Description

This article describes how to change session TTL for all traffic matching a firewall policy, as it is sometimes required.

Scope

FortiGate.

Solution

This change can be made by CLI:

config firewall policy
    edit [rule number]
        set session-ttl [seconds]
end

Example:

config firewall policy
    edit 1
        set session-ttl 1500
end

Note:

This configuration only affects traffic or connections that match the policy.  It will override the global timeout setting if defined by using 'config system session-ttl'.
Also session-ttl-> Enter an integer value from <300> to <2764800> or (special = <0>).
Numbers defined are in seconds as mentioned above.

When Central-SNAT is enabled and FortiGate is operating in Policy-Based mode, the session-ttl must be configured within the Firewall Policy, not the Security Policy. In this mode, firewall policies can only be managed through the CLI. To apply a custom TTL, you must create a new firewall policy and position it before the default policy.

Example:

config firewall policy
     edit 1
         set name "Default"
         set srcintf "any"
         set dstintf "any"
         set srcaddr "all"
         set dstaddr "all"
         set srcaddr6 "all"
         set dstaddr6 "all"
         set service "ALL"
         set ssl-ssh-profile "certificate-inspection"
    next
end

config firewall policy

    edit 2
        set name "Custom_Policy"
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "HostX"
        set dstaddr "HostY"
        set service "TCP_1555_TTL_24hrs"
        set session-ttl 86400
        set ssl-ssh-profile "certificate-inspection"
    next
    move 2 before 1
end

Related article:

Technical Tip: Customizing Session TTL in FortiOS