Jacky_Chiu
New Member
March 21, 2017
Question

Setting ICMP/UDP Virtual Session Timeout


It's my first post, I just want to say hello to all!

 

I have been analyzing the PCI compliance report for my Fortigate Firewall (100D).  It fails on the items below:

Check the ICMP Virtual Session Timeout is set 

Check the UDP Virtual Session Timeout is set

 

Is it referring to the session-ttl value or is it about something else?  The session-ttl is set to 3600s by default.


    vjoshi_FTNT
    Staff
    March 22, 2017

    Hello Jacky,

     

    Welcome to the Fortinet Forum.

     

    I am not sure what exactly the PCI report is referring to.

     

    However, on the Fortigate, both the UDP idle timer and ICMP ttl are different from the session-ttl.

     

    For UDP, the following takes effect:

    config sys global
        set udp-idle-timer 180
    end

     

    And for ICMP, by default, the ttl is 60 seconds.

     

    Hope that helps.

    Jacky_Chiu
    New Member
    March 22, 2017

    Thanks vjoshi.  I just got a reply from Fortigate support.  He suggests applying the config below:

     

    config firewall policy
        edit <firewall policy ID>
            set timeout-send-rst enable
            set session-ttl 300    (example value; the default value is 0)
        next
    end

     

    I haven't applied the change yet.  I guess I will give it a try.  However, I still don't quite get what the report is complaining about, since I see the icmp/udp sessions disappearing after the TTL count reaches 0.

     

    The PCI report is a feature for v5.4: System > Advanced > Compliance.

    It generates a report and a list of items for us to fine-tune.

    http://docs.fortinet.com/uploaded/files/2874/fortigate-pci-dss-compliance-54.pdf
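    As an added example (not code from this thread, Fortinet, or its support team), the script below parses a FortiGate CLI config export and flags the settings discussed above: a global udp-idle-timer above a threshold, and firewall policies that still leave session-ttl at 0 or lack timeout-send-rst. The sample config and the 180 s / 300 s thresholds are assumptions taken from the values quoted in the replies.

```python
"""Check a FortiGate CLI config export for the timeout settings this thread
discusses: global udp-idle-timer and, per firewall policy, session-ttl and
timeout-send-rst. Thresholds and the sample config are constructed assumptions."""

SAMPLE_CONFIG = """\
config system global
    set udp-idle-timer 180
end
config firewall policy
    edit 1
        set timeout-send-rst enable
        set session-ttl 300
    next
    edit 2
    next
end
"""

def parse_config(text):
    """Parse FortiGate CLI text into {table: {edit_id: {key: value}}}; global tables use edit_id None."""
    result, stack = {}, []  # stack of [table_name, current_edit_id]; nested tables become "parent/child"
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            stack.append([(stack[-1][0] + "/" if stack else "") + line[7:], None])
            result.setdefault(stack[-1][0], {})
        elif line.startswith("edit "):
            stack[-1][1] = line[5:].strip('"')
            result[stack[-1][0]].setdefault(stack[-1][1], {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            result[stack[-1][0]].setdefault(stack[-1][1], {})[key] = value.strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return result

def check_timeouts(text, udp_max=180, ttl_max=300):
    """Return findings for timeouts that are unset or looser than the (assumed) thresholds."""
    cfg = parse_config(text)
    findings = []
    udp = cfg.get("system global", {}).get(None, {}).get("udp-idle-timer")
    if udp is None or int(udp) > udp_max:
        findings.append(f"system global: udp-idle-timer={udp or 'unset'}")
    for pol_id, s in cfg.get("firewall policy", {}).items():
        ttl = int(s.get("session-ttl", "0"))  # 0 means the policy inherits the global session-ttl
        if ttl == 0 or ttl > ttl_max:
            findings.append(f"policy {pol_id}: session-ttl={ttl}")
        if s.get("timeout-send-rst") != "enable":
            findings.append(f"policy {pol_id}: timeout-send-rst not enabled")
    return findings
```

    Run it against a `show full-configuration` export to list every policy the report would still consider unset.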

     

    blewandowski
    New Member
    February 22, 2021

    I am seeing a similar issue with version 6.0.2 for the same reason.

    Did you end up applying that fix, some other, or just ignoring the issue in the report?

     

    Thanks!