Technical Tip: Configuring session TTL timers for particular ports or services
Description
Solution
The system session TTL sets the time-to-live applied to all sessions. A value of 1800, for example, sets the system session TTL to 30 minutes (1800/60).
Note: In the example below, the protocol value is set to 6 for TCP. If no protocol value is set, it is 0, which matches all protocols.
Verification:
The CLI commands below show the default system TTL.
FortiGate # show system session-ttl
config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 6
            set timeout 3600    <- This is the only timeout that can be changed here.
            set start-port 3389
            set end-port 3389
        next
    end
end
Note: The default value (3600) is not visible when it is left unchanged.
Enter the following CLI commands:
config system session-ttl
    set default 1800    (default is 3600)
    config port
        edit 1
            set protocol 6
            set timeout 3600
            set start-port 3389
            set end-port 3389
        next
    end
end
In the firewall policy:
config firewall policy
    edit <id>
        set session-ttl <value>    <- Enter an integer value from 300 to 2764800, or the special value 0.
    next
end
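As an added example (not part of the original article or of FortiOS), the script below parses a constructed `show system session-ttl` output and works out which TTL a given protocol/port would receive. It assumes the usual precedence of a non-zero firewall-policy session-ttl over the per-port entry, and of the per-port entry over the default; the sample text and the 300..2764800 range check are taken from the article's values.

```python
import re

# Constructed sample of `show system session-ttl` output, modelled on the
# article's example with one extra all-protocol entry (not from a real device).
SAMPLE_OUTPUT = """\
config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 6
            set timeout 3600
            set start-port 3389
            set end-port 3389
        next
        edit 2
            set protocol 0
            set timeout 600
            set start-port 53
            set end-port 53
        next
    end
end
"""

POLICY_TTL_MIN, POLICY_TTL_MAX = 300, 2764800  # range quoted in the article

def parse_session_ttl(text):
    """Return (default_ttl, port_entries) from `show system session-ttl` text."""
    default = 3600  # FortiOS default when `set default` is not shown
    m = re.search(r"^\s*set default (\d+)", text, re.M)
    if m:
        default = int(m.group(1))
    entries = []
    for block in re.findall(r"edit \d+\n(.*?)\n\s*next", text, re.S):
        kv = dict(re.findall(r"set (\S+) (\d+)", block))
        entries.append({
            "protocol": int(kv.get("protocol", 0)),   # 0 = all protocols
            "timeout": int(kv.get("timeout", 3600)),  # hidden when unchanged
            "start": int(kv["start-port"]),
            "end": int(kv["end-port"]),
        })
    return default, entries

def effective_ttl(default, entries, protocol, port, policy_ttl=0):
    """TTL a session gets; assumed precedence: policy > port entry > default."""
    if policy_ttl:
        if not POLICY_TTL_MIN <= policy_ttl <= POLICY_TTL_MAX:
            raise ValueError("policy session-ttl must be 0 or in range")
        return policy_ttl
    for e in entries:
        if e["protocol"] in (0, protocol) and e["start"] <= port <= e["end"]:
            return e["timeout"]
    return default
```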
For other timeout values, please check the global settings:
FortiGate # config system global
FortiGate (global) # show full | grep timer
set block-session-timer 30
set tcp-halfclose-timer 120
set tcp-halfopen-timer 10
set tcp-rst-timer 5
set tcp-timewait-timer 1
set udp-idle-timer 180
See this article: Technical Tip: FortiGate CPU resource optimization configuration steps.
Alternatively, check the specific service settings.
See this article: Technical Tip: How to extend the TCP Half-Close timer for specific TCP services.