This article describes the service timeout lookup logic and how the timeout is set when a session is created. Starting with ScreenOS version 5.3r3, the logic for the service timeout lookup has changed.
Prior to ScreenOS 5.3r3 (version 5.3r2 or earlier), the last configured service timeout was used for overlapping services when the policy was configured with multi-cell services or service groups.
The new logic for the service timeout lookup, when a session is created with ScreenOS 5.3r3 or later, is as follows:
(A) In the policy, if the first packet that matches is using a specified service entry other than Any, ScreenOS obtains the timeout value directly from the service entry. For example:
    set policy from trust to untrust any any telnet permit
If the policy is using a service group or is a multi-cell service policy, go to step (C).
(B) In the policy, if the first packet that matches is using the Any service and its timeout value has been configured by the user, ScreenOS obtains the value directly from the Any service. For example:
    set service any timeout 20
    set policy from trust to untrust any any any permit
Otherwise, go to step (C).
(C) ScreenOS looks up the service timeout in the service timeout table according to the destination port. If the port is not overlapped by multiple service timeouts, ScreenOS obtains the value directly. If the port is overlapped, go to step (D).
(D) If the logic reaches this step, the policy is using a service group with which the port is overlapped, or is using the Any service; if so, go to step (E). Otherwise, ScreenOS tries to find the matching service in the group referenced by the matched policy, according to the destination port.
(E) Go through all the service entries in the group. If ScreenOS finds a match, it takes the service timeout value from that entry.
(F) Go through each sub group and match all the service entries in the sub group. If ScreenOS finds a match, it takes the service timeout value from that entry.
Note: The service or services in the group are selected based on the alphabetical order of the service names defined, not on the last configured service timeout.
For example:
- Create three services with different names (such as Aservice, Bservice and Cservice), each using protocol TCP/UDP and the port range 50 to 100, and add these services to a group or use them as multiple services (multi-cell) in the policy.
- Now send traffic destined to port 80 so that it matches the policy.
- The three services that are configured will then have an overlap timeout, as port 80 is part of the range 50-100 in all the defined services.
- In this scenario, ScreenOS selects the service timeout of Aservice, as it is the first service as per the alphabetical order.
- It does not matter which service was added first or last.
To check whether a port has an overlap timeout, type the following command with the port you are interested in. In this example, port 80 is used and the output reports an overlap timeout:
Test-> get service timeout tcp port 80
overlap timeout
If there is no overlap timeout, the output shows the exact timeout value for the service:
Test-> get service timeout tcp port 22
30 : port timeout (minutes)
- The default timeout value of a user-defined service is zero. If ScreenOS obtains a zero value for the service timeout, it uses the system default service timeout for the protocol (TCP or UDP).
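The following Python model walks through steps (A) to (F) above, reproduces the overlap check shown by get service timeout, and applies the zero-means-default rule. It is an added illustration and not ScreenOS code: the data structures, the system defaults (30 minutes TCP, 1 minute UDP), the sample services (Aservice, Bservice, Cservice, SSH) and their timeouts are constructed for the example, and the way the Any service is handled at step (D) (searching all defined services) and the order in which sub groups are visited at step (F) are assumptions of the model, since the article does not spell them out.

```python
"""Added model of the ScreenOS 5.3r3+ service timeout lookup, steps (A)-(F).
Illustration code, not ScreenOS source; the defaults and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Union

SYSTEM_DEFAULT_TIMEOUT = {"tcp": 30, "udp": 1}   # assumed system defaults (minutes)


@dataclass(frozen=True)
class Service:
    """A service entry; timeout 0 means 'not configured' (default for custom services)."""
    name: str
    proto: str
    port_low: int
    port_high: int
    timeout: int = 0

    def matches(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.port_low <= port <= self.port_high


@dataclass
class ServiceGroup:
    name: str
    services: List[Service] = field(default_factory=list)
    subgroups: List["ServiceGroup"] = field(default_factory=list)


def timeout_table_lookup(table: Sequence[Service], proto: str, port: int) -> Optional[int]:
    """Step (C): None signals 'overlap timeout' (several services cover the port)."""
    hits = [s for s in table if s.matches(proto, port)]
    if len(hits) > 1:
        return None
    return hits[0].timeout if hits else 0


def get_service_timeout(table: Sequence[Service], proto: str, port: int) -> str:
    """Same answer as the CLI 'get service timeout <proto> port <n>' shown above."""
    value = timeout_table_lookup(table, proto, port)
    return "overlap timeout" if value is None else f"{value} : port timeout (minutes)"


def first_match(entries: Sequence[Service], proto: str, port: int) -> Optional[Service]:
    """Steps (E)/(F): alphabetical order of service name, not order of definition."""
    for svc in sorted(entries, key=lambda s: s.name):
        if svc.matches(proto, port):
            return svc
    return None


def resolve_session_timeout(policy_service: Union[str, Service, ServiceGroup, List[Service]],
                            table: Sequence[Service], proto: str, port: int,
                            any_timeout: int = 0) -> int:
    """Session timeout in minutes; any_timeout models 'set service any timeout N'."""
    if isinstance(policy_service, Service):
        timeout = policy_service.timeout            # Step (A): take it from the entry
    elif policy_service == "any" and any_timeout:
        timeout = any_timeout                       # Step (B): user-configured Any
    else:
        value = timeout_table_lookup(table, proto, port)   # Step (C)
        if value is not None:
            timeout = value
        else:
            # Step (D): overlapped port; choose the entries to search.
            if policy_service == "any":
                group = ServiceGroup("any", services=list(table))   # model assumption
            elif isinstance(policy_service, list):
                group = ServiceGroup("multi-cell", services=list(policy_service))
            else:
                group = policy_service
            match = first_match(group.services, proto, port)        # Step (E)
            for sub in group.subgroups:                             # Step (F)
                if match is not None:
                    break
                match = first_match(sub.services, proto, port)
            timeout = match.timeout if match is not None else 0
    return timeout or SYSTEM_DEFAULT_TIMEOUT[proto]   # 0 -> protocol default


# Constructed sample data mirroring the article's example (not a real config).
ASERVICE = Service("Aservice", "tcp", 50, 100, timeout=10)
BSERVICE = Service("Bservice", "tcp", 50, 100, timeout=20)
CSERVICE = Service("Cservice", "tcp", 50, 100, timeout=40)
SSH = Service("SSH", "tcp", 22, 22, timeout=30)
SERVICE_TABLE = [SSH, CSERVICE, BSERVICE, ASERVICE]
OVERLAP_GROUP = ServiceGroup("overlap-group", services=[CSERVICE, BSERVICE, ASERVICE])

if __name__ == "__main__":
    print(get_service_timeout(SERVICE_TABLE, "tcp", 80))                     # overlap timeout
    print(get_service_timeout(SERVICE_TABLE, "tcp", 22))                     # 30 : port timeout (minutes)
    print(resolve_session_timeout(OVERLAP_GROUP, SERVICE_TABLE, "tcp", 80))  # 10
```

Running the module shows the three outcomes the article describes: port 80 is reported as an overlap timeout, port 22 resolves to a single value, and a session hitting the overlapped group gets Aservice's timeout even though Cservice was added to the group first. Passing a list of services models a multi-cell policy, and a Service with timeout 0 falls through to the protocol default.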
The following flow chart shows how the lookup process works:
Note: Refer to the following article for a condition that does not follow the above logic:
KB17508 - Service timeout assigned to custom services other than TCP/UDP is not working as expected
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.