Paloalto

【Paloalto】セッションのタイムアウトを確認・変更する方法【CLI,GUI】

【Paloalto】セッションのタイムアウトを確認・変更する方法

paloalto(PA-200)で検証を行っています。
今回はPaloalto(PA-200)で、セッションのタイムアウトを確認・変更する方法(CLI、GUI)をまとめていきます!

  • 機種はPA-200
  • OSのバージョンはsw-version: 8.0.19

CLI

【CLI】セッションのタイムアウトを確認する方法

↓CLIでセッションのタイムアウトを確認するコマンド

<オペレーションモード>
show session info

【Paloalto公式】Tips & Tricks: Session Timeouts

↓コマンドの出力結果となります。いくつか確認できる重要項目をまとめておきます。
詳しい設定項目の内容は公式サイトで対象の管理者ガイドを確認してください。

Number of active TCP sessions: XXActiveなTCPセッションの数
Session table utilization: XX%セッションテーブルの使用率
Throughput: XX kbpsスループット。ただshow system statistics sessionのがより正確な値。「show session info」では単一のデータプレーン(↓の表示のdp0)のスループットしか表示されていない。各コマンドの違いはリンク参照
TCP default timeout: XX secsTCPのデフォルトのタイムアウト値
UDP default timeout: XX secsUDPのデフォルトのタイムアウト値
ICMP default timeout: XX secsICMPのデフォルトのタイムアウト値
admin@PA-200-first>admin@PA-200-first> show session info

target-dp:                                       *.dp0
--------------------------------------------------------------------------------
Number of sessions supported:                    65534
Number of allocated sessions:                    0
Number of active TCP sessions:                   0
Number of active UDP sessions:                   0
Number of active ICMP sessions:                  0
Number of active GTPc sessions:                  0
Number of active GTPu sessions:                  0
Number of pending GTPu sessions:                 0
Number of active BCAST sessions:                 0
Number of active MCAST sessions:                 0
Number of active predict sessions:               0
Session table utilization:                       0%
Number of sessions created since bootup:         0
Packet rate:                                     0/s
Throughput:                                      0 kbps
New connection establish rate:                   0 cps
--------------------------------------------------------------------------------
Session timeout
  TCP default timeout:                           3600 secs
  TCP session timeout before SYN-ACK received:      5 secs
  TCP session timeout before 3-way handshaking:    10 secs
  TCP half-closed session timeout:                120 secs
  TCP session timeout in TIME_WAIT:                15 secs
  TCP session delayed ack timeout:                250 millisecs
  TCP session timeout for unverified RST:          30 secs
  UDP default timeout:                             30 secs
  ICMP default timeout:                             6 secs
  other IP default timeout:                        30 secs
  Captive Portal session timeout:                  30 secs
  Session timeout in discard state:
    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging:                       True
  Accelerated aging threshold:                   80% of utilization
  Scaling factor:                                2 X
--------------------------------------------------------------------------------
Session setup
  TCP - reject non-SYN first packet:             True
  Hardware session offloading:                   True
  Hardware UDP session offloading:               True
  IPv6 firewalling:                              True
  Strict TCP/IP checksum:                        True
  Strict TCP RST sequence:                       True
  Reject TCP small initial window:               False
  ICMP Unreachable Packet Rate:                  200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
  Timeout to determine application trickling:    10 secs
  Resource utilization threshold to start scan:  80%
  Scan scaling factor over regular aging:        8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate                         : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session   : 0
--------------------------------------------------------------------------------

admin@PA-200-first>

【CLI】セッションタイムアウトの変更方法【一時的】

<オペレーションモード>
set session timeout-tcp <1-15999999>
set session timeout-udp <1-15999999>
set session timeout-icmp <1-15999999>
set session timeout-default <1-15999999>
set session timeout-tcpinit <1-60>
set session timeout-tcphandshake <1-60>
set session timeout-tcp-half-closed <1-604800>
set session timeout-tcp-unverified-rst <1-600>
set session timeout-tcp-time-wait <1-600>
set session timeout-captive-portal <1-15999999>
set session timeout-scan <5-30>
set session timeout-discard-tcp <1-15999999>
set session timeout-discard-udp <1-15999999>
set session timeout-discard-default <1-15999999>

以下は実行結果になります。

例では、TCPを3600から3000秒、UDPを30秒から20秒、ICMPを6秒から5秒に変更しています。※再起動をすると設定が消えます。なおGUIの表示には反映されません。

test-user@PA-200-first(active)> set session timeout-udp 20 
test-user@PA-200-first(active)> set session timeout-tcp 3000 
test-user@PA-200-first(active)> set session timeout-icmp 5


■変更がcommitせずとも反映された
test-user@PA-200-first(active)> show session info 
target-dp:                                       *.dp0 
-------------------------------------------------------------------------------- 
Number of sessions supported:                    65534 
Number of allocated sessions:                    0 
Number of active TCP sessions:                   0 
Number of active UDP sessions:                   0 
Number of active ICMP sessions:                  0 
Number of active GTPc sessions:                  0 
Number of active GTPu sessions:                  0 
Number of pending GTPu sessions:                 0 
Number of active BCAST sessions:                 0 
Number of active MCAST sessions:                 0 
Number of active predict sessions:               0 
Session table utilization:                       0% 
Number of sessions created since bootup:         0 
Packet rate:                                     0/s 
Throughput:                                      0 kbps 
New connection establish rate:                   0 cps 
-------------------------------------------------------------------------------- 
Session timeout 
  TCP default timeout:                           3000 secs 
  TCP session timeout before SYN-ACK received:      5 secs 
  TCP session timeout before 3-way handshaking:    10 secs 
  TCP half-closed session timeout:                120 secs 
  TCP session timeout in TIME_WAIT:                15 secs 
  TCP session delayed ack timeout:                250 millisecs 
  TCP session timeout for unverified RST:          30 secs 
  UDP default timeout:                             20 secs 
  ICMP default timeout:                             5 secs 
  other IP default timeout:                        30 secs 
  Captive Portal session timeout:                  30 secs 
  Session timeout in discard state: 
    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs 
-------------------------------------------------------------------------------- 
Session accelerated aging:                       True 
  Accelerated aging threshold:                   80% of utilization 
  Scaling factor:                                2 X 
-------------------------------------------------------------------------------- 
Session setup 
  TCP - reject non-SYN first packet:             True 
  Hardware session offloading:                   True 
  Hardware UDP session offloading:               True 
  IPv6 firewalling:                              True 
  Strict TCP/IP checksum:                        True 
  Strict TCP RST sequence:                       True 
  Reject TCP small initial window:               False 
  ICMP Unreachable Packet Rate:                  200 pps 
-------------------------------------------------------------------------------- 
Application trickling scan parameters: 
  Timeout to determine application trickling:    10 secs 
  Resource utilization threshold to start scan:  80% 
  Scan scaling factor over regular aging:        8 
-------------------------------------------------------------------------------- 
Session behavior when resource limit is reached: drop 
-------------------------------------------------------------------------------- 
Pcap token bucket rate                         : 10485760 
-------------------------------------------------------------------------------- 
Max pending queued mcast packets per session   : 0 
-------------------------------------------------------------------------------- 
test-user@PA-200-first(active)>

【CLI】セッションタイムアウトの変更方法【恒久】

configure
set deviceconfig setting session timeout-tcp 3000
set deviceconfig setting session timeout-udp 20
set deviceconfig setting session timeout-icmp 5
run show config diff
commit

以下は実行結果になります。

例では、TCPを3600から3000秒、UDPを30秒から20秒、ICMPを6秒から5秒に変更しています。

test-user@PA-200-first(active)> configure 
Entering configuration mode 
[edit] 
test-user@PA-200-first(active)# set deviceconfig setting session timeout-tcp 3000 
[edit] 
test-user@PA-200-first(active)# set deviceconfig setting session timeout-udp 20 
[edit] 
test-user@PA-200-first(active)# set deviceconfig setting session timeout-icmp 5 
[edit] 
test-user@PA-200-first(active)# run show config diff 
 set config devices localhost.localdomain deviceconfig setting config rematch yes 
 set config devices localhost.localdomain deviceconfig setting management hostname-type-in-syslog FQDN 
 set config devices localhost.localdomain deviceconfig setting management admin-lockout failed-attempts 5 
+set config devices localhost.localdomain deviceconfig setting session timeout-tcp 3000 
+set config devices localhost.localdomain deviceconfig setting session timeout-udp 20 
+set config devices localhost.localdomain deviceconfig setting session timeout-icmp 5 
 set config devices localhost.localdomain deviceconfig high-availability group 10 peer-ip 192.168.2.151 
 set config devices localhost.localdomain deviceconfig high-availability group 10 peer-ip-backup 10.0.0.2 
 set config devices localhost.localdomain deviceconfig high-availability group 10 mode active-passive passive-link-state auto 
[edit] 
test-user@PA-200-first(active)# commit 
WARNING: The running configuration is not currently synchronized to the HA peer, and therefore, this commit will only be applied to the local device. 
Please synchronize the peers by running 'request high-availability sync-to-remote running-config' first. 
Would you like to proceed with commit? (y or n) 
Commit job 2 is in progress. Use Ctrl+C to return to command prompt 
..................................55%.....70%...98%.................100% 
Configuration committed successfully 
When High-availability ha1/ha1-backup port is configured to 'management', the 'heartbeat-backup' configuration is unnecessary and therefore ignored(Module: ha_agent) 
[edit] 
test-user@PA-200-first(active)#

test-user@PA-200-first(active)# run show session info 
target-dp:                                       *.dp0 
-------------------------------------------------------------------------------- 
Number of sessions supported:                    65534 
Number of allocated sessions:                    0 
Number of active TCP sessions:                   0 
Number of active UDP sessions:                   0 
Number of active ICMP sessions:                  0 
Number of active GTPc sessions:                  0 
Number of active GTPu sessions:                  0 
Number of pending GTPu sessions:                 0 
Number of active BCAST sessions:                 0 
Number of active MCAST sessions:                 0 
Number of active predict sessions:               0 
Session table utilization:                       0% 
Number of sessions created since bootup:         0 
Packet rate:                                     0/s 
Throughput:                                      0 kbps 
New connection establish rate:                   0 cps 
-------------------------------------------------------------------------------- 
Session timeout 
  TCP default timeout:                           3000 secs 
  TCP session timeout before SYN-ACK received:      5 secs 
  TCP session timeout before 3-way handshaking:    10 secs 
  TCP half-closed session timeout:                120 secs 
  TCP session timeout in TIME_WAIT:                15 secs 
  TCP session delayed ack timeout:                250 millisecs 
  TCP session timeout for unverified RST:          30 secs 
  UDP default timeout:                             20 secs 
  ICMP default timeout:                             5 secs 
  other IP default timeout:                        30 secs 
  Captive Portal session timeout:                  30 secs 
  Session timeout in discard state: 
    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs 
-------------------------------------------------------------------------------- 
Session accelerated aging:                       True 
  Accelerated aging threshold:                   80% of utilization 
  Scaling factor:                                2 X 
-------------------------------------------------------------------------------- 
Session setup 
  TCP - reject non-SYN first packet:             True 
  Hardware session offloading:                   True 
  Hardware UDP session offloading:               True 
  IPv6 firewalling:                              True 
  Strict TCP/IP checksum:                        True 
  Strict TCP RST sequence:                       True 
  Reject TCP small initial window:               False 
  ICMP Unreachable Packet Rate:                  200 pps 
-------------------------------------------------------------------------------- 
Application trickling scan parameters: 
  Timeout to determine application trickling:    10 secs 
  Resource utilization threshold to start scan:  80% 
  Scan scaling factor over regular aging:        8 
-------------------------------------------------------------------------------- 
Session behavior when resource limit is reached: drop 
-------------------------------------------------------------------------------- 
Pcap token bucket rate                         : 10485760 
-------------------------------------------------------------------------------- 
Max pending queued mcast packets per session   : 0 
-------------------------------------------------------------------------------- 
[edit] 
test-user@PA-200-first(active)#

GUI

【GUI】セッションのタイムアウトを確認する方法

「Device」 → 「セットアップ」 → 「セッション」に移動し、「セッションタイムアウト」で現在の値を確認できます。

【GUI】セッションタイムアウトの変更方法【恒久】

「Device」 → 「セットアップ」 → 「セッション」に移動し、「セッションタイムアウト」の右上の歯車をクリックし、該当の項目の値を変更します。

例では、TCPを3600から3000秒、UDPを30秒から20秒、ICMPを6秒から5秒に変更しています。

セッションタイムアウトを変更されました。
コンフィグの差分比較をして、問題なければcommitをすれば完了です。

まとめ

最後にまとめになります!

  • 「show session info」でセッションタイムアウトの値を確認可能!
  • CLIでは一時的なタイムアウト値の設定と恒久的な設定が可能!
  • GUIでは恒久的な設定のみが可能!

以上!

おすすめの関連記事