Understanding Policy Application Timeout Configuration and Lookup

The application timeout value you set for an application determines the session timeout. You can set the timeout threshold for a predefined or custom application; you can use the application default timeout, specify a custom timeout, or use no timeout at all. Application timeout behavior is the same in virtual systems (vsys) security domains as at the root level.

Application timeout values are stored in the application entry database and in the corresponding vsys TCP and UDP port-based timeout tables. When you set an application timeout value, Junos OS updates these tables with the new value. The application entry database also holds default timeout values, which are taken from the predefined applications. You can set a timeout, but you cannot alter a default value.

Applications with multiple rule entries share the same timeout value. If multiple applications share the same protocol and destination port range, all applications share the last timeout value configured.

For single application entries, an application timeout lookup proceeds as follows:

  1. The specified timeout in the application entry database, if set.
  2. The default timeout in the application entry database, if specified in the predefined application.
  3. The protocol-based default timeout table. See Table 15.

    Table 15: Protocol-Based Default Timeout

    Protocol    Default Timeout (seconds)
    TCP         1800
    UDP         60
    ICMP        60
    OSPF        60
    Other       1800

For application groups, including hidden groups created in multicell policy configurations, and for the predefined application ANY (if timeout is not set), application timeout lookup proceeds as follows:

  1. The vsys TCP and UDP port-based timeout table, if a timeout is set.
  2. The protocol-based default timeout table.
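The two lookup orders above, and the rule that applications sharing a protocol and destination port range take the last timeout configured, are easy to get wrong when predicting how long a session will be kept. The following Python model is an added illustration written for this page; it is not Junos OS code and does not reflect its internal data structures. It assumes a small application entry database and a vsys port-based table keyed by (protocol, destination port), with constructed application names and port ranges, and it does not model the "no timeout at all" option.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Illustrative model of the lookup order described on this page; not Junos code.
# Protocol-based default timeout table (Table 15), in seconds.
PROTOCOL_DEFAULT_TIMEOUT: Dict[str, int] = {"tcp": 1800, "udp": 60, "icmp": 60, "ospf": 60}
OTHER_PROTOCOL_DEFAULT = 1800


@dataclass
class AppEntry:
    """One row of the application entry database (model)."""
    name: str
    protocol: str
    port_range: Tuple[int, int]               # destination port range, inclusive; (0, 0) if none
    default_timeout: Optional[int] = None     # taken from the predefined application, if any
    configured_timeout: Optional[int] = None  # operator-set value, if any


class TimeoutTables:
    """Application entry database plus the vsys TCP/UDP port-based timeout tables (model)."""

    def __init__(self) -> None:
        self.apps: Dict[str, AppEntry] = {}
        # (protocol, destination port) -> timeout; only TCP and UDP have port-based tables
        self.port_table: Dict[Tuple[str, int], int] = {}

    def add_app(self, entry: AppEntry) -> None:
        self.apps[entry.name] = entry

    def set_timeout(self, name: str, seconds: int) -> None:
        """Set an application timeout: update the entry database and the port-based table."""
        app = self.apps[name]
        lo, hi = app.port_range
        # Applications that share the same protocol and destination port range share the
        # last timeout configured, so the value is propagated to every matching entry.
        for other in self.apps.values():
            if other.protocol == app.protocol and other.port_range == app.port_range:
                other.configured_timeout = seconds
        if app.protocol in ("tcp", "udp"):
            for port in range(lo, hi + 1):
                self.port_table[(app.protocol, port)] = seconds

    def lookup_single(self, name: str) -> int:
        """Lookup order for a single application entry."""
        app = self.apps[name]
        if app.configured_timeout is not None:   # 1. specified timeout, if set
            return app.configured_timeout
        if app.default_timeout is not None:      # 2. predefined application default
            return app.default_timeout
        return PROTOCOL_DEFAULT_TIMEOUT.get(app.protocol, OTHER_PROTOCOL_DEFAULT)  # 3. Table 15

    def lookup_group(self, protocol: str, dst_port: int) -> int:
        """Lookup order for application groups and the predefined application ANY."""
        configured = self.port_table.get((protocol, dst_port))
        if configured is not None:               # 1. vsys port-based table, if a timeout is set
            return configured
        return PROTOCOL_DEFAULT_TIMEOUT.get(protocol, OTHER_PROTOCOL_DEFAULT)  # 2. Table 15


def build_example() -> TimeoutTables:
    """Constructed sample data: two custom TCP apps on one port range, a UDP app, an OSPF app."""
    t = TimeoutTables()
    t.add_app(AppEntry("custom-web-a", "tcp", (8080, 8081)))
    t.add_app(AppEntry("custom-web-b", "tcp", (8080, 8081)))
    t.add_app(AppEntry("custom-dns", "udp", (5353, 5353), default_timeout=30))
    t.add_app(AppEntry("custom-ospf", "ospf", (0, 0)))
    t.set_timeout("custom-web-a", 3600)
    t.set_timeout("custom-web-b", 120)   # last configured value wins for the shared range
    return t


if __name__ == "__main__":
    t = build_example()
    print(t.lookup_single("custom-web-a"))   # 120, shared with custom-web-b
    print(t.lookup_single("custom-dns"))     # 30, predefined default
    print(t.lookup_single("custom-ospf"))    # 60, protocol-based default
    print(t.lookup_group("tcp", 8080))       # 120, from the port-based table
    print(t.lookup_group("tcp", 443))        # 1800, TCP protocol default
    print(t.lookup_group("udp", 5353))       # 60, no port-table entry because no timeout was set
```

The `custom-dns` entry shows why the two lookup paths can disagree: a single-application lookup honours the predefined default (30 seconds), but a group or ANY lookup on the same port never consults the application entry database, so it falls through to the UDP protocol default of 60 seconds unless a timeout has been explicitly set.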
