ScreenOS Firewalls (NOT SRX)

What is Idle timeouts when Any service set

11-20-2007 05:03 PM
I found that when we use the Any service, idle timeouts on the firewalls differ from what has been set in the predefined services.

How does the OS set the idle timeout?

Does it check whether a custom service has been set for the port and then use the longest idle timeout among those configured?

Re: What is Idle timeouts when Any service set

11-28-2007 11:07 AM

For single service entries, service timeout lookup proceeds as follows:

  1. The specified timeout in the service entry database, if set.
  2. The default timeout in the service entry database, if specified in the predefined service.
  3. The protocol-based default timeout table.

Services with multiple rule entries share the same timeout value. If multiple services share the same protocol and destination port range, all services share the last timeout value configured.

The protocol-based defaults are as follows:

  • TCP - 30 minutes
  • UDP - 1 minute
  • ICMP - 1 minute
  • Other - 30 minutes

For service groups and for the predefined service “ANY” (if timeout is not set), the service timeout lookup proceeds as follows:

  1. The vsys TCP and UDP port-based timeout table, if a timeout is set.
  2. The protocol-based default timeout table.

There are quite a few caveats you should examine to ensure you get the appropriate behavior.  Take a look at the Concepts and Examples Guide, Volume 2: Fundamentals, chapter 5 under the heading of 'Setting a Service Timeout'.

Stefan Fouant
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-SEC, JNCI, CISSP, PCNSE, VCP-DV

Check out my blog at ShortestPathFirst

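The two lookup orders in the reply above, modelled as an added Python example so you can trace which table answers for a given flow. This is illustration code written for this page, not ScreenOS code and not from the reply's author. Two points are assumptions rather than statements from the reply: that a "service entry" is keyed by protocol plus destination port range (which is how several services come to share one timeout slot, last write wins), and that the vsys port-based table is written only when a timeout is explicitly configured on a service, never from a predefined service's default. Timeouts are in minutes, as the ScreenOS CLI takes them.

```python
"""Model of the ScreenOS service-timeout lookup described in the reply above.

Added illustration, not ScreenOS code.  Labelled assumptions:
  * a service entry is keyed by (protocol, destination port range), so every
    service sharing that key shares one timeout slot and the last write wins;
  * the vsys TCP/UDP port-based table is keyed by (protocol, port) and is only
    written when a timeout is explicitly configured, never from a predefined
    service's default.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Minutes = int
PortRange = Tuple[int, int]

# Protocol-based default timeout table quoted in the reply (minutes).
PROTOCOL_DEFAULTS: Dict[str, Minutes] = {"tcp": 30, "udp": 1, "icmp": 1}
OTHER_DEFAULT: Minutes = 30


@dataclass
class Service:
    name: str
    protocol: str
    dst_ports: PortRange
    # Default timeout shipped with a predefined service; None for custom ones.
    predefined_default: Optional[Minutes] = None


@dataclass
class Vsys:
    services: Dict[str, Service] = field(default_factory=dict)
    # Service entry database: explicit timeout per (protocol, dst range).
    entry_timeouts: Dict[Tuple[str, PortRange], Minutes] = field(default_factory=dict)
    # Assumed shape of the vsys port-based table used for ANY and service groups.
    port_table: Dict[Tuple[str, int], Minutes] = field(default_factory=dict)

    def add_service(self, svc: Service) -> None:
        self.services[svc.name] = svc

    def set_timeout(self, name: str, minutes: Minutes) -> None:
        """Models 'set service <name> timeout <minutes>'."""
        svc = self.services[name]
        # Shared slot: every service with the same protocol/range now sees this.
        self.entry_timeouts[(svc.protocol, svc.dst_ports)] = minutes
        if svc.protocol in ("tcp", "udp"):
            lo, hi = svc.dst_ports
            for port in range(lo, hi + 1):
                self.port_table[(svc.protocol, port)] = minutes

    def lookup_single(self, name: str) -> Tuple[Minutes, str]:
        """Lookup order for a policy that references one named service."""
        svc = self.services[name]
        key = (svc.protocol, svc.dst_ports)
        if key in self.entry_timeouts:
            return self.entry_timeouts[key], "service entry timeout"
        if svc.predefined_default is not None:
            return svc.predefined_default, "predefined default"
        return PROTOCOL_DEFAULTS.get(svc.protocol, OTHER_DEFAULT), "protocol default"

    def lookup_any(self, protocol: str, dst_port: int) -> Tuple[Minutes, str]:
        """Lookup order for a policy using ANY or a service group."""
        key = (protocol, dst_port)
        if key in self.port_table:
            return self.port_table[key], "port-based table"
        return PROTOCOL_DEFAULTS.get(protocol, OTHER_DEFAULT), "protocol default"


def build_sample_vsys() -> Vsys:
    """Constructed configuration for the demo; not taken from any real box."""
    v = Vsys()
    # A predefined-style service with a 5 minute default and no explicit timeout.
    v.add_service(Service("PRE-WEB", "tcp", (80, 80), predefined_default=5))
    # Two custom services on the same protocol and destination port range.
    v.add_service(Service("CUST-APP", "tcp", (8080, 8080)))
    v.add_service(Service("CUST-APP-DUP", "tcp", (8080, 8080)))
    v.set_timeout("CUST-APP", 120)
    v.set_timeout("CUST-APP-DUP", 10)  # last write wins for CUST-APP as well
    return v


if __name__ == "__main__":
    v = build_sample_vsys()
    print("PRE-WEB as a single service :", v.lookup_single("PRE-WEB"))
    print("tcp/80 under ANY            :", v.lookup_any("tcp", 80))
    print("CUST-APP as a single service:", v.lookup_single("CUST-APP"))
    print("tcp/8080 under ANY          :", v.lookup_any("tcp", 8080))
    print("udp/5000 under ANY          :", v.lookup_any("udp", 5000))
```

Run as-is it shows the behaviour the original poster saw: the predefined service gets its 5 minute default when referenced by name, but the same tcp/80 flow under ANY falls through to the 30 minute TCP default because the ANY path never consults the predefined default; and the two custom services on tcp/8080 both resolve to 10, the last timeout configured for that protocol and range.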

Re: What is Idle timeouts when Any service set

02-17-2012 06:11 AM

Hi,

How do you explain that a session close-out could appear before the 30-minute timer for a TCP session?

It seems to be the case for us on an ISG2k cluster.

Regards.