Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
shlee
Staff
Staff

Created on ‎09-27-2015 09:59 PM

Article Id 193696

Technical Note: Priority of session-ttl settings in FortiGate

Description
There are three places where session-ttl can be configured. Priority will be in the order 1 > 2 > 3 as shown below. Session-ttl under firewall service will override settings under firewall policy, and session-ttl under firewall policy will override settings under config system session-ttl.

1. Under firewall service configuration
config firewall service custom
    edit "FTP"
        set category "File Access"
        set tcp-portrange 21
        set session-ttl 4800
    next
end

2. Under firewall policy
config firewall policy
    edit 4
        set srcintf "mgmt1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FTP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set session-ttl 3600
    next
end

3. Under config system session-ttl
 config system session-ttl
        config port
            edit 1
                set protocol 6
                set timeout 28800
                set start-port 21
                set end-port 21
            next
        end
end

Solution
It is recommended to avoid configuring session ttl at multiple locations as they may override each other thus providing wrong timeout values and affecting traffic flow.

8010
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.