Understanding Policy Application Timeout Configuration and Lookup

The application timeout value you set for an application determines the session timeout. You can set the timeout threshold for a predefined or custom application; you can use the application default timeout, specify a custom timeout, or use no timeout at all. Application timeout behavior is the same in virtual systems (vsys) security domains as at the root level.

Application timeout values are stored in the application entry database and in the corresponding vsys TCP and UDP port-based timeout tables. When you set an application timeout value, JUNOS Software updates these tables with the new value. The application entry database also holds default timeout values, which are taken from the predefined applications. You can set a timeout for an application, but you cannot alter these default values.

Applications with multiple rule entries share the same timeout value. If multiple applications share the same protocol and destination port range, all applications share the last timeout value configured.

For single application entries, an application timeout lookup proceeds as follows:

  1. The specified timeout in the application entry database, if set.
  2. The default timeout in the application entry database, if specified in the predefined application.
  3. The protocol-based default timeout table. See Table 13.

    Table 13: Protocol-Based Default Timeout

    Protocol    Default Timeout (minutes)
    TCP         30
    UDP         1
    ICMP        1
    OSPF        1
    Other       30

For application groups, including hidden groups created in multicell policy configurations, and for the predefined application ANY (if timeout is not set), application timeout lookup proceeds as follows:

  1. The vsys TCP and UDP port-based timeout table, if a timeout is set.
  2. The protocol-based default timeout table.
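The two lookup orders above, together with the rule that applications sharing a protocol and destination port range take the last timeout configured, as an added model in Python (not JUNOS code; the class, method names and the "root" vsys name are assumptions chosen for illustration):

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Table 13: protocol-based default timeouts, in minutes
PROTOCOL_DEFAULT_TIMEOUT = {"tcp": 30, "udp": 1, "icmp": 1, "ospf": 1}
OTHER_PROTOCOL_DEFAULT = 30


@dataclass
class AppEntry:
    protocol: str
    ports: Tuple[int, int]            # destination port range (low, high)
    default: Optional[int] = None     # taken from the predefined application; not alterable
    configured: Optional[int] = None  # timeout set by the administrator, if any


class TimeoutModel:
    """Constructed model of the timeout lookup precedence described in the text."""

    def __init__(self) -> None:
        self.entries: Dict[str, AppEntry] = {}
        # vsys TCP/UDP port-based timeout table: (vsys, protocol, port range) -> minutes
        self.port_table: Dict[Tuple[str, str, Tuple[int, int]], int] = {}

    def add_application(self, name: str, protocol: str, ports: Tuple[int, int],
                        default: Optional[int] = None) -> None:
        self.entries[name] = AppEntry(protocol.lower(), ports, default)

    def set_timeout(self, vsys: str, name: str, minutes: int) -> None:
        entry = self.entries[name]
        # Every application sharing this protocol and port range takes the last value set
        for other in self.entries.values():
            if other.protocol == entry.protocol and other.ports == entry.ports:
                other.configured = minutes
        if entry.protocol in ("tcp", "udp"):
            self.port_table[(vsys, entry.protocol, entry.ports)] = minutes

    def lookup_single(self, name: str) -> int:
        entry = self.entries[name]
        if entry.configured is not None:   # 1. specified timeout in the entry database
            return entry.configured
        if entry.default is not None:      # 2. default from the predefined application
            return entry.default
        return PROTOCOL_DEFAULT_TIMEOUT.get(entry.protocol, OTHER_PROTOCOL_DEFAULT)  # 3.

    def lookup_group(self, vsys: str, protocol: str, ports: Tuple[int, int]) -> int:
        # Application groups and ANY: 1. vsys port-based table, 2. protocol defaults
        key = (vsys, protocol.lower(), ports)
        if key in self.port_table:
            return self.port_table[key]
        return PROTOCOL_DEFAULT_TIMEOUT.get(protocol.lower(), OTHER_PROTOCOL_DEFAULT)
```

Setting a timeout on one application also changes the value returned for any other application on the same protocol and port range, which is the sharing behaviour to keep in mind when custom applications overlap predefined ones.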
