Session Timers define how long a session is maintained on the firewall after inactivity in the session.

About this task

On the firewall, you can define timeouts for TCP, UDP, and ICMP sessions for a set of user-defined VMs or vNICs. The default timer is global, meaning that it applies to all virtual machines protected by the firewall.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Firewall.
  2. Ensure that you are in the Settings tab. If there is more than one NSX Manager available, select one from the drop-down list.
  3. Click the Add icon.

    The Add a Timeout Configuration dialogue box appears, populated with the default values.

  4. Enter a name (required) and a description (optional) for the session timer.
  5. Select the protocol. Accept the default values or enter your own values.

    | TCP Variables | Description |
    |---|---|
    | First Packet | The timeout value for the connection after the first packet has been sent. The default is 120 seconds. |
    | Open | The timeout value for the connection after a second packet has been transferred. The default is 30 seconds. |
    | Established | The timeout value for the connection once the connection has become fully established. |
    | Closing | The timeout value for the connection after the first FIN has been sent. The default is 120 seconds. |
    | Fin Wait | The timeout value for the connection after both FINs have been exchanged and the connection is closed. The default is 45 seconds. |
    | Closed | The timeout value for the connection after one endpoint sends an RST. The default is 20 seconds. |

    | UDP Variables | Description |
    |---|---|
    | First Packet | The timeout value for the connection after the first packet is sent. This will be the initial timeout for the new UDP flow. The default is 60 seconds. |
    | Single | The timeout value for the connection if the source host sends more than one packet and the destination host has not sent one back. The default is 30 seconds. |
    | Multiple | The timeout value for the connection if both hosts have sent packets. The default is 60 seconds. |

    | ICMP Variables | Description |
    |---|---|
    | First Packet | The timeout value for the connection after the first packet is sent. This is the initial timeout for the new ICMP flow. The default is 20 seconds. |
    | Error reply | The timeout value for the connection after an ICMP error is returned in response to an ICMP packet. The default is 10 seconds. |

  6. Select the object type, vNIC or VM.

    The Available Objects list is automatically populated.

  7. Select one or more objects and click the arrow to move them to the Selected Objects column.
  8. Click OK.

Results

A timer has been created that applies to a set of user-defined hosts.
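
To see how the TCP timers in step 5 interact, the following added example (not VMware code, and not how NSX is implemented) replays a packet trace through a simplified model of those states and reports which timer is running and when the session would age out of the firewall table. The function name `replay`, the direction labels, the sample trace, and the 3600-second Established value are assumptions; the page lists no default for Established.

```python
# Simplified model of the TCP timers described above; not NSX's implementation.
# Defaults are the ones listed on this page. The page gives no default for
# "Established", so 3600 below is a constructed placeholder.
TCP_TIMEOUTS = {"first_packet": 120, "open": 30, "established": 3600,
                "closing": 120, "fin_wait": 45, "closed": 20}


def replay(packets, timeouts=TCP_TIMEOUTS):
    """Replay (time_s, direction, flags) tuples for one TCP flow.

    Returns (timer_name, expires_at) after the last packet, or
    ("expired", t) if the idle timer ran out at t before a later packet.
    """
    state, expires_at, fin_from = None, None, set()
    for t, direction, flags in packets:
        if expires_at is not None and t >= expires_at:
            return "expired", expires_at  # session already left the table
        if "RST" in flags:
            state = "closed"
        elif "FIN" in flags:
            fin_from.add(direction)
            state = "fin_wait" if len(fin_from) == 2 else "closing"
        elif state is None:
            state = "first_packet"
        elif state == "first_packet":
            state = "open"
        elif state == "open":
            state = "established"
        # In any other state the packet only restarts the current timer.
        expires_at = t + timeouts[state]
    return state, expires_at


# Constructed sample trace: a three-way handshake, one packet per second.
HANDSHAKE = [(0, "c2s", {"SYN"}), (1, "s2c", {"SYN", "ACK"}), (2, "c2s", {"ACK"})]

if __name__ == "__main__":
    print(replay(HANDSHAKE[:1]))                    # lone SYN, never answered
    print(replay(HANDSHAKE))                        # fully established
    late = HANDSHAKE + [(4000, "c2s", {"ACK"})]     # idle longer than the timer
    print(replay(late))
    print(replay(late, dict(TCP_TIMEOUTS, established=7200)))
```

Replaying a trace from a long-idle application against the values you plan to enter shows whether its keepalive interval fits inside the Established timer before you apply the configuration to a VM or vNIC.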