目次
【Paloalto】セッションのタイムアウトを確認・変更する方法
paloalto(PA-200)で検証を行っています。
今回はPaloalto(PA-200)で、セッションのタイムアウトを確認・変更する方法(CLI、GUI)をまとめていきます!
- 機種はPA-200
- OSのバージョンはsw-version: 8.0.19
CLI
【CLI】セッションのタイムアウトを確認する方法
↓CLIでセッションのタイムアウトを確認するコマンド
<オペレーションモード>
show session info【Paloalto公式】Tips & Tricks: Session Timeouts
いくつか確認できる重要項目をまとめておきます。
詳しい設定項目の内容は公式サイトで対象の管理者ガイドを確認してください。
| Number of active TCP sessions: XX | ActiveなTCPセッションの数 |
| Session table utilization: XX% | セッションテーブルの使用率 |
| Throughput: XX kbps | スループット。ただshow system statistics sessionのがより正確な値。 「show session info」では単一のデータプレーン(↓の表示のdp0)のスループットしか表示されていない。 各コマンドの違いはリンク参照 |
| TCP default timeout: XX secs | TCPのデフォルトのタイムアウト値 |
| UDP default timeout: XX secs | UDPのデフォルトのタイムアウト値 |
| ICMP default timeout: XX secs | ICMPのデフォルトのタイムアウト値 |
↓セッションのタイムアウト確認コマンドの出力結果となります。
admin@PA-200-first>admin@PA-200-first> show session info
target-dp: *.dp0
--------------------------------------------------------------------------------
Number of sessions supported: 65534
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Session table utilization: 0%
Number of sessions created since bootup: 0
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------
admin@PA-200-first>
【CLI】セッションタイムアウトの変更方法【一時的】
一時的にセッションタイムアウトの変更するコマンドは以下のとおりです。
<オペレーションモード>
set session timeout-tcp <1-15999999>
set session timeout-udp <1-15999999>
set session timeout-icmp <1-15999999>
set session timeout-default <1-15999999>
set session timeout-tcpinit <1-60>
set session timeout-tcphandshake <1-60>
set session timeout-tcp-half-closed <1-604800>
set session timeout-tcp-unverified-rst <1-600>
set session timeout-tcp-time-wait <1-600>
set session timeout-captive-portal <1-15999999>
set session timeout-scan <5-30>
set session timeout-discard-tcp <1-15999999>
set session timeout-discard-udp <1-15999999>
set session timeout-discard-default <1-15999999>以下は実行結果になります。例では、TCPを3600から3000秒、UDPを30秒から20秒、ICMPを6秒から5秒に変更しています。※再起動をすると設定が消えます。なおGUIの表示には反映されません。
test-user@PA-200-first(active)> set session timeout-udp 20
test-user@PA-200-first(active)> set session timeout-tcp 3000
test-user@PA-200-first(active)> set session timeout-icmp 5
■変更がcommitせずとも反映された
test-user@PA-200-first(active)> show session info
target-dp: *.dp0
--------------------------------------------------------------------------------
Number of sessions supported: 65534
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Session table utilization: 0%
Number of sessions created since bootup: 0
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3000 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 20 secs
ICMP default timeout: 5 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------
test-user@PA-200-first(active)>【CLI】セッションタイムアウトの変更方法【恒久】
恒久的にセッションタイムアウトの変更するコマンドは以下のとおりです。
configure
set deviceconfig setting session timeout-tcp 3000
set deviceconfig setting session timeout-udp 20
set deviceconfig setting session timeout-icmp 5
run show config diff
commit以下は実行結果になります。例では、TCPを3600から3000秒、UDPを30秒から20秒、ICMPを6秒から5秒に変更しています。
test-user@PA-200-first(active)> configure
Entering configuration mode
[edit]
test-user@PA-200-first(active)# set deviceconfig setting session timeout-tcp 3000
[edit]
test-user@PA-200-first(active)# set deviceconfig setting session timeout-udp 20
[edit]
test-user@PA-200-first(active)# set deviceconfig setting session timeout-icmp 5
[edit]
test-user@PA-200-first(active)# run show config diff
set config devices localhost.localdomain deviceconfig setting config rematch yes
set config devices localhost.localdomain deviceconfig setting management hostname-type-in-syslog FQDN
set config devices localhost.localdomain deviceconfig setting management admin-lockout failed-attempts 5
+set config devices localhost.localdomain deviceconfig setting session timeout-tcp 3000
+set config devices localhost.localdomain deviceconfig setting session timeout-udp 20
+set config devices localhost.localdomain deviceconfig setting session timeout-icmp 5
set config devices localhost.localdomain deviceconfig high-availability group 10 peer-ip 192.168.2.151
set config devices localhost.localdomain deviceconfig high-availability group 10 peer-ip-backup 10.0.0.2
set config devices localhost.localdomain deviceconfig high-availability group 10 mode active-passive passive-link-state auto
[edit]
test-user@PA-200-first(active)# commit
WARNING: The running configuration is not currently synchronized to the HA peer, and therefore, this commit will only be applied to the local device.
Please synchronize the peers by running 'request high-availability sync-to-remote running-config' first.
Would you like to proceed with commit? (y or n)
Commit job 2 is in progress. Use Ctrl+C to return to command prompt
..................................55%.....70%...98%.................100%
Configuration committed successfully
When High-availability ha1/ha1-backup port is configured to 'management', the 'heartbeat-backup' configuration is unnecessary and therefore ignored(Module: ha_agent)
[edit]
test-user@PA-200-first(active)#
test-user@PA-200-first(active)# run show session info
target-dp: *.dp0
--------------------------------------------------------------------------------
Number of sessions supported: 65534
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Session table utilization: 0%
Number of sessions created since bootup: 0
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3000 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 20 secs
ICMP default timeout: 5 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------
[edit]
test-user@PA-200-first(active)#GUI
【GUI】セッションのタイムアウトを確認する方法
↓「Device」 → 「セットアップ」 → 「セッション」に移動し、「セッションタイムアウト」で現在の値を確認できます。
【GUI】セッションタイムアウトの変更方法【恒久】
「Device」 → 「セットアップ」 → 「セッション」に移動し、「セッションタイムアウト」の右上の歯車をクリックし、該当の項目の値を変更します。
例では、TCPを3600から3000秒、UDPを30秒から20秒、ICMPを6秒から5秒に変更しています。
セッションタイムアウトを変更されました。
コンフィグの差分比較をして、問題なければcommitをすれば完了です。
まとめ
最後にまとめになります!
- 「show session info」でセッションタイムアウトの値を確認可能!
- CLIでは一時的なタイムアウト値の設定と恒久的な設定が可能!
- GUIでは恒久的な設定のみが可能!
以上!
