This blog article on distributed firewall (DFW) timers has been contributed by Suma Gundaiah. Suma is a VCI certified, Senior Technical Training Specialist who specializes in VMware NSX technology and Cisco IP networking. In her free time, Suma loves exploring the wilderness of the Himalayas.
A session timeout defines how long the firewall maintains a session after it becomes inactive. By default, when the session timeout for the protocol expires, the firewall closes the session.
Starting with NSXv 6.3.0, it is possible to customize the protocol session timeout that the firewall applies after inactivity. This can be done from both the GUI and the CLI.
Most customers today have a mix of legacy and newer applications in the same datacenter, where the session timers are different for different applications. Here are two such scenarios where it is required to change the DFW timers.
- A customer needs the legacy applications that talk to the database to keep the TCP established state ON for, let’s say, 15 days.
- A customer has a requirement to set the TCP established state timeout to 5 minutes, as this is the minimum requirement to talk to certain devices in their datacenter.
Editing DFW Timers from the GUI
- Go to Networking & Security > Firewall. Clicking the Settings tab lists the “Default Session Timers” for TCP, UDP and ICMP sessions that apply to a user-defined set of VMs or vNICs.
- Select Default Session Timers and click the pencil icon to edit the timers.
- A new window opens as shown in the screenshot below. The timer values for TCP, UDP and ICMP can be edited here.
- To define a new session timer, click the + icon.
Editing DFW Timers using CLI Commands
- SSH to the ESXi host on which the timers need to be edited.
- Enter the command vsipioctl getfilters to find out the filter name. In this case the filter applied is
- The command vsipioctl gettimeout -f nic-72557-eth0-vmware-sfw.2 lists all the timer details configured.
- To list a specific timer, append -t and the timer name to the command: vsipioctl gettimeout -f nic-72557-eth0-vmware-sfw.2 -t dfw.tcp.first_packet. The default value for dfw.tcp.first_packet is 120 seconds.
- To set the new value for this timer, enter the following command: vsipioctl settimeout -f nic-72557-eth0-vmware-sfw.2 -t dfw.tcp.first_packet=200
- The new value of the timer is now set to 200 secs as shown below.