Beginner

Threat Defense Connection timeout

Two Questions:

 

In the previous ASA version (v8) there was a "Dead Connection Detection" (DCD) function to keep inactive but already existing connections open.

Is DCD behavior also supported in FTD?

Background: Using a "foreign" firewall, connections from the client to the SAP server become disconnected after a longer time of inactivity and people have to log in to the server again. Replacing this foreign firewall with an ASA5510, the connection stays established and people can continue working without logging in again.

How do the timeout settings in FTD in "Network Analysis Policy / TCP Stream Configuration" and the timeout setting in "Device Platform Settings" play together?


Accepted Solutions
VIP Advisor

Re: Threat Defense Connection timeout

Hi

Have you tried configuring DCD using FlexConfig?
You can put your ASA config into a FlexConfig object and deploy it.
I haven't tried it myself yet for DCD (haven't had the use case yet).
If commands are protected and cannot be pushed over FlexConfig, then you will get an error message right away at deployment for FMC and at configuration for FDM.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
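
For reference, the ASA-side configuration that enables DCD for one class of traffic, as an added example that is not part of the original posts. The ACL and class names, the server address 192.0.2.10 and port 3200 are constructed placeholders, and whether a given FTD release accepts these lines through a FlexConfig object is not confirmed here.

```text
! Constructed example: names, address and port are placeholders.
! Match only the long-lived client-to-SAP sessions, not all traffic.
access-list SAP_LONG_LIVED extended permit tcp any host 192.0.2.10 eq 3200
!
class-map SAP_LONG_LIVED_CLASS
 match access-list SAP_LONG_LIVED
!
policy-map global_policy
 class SAP_LONG_LIVED_CLASS
  ! After 1 hour idle, probe both endpoints instead of dropping the
  ! connection: retry every 15 seconds, give up after 5 unanswered probes.
  set connection timeout idle 1:00:00 dcd 0:00:15 5
!
! Verification on the device CLI:
!   show service-policy
!   show conn address 192.0.2.10 detail
```

With DCD, a connection is removed only when an endpoint stops answering the probes, so dead sessions still age out of the connection table while live but idle ones are kept. Scoping the class to the affected server avoids extending idle lifetimes for all traffic.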
Beginner

Re: Threat Defense Connection timeout

Hi Francesco,

Thank you for your answer.

I have never dealt with FlexConfig before. I searched for how to do that and found a hint that the connection timeout is now configurable using service policies from version 3.0. So I will update FMC and the sensor and hope to easily solve my problem.

Thank you again - this helps me.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html

 

VIP Advisor

Re: Threat Defense Connection timeout

Yeah, some configs are still not configurable over the normal and standard GUI, but they are through FlexConfig.
Test and let me know if that worked.

Thanks
Francesco