Respond to Connection timeout log messages

Connection timeout log messages are generated for inactive connections that the Firewall clears out from its connection tracking table.

Connections are inactive when the hosts involved in the connection stop transmitting packets between each other.

Most connection timeouts are normal and necessary: they let the Firewall clean up inactive connections from its records and free the resources those entries consume. However, if an application leaves a connection idle for longer than the timeout, the Firewall discards the connection state, and the application's next packets no longer match an existing connection. In that case the timeout prevents the communication from continuing.

Steps

  1. If an application in your network leaves connections inactive for long periods of time before continuing again, you can increase the timeout for those connections. You can change the timeout in the Action options of the Access rule that allows the connection. The rule-specific timeout overrides the global timeouts that are set per connection state in the Firewall element's properties (Advanced Settings).
    CAUTION:
    Setting long timeouts for a high number of connections considerably increases the resource consumption of the Firewall and can even lead to performance problems. This issue applies especially to non-TCP protocols that have no connection closing messages: the Firewall cannot tell when such a virtual connection has ended, so its entry is only removed when the timeout is reached.
  2. If the protocol is not connection-oriented (for example, SNMP), you can disable connection tracking for the traffic in the Access rule's Action options. Disabling connection tracking requires that you explicitly allow both directions of the communication in the rule, because without connection tracking the Firewall keeps no state and cannot automatically allow the reply packets. NAT rules are not applied to connections that are not tracked. We recommend that you deactivate logging in rules that have connection tracking off, because such rules create a separate log entry for each packet transmitted. The number of log entries grows accordingly and can lead to an unmanageable level of logging traffic.
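To make the trade-offs behind these two steps concrete, the following Python model of a connection tracking table is added here as an illustration; it is not code from the Firewall product or its documentation. It reproduces the behaviour described above: global timeouts per connection state, a rule-specific override that takes precedence, TCP entries freed immediately on close while UDP entries linger until the timeout, and untracked rules that need both directions allowed and log every packet. The timeout values, rule fields, addresses and log line format are all assumptions chosen for the example; the real values live in the Firewall element's Advanced Settings and the Access rule's Action options.

```python
"""Toy model of a stateful firewall's connection tracking table (added example).

Everything below is illustrative: the timeouts, the rule fields, the addresses
and the log line format are assumptions, not the product's own values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed global idle timeouts per connection state, in seconds.
GLOBAL_TIMEOUTS = {"tcp_established": 600, "udp": 60}


@dataclass
class Rule:
    rule_id: str
    proto: str                     # "tcp" or "udp"
    port: int                      # service port the rule allows
    timeout: Optional[int] = None  # rule-specific override; None = use global
    tracking: bool = True          # connection tracking on/off
    both_directions: bool = False  # rule explicitly allows the reply direction


@dataclass
class Entry:
    rule: Rule
    state: str
    last_seen: float


class ConnTable:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.entries: Dict[Tuple, Entry] = {}
        self.log: List[str] = []

    def _rule_for(self, proto: str, port: int) -> Optional[Rule]:
        return next((r for r in self.rules if r.proto == proto and r.port == port), None)

    def packet(self, now: float, client: str, server: str, proto: str,
               port: int, reply: bool = False, fin: bool = False) -> str:
        """Process one packet of a client/server flow; returns "allow" or "drop"."""
        key = (client, server, proto, port)
        entry = self.entries.get(key)
        if entry is not None:                      # packet matches tracked state
            if fin:                                # TCP close: free the entry at once
                del self.entries[key]
            else:
                entry.last_seen = now              # any packet refreshes the idle timer
            return "allow"
        rule = self._rule_for(proto, port)
        if rule is None or (reply and not rule.both_directions):
            return "drop"                          # no state, and no rule for this direction
        if not rule.tracking:
            # Untracked traffic: no entry is created and every packet is logged.
            self.log.append(f"t={now} rule={rule.rule_id} allow {proto}/{port} (untracked)")
            return "allow"
        state = "tcp_established" if proto == "tcp" else "udp"
        self.entries[key] = Entry(rule, state, now)
        self.log.append(f"t={now} rule={rule.rule_id} new connection {proto}/{port}")
        return "allow"

    def expire(self, now: float) -> List[Tuple]:
        """Clear idle entries; a rule-specific timeout overrides the global one."""
        expired = []
        for key, e in list(self.entries.items()):
            limit = e.rule.timeout if e.rule.timeout is not None else GLOBAL_TIMEOUTS[e.state]
            if now - e.last_seen > limit:
                del self.entries[key]
                self.log.append(f"t={now} rule={e.rule.rule_id} Connection timeout {key[2]}/{key[3]}")
                expired.append(key)
        return expired


def idle_app_survives(idle_seconds: float, rule_timeout: Optional[int]) -> bool:
    """Step 1: a TCP session idles for idle_seconds; does its state survive so the
    server's next packet is still matched?  rule_timeout=None keeps the global value."""
    table = ConnTable([Rule("app", "tcp", 1521, timeout=rule_timeout)])
    table.packet(0, "10.0.0.5", "10.0.1.10", "tcp", 1521)
    table.expire(idle_seconds)
    return table.packet(idle_seconds, "10.0.0.5", "10.0.1.10", "tcp", 1521, reply=True) == "allow"


def peak_table_size(n_flows: int, rule_timeout: Optional[int]) -> int:
    """Caution: one new single-packet UDP flow per second with no closing message.
    Returns the largest number of entries held at once (roughly rate x timeout)."""
    table = ConnTable([Rule("syslog", "udp", 514, timeout=rule_timeout)])
    peak = 0
    for t in range(n_flows):
        table.expire(t)
        table.packet(t, f"client{t}", "10.0.1.20", "udp", 514)
        peak = max(peak, len(table.entries))
    return peak


def entries_after_close() -> int:
    """TCP has closing messages, so the entry is freed without waiting for the timeout."""
    table = ConnTable([Rule("web", "tcp", 443)])
    table.packet(0, "10.0.0.7", "10.0.1.30", "tcp", 443)
    table.packet(1, "10.0.0.7", "10.0.1.30", "tcp", 443, fin=True)
    return len(table.entries)


def untracked_reply(both_directions: bool) -> Tuple[str, int, int]:
    """Step 2: SNMP rule with tracking off. Returns (reply verdict, log lines, entries)."""
    table = ConnTable([Rule("snmp", "udp", 161, tracking=False, both_directions=both_directions)])
    table.packet(0, "10.0.0.9", "10.0.1.40", "udp", 161)
    verdict = table.packet(0.1, "10.0.0.9", "10.0.1.40", "udp", 161, reply=True)
    return verdict, len(table.log), len(table.entries)


if __name__ == "__main__":
    print("idle 900 s, global 600 s :", idle_app_survives(900, None))
    print("idle 900 s, rule 1200 s  :", idle_app_survives(900, 1200))
    print("peak entries, udp 60 s   :", peak_table_size(300, None))
    print("peak entries, udp 3600 s :", peak_table_size(300, 3600))
    print("untracked, both dirs     :", untracked_reply(True))
    print("untracked, one dir       :", untracked_reply(False))
```

The peak table size is what the caution is about: with a steady arrival rate of untracked-looking UDP flows, the number of live entries is roughly the arrival rate multiplied by the timeout, so raising a UDP rule's timeout from 60 s to an hour multiplies the state held per flow source by sixty. The untracked SNMP case shows the other half of step 2: with tracking off, the reply is dropped unless the rule itself allows that direction, and every packet produces its own log line.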