Channel: VMware Communities : All Content - vCloud Networking and Security

vShield Edge firewall: Connection state tracking table timeout adjustable?

I am surprised that this is not mentioned anywhere but network security folks here may know that stateful firewalls such as vShield Edge need to maintain a table of all known established (accepted) sessions so that related packets can be accepted. To avoid this table growing into infinity, a timer is associated with each entry in this table which gets refreshed every time a related packet passes through. If a connection stays silent past a defined 'timeout' value, its entry is removed from the state table.

This works fairly well for protocols which establish sessions on the fly as they are needed, and tear them down immediately afterwards. It works less well with protocols that are long-lived but low frequency, such as an SSH connection. Hence, commercial firewalls have a tunable setting for this timeout value, which can be (and often is) set to many hours.

However, in vShield Edge's case there is no documented way to tweak this setting, and it is indeed quite low - it seems to be around 5 minutes, which is an old default from many other implementations. 5 minutes is extremely aggressive however, and causes all sorts of annoyances, including the need to constantly restart SSH connections (a 5 minute timeout means that a coffee break is enough to drop your SSH session).

Does anyone know where this value is stored and if perhaps there is a way of adjusting it?
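The mechanism the question describes (a state table whose per-entry idle timer is refreshed by every matching packet and whose expiry drops later packets of the session) can be modelled in a few lines. The following is an added illustration written for this page, not vShield Edge code or anything from VMware: the table layout, the 5-tuple key, the constructed addresses and the 5 minute / 8 hour timeouts are assumptions chosen to show why a long-lived but quiet SSH session survives or dies, and why a client-side keepalive shorter than the timeout keeps the entry alive.

```python
"""Model of a stateful firewall's connection-state table with idle timeouts.

Added illustration, not vShield Edge code: the table, the 5-tuple key and the
timeout values are assumptions used to show how a refreshed idle timer behaves.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Connection key: (protocol, src_ip, src_port, dst_ip, dst_port). Constructed for
# the example; a real firewall also tracks direction and the TCP state machine.
ConnKey = Tuple[str, str, int, str, int]

FIVE_MINUTES = 5 * 60          # the aggressive default the question observes
EIGHT_HOURS = 8 * 60 * 60      # an assumed "many hours" tunable value


@dataclass
class StateEntry:
    last_seen: float   # timestamp (seconds) of the last packet in either direction
    packets: int = 0   # packets matched against this entry


class StateTable:
    """Minimal connection-tracking table: entries expire after `idle_timeout`
    seconds without traffic, and any matching packet refreshes the timer."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.entries: Dict[ConnKey, StateEntry] = {}

    def _expire(self, now: float) -> None:
        # Remove every entry whose idle timer has run out at time `now`.
        stale = [k for k, e in self.entries.items()
                 if now - e.last_seen >= self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def packet(self, key: ConnKey, now: float, syn: bool = False) -> str:
        """Process one packet at time `now`. Returns 'new', 'established' or 'drop'.

        A SYN (session open) creates an entry; a non-SYN packet is accepted only
        if an unexpired entry exists, which is what makes the firewall stateful.
        """
        self._expire(now)
        entry = self.entries.get(key)
        if entry is not None:
            entry.last_seen = now      # refresh the idle timer
            entry.packets += 1
            return "established"
        if syn:
            self.entries[key] = StateEntry(last_seen=now, packets=1)
            return "new"
        return "drop"


def simulate_ssh_idle(idle_timeout: float, idle_seconds: float,
                      keepalive_interval: float = 0) -> str:
    """Open an SSH session, stay idle for `idle_seconds`, then send one packet.

    With keepalive_interval > 0, a keepalive packet is sent at that interval
    during the idle period (the effect of OpenSSH's ServerAliveInterval).
    Returns the firewall's verdict for the packet sent after the idle period.
    """
    table = StateTable(idle_timeout)
    ssh = ("tcp", "10.0.0.5", 50123, "10.0.0.10", 22)  # constructed addresses
    t = 0.0
    table.packet(ssh, t, syn=True)
    if keepalive_interval > 0:
        t += keepalive_interval
        while t < idle_seconds:
            table.packet(ssh, t)       # keepalive refreshes last_seen
            t += keepalive_interval
    return table.packet(ssh, idle_seconds)


if __name__ == "__main__":
    coffee_break = 15 * 60
    print("5 min timeout, 15 min idle:   ", simulate_ssh_idle(FIVE_MINUTES, coffee_break))
    print("5 min timeout, 60 s keepalive:", simulate_ssh_idle(FIVE_MINUTES, coffee_break, 60))
    print("8 h timeout, 15 min idle:     ", simulate_ssh_idle(EIGHT_HOURS, coffee_break))
```

The second scenario is the workaround available when the firewall's timer cannot be changed: a keepalive interval shorter than the idle timeout (OpenSSH's `ServerAliveInterval` on the client, or `ClientAliveInterval` on the server) sends traffic often enough that the entry never expires, at the cost of some background packets per session.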