Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Palo Alto Networks ALG Security Technical Implementation Guide
SRG-NET-000213-ALG-000107
The Palo Alto Networks security platform must terminate communications sessions after 15 minutes of inactivity.
The Palo Alto Networks security platform must terminate communications sessions after 15 minutes of inactivity.
An XCCDF Rule
Details
Profiles
Prose
The Palo Alto Networks security platform must terminate communications sessions after 15 minutes of inactivity.
Medium Severity
<VulnDiscussion>Idle sessions can accumulate, leading to an exhaustion of memory in network elements processing traffic flows. Note that the 15 minute period is a maximum value; Administrators can choose shorter timeout values to account for system- or network-specific requirements. On a Palo Alto Networks security platform, a session is defined by two uni-directional flows, each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone. Besides the six attributes that identify a session, each session has few more notable identifiers: end hosts - the source IP and destination IP which will be marked as client(source IP) and server(destination IP) and flow direction - each session is bi-directional and is identified by a two uni-directional flows, the first flow is client-to-server(c2s) and the returning flow is server-to-client(s2c). Sessions between endpoints are kept active by either normal traffic or by keepalive messages (also sometimes referred to as heartbeat messages). On the Palo Alto Networks security platform, the session timeout period is the time (seconds) required for the application to time out due to inactivity. Session timeouts are configured globally and on a per-application basis. When configured, timeouts for an application override the global TCP or UDP session timeouts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>