Threat Defender uses connection tracking to enforce rules and to monitor network traffic.

The size of the connection tracking table depends on the memory available in your system. On small systems with 8GB RAM, for example, it can hold around 60,000 entries. As each entry represents a connection, 60,000 concurrent connections are possible.

Entries in the table may time out and are removed after a certain period of inactivity. Currently, the following timeouts exist:

  • 1 hour (3600 s) for established connections (including QUIC connections)
  • 60 seconds for flows that triggered a policy with a drop action
  • 5 seconds for connectionless flows, such as UDP or stateful connections in unconnected state (like TCP reset)

When a timeout expires, the corresponding connection is removed from the table. Therefore, any new data on this connection is considered a new connection.

When the connection tracking table is full, Threat Defender no longer accepts any new connections.
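The following Python model illustrates the behaviour described above: a bounded table of tracked connections, the three documented idle timeouts, removal of expired entries, a packet on an expired flow being treated as a new connection, and new connections being refused once the table is full. It is an added example, not Threat Defender's own implementation; the capacity of two entries, the flow tuples and the timestamps are constructed values chosen so the effects show up quickly.

```python
"""Toy model of a connection tracking table with per-class idle timeouts.

Added example (not Threat Defender's code). The timeout values mirror the
documentation; the capacity and flows in demo() are constructed.
"""
from dataclasses import dataclass

# Idle timeouts per entry class, in seconds (values from the documentation).
TIMEOUTS = {
    "established": 3600,   # established connections, including QUIC
    "dropped": 60,         # flows that matched a policy with a drop action
    "connectionless": 5,   # UDP, or stateful connections in unconnected state
}


@dataclass
class Entry:
    kind: str          # one of the TIMEOUTS keys
    last_seen: float   # timestamp of the last packet on this flow


class ConnTable:
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}  # flow 5-tuple -> Entry

    def expire(self, now):
        """Drop entries idle for at least their class timeout; return the count."""
        stale = [flow for flow, e in self.entries.items()
                 if now - e.last_seen >= TIMEOUTS[e.kind]]
        for flow in stale:
            del self.entries[flow]
        return len(stale)

    def track(self, flow, kind, now):
        """Account one packet of `flow` at time `now`.

        Returns True if the packet belongs to a tracked (or newly tracked)
        connection, False if it is a new connection and the table is full.
        An entry that has expired no longer exists, so a later packet on the
        same 5-tuple is handled as a brand-new connection.
        """
        self.expire(now)
        entry = self.entries.get(flow)
        if entry is not None:
            entry.last_seen = now
            entry.kind = kind        # e.g. unconnected -> established
            return True
        if len(self.entries) >= self.capacity:
            return False             # table full: new connection refused
        self.entries[flow] = Entry(kind, now)
        return True


def demo():
    """Walk through the documented behaviour on a constructed two-slot table."""
    table = ConnTable(capacity=2)
    flow_a = ("10.0.0.5", 51000, "203.0.113.9", 443, "tcp")    # constructed
    flow_b = ("10.0.0.6", 53000, "203.0.113.53", 53, "udp")    # constructed
    flow_c = ("10.0.0.7", 52000, "203.0.113.10", 443, "tcp")   # constructed
    r = {}
    r["a_new"] = table.track(flow_a, "established", now=0)
    r["b_new"] = table.track(flow_b, "connectionless", now=0)
    r["c_refused_full"] = table.track(flow_c, "established", now=1)
    r["udp_expired_after_5s"] = table.expire(now=6)
    r["c_accepted_after_expiry"] = table.track(flow_c, "established", now=6)
    r["established_expired_after_3600s"] = table.expire(now=3600)
    r["a_is_new_again"] = table.track(flow_a, "established", now=3601)
    r["tracked_now"] = len(table.entries)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The expiry check uses `>=`, so an entry idle for exactly its timeout is removed; a real implementation may differ by a tick, but the ordering of events (UDP first, dropped flows next, established connections last) is what matters for capacity planning.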