Session Timers define how long a session is maintained on the firewall after inactivity in the session.

When the session timeout for the protocol expires, the session closes. On the firewall, several timeouts for TCP, UDP, and ICMP sessions can be specified to apply to a user-defined group or a Tier-0 or Tier-1 gateway. Default session values can be modified depending on your network needs. Note that setting a value too low might cause frequent timeouts, and setting a value too high might delay failure detection. See Default Session Timer Values for more information.

Session timers are supported on ESXi and KVM hosts.

Procedure

  1. Navigate to Security > General Settings > Firewall > Session Timer.
  2. Click Add Profile.
    The Profile screen appears, populated with the default values.
  3. Enter a name and a description (optional) for the timer profile.
  4. Click Set to select the Tier-0 or Tier-1 gateway or group to apply the timer profile.
  5. Select the protocol. Accept the default values or enter your own values.
    TCP Variables Description
    First Packet The timeout value for the connection after the first packet has been sent. The default is 120 seconds.
    Opening The timeout value for the connection after a second packet has been transferred. The default is 30 seconds.
    Established The timeout value for the connection once the connection has become fully established.
    Closing The timeout value for the connection after the first FIN has been sent. The default is 120 seconds.
    Fin Wait The timeout value for the connection after both FINs have been exchanged and the connection is closed. The default is 45 seconds.
    Closed The timeout value for the connection after one endpoint sends an RST. The default is 20 seconds.
    UDP Variables Description
    First Packet The timeout value for the connection after the first packet is sent. This is the initial timeout for the new UDP flow. The default is 60 seconds.
    Single The timeout value for the connection if the source host sends more than one packet and the destination host has not sent one back. The default is 30 seconds.ESXi hosts only. KVM hosts use the UDP first packet.
    Multiple The timeout value for the connection if both hosts have sent packets. The default is 60 seconds.
    ICMP Variables Description
    First Packet The timeout value for the connection after the first packet is sent. This is the initial timeout for the new ICMP flow. The default is 20 seconds.
    Error reply The timeout value for the connection after an ICMP error is returned in response to an ICMP packet. The default is 10 seconds. ESXi hosts only. KVM hosts use the ICMP first packet.
  6. Click Save.

What to do next

After saving, click Manage Group to Profile Precedence to manage group to profile binding precedence.