
[ScreenOS] Session Timeout Behavior on Custom Services

Article ID: KB6674 KB Last Updated: 20 Feb 2013Version: 5.0
Summary:

Session Timeout Behavior on Custom Services

Symptoms:

  • Session does not terminate after the Custom Service timeouts are reached
  • Session terminates before the Custom Service timeouts are reached
  • How do Custom Service Timeouts work?
  • When same destination port is defined in multiple services with custom timeout

Cause:

Solution:

Notes:

  • This article applies to ScreenOS 5.3r3 and below.
  • In ScreenOS 5.3r4 and above, policies with service ANY will always use the timeout defined by the predefined service for a specific port when a specific predefined service exists.  If no specific predefined service exists, ScreenOS will use the last specific custom service defined for the port.  If no specific custom service exists, then the TCP or UDP any service timeouts are used.  For more information refer to KB11970 - What is the logic for service timeout lookup in ScreenOS; how is the timeout set when a session is created? 


When you create multiple custom services that share the destination port of a predefined or user-defined service (for example, port 22 for SSH defined under several custom services: ssh-5min, ssh-10min, ssh-100min), the services are loaded into the system's memory by port number, not by service name (service names are for people), and a timeout value is associated with the port.

Below is an example of how the service timeout behaves when the same port is used in multiple policies:

Custom Services:

  • ssh-5min port 22, timeout 5 min
  • ssh-10min port 22, timeout 10 min
  • ssh-100min port 22, timeout 100 min

Policies where the above custom services are used:

  • policy id 1 from zone1 to zone2 10.1.10.0/24 1.1.1.0/24 ssh-10min permit
  • policy id 2 from zone1 to zone2 10.2.2.0/24 any ssh-100min permit
  • policy id 3 from zone1 to zone2 10.5.5.0/24 any ssh-5min permit
  • policy id 4 from zone1 to zone2 any any any permit

What happens when traffic is generated for the above policies:

  • a packet hitting policy 1 on port 22 will have a service timeout of 10 min
  • a packet hitting policy 2 on port 22 will have a service timeout of 100 min
  • a packet hitting policy 3 on port 22 will have a service timeout of 5 min
  • a packet hitting policy 4 on port 22 will use the custom SSH service configured/loaded last in the firewall's memory

A custom service group, containing predefined and/or custom services, will always use the timeout setting of the service configured/loaded last in the firewall's memory. For example, if a custom service group contains the predefined SSH, "ssh-5min", and "ssh-100min", the timeout setting of ssh-100min will be used if it is the very last one loaded on the firewall.
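The lookup rules above (a policy naming one custom service uses that service's timeout; service ANY and service groups resolve by port and take the matching service loaded last, for 5.3r3 and below) and the 5.3r4+ rule from the Notes (predefined service first, then the last custom service, then the TCP/UDP any timeout) can be modelled in a few lines. The following Python is an added example written for this article, not ScreenOS code or a Juniper tool; the service and policy data is constructed to mirror the example above, the predefined SSH entry with a 30-minute timeout and the TCP/UDP "any" defaults are assumptions, and destination addresses and zones are not modelled.

```python
"""Model of how ScreenOS picks a session timeout from the matching policy.

Added illustrative example, not ScreenOS code. It encodes the article's rules:
  * a policy naming one specific service uses that service's timeout;
  * service ANY or a service group resolves by destination port and uses the
    matching service loaded last into memory (ScreenOS 5.3r3 and below);
  * in 5.3r4 and above, service ANY prefers a predefined service for the port,
    then the last custom service, then the TCP/UDP "any" default.
"""
import ipaddress
from dataclasses import dataclass

# Assumed protocol-level "any" timeouts in minutes (not stated in the article).
PROTO_ANY_TIMEOUT_MIN = {"tcp": 30, "udp": 1}


@dataclass(frozen=True)
class Service:
    name: str
    proto: str          # "tcp" or "udp"
    port: int           # destination port
    timeout_min: int
    predefined: bool = False


@dataclass(frozen=True)
class Policy:
    pid: int
    src: str            # source CIDR or "any"
    service: str        # service name, service-group name or "any"


def timeout_for_port(services, proto, port, legacy=True):
    """Resolve a timeout when the policy's service is ANY.

    `services` is in load order, so the last matching entry is the one
    "loaded last into memory" that the article refers to.
    """
    matches = [s for s in services if s.proto == proto and s.port == port]
    if not legacy:  # 5.3r4+: a predefined service for the port wins
        predefined = [s for s in matches if s.predefined]
        if predefined:
            return predefined[-1].name, predefined[-1].timeout_min
    custom = [s for s in matches if not s.predefined]
    if custom:      # last custom service loaded for this port
        return custom[-1].name, custom[-1].timeout_min
    if matches:     # only a predefined service exists for this port
        return matches[-1].name, matches[-1].timeout_min
    return f"{proto.upper()}-any", PROTO_ANY_TIMEOUT_MIN[proto]


def session_timeout(policies, services, groups, src_ip, proto, port, legacy=True):
    """Return (policy id, service name, timeout minutes) for a new session.

    Policies are evaluated top-down and the first match wins, as in ScreenOS.
    Returns None when no policy permits the session.
    """
    by_name = {s.name: s for s in services}
    load_index = {s.name: i for i, s in enumerate(services)}
    ip = ipaddress.ip_address(src_ip)
    for pol in policies:
        if pol.src != "any" and ip not in ipaddress.ip_network(pol.src):
            continue
        if pol.service == "any":
            name, t = timeout_for_port(services, proto, port, legacy)
            return pol.pid, name, t
        if pol.service in groups:
            members = [by_name[n] for n in groups[pol.service]
                       if by_name[n].proto == proto and by_name[n].port == port]
            if not members:
                continue  # group does not cover this port, policy does not match
            last = max(members, key=lambda s: load_index[s.name])  # loaded last
            return pol.pid, last.name, last.timeout_min
        svc = by_name[pol.service]
        if svc.proto == proto and svc.port == port:
            return pol.pid, svc.name, svc.timeout_min
    return None


# Constructed data mirroring the article's example, in load order. The
# predefined SSH service and its 30-minute timeout are assumptions.
SERVICES = [
    Service("SSH", "tcp", 22, 30, predefined=True),
    Service("ssh-5min", "tcp", 22, 5),
    Service("ssh-10min", "tcp", 22, 10),
    Service("ssh-100min", "tcp", 22, 100),
]
GROUPS = {"ssh-grp": ["SSH", "ssh-5min", "ssh-100min"]}
POLICIES = [
    Policy(1, "10.1.10.0/24", "ssh-10min"),
    Policy(2, "10.2.2.0/24", "ssh-100min"),
    Policy(3, "10.5.5.0/24", "ssh-5min"),
    Policy(4, "any", "any"),
]
POLICIES_WITH_GROUP = [Policy(5, "10.7.7.0/24", "ssh-grp")] + POLICIES

if __name__ == "__main__":
    for src in ("10.1.10.5", "10.2.2.5", "10.5.5.5", "10.9.9.9"):
        print(src, session_timeout(POLICIES, SERVICES, GROUPS, src, "tcp", 22))
    print("5.3r4+:", session_timeout(POLICIES, SERVICES, GROUPS, "10.9.9.9", "tcp", 22, legacy=False))
    print("group:", session_timeout(POLICIES_WITH_GROUP, SERVICES, GROUPS, "10.7.7.5", "tcp", 22))
```

Reordering `SERVICES` (for example, moving `ssh-5min` to the end) changes the result for policy 4 and for the group policy without touching any policy, which is exactly the surprise the Symptoms list describes: on 5.3r3 and below the effective timeout for a port-22 session under a service ANY policy depends on configuration load order, not on the policy. Passing `legacy=False` shows the 5.3r4+ behaviour, where the predefined SSH service takes precedence.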
