CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 Platforms > Crossbeam
#1
2007-03-12, Davidg (Junior Member, joined 2007-02-21, 1 post)
Session timeout in crossbeam

Even if I define the TCP Session Timeout of a protocol to be something like 2 hours, Crossbeam always reports that the maximum is 10 minutes (TTL). After these 10 min. the connections get dropped, although they are listed in the Check Point connection table (with the correct timeout).

Code:
CBS# sh flow active source-address 10.10.0.1 destination-address  10.10.0.194

This command may take a few minutes.  Do you want to continue? <Y or N> [Y]:

Module  Source                  Destination             Protocol    Domain  TTL
np1           10.10.0.1: 5886     10.10.0.194: 3927    6          1      0m 15s
   Rx Modules fw_2
   Ageout 4, Skip Ports, Skip Protocol
Is this the correct behavior? Is there any way to override this TTL (Time To Live?) so that it matches what is defined in SmartDashboard?

Thanks
#2
2008-01-08, cjbischoff (Junior Member, joined 2006-03-13, 13 posts)
Re: Session timeout in crossbeam

Flow Rules Priority: Modifying default values for Flow Rules

When modifying default values, do not forget to do it for both directions. The Flow Rules are unidirectional most of the time, depending on which criteria you are playing with (i.e. source address, source TCP port, …).

The example here shows that if you want to shorten the lifetime of HTTP traffic in the X-Series Active Flow Table (the default TCP timeout being 10 min, which is quite long for short HTTP transactions and results in an AFT full of aged-out HTTP connections), you need to do it both ways.

Overriding default timeout

When overriding the default timeout value, ensure that the timeout is set properly for all return flows.

Example:
- HTTP tends to run short and can have quick timeouts.
- Useless HTTP flows (already aged out on the client/server transaction) can pollute the Active Flow Table.
- Create a higher-priority rule with: dest. port = 80 and timeout = 3 min.
- The return flow, which is not bound for dest. port = 80, resets the timeout of the AFT entry from 3 minutes to the default (10 min).
- Original and return flow share the same AFT entry.
- You must therefore also create a source flow rule using: src. port = 80 and timeout = 3 min.
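To make the two-direction behaviour concrete, here is an added simulation (not Crossbeam's code and not its CLI syntax) of an Active Flow Table with unidirectional flow rules. It assumes three things the thread describes: both directions of a TCP session share one AFT entry; each packet re-evaluates the rules for its own direction and rewrites that entry's timeout; and a packet matching no rule gets the default TCP timeout (10 minutes). It also illustrates the first post's point that this TTL is decided on the Crossbeam side, independently of the Check Point connection-table timeout. The names (`ActiveFlowTable`, `FlowRule`, `flow_key`), the port 40000 client side and the 180/600-second values are constructed for the example; the addresses reuse those from the thread's output.

```python
# Simplified model of an Active Flow Table (AFT) with unidirectional flow rules.
# Added illustration, not Crossbeam's code or CLI syntax. Assumptions: both
# directions of a TCP session share one AFT entry; every packet re-evaluates
# the rules for its own direction and rewrites the entry's timeout; a packet
# matching no rule gets the default TCP timeout (10 minutes in the thread).
from dataclasses import dataclass
from typing import Optional

DEFAULT_TCP_TIMEOUT = 600  # seconds: the 10-minute default from the thread
HTTP_TIMEOUT = 180         # seconds: the 3-minute override from the example

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int = 6  # TCP

@dataclass(frozen=True)
class FlowRule:
    """Matches on destination and/or source port; None means wildcard."""
    priority: int                # higher priority wins
    timeout: int                 # seconds applied to the AFT entry
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.dport is None or pkt.dport == self.dport) and
                (self.sport is None or pkt.sport == self.sport))

@dataclass
class FlowEntry:
    ttl: int        # timeout currently applied to the entry
    last_seen: int  # time of the last packet in either direction

def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key, so request and reply land on one entry."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])

class ActiveFlowTable:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority, reverse=True)
        self.table = {}

    def timeout_for(self, pkt: Packet) -> int:
        """First matching rule in priority order, else the default."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.timeout
        return DEFAULT_TCP_TIMEOUT

    def see(self, pkt: Packet, now: int) -> int:
        """A packet resets the shared entry's timeout to what its own direction matches."""
        timeout = self.timeout_for(pkt)
        self.table[flow_key(pkt)] = FlowEntry(ttl=timeout, last_seen=now)
        return timeout

    def expire(self, now: int) -> int:
        """Age out entries whose timeout has elapsed; return the number dropped."""
        dead = [k for k, e in self.table.items() if now - e.last_seen >= e.ttl]
        for k in dead:
            del self.table[k]
        return len(dead)

    def remaining_ttl(self, pkt: Packet, now: int) -> Optional[int]:
        entry = self.table.get(flow_key(pkt))
        return None if entry is None else entry.ttl - (now - entry.last_seen)

# Rule sets from the post: destination-port rule only, versus both directions.
ONE_WAY = [FlowRule(priority=10, timeout=HTTP_TIMEOUT, dport=80)]
BOTH_WAYS = ONE_WAY + [FlowRule(priority=10, timeout=HTTP_TIMEOUT, sport=80)]

# Constructed sample traffic; the addresses reuse those in the thread's output.
REQUEST = Packet("10.10.0.1", 40000, "10.10.0.194", 80)
REPLY = Packet("10.10.0.194", 80, "10.10.0.1", 40000)

def http_exchange(rules) -> ActiveFlowTable:
    """Client request at t=0, server reply at t=1."""
    aft = ActiveFlowTable(rules)
    aft.see(REQUEST, now=0)
    aft.see(REPLY, now=1)
    return aft

def ttl_after_reply(rules) -> int:
    """Timeout left on the shared entry right after the server's reply."""
    return http_exchange(rules).remaining_ttl(REQUEST, now=1)

def entry_alive_at(rules, now: int) -> bool:
    """Whether the idle entry still exists once the ageing pass runs at `now`."""
    aft = http_exchange(rules)
    aft.expire(now)
    return flow_key(REQUEST) in aft.table
```

Calling `ttl_after_reply(ONE_WAY)` gives 600 seconds: the reply carries source port 80, matches no rule, and drags the shared entry back to the default. With `BOTH_WAYS` the same call gives 180, and `entry_alive_at(BOTH_WAYS, 400)` is False while `entry_alive_at(ONE_WAY, 400)` is True, which is the "AFT full of aged-out HTTP connections" effect the post warns about. The same mechanism is why the first post's 2-hour Check Point setting never shows up in `sh flow active`: only a Crossbeam flow rule for each direction changes the TTL shown there.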