Description
Solution
Session TTL can be configured in three places. Precedence is 1 > 2 > 3 as listed below: session-ttl under a firewall service overrides the setting under the firewall policy, and session-ttl under the firewall policy overrides the setting under config system session-ttl.
1. Under firewall service configuration
2. Under firewall policy
3. Under config system session-ttl
1. Under firewall service configuration
config firewall service custom
    edit "FTP"
        set category "File Access"
        set tcp-portrange 21
        set session-ttl 4800
    next
end
2. Under firewall policy
config firewall policy
    edit 4
        set srcintf "mgmt1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "FTP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set session-ttl 3600
    next
end
3. Under config system session-ttl
config system session-ttl
    config port
        edit 1
            set protocol 6
            set timeout 28800
            set start-port 21
            set end-port 21
        next
    end
end
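The precedence described above, worked through in code. The following Python is an added example written for this article, not FortiOS code. It parses a constructed configuration laid out like the snippets above and returns the TTL that wins for a given policy, protocol and destination port. Assumptions made here: a service's session-ttl applies when the policy references that service and the flow falls inside its port range; a policy session-ttl of 0 means "not set"; `set default` under config system session-ttl (not shown in the snippet above) is the final fallback; predefined services such as ALL are not modelled.

```python
"""Resolve the effective FortiGate session TTL for a flow by walking the
three layers in the order the article gives: firewall service, then
firewall policy, then config system session-ttl (port entry, then default).
Added example for this article, not Fortinet's code; it parses only the
'config / edit / set / next / end' lines the article's snippets use."""
import shlex
from typing import Dict, Tuple

# Constructed configuration for the example (not a real device dump).
SAMPLE_CONFIG = """
config firewall service custom
    edit "FTP"
        set tcp-portrange 21
        set session-ttl 4800
    next
    edit "HTTP"
        set tcp-portrange 80
    next
    edit "HTTPS"
        set tcp-portrange 443
    next
end
config firewall policy
    edit 4
        set service "FTP" "HTTP"
        set session-ttl 1800
    next
    edit 6
        set service "HTTP" "HTTPS"
    next
end
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 6
            set timeout 600
            set start-port 80
            set end-port 80
        next
    end
end
"""


def parse_fortios(text: str) -> Dict:
    """'config X' and 'edit K' open a nested dict, 'set A v...' stores the
    value tokens in the current one, 'next' and 'end' close it."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return root


def _service_matches(svc: Dict, protocol: int, dst_port: int) -> bool:
    """Port ranges look like '21', '21-22' or '21:1024-65535' (dst:src)."""
    key = {6: "tcp-portrange", 17: "udp-portrange"}.get(protocol)
    for spec in svc.get(key, []):
        lo, _, hi = spec.split(":")[0].partition("-")
        if int(lo) <= dst_port <= int(hi or lo):
            return True
    return False


def effective_session_ttl(cfg: Dict, policy_id: str, protocol: int,
                          dst_port: int) -> Tuple[int, str]:
    """Return (ttl_seconds, layer) for a flow accepted by policy_id."""
    policy = cfg["firewall policy"][policy_id]
    services = cfg.get("firewall service custom", {})
    # 1. A session-ttl on a matching service referenced by the policy wins.
    for name in policy.get("service", []):
        svc = services.get(name)  # predefined names such as ALL are not modelled
        if svc and "session-ttl" in svc and _service_matches(svc, protocol, dst_port):
            return int(svc["session-ttl"][0]), "firewall service"
    # 2. Otherwise a non-zero session-ttl on the policy (0 means unset; assumed).
    policy_ttl = int(policy.get("session-ttl", ["0"])[0])
    if policy_ttl:
        return policy_ttl, "firewall policy"
    # 3. Otherwise the system table: a port entry covering the flow, else default.
    sys_ttl = cfg.get("system session-ttl", {})
    for entry in sys_ttl.get("port", {}).values():
        if (int(entry["protocol"][0]) == protocol and
                int(entry["start-port"][0]) <= dst_port <= int(entry["end-port"][0])):
            return int(entry["timeout"][0]), "system session-ttl port"
    return int(sys_ttl.get("default", ["3600"])[0]), "system session-ttl default"
```

With `cfg = parse_fortios(SAMPLE_CONFIG)`, `effective_session_ttl(cfg, "4", 6, 21)` returns `(4800, "firewall service")` even though policy 4 sets 1800 and the system default is 3600, while TCP/80 through the same policy gets the policy's 1800, TCP/80 through policy 6 gets the system port entry's 600, and TCP/443 through policy 6 falls through to the system default. Tracing a flow this way is a quick check before concluding that a session timed out "too early" or "never".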
It is recommended to avoid configuring session-ttl in multiple locations, since the settings override each other and can produce unexpected timeout values that affect traffic flow.