PANW-AG-000052 - The Palo Alto Networks security platform must terminate communications sessions after 15 minutes of inactivity.

Information

Idle sessions can accumulate, leading to an exhaustion of memory in network elements processing traffic flows.
Note that the 15 minute period is a maximum value; Administrators can choose shorter timeout values to account for system- or network-specific requirements.

On a Palo Alto Networks security platform, a session is defined by two uni-directional flows, each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone. Besides the six attributes that identify a session, each session has few more notable identifiers: end hosts - the source IP and destination IP which will be marked as client(source IP) and server(destination IP) and flow direction - each session is bi-directional and is identified by a two uni-directional flows, the first flow is client-to-server(c2s) and the returning flow is server-to-client(s2c).

Sessions between endpoints are kept active by either normal traffic or by keepalive messages (also sometimes referred to as heartbeat messages). On the Palo Alto Networks security platform, the session timeout period is the time (seconds) required for the application to time out due to inactivity. Session timeouts are configured globally and on a per-application basis. When configured, timeouts for an application override the global TCP or UDP session timeouts.

Solution

To configure the global values:
Go to Device >> Setup >> Session
In the 'Session Timeouts' pane, select the 'Edit' icon (the gear symbol in the upper-right corner of the pane).
In the 'TCP' field, enter '900'.
Select 'OK'.

To configure application-specific values:
Go to Objects >> Applications
Select an application name to view additional details about the application.
To search for a specific application, enter the 'application name' or 'description' in the 'Search' field.
In the 'Application' window, in the 'Options' pane, in the 'TCP Timeout' field, select 'Customize'.
In the Application specific window, in the 'TCP' and 'UDP Timeout' fields, enter '900' if the existing value is greater than '900'. Many applications will not have one of these two fields.
Select 'OK'.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-10, CAT|II, CCI|CCI-001133, Rule-ID|SV-228846r971530_rule, STIG-ID|PANW-AG-000052, STIG-Legacy|SV-77065, STIG-Legacy|V-62575, Vuln-ID|V-228846

Plugin: Palo_Alto

Control ID: 347752d61c7bb77478c5f571dc6b28c442cc0e595c735c85720f6d5b6cbfdb36