Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure ProxyHA Timeout Settings

  1. Last updated
  2. Save as PDF

When you run applications that process large amounts of data, such as database backends, you may experience disconnections after the default 120-second timeout.

To avoid this, you can extend the timeout for specific resources by using the Proxy Control event. This allows the SWG core process to keep the connection open for a defined period before closing it when the timeout is reached. This method works in standalone environments or with devices behind an external load balancer, but it does not apply in a Proxy HA setup.

In a Proxy HA environment, the system adds an HA Proxy process. Policy settings apply only to the MWG core process and do not affect the HA Proxy process. To manage timeouts in this scenario, you must configure the corresponding settings in the HA Proxy configuration.

Prerequisites

Make sure the following prerequisites are met before configuring ProxyHA timeout settings:

  • Deployment. Secure Web Gateway (SWG) on-premises.
  • Mode. Proxy HA or Transparent Router mode enabled.
  • Policy. Proxy Control event applied in the active policy.
  • Access. Administrator privileges to modify HA Proxy configuration on each cluster node.

To configure Proxy HA Timeout Settings, complete the following activities:

Configure the Proxy Control Event
  1. Open the Policy Editor.
  2. Create a new rule for the target application or domain. 
    Example:
    • Rule Criteria: URL.Host equals/matches "trellix.com"
    • Action: Continue
    • Event: Enable Proxy Control <trellix.com timeout>

      support client.png
  3. Set the required connection timeout value in the Proxy Control event.

NOTE: The MWG core process keeps the connection open longer with this policy setting. Do not extend the global connection timeout. Extending it increases connection times for long-running sessions and can cause port exhaustion. On busy systems such as proxies, set timeout values per resource instead of applying them globally.

Update Proxy HA Timeout Settings

If Proxy HA or Transparent Router mode is in use, configure the timeout on each HA node.

  1. On each node, open the HA Proxy configuration.
  2. Set the Inactivity Timeout to match the highest Proxy Control timeout value defined in your policy.
    • Example: If the Proxy Control event sets the timeout to 300 seconds, configure the HA inactivity timeout on each node to 300 seconds.
Verify the Configuration
  1. You can collect Rule Engine Traces to confirm that the Proxy Control event is applied correctly.
  2. You can collect Connection Traces for both the client (HTTP-123456-C.txt) and server (HTTP-123456-S.txt) connections.
  3. Compare timestamps of the last communication with the connection release or closure.

Example log sequence:

09:27:37.833: Send 29 bytes  
09:29:37.834: SSL Shutdown (fd = 140, 0)  
09:29:37.834: Releasing FD with pending data (fd = 140, 2)  

In this scenario, the request was sent at 09:27, followed by a 120-second wait, then the SSL shutdown and connection release.

  1. (Optional) You can use TCPdump with the IP and port from the trace to identify the FIN packet and confirm timeout behavior.
  2. Verify that the Proxy HA node received the updated timeout configuration.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.