Technical Tip: Unexpected Behavior of UDP Session Duration in Forward Traffic Logs on FortiGate

Although UDP session duration is designed to follow the configured udp-idle-timer parameter, instances have been identified where the duration reported in Forward Traffic logs exceeds the defined threshold.

config system global
    set udp-idle-timer 180
end

Forward Traffic logs have displayed session durations greater than 180 seconds. Further verification via the session table revealed that the expire value was negative, resulting in session durations surpassing the configured idle timer.

diagnose sys session list | grep duration
session info: proto=17 ... duration=182 expire=-2 ...
session info: proto=17 ... duration=183 expire=-3 ...

Root cause and resolution:

• This behavior is associated with an anomaly present in versions earlier than v7.4.2.

• The issue does not occur in v7.4.5 and has been confirmed as resolved beginning with v7.4.2.

Recommended action:
Users observing this anomaly are advised to perform a firmware upgrade to  v7.4.2 or later to ensure consistency between configured UDP idle timers and the reported session durations in logs.