RE: [FW1] tcp session timeout
An article at www.phoneboy.com gives the same solution for the timeout
problem but slightly different. Here is a copy of that article.
David
<<tcp-timeout.txt>>
> -----Original Message-----
> From: Joe Matusiewicz [SMTP:[email protected]]
> Sent: Thursday, January 25, 2001 10:03 AM
> To: Johan Strom; Quentin Antrim;
> [email protected]
> Subject: Re: [FW1] tcp session timeout
>
>
>
> I'm having a similar problem with users who are using SecuRemote
> complaining that their sqlnet2 sessions are timing out prematurely even
> though I have the SecuRemote timeout set to two hours. Does anyone know if
> the following fix may solve this problem?
>
>
> -- Joe
>
>
> At 05:21 AM 1/25/01, Johan Strom wrote:
>
> >Hi Quentin.
> >
> >We had the same problem and the session dropped after 1 hour. Yes, the policy
> >properties has an entry tcp session timeout 3600 sec.
> >What we did was a change in the init.def file as follows:
> >
> >#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)
> >
> >(
> > <0> in tcp_timeouts
> >) or (
> > ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
> > ADD_TCP_TIMEOUT(1521,28800), /* **** add this line and the timeout
> >                                 will be 8 hours instead */
> > ADD_TCP_TIMEOUT(0,0)
> >);
> >
> >
> >#endif /* __init_def__ */
> >
> >The init.def file is located in $FWDIR/lib/
> >
> >This is the only way to change the tcp timeout for a specific port.
> >
> >I hope this helps.
> >
> >Regards
> >
> >Johan
> >----- Original Message -----
> >From: "Quentin Antrim" <[email protected]>
> >To: <[email protected]>
> >Sent: Wednesday, January 24, 2001 10:59 PM
> >Subject: [FW1] tcp session timeout
> >
> >
> > >
> > > I've got a problem with what I think is a TCP session timeout between
> > > two servers on either side of a Checkpoint Firewall. Here's the scenario:
> > > Checkpoint FW-1 SP3. Web server on one side of the firewall, an
> > > oracle database on the other side using Net8. Have a rule allowing the web
> > > server to contact the oracle server via sqlnet2 service.
>
>
>
TCP Timeout for a Specific Service
Q:
Is there a way to set the timeout for a specific service? For instance, I
want to make the timeout value for an HTTP connection 100 seconds whereas
I'd like to have the rest of my services have a timeout value of 1800
seconds.
A:
This can be done for simple TCP services. For non-simple TCP services that
FireWall-1 handles (e.g. RealAudio or SQLNet 2), you will need to search
through $FWDIR/lib/*.def (and $FWDIR/lib30/*.def in FireWall-1 4.x) for
code that relates to that service and change occurrences of TCP_TIMEOUT to
whatever value (in seconds) you want the service to have. Once the
prerequisite changes have been made on the management console, you will
need to re-install your security policy for this to take effect.
* FireWall-1 3.x
* FireWall-1 4.x
* Timeouts Beyond 2 Hours
* Additional Changes for NAT
* Verifying Changes
FireWall-1 3.x
In FireWall-1 3.0, the following macro in base.def needs to be changed:
#define TCP_ESTABLISHED_RECORD(con,key,type) \
( \
((type & _TCP_ESTABLISHED) = 0, not_first, \
set type (type | _TCP_ESTABLISHED), \
record <con;key,type @TCP_TIMEOUT > in connections \
) or 1 \
)
This macro sets the TCP timeout for simple TCP connections: it records
TCP_TIMEOUT as the connection's timeout value, which in this case is 1800
seconds, as set in the GUI.
If you want http to have a timeout of 100 seconds, change it so it reads:
#define TCP_ESTABLISHED_RECORD(con,key,type) \
( \
((type & _TCP_ESTABLISHED) = 0, not_first, \
set type (type | _TCP_ESTABLISHED), \
((dport = 80, record <con;key,type @100 > in connections) \
or record <con;key,type @TCP_TIMEOUT> in connections) \
) or 1 \
)
This means:
* When the destination port is 80 (i.e. HTTP connections), set the
timeout to 100 seconds.
* For all other connections, set the timeout to TCP_TIMEOUT seconds.
FireWall-1 4.x
In FireWall-1 4.0, if you want to set the FTP Control Connection timeout,
edit the following line in $FWDIR/lib/init.def:
#define FTP_CONTROL_TIMEOUT timeout
where timeout is the timeout value in seconds. For other services, add the
following line (including the comma) in $FWDIR/lib/init.def:
ADD_TCP_TIMEOUT(port,timeout),
Right before the line that says:
ADD_TCP_TIMEOUT(0,0)
Where port specifies the TCP port and timeout specifies the number of
seconds.
Timeouts Beyond 2 Hours
I've had problems setting timeouts beyond two hours. You may be able to get
around this limitation by specifying the timeout as 3600 * n above (not the
actual result of the multiplication, but actually using 3600*n), where n is
the number of hours.
Additional Changes for NAT
If you are also doing NAT and you are increasing a timeout for a service
past 2 hours, you also need to perform the following additional
modifications on your firewall module. The following can be done on a
Solaris machine (Check Point has yet to tell me how to do this on an NT
box, so don't ask. ;-)
echo "fwx_tcp_expiration?W 0x<num>" | adb -w -k /dev/ksyms /dev/mem
echo "fwx_udp_expiration?W 0x<num>" | adb -w -k /dev/ksyms /dev/mem
where <num> is the number of seconds you'd like to keep hidden connections,
converted to hex.
For example, to make the tcp timeout 14,000 seconds type:
echo "fwx_tcp_expiration?W 0x36B0" | adb -w -k /dev/ksyms /dev/mem
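The following is an added example, not code from phoneboy.com or Check Point. It generates the three kinds of change the sections above describe (the 4.x init.def ADD_TCP_TIMEOUT block, the 3.x base.def record chain, and the Solaris adb writes for NAT) from one port-to-timeout map, writing anything past two hours in the unexpanded 3600*n form; applying that form inside the 3.x record expression is an assumption, since the page only shows it for ADD_TCP_TIMEOUT.

```python
"""Generate the FireWall-1 per-service TCP timeout edits described above.

Added illustration, not Check Point's or phoneboy.com's code. Encodes the
page's rules: ADD_TCP_TIMEOUT(port,timeout) lines go right before
ADD_TCP_TIMEOUT(0,0) in $FWDIR/lib/init.def (4.x); the 3.x base.def record
chain tests dport; the Solaris NAT kernel variables take seconds in hex.
"""


def inspect_timeout(seconds):
    """Render a timeout literal. Beyond 7200 s the page recommends the
    unexpanded form 3600*n (n whole hours); smaller values go in as-is."""
    if seconds <= 7200:
        return str(seconds)
    hours, rem = divmod(seconds, 3600)
    if rem:
        raise ValueError("timeouts beyond 2 hours must be whole hours")
    return f"3600*{hours}"


def init_def_lines(timeouts):
    """FireWall-1 4.x: ADD_TCP_TIMEOUT block for init.def, terminator included."""
    lines = [f"    ADD_TCP_TIMEOUT({port},{inspect_timeout(t)}),"
             for port, t in sorted(timeouts.items())]
    return lines + ["    ADD_TCP_TIMEOUT(0,0)"]


def base_def_record(timeouts):
    """FireWall-1 3.x: the record expression inside TCP_ESTABLISHED_RECORD,
    one dport test per service, falling through to TCP_TIMEOUT (assumed form)."""
    expr = "record <con;key,type @TCP_TIMEOUT> in connections"
    for port, t in sorted(timeouts.items(), reverse=True):
        expr = (f"((dport = {port}, record <con;key,type @{inspect_timeout(t)}>"
                f" in connections) or {expr})")
    return expr


def nat_adb_commands(seconds):
    """Solaris adb writes for hidden (NAT) connection expiry, value in hex."""
    hexval = f"0x{seconds:X}"
    return [f'echo "{var}?W {hexval}" | adb -w -k /dev/ksyms /dev/mem'
            for var in ("fwx_tcp_expiration", "fwx_udp_expiration")]


if __name__ == "__main__":
    wanted = {80: 100, 1521: 28800}  # constructed: HTTP 100 s, SQL*Net 8 h
    print("\n".join(init_def_lines(wanted)))
    print(base_def_record(wanted))
    print("\n".join(nat_adb_commands(14000)))
```

Paste the init.def lines in place of the existing ADD_TCP_TIMEOUT(0,0) line and re-install the policy, then check the last column of 'fw tab -u -t connections' as the next section describes.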
Verifying Changes
If you look at the output of 'fw tab -u -t connections', the last column
shows you the connection timeout value.
------------------------------------------------------------------------
Last Modified: Sunday, 09-Jan-2000 12:33:44 PST
(C)2000 Dameon D. Welch, All Rights Reserved.
Your corrections, suggestions, and submissions are welcome. Email to
[email protected].