ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
homealone
Visitor
homealone
Posts: 6
Registered: ‎11-20-2007
0

What is Idle timeouts when Any service set

Options

‎11-20-2007 05:03 PM

I found that when we use the any service idle timeouts on the firewalls differ from what has been set in the predefined services.

How does the OS set the idle timeout?

Does it look if a custom service has been set for the port and then uses the longest configured idle timeout from those configured?
Message 1 of 3 (18,754 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
sfouant
Posts: 190
Registered: ‎11-28-2007
0

Re: What is Idle timeouts when Any service set

Options

‎11-28-2007 11:07 AM

For single service entries, service timeout lookup proceeds as follows:

  1. The specified timeout in the service entry database, if set.
  2. The default timeout in the service entry database, if specified in the predefined service.
  3. The protocol-based default timeout table.

Services with multiple rule entries share the same timeout value. If multiple services share the same protocol and destination port range, all services share the last timeout value configured.

The protocol-based defaults are as follows:

  • TCP - 30 minutes
  • UDP - 1 minute
  • ICMP - 1 minute
  • Other - 30 minutes

For service groups and for the predefined service “ANY” (if timeout is not set), the service timeout lookup proceeds as follows:

1. The vsys TCP and UDP port-based timeout table, if a timeout is set.

2. The protocol-based default timeout table.

There are quite a few caveats you should examine to ensure you get the appropriate behavior.  Take a look at the Concepts and Examples Guide, Volume 2: Fundamentals, chapter 5 under the heading of 'Setting a Service Timeout'.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Message 2 of 3 (18,708 Views)
 
Reply
kiteboy
New User
kiteboy
Posts: 2
Registered: ‎02-17-2012
0

Re: What is Idle timeouts when Any service set

[ Edited ]
Options

‎02-17-2012 06:11 AM - edited ‎02-17-2012 06:15 AM

hi,

 

how do you explain that closeage out could be appear, before timer 30 min regarding a TCP session ?

 

it seems the case , for us on a cluster ISG2k.

 

regards.

 

 

Message 3 of 3 (2,753 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.