Can the Symantec Endpoint Protection (SEP) firewall TCP session timeout be configured?
For basic information about the Symantec Endpoint Protection (SEP) firewall stateful connection handling see the following KB article:
TECH94334 How the Symantec Endpoint Protection client with Network Threat Protection maintains its stateful connection table
The expire time for a TCP session is 300 seconds (5 minutes); the expire time for a UDP session is 40 seconds. There is typically little reason to change these values. They cannot be configured from the Symantec Endpoint Protection Manager (SEPM), but they can be changed in the client registry.
The registry values are located under one of the following keys, depending on the system:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\TSE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE]
The value names are TcpSession and UdpSession. TcpSession is a DWORD that can be set between 60 and 600 (60 seconds to 10 minutes); UdpSession is a DWORD that can be set between 30 and 600 (30 seconds to 10 minutes).
Making the sessions longer than 10 minutes is not possible.
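The following PowerShell is an added example, not part of the article, of reading and adjusting these two values with the range checks the article gives; the function and variable names are this example's own, and it assumes that a missing value means the built-in default is in effect.

```powershell
# Added example (not from the KB). Registry paths, value names and ranges
# come from the article; everything else is this example's own naming.
$SepTsePaths = @(
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\TSE',
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE'
)

# Allowed ranges in seconds, as stated in the article.
$SepSessionLimits = @{
    TcpSession = @{ Min = 60; Max = 600 }
    UdpSession = @{ Min = 30; Max = 600 }
}

function Get-SepTsePath {
    # Return the first TSE key that exists on this machine.
    foreach ($p in $SepTsePaths) {
        if (Test-Path -LiteralPath $p) { return $p }
    }
    throw 'SEP TSE registry key not found; is the SEP client installed?'
}

function Get-SepSessionTimeout {
    $path = Get-SepTsePath
    $item = Get-ItemProperty -LiteralPath $path
    [pscustomobject]@{
        Path       = $path
        TcpSession = $item.TcpSession   # assumption: $null = default (300 s)
        UdpSession = $item.UdpSession   # assumption: $null = default (40 s)
    }
}

function Set-SepSessionTimeout {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('TcpSession', 'UdpSession')] [string] $Name,
        [int] $Seconds
    )
    $lim = $SepSessionLimits[$Name]
    if ($Seconds -lt $lim.Min -or $Seconds -gt $lim.Max) {
        throw "$Name must be between $($lim.Min) and $($lim.Max) seconds"
    }
    $path = Get-SepTsePath
    if ($PSCmdlet.ShouldProcess("$path\$Name", "Set DWORD to $Seconds")) {
        # -Force creates the value if absent or overwrites it if present.
        New-ItemProperty -LiteralPath $path -Name $Name -Value $Seconds `
            -PropertyType DWord -Force | Out-Null
    }
}

# Usage: raise the TCP idle timeout to the 10-minute maximum, then show it.
# Set-SepSessionTimeout -Name TcpSession -Seconds 600
# Get-SepSessionTimeout
```

Run it from an elevated prompt; `-WhatIf` on `Set-SepSessionTimeout` shows the intended change without writing the registry.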
The SEP firewall stateful session cache is also cleared when:
- the screensaver starts (from 12.1 RU6 onwards this only applies if screensaver-specific firewall rules are configured).
- a new policy is received from the SEPM.
- an RST packet is received, which removes that session from the cache.
For applications that struggle to maintain a session, it is typically preferable to configure firewall rules that allow the traffic without a prior session being open (rules based on port, address, etc.) rather than to increase the session timeout. Depending on the application, it may also be possible to configure it to send keepalive packets to maintain the session.