Technical Tip: Priority of session-ttl settings in FortiGate
Description
This article describes the three places where session-ttl can be configured on a FortiGate and which one takes effect when more than one is set. The priority is 1 > 2 > 3 in the order shown below: session-ttl under the firewall service overrides the setting under the firewall policy, and session-ttl under the firewall policy overrides the setting under config system session-ttl.
Scope
FortiGate.
Solution
1. Under the firewall service configuration:
config firewall service custom
    edit "FTP"
        set category "File Access"
        set tcp-portrange 21
        set session-ttl 4800
    next
end
2. Under the firewall policy:
config firewall policy
    edit 4
        set srcintf "mgmt1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FTP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set session-ttl 3600
    next
end
3. Under config system session-ttl:
config system session-ttl
    config port
        edit 1
            set protocol 6
            set timeout 28800
            set start-port 21
            set end-port 21
        next
    end
end
It is recommended to avoid configuring session TTL in multiple locations, as the settings override each other and can produce unexpected timeout values that affect traffic flow.
Note: When investigating session timeout issues, always confirm whether session-ttl is configured in more than one location. Since FortiGate may apply a more specific timeout definition, such as one configured under a custom service, the effective timeout seen in the session table can differ from the value expected at the policy or system level. Reviewing the configuration in priority order helps identify which setting is taking effect and avoids incorrect troubleshooting assumptions.