@stnz wrote:
Thanks, although I did check that out before asking the question, and it did not exactly fit the need. It does not set any recommended timeout values or anything like that, for example.
I don't think there's really any one definitive answer for that question.
It's universally-agreed that firewalls need to time out idle sessions at some point, but it's not universally-agreed what that point should be.
It all comes down to the people who make the firewalls and the judgement calls of their engineers as to what a reasonable timeout is.
Cisco's defaults are not the same as Juniper's, which are not the same as Palo Alto's, which are not the same as Checkpoint's... etc.
Different firewalls have different capabilities and limits on concurrent sessions, and some are more aggressive than others on aging out idle sessions to free up space in the session tables.
I usually just use the simplest answer I can when I get a question like that -- "All firewalls must age out idle sessions at some point, because they have finite resources. The engineers make a judgement as to the optimal way to tune their particular devices as best as they can."
Beyond that, defaults can be modified to work around edge cases -- but that's not a replacement for smarter application design. It's not that hard to send a keepalive, or close your TCP session after you're done with it for a while and open another one next time you need it... or at least CHECK if the connection is still there before assuming it is and just sending data over a TCP connection you opened 8 hours ago... LOL