CBAC uses timeouts and thresholds to determine how long to manage
state information for a session, and to determine when to drop sessions that do
not become fully established. These timeouts and thresholds apply globally to
all sessions.
The default timeout and threshold values can be used as they are, or they can be
changed to values that better fit the network's security requirements. Because
these values apply globally rather than per inspection rule, make any changes
before continuing with the rest of the CBAC configuration (the inspection rules
and their interface assignments).
TCP SYN and FIN Wait Times
Use the ip inspect tcp synwait-time global
configuration command to define how long the software waits for a TCP
session to reach the established state (that is, for the three-way handshake to
complete) before dropping the session; the default is 30 seconds. Use the no
form of this command to reset the timeout to the default. The syntax of the
ip inspect tcp synwait-time command is shown in Figure .
Use the
ip inspect tcp finwait-time global configuration command to
define how long a TCP session is still managed after the firewall detects
a FIN exchange (that is, after the session has begun to close); the default is
5 seconds. Use the no form of this command to reset the timeout to the default.
The syntax of the ip inspect tcp finwait-time command is shown in Figure .
TCP, UDP, and DNS Idle Times
Use the ip inspect tcp
idle-time global configuration command to specify the TCP idle
timeout (the length of time a TCP session is still managed after no
activity); the default is 3600 seconds (1 hour). Use the no form of this
command to reset the timeout to the default.
Use the ip inspect udp idle-time
global configuration command to specify the UDP idle timeout (the length of
time a UDP session is still managed after no activity); the default is
30 seconds. Because UDP has no connection setup or teardown, this idle timer is
the only thing that ends the firewall's state entry for a UDP session. Use the
no form of this command to reset the timeout to the default.
The syntax for the ip inspect {tcp | udp} idle-time
commands is shown in Figure .
Use the ip inspect dns-timeout global configuration
command to specify the DNS idle timeout (the length of time a DNS name lookup
session is still managed after no activity); the default is 5 seconds. Because
a DNS lookup normally completes in a single request and response, this shorter
timeout lets lookup state age out faster than the general UDP idle timeout.
Use the no form of this command to reset the timeout to the default. The
syntax for the ip inspect dns-timeout command is shown in Figure .
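The following is an added configuration example, not taken from the original page, that puts all five global timeouts described above together in the order a CBAC configuration would apply them (before any inspection rules are defined). The numeric values chosen here are illustrative assumptions; the defaults noted in the comments are the IOS defaults for each command.

```text
! --- Global CBAC timeouts (global configuration mode) ---
! Set these before defining ip inspect rules; they apply to all sessions.

! Drop a TCP session that has not completed its handshake within 20 s
! (default 30 s). A shorter value limits how much half-open state the
! router holds during a SYN flood.
ip inspect tcp synwait-time 20

! Keep managing a TCP session for 5 s after a FIN exchange (default 5 s).
ip inspect tcp finwait-time 5

! Stop managing an idle TCP session after 30 minutes (default 3600 s).
! Too low a value drops legitimate long-lived idle sessions such as
! interactive logins; too high a value keeps abandoned sessions in the
! state table.
ip inspect tcp idle-time 1800

! Stop managing an idle UDP session after 15 s (default 30 s).
ip inspect udp idle-time 15

! Stop managing an idle DNS lookup after 5 s (default 5 s).
ip inspect dns-timeout 5

! Any timeout returns to its default with the no form, for example:
! no ip inspect tcp idle-time
```

After entering the timeouts, the effective values can be checked from privileged EXEC mode with show ip inspect config, which lists the global timeouts alongside the inspection rules once those have been added.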