Change UDP timeout on only one policy?
Related to this thread https://community.watchguard.com/watchguard-community/discussion/1943/voip-phones-and-a-recommendation-to-enable-consistent-nat#latest, is there a way in the CLI or otherwise, to change the UDP timeout only on one policy? I know how to change the global timeout via CLI.
Gregg Hill
Comments
A little more information:
EDIT: Sorry for multiple edits, but this STUPID forum alters what I actually type.
After setting the custom idle timeout value for my "VoIP-Obi202.Out" policy to 2771 seconds (just so I could find it easily in Notepad++), the XML file shows (with "--" replacing the "less-than-sign" and "greater-than-sign" because the forum EATS what I type):
--idle-timeout--2771--idle-timeout--
It does not say if that is TCP or UDP. My understanding is that the custom idle timeout value is only applied to TCP. Is that correct? If it's correct, why don't we get a UDP timeout setting, or at least change the description to "Specify Custom TCP Idle Timeout"?
EDIT: Also, is there a way to just post a dang message without it thinking that everything I type needs to be fancy HTML? It COMPLETELY BOTCHED what I actually entered so I had to delete that part.
Gregg Hill
I've asked before - a good while back, and apparently there is NO WAY to turn off Markdown on this Forum by us, which causes messing up certain characters in a post. Bad option to have it turned on by default IMHO for this forum.
I've also asked before about the Custom idle timeout on a policy and was told that it is only for TCP. No idea why then one can set a Custom idle timeout on a UDP policy if it has no effect. Guess that it is just another "feature".
Also the docs do not say that the Custom idle timeout is limited to TCP, which leads one to believe that it could be also for UDP on a UDP policy. Haha.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/custom_idle_timeout_c.html
As I recall, the default UDP timeout is 30 seconds.
Many versions back (probably for WFS - 7.5 and older) it was recommended to increase the idle timeout on outgoing DNS policies if one was seeing DNS servers ending up on the temp Blocked Sites list because the "Auto-block source of packets not handled" was selected. Seems some DNS server responses were quite slow at times.
That recommendation is no longer in the FAQs.
The inability to post a plain-text message is a HUGE pain in the rear. In a separate response, I am going to try the choice for Code on the paragraph sign drop-down to see if that allows it.
"No idea why then one can set a Custom idle timeout on a UDP policy"...I never even thought about that!
I have had the issue with DNS servers ending up on the temp Blocked Sites list because the "Auto-block source of packets not handled" was selected. I also had other problems with it and turned it off many years ago.
The docs do not say that the Custom idle timeout is limited to TCP, but tech support has stated that was the case many years ago.
Gregg Hill
Test to see how it shows up on the forum.
<policy>
  <name>VoIP-OBi202.Out-00</name>
  <description>Policy added on 2020-02-29T14:34:46-08:00.</description>
  <property>0</property>
  <service>VoIP</service>
  <firewall>1</firewall>
  <reject-action>1</reject-action>
  <from-alias-list>
    <alias>VoIP-OBi202.Out.1.from</alias>
  </from-alias-list>
  <to-alias-list>
    <alias>VoIP-OBi202.Out.1.to</alias>
  </to-alias-list>
  <proxy></proxy>
  <traffic-mgmt></traffic-mgmt>
  <qos-marking>
    <marking-field>1</marking-field>
    <marking-method>
      <marking-type>0</marking-type>
    </marking-method>
    <priority-method>2</priority-method>
  </qos-marking>
  <nat></nat>
  <schedule>Always On</schedule>
  <connection-rate>0</connection-rate>
  <connection-rate-alarm></connection-rate-alarm>
  <log>0</log>
  <log-for-report>0</log-for-report>
  <enable>1</enable>
  <idle-timeout>2771</idle-timeout>
  <user-firewall>0</user-firewall>
  <ips-monitor-enabled>0</ips-monitor-enabled>
  <quota-enabled>0</quota-enabled>
  <alarm></alarm>
  <send-tcp-reset>1</send-tcp-reset>
  <policy-routing></policy-routing>
  <using-global-sticky-setting>1</using-global-sticky-setting>
  <policy-sticky-timer>0</policy-sticky-timer>
  <global-1to1-nat>1</global-1to1-nat>
  <global-dnat>1</global-dnat>
  <geo-action></geo-action>
</policy>
Gregg Hill
Well, that post using the paragraph symbol's drop-down and "Code" choice worked a little bit. If it honored line breaks, it would be usable.
Gregg Hill