Adjusting the Session Aging Time of Security Policies

Through this configuration, you can adjust the connection duration of a security policy session.

Choose Policy > Security Policy > Security Policy.
Click Add Security Policy or enter the view of an existing security policy rule.
Configure the session aging time.
Set the session aging time in Session Aging Time.
Configure a user-defined persistent connection.
Select Enable for User-Defined Persistent Connection to enable the user-defined persistent connection function and configure the aging time of the persistent connection.
Click OK.

Access the security policy view from the system view.
security-policy
Create a security policy rule and access the security policy rule view.
rule name rule-name
Configure the session aging time.
session aging-time interval
Set the aging time for the sessions that are already blocked by policies.
firewall session aging-time sa-block { tcp | udp } aging-time

Once a packet matches an application-based security policy and the action defined in the policy is block, the current session cannot be aged and is retained for a while. This is because the FW identifies application protocols based on the initial packets in each data flow. If the session is aged, subsequent packets in the data flow initiate new sessions. However, the FW may not identify the application protocol based on the subsequent packets and therefore fails to block the data flow.

By default, TCP and UDP sessions are aged within 120 seconds. For certain applications that continue to send packets after the FW blocks the traffic, run the firewall session aging-time sa-block command to adjust the aging time.
Configure a user-defined persistent connection.
1. Enable the policy-based persistent connection function.
  long-link enable
2. Set the aging time for the policy-based persistent connection.
  long-link aging-time interval