NSX 6.3: Configure Session Timers

One of the new features which silently became available with NSX 6.3 which I think it’s a great enhancement it’s Session Timers. See https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.3/rn/releasenotes_nsx_vsphere_630.html#whatsnew 

Why would I need to extend session timers?

Having been on the field, I know from experience customers have asked/needed this; use cases are varied, for instance an application might require an indefinite amount of time (persistent connections) such as LDAP bindings or some kind of sticky sessions on Load Balancers.
Session Timers define how long a session is maintained on the firewall after inactivity. When the session timeout for the protocol expires, the session closes. Sessions supported are TCP, UDP and ICMP. By default, there is a global session timer to which all VMs / vNICs will be part of. It’s not possible to define a subset of VMs with customised session timeouts.

Configure Session Timers

1. From the Web Client, go to Firewall on the Networking & Security NSX plug-in.
   
2. Click on the + symbol to start the wizard for a new session timer policy
3. Customise the timers according to your application needs. Typically you will need to simply extend the Established timer which defaults to 43200 seconds (12 hours). In this example I have extended it to 604800 seconds which is 7 days. The policy can be either applied to a set of VMs or vNICs. I find the latter to be extremely useful; indeed a customer of mine had a dual-home VM and just the “management” NIC needed timers extension.The screenshot below showcase this, where I have selected Network Adapter 2 from Win2008 VM.
   You can also mix&match different type of objects, which is nice.
   
4. Hit OK to complete the configuration.
5. Here you can see the new policy configured and Applied-To
   

Official documentation: https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.3/com.vmware.nsx.admin.doc/GUID-1E54457A-016D-42AB-9368-BF3FD3005DC7.html