[j-nsp] Security-flow TCP idle timeout at SRX

Misha Gzirishvili misha.gzirishvili at gmail.com
Wed Feb 6 06:09:01 EST 2013


As Anton mentioned, you should use a custom-defined application in the security
policy.
Or you can alter the default application by creating a custom application with
the same name (for example: set applications application junos-http
protocol tcp destination-port 80 inactivity-timeout 84600). This method
allows you to avoid changing application names in policies.

And the value 100000 is out of range if memory serves. The maximum is 24 hours on
Junos 11.1.


On Fri, Feb 1, 2013 at 12:28 PM, Robert Hass <robhass at gmail.com> wrote:

> Hi
>
> I have an issue with one of our applications. We have two security zones: LAN
> and Servers.  Computers from LAN are connecting to Servers on port TCP/2020
> (it's a CTI application).  Users reported that they have to re-logon due to
> idle timeout - I checked security logs on the SRX and sessions were disconnected
> due to tcp idle-timeout, whose default is 30 minutes.  How can I increase
> this timeout for connections to TCP/2020?
>
> Will the below configuration be sufficient:
>
> security {
>  policies {
>   from-zone lan to-zone servers {
>     policy 1 {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>             log {
>                 session-init;
>                 session-close;
>             }
>             count;
>         }
>      }
>   }
>   from-zone servers to-zone lan {
>     policy 1 {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>             log {
>                 session-init;
>                 session-close;
>             }
>             count;
>         }
>       }
>    }
>  }
> }
> applications {
>   application myapp {
>     protocol tcp;
>     destination-port 2020;
>     inactivity-timeout 100000;
>   }
> }
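The fix Anton and Misha describe, written out as an added example (not configuration from either poster): the custom application carries the inactivity timeout, and the policy references it instead of `application any`, since a timeout on an application that no policy matches never takes effect. The names `cti-app` and `cti-2020` are assumptions; 86400 s is the 24-hour maximum Misha mentions.

```junos
/* Constructed example, not the original poster's configuration. */
applications {
    application cti-app {
        protocol tcp;
        destination-port 2020;
        /* 24 hours = 86400 seconds, the upper bound Misha refers to;
           100000 would be rejected at commit time. */
        inactivity-timeout 86400;
    }
}
security {
    policies {
        from-zone lan to-zone servers {
            /* Must be evaluated before the catch-all "policy 1",
               otherwise TCP/2020 still matches "application any"
               and keeps the default 1800 s timeout. */
            policy cti-2020 {
                match {
                    source-address any;
                    destination-address any;
                    application cti-app;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
```

If this is merged into an existing configuration the new policy is appended after `policy 1`, so run `insert security policies from-zone lan to-zone servers policy cti-2020 before policy 1` before committing; afterwards `show security flow session destination-port 2020` should report the new Timeout value for the CTI sessions.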

