add the rules in the CLI (AFAIK it can't be done in the GUI), and since the traffic between DMZ and internal is important, I would have liked to be able to set a default value (such as a rule that is neither pass nor drop, or another mechanism).
Thanks anyway