Skip to main content
samfok
samfok
New Member
March 31, 2018
Question

Trade-off of Never Session timeout

  • March 31, 2018
  • 1 reply
  • 5881 views

Hi All,

 

From below link, which states we can configure session timeout to Never:

http://help.fortinet.com/cli/fos50hlp/56/index.htm#FortiOS/fortiOS-cli-ref-56/config/system/session-ttl.htm

[image]blob:https://forum.fortinet.co...4c6e-9a01-74ad251b6ecf[/image]

 

but it states it is 'not a secure configuration and should be avoided'.

 

Understand that having session never expires would hold firewall resources which is undesirable.

 

Other than this, would there any security features be turned off after configured 'system session-ttl timeout never'?

 

We just having some legacy applications need to hold the traffic unexpired, but just evaluate what is the trade-off. thx.

Sam

    1 reply

    samfok
    samfokAuthor
    New Member
    April 1, 2018
    Any takers? Thx
    neonbit
    neonbit
    New Member
    April 1, 2018

    I can't see how any security features would be disabled with configuring this as never but you need to be very careful with enabling this. Like you've stated it can take all your firewalls memory if sessions are created and not cleared. It would eventually lead to the firewall running out of memory and not working anymore (big security problem).

     

    The maximum value configurable is for 7 days. You can configure this for the services/policies that the legacy servers are using so that it's not a global value. I'd recommend doing this and seeing if the servers work with the 7day timeout first.

    Terms & ConditionsAccessibility statement