Using Activity Timeouts in Access Rules

Introduction

This technote shows how to create access rules for specific services with known ports (e.g. PCAnywhere, Citrix, PPTP, and Microsoft Terminal Services) and for services with dynamic ports (e.g. Outlook/Exchange) in order to increase the activity timeouts for these services. A longer activity timeout lets a connection sit idle (no data being sent) for a longer period without being dropped, which eliminates the need to frequently start the service again.

Recommended Versions

SonicOS Enhanced 2.0.1.5 or newer

Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available for the first 90 days to customers who have registered the SonicWALL device on MySonicWALL.

Caveats

On the Firewall → Advanced page there is a Default Connection Timeout. The Default Connection Timeout value is used for every rule you create. By default, it is set to 5 minutes. Changing this value only changes the activity timeout for rules added after it is changed; it does not change the value of any previously created rules. SonicWALL recommends keeping this value at 5 minutes and creating specific rules to increase the activity timeout when the service uses static ports.

When increasing the activity timeout for VPN tunnels, bear in mind that you might need to increase the activity timeout on the LAN to VPN rule as well as the VPN to LAN rule in order to avoid timeout conditions.

Increasing the activity timeout on access rules increases the time that connections associated with that rule remain open without any activity. This can lead to increased resource consumption and a possible security risk.
Although it is possible to increase the activity timeout on the default rules (LAN to WAN, LAN to VPN, etc.) instead of writing service-specific rules, SonicWALL recommends against this. Increasing the activity timeout on the default rules increases the activity timeout for every connection handled by those rules, thereby increasing resource consumption and introducing possible security risks. With services that use dynamic ports, you may have to modify the default rule.

Even though it is possible to allow a service in from the WAN to the LAN (opening a hole), SonicWALL does not recommend doing this. Allowing access this way creates a security risk. SonicWALL recommends creating a VPN tunnel when WAN to LAN access is required. This can be accomplished by using two SonicWALLs or a SonicWALL and SonicWALL’s Global VPN Client.

Definitions

Activity Timeout – The amount of time without activity before a TCP connection disconnects.

Before You Begin

- Know the service you wish to increase the timeout for. Can you write a service-specific rule, or do you need to modify the default rule?
- Determine the points of origination and destination for the traffic; for example, it originates from the LAN and is destined to a VPN tunnel or the WAN.
- Decide which address object/group you will use in the rule, such as the LAN Primary Subnet object or the LAN Subnets group object.
- Decide what value you want to make the activity timeout.

Setup Steps

Example of VPN to LAN modification of the default rule, for services that have dynamic ports (e.g. Outlook/Exchange):

1. Select Access Rules under the Firewall menu.
2. Select VPN to LAN.
3. Click Edit on the VPN rule you wish to modify. It will list the VPN remote end networks (tz170lan) as the source and LAN Subnets as the destination. Note: this will increase the activity timeout for all connections through this VPN tunnel.
4. On the Advanced tab, enter the TCP Activity Timeout.
5. Select OK.
6. Repeat this process for the opposite LAN to VPN rule.
Example of LAN to WAN creation of a specific rule, for services using static ports:

1. Select Access Rules under the Firewall menu.
2. Select LAN to WAN.
3. Click Add.
4. On the General tab: select Allow; select a Service (e.g. Citrix, PPTP, Microsoft Terminal Services, or PCAnywhere); select Source Any; select Destination Any.
5. On the Advanced tab, enter the TCP Activity Timeout.
6. Select OK.
7. Verify that the new rule is above the default LAN to WAN rule.
8. Repeat this process for all services that you want to have an increased activity timeout.

Testing/Troubleshooting

FTP will be used as the test service.

To test the LAN to WAN activity timeout: from a PC on the LAN, start an FTP session to an FTP server on the WAN. Let the session sit idle for about a minute less than your activity timeout, then try to use the FTP session. You should be able to, because the SonicWALL should have maintained the connection.

To test the WAN to LAN activity timeout: from a PC on the WAN, start an FTP session to an FTP server on the LAN. Let the session sit idle for about a minute less than your activity timeout, then try to use the FTP session. You should be able to, because the SonicWALL should have maintained the connection.

Make sure the activity timeout of the FTP server is not less than the activity timeout on the SonicWALL.

Created: 04/01/2004 Updated: 04/15/2004 Version 1.2
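The idle-then-probe test above, reduced to a self-contained harness (an added example, not part of the technote or SonicWALL's own tooling): a constructed local server stands in for the firewall's TCP activity timeout by closing any connection that sends nothing for a set period, and a client idles for a chosen time before sending an FTP-style NOOP to see whether the session survived. Timeouts are in seconds rather than minutes so the check runs quickly; the loopback address and ephemeral port are assumptions.

```python
import socket
import threading
import time


def start_idle_dropping_server(idle_timeout):
    """Constructed stand-in for a device enforcing a TCP activity timeout.
    Accepts one connection, answers each NOOP line with '200 OK', and
    closes the connection once idle_timeout seconds pass with no data."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # assumption: loopback, ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(idle_timeout)  # the activity timeout being modelled
        try:
            while True:
                data = conn.recv(1024)
                if not data:
                    break  # client closed the session normally
                if data.strip().upper() == b"NOOP":
                    conn.sendall(b"200 OK\r\n")
        except socket.timeout:
            pass  # idle limit reached: drop the connection
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_after_idle(port, idle_seconds):
    """Open a session, sit idle for idle_seconds, then send a NOOP.
    Returns True if the peer still answers, False if the idle session
    was dropped (EOF or reset instead of a reply)."""
    cli = socket.create_connection(("127.0.0.1", port))
    cli.settimeout(2.0)
    try:
        time.sleep(idle_seconds)
        cli.sendall(b"NOOP\r\n")
        return cli.recv(64).startswith(b"200")
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        return False
    finally:
        cli.close()


def session_survives(idle_timeout, idle_seconds):
    """Run one test: does a session idle for idle_seconds outlive a device
    whose activity timeout is idle_timeout seconds?"""
    return probe_after_idle(start_idle_dropping_server(idle_timeout), idle_seconds)


if __name__ == "__main__":
    print("idle shorter than timeout, kept:", session_survives(1.0, 0.2))
    print("idle longer than timeout, kept:", session_survives(1.0, 1.6))
```

Against a real firewall, point the client at the FTP server behind it and scale the idle period to a minute less than the rule's TCP Activity Timeout, as the procedure above describes.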