How the Symantec Endpoint Protection client with Network Threat Protection maintains its stateful connection table
Article ID: 177706


Products

Endpoint Protection

Issue/Introduction

Established connections expire, time out, or are closed with the firewall component of Symantec Endpoint Protection (SEP), called Network Threat Protection (NTP), enabled.


Symptoms
Citrix clients can connect to the Citrix server but disconnect after a period of idle time during which the Citrix client sends no traffic, including TCP keep-alive packets.
Remote Desktop (RDP) sessions are terminated or disconnected.
Secure Shell (SSH) sessions are disconnected.
Lotus Notes clients stop receiving new email after periods of idle time during which no traffic is sent.

Cause

The Symantec Endpoint Protection Network Threat Protection firewall maintains stateful session tables for both TCP and pseudo-UDP connections. This design improves firewall performance. If a TCP or UDP connection initiated from the client side is allowed by an existing firewall rule, the session is placed in the session table. When a subsequent packet arrives whose source/destination IP addresses and ports match an entry in the session table, the firewall engine passes it directly to the upper-level application without checking it against the firewall rules.

The firewall engine periodically "ages out" inactive sessions to keep the state table small, for both security and performance reasons. Removing an inactive or idle session from the state table means that any return traffic is no longer allowed automatically; it must be passed through the firewall engine and matched to a rule before it is allowed. Once such a packet is allowed, the session is put into the session table again. The expiry time for a TCP session is 300 seconds (5 minutes). The expiry time for a UDP session is 40 seconds.

There are also some additional situations in which the state table that holds the connection information may be cleared. For example, it is cleared when a firewall policy update is processed or when the Symantec Endpoint Protection services are restarted.

Resolution

To prevent idle sessions from expiring prematurely from the state table, enable TCP keep-alive packets with an interval of less than 5 minutes. Additionally, you can create application firewall rules that match the application traffic. When creating the rule, specify the application's outbound port together with the specific protocol(s) the application uses. This creates a stateful entry for that application. When the application is closed, the countdown timer that expires its stateful connections from the table begins.

Note that the SEP firewall can only create a state table entry for application rules with specific TCP/UDP ports or port ranges; SEP cannot match applications with generic TCP/UDP (no ports specified) or other protocols.
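The following model illustrates the Cause and Resolution sections above: a session table keyed by protocol, addresses and ports, the 300 s TCP and 40 s UDP idle timeouts, the flush on policy update, and why a keep-alive interval below 5 minutes keeps return traffic flowing. It is an added, simplified example written for this article, not Symantec's code; the rule format, the IP addresses and the Citrix port used in the scenario are constructed, and aging is checked on lookup rather than by a periodic sweep.

```python
# Idle timeouts stated in the article (seconds).
TCP_IDLE_TIMEOUT = 300
UDP_IDLE_TIMEOUT = 40

def _session_key(pkt):
    """Normalize a packet to the session as seen from the local host,
    so outbound packets and their return traffic share one table entry."""
    proto, src, sport, dst, dport, direction = pkt
    if direction == "out":
        return (proto, src, sport, dst, dport)
    return (proto, dst, dport, src, sport)          # "in": swap ends

def handle_packet(table, rules, pkt, now):
    """Return how the packet is handled: matched state bypasses the rules,
    otherwise the rules are consulted and an allowed packet creates state."""
    proto, src, sport, dst, dport, direction = pkt
    key = _session_key(pkt)
    timeout = TCP_IDLE_TIMEOUT if proto == "TCP" else UDP_IDLE_TIMEOUT
    last_seen = table.get(key)
    if last_seen is not None and now - last_seen <= timeout:
        table[key] = now                            # refresh the idle timer
        return "allowed-by-state"
    table.pop(key, None)                            # aged out (or never present)
    for rule in rules:                              # constructed rule format
        if (rule["proto"], rule["direction"], rule["dst_port"]) == (proto, direction, dport):
            table[key] = now                        # allowed packet re-creates state
            return "allowed-by-rule"
    return "blocked"

def policy_update(table):
    """A firewall policy update (or service restart) clears the whole table."""
    table.clear()

def idle_citrix_scenario(keepalive_interval=None, idle_seconds=600):
    """Client opens TCP/1494 to a Citrix server (constructed addresses), sits idle,
    then the server sends data. Only outbound traffic to 1494 is allowed by rule,
    so the server's packet gets through only if the state entry is still alive."""
    rules = [{"proto": "TCP", "direction": "out", "dst_port": 1494}]
    table = {}
    client_to_server = ("TCP", "10.0.0.5", 50001, "10.0.0.20", 1494, "out")
    server_to_client = ("TCP", "10.0.0.20", 1494, "10.0.0.5", 50001, "in")
    handle_packet(table, rules, client_to_server, 0)        # allowed-by-rule
    if keepalive_interval:
        for t in range(keepalive_interval, idle_seconds, keepalive_interval):
            handle_packet(table, rules, client_to_server, t)  # keep-alive refreshes the entry
    return handle_packet(table, rules, server_to_client, idle_seconds)
```

With no keep-alive the server's data after 600 s of idle time is blocked, because the entry aged out at 300 s and no rule allows unsolicited inbound traffic; with a 240 s keep-alive the same packet is allowed by state.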


References
RFC 1122 - Requirements for Internet Hosts -- Communication Layers 4.2.3.6 TCP Keep-alives



Additional Information

Configuring the Symantec Endpoint Protection TCP session timeout