FWSM and advanced connection/protocol timeout settings

on 30.09.2006 09:09:54 by st.john.gogarty

This FWSM is in single mode, so when I speak of context below I mean
only CLI contexts.

Does anyone know of a way to change conn timeouts within a specific
"object-group service" module and restrict their scope to that custom
object-group? I'm able to change the timeouts without a complaint from
the FWSM, but even in the "object-group service" context the changes
are applied globally and I'm dropped out of "(config-service)" context
and back to (config). This leads me to believe that these timeouts can
only be set globally. This is not at all what I want, but rather to
change the conn timeout for an object-group service, then use that
service with a set of restricted hosts within an ACL to manipulate
connection timers for these specified hosts.

I have, on Netscreens and Checkpoints, been able to specify even the
specific protocol timeout by creating a "custom service", and defining
TCP characteristics such as timeouts. These modified timeouts applied
only to the defined "custom service". I can't imagine it is
impossible to do this on an FWSM... but I don't see that it can be
done in the case of the transport protocols themselves, only for the
connection states and then only if I can accept that the results will
apply globally.

dj

Re: FWSM and advanced connection/protocol timeout settings

on 30.09.2006 12:34:43 by roberson

In article <1159600194.825215.194730@c28g2000cwb.googlegroups.com>,
st.john.gogarty@gmail.com wrote:

>This FWSM is in single mode, so when I speak of context below I mean
>only CLI contexts.

If that's Cisco's Firewall Service Module for the 6500/7600 then
I suggest that you ask in comp.dcom.sys.cisco .