Understanding Policy Application Timeouts

The application timeout value you set for an application determines the session timeout. You can set the timeout threshold for a predefined or custom application; you can use the application default timeout, specify a custom timeout, or use no timeout at all. Application timeout behavior is the same in virtual systems (vsys) security domains as at the root level.

This topic covers:

• Application Timeout Configuration and Lookup
• Contingencies
• Related Topics

Application Timeout Configuration and Lookup

Application timeout values are stored in the application entry database and in the corresponding vsys TCP and UDP port-based timeout tables. When you set a application timeout value, JUNOS Software updates these tables with the new value. There are also default timeout values in the applications entry database, which are taken from predefined applications. You can set a timeout, but you cannot alter the default values.

Applications with multiple rule entries share the same timeout value. If multiple applications share the same protocol and destination port range, all applications share the last timeout value configured.

For single application entries, an application timeout lookup proceeds as follows:

1. The specified timeout in the application entry database, if set.
2. The default timeout in the application entry database, if specified in the predefined application.
3. The protocol-based default timeout table. See Table 90.

   Table 90: Protocol-Based Default Timeout

   Protocol	Default Timeout (minutes)
   TCP	30
   UDP	1
   ICMP	1
   OSPF	1
   Other	30

For application groups, including hidden groups created in multi-cell policy configurations, and for the predefined application ANY (if timeout is not set), application timeout lookup proceeds as follows:

1. The vsys TCP and UDP port-based timeout table, if a timeout is set.
2. The protocol-based default timeout table.

Contingencies

When setting timeouts, be aware of the following contingencies:

• If an application contains several application rule entries, all rule entries share the same timeout. The timeout table is updated for each rule entry that matches the protocol (for UDP and TCP—other protocols use the default). You need to define the application timeout only once. For example, if you create an application with two rules, the following commands will set the timeout to 20 minutes for both rules:
  
  

  user@host# set applications application test protocol tcp destination-port 1035-1035 inactivity-timeout 20

  
  

  user@host# set applications application test term test protocol udp

  
  

  user@host# set applications application test term test source-port 1-65535

  
  

  user@host# set applications application test term test destination-port 1111-1111
• If multiple applications are configured with the same protocol and overlapping destination ports, the latest application timeout configured overrides the others in the port-based table. For example:
  
  

  user@host# set applications application ftp-1 protocol tcp source-port 0-65535 destination-port 2121-2121 inactivity-timeout 10

  
  

  user@host# set applications application telnet-1 protocol tcp source-port 0-65535 designating-port 2100-2148 inactivity-timeout 20

  With this configuration, JUNOS Software applies the 20-minute timeout for destination port 2121 in an application group, because the destination port numbers for telnet-1 (2100-2148) overlap those for ftp-1 (2121), and you defined telnet-1 after you defined ftp-1.

  To modify an application timeout when multiple applications use the same protocol and an overlapping destination port range, you must unset the application and reset it with the new timeout value. This is because, during reboot, applications are loaded according to creation time, not modification time.

  To avoid the unintended application of the wrong timeout to an application, do not create applications with overlapping destination port numbers.

• If you unset an application timeout, the default protocol-based timeout in the application entry database is used, and the timeout values in both the application entry and port-based timeout tables are updated with the default value.

  If the modified application has overlapping destination ports with other applications, the default protocol-based timeout might not be the desired value. In that case, reboot JUNOS Software, or set the application timeout again for the desired timeout to take effect.

• When you modify a predefined application and reboot, the modified application might not be the last one in the configuration. This is because predefined applications are loaded before custom applications, and any change made to a custom application, even if made earlier, will show as later than the predefined application change when you reboot.

  For example, if suppose you create the following application:

  
  

  user@host# set applications application my-application protocol tcp destination-port 179-179 inactivity-timeout 20

  Later you modify the timeout of the predefined application BGP as follows:

  
  

  user@host# set applications application bgp inactivity-timeout 75

  The BGP application will use the 75-minute timeout value, because it is now written to the application entry database. But the timeout for port 179, the port BGP uses, is also changed to 75 in the TCP port-based timeout table. After you reboot, the BGP application will continue to use the 75-minute timeout which, as a single application, it gets from the application entry database. But the timeout in the TCP port-based table for port 179 will now be 60. You can verify this by entering the show applications application bgp command.

  The BGP application has no effect on single applications. But if you add BGP or my_application to an application group, the 60-minute timeout value will be used for destination port 179. This is because application group timeout is taken from the port-based timeout table, if one is set.

  To ensure predictability when you modify a predefined application timeout, therefore, you can create a similar application, for example:

  
  

  user@host# set applications application my-bgp protocol tcp destination-port 179-179 inactivity-timeout 75

Related Topics

• Setting a Policy Application Timeout
• Understanding Policies
• Policy Application Sets Overview