Technical Tip: Default session timeout value (session-ttl)
Description
This article describes the default session timeout value (session-ttl) on FortiGate and how to change it globally, per protocol, per policy and per service object.
Scope
FortiGate.
Solution
FortiGate keeps an idle session in its session table for a configurable time (session-ttl) before removing it. The default value of session-ttl is 3600 seconds and can be modified.
Global timeout: view and adjust the global session-ttl via the CLI:
show full-configuration system session-ttl
config system session-ttl
set default 3600 <----- Range: 300 - 2764800 seconds.
end
The timeout for a specific protocol can also be set separately, overriding the global default for that protocol only:
FGT #config system session-ttl
FGT (session-ttl) #config port
FGT (port) #edit 1
new entry '1' added
FGT (1) #set protocol
protocol Enter an integer value from <0> to <255>.
FGT (1) #set protocol 1 <----- Protocol 1 is ICMP. Other protocol numbers are listed in the related articles at the bottom of this one.
FGT (1) #end
FGT (session-ttl) #end
FGT #show full-configuration system session-ttl
config system session-ttl
set default 3600
config port
edit 1
set protocol 1
set timeout 300 <----- Default is 300 seconds.
next
end
Firewall policy and firewall service object TTL timeout: setting session-ttl on a firewall policy and/or on a service object overrides the global TTL for the sessions matched by that policy or service:
config firewall policy
edit <policy-id>
set session-ttl 7200 <----- Example: Set it to 7200 seconds (2 hours).
next
end
config firewall service custom
edit <name>
set session-ttl 7200 <----- Example: Set it to 7200 seconds (2 hours).
next
end
Note: The firewall checks the TTL in the following order, and the first configured value is used:
- Service object.
- Policy.
- Config system session-ttl.
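Added example (Python, not from this article or from Fortinet): it parses a constructed `show full-configuration system session-ttl` output like the one above and resolves the idle TTL for a session using the precedence the article lists. It assumes the `start-port`/`end-port` keys of a port entry (not shown in the article) and that a session-ttl of 0 on a policy or service object means the value is not set.

```python
# Constructed sample of `show full-configuration system session-ttl` output, modelled on the article (not from a real device).
SESSION_TTL_CONFIG = """\
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 1
            set timeout 300
        next
        edit 2
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 180
        next
    end
end
"""

def parse_session_ttl(text):
    # Returns (global default, [port entries]); an entry spans all ports unless start/end-port is set.
    default, entries, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set default "):
            default = int(line.split()[2])
        elif line.startswith("edit "):
            cur = {"protocol": None, "start": 0, "end": 65535, "timeout": None}
        elif cur is not None and line.startswith("set "):
            _, key, value = line.split()
            field = {"protocol": "protocol", "start-port": "start",
                     "end-port": "end", "timeout": "timeout"}.get(key)
            if field:  # keys this example does not model are ignored
                cur[field] = int(value)
        elif cur is not None and line == "next":
            entries.append(cur)
            cur = None
    return default, entries

def effective_ttl(proto, dport, parsed, policy_ttl=0, service_ttl=0):
    # Precedence from the article: service object, then policy, then system
    # session-ttl (matching port entry, else global default). 0 = not set (assumption).
    override = service_ttl or policy_ttl
    if override:
        return override
    default, entries = parsed
    for e in entries:
        if e["protocol"] == proto and e["start"] <= dport <= e["end"] and e["timeout"]:
            return e["timeout"]
    return default
```

Running `effective_ttl(1, 0, parse_session_ttl(SESSION_TTL_CONFIG))` returns the ICMP entry's 300 seconds, while a TCP/443 session with no per-protocol entry falls back to the global 3600.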
Related document:
