FortiGate
rmetzger
Staff
Article Id 191711

Description

This article describes how to change the TTL (time to live) for idle TCP sessions using the CLI. When an idle session reaches the TTL limit, the session is dropped.

Scope

FortiGate.

Solution


Firmware versions before v4.0 MR1.

This example shows how to set the default TCP TTL to 300 seconds and the TTL for TCP port 8787 to 3600 seconds.

config system session-ttl
(session-ttl) # set default 300
(session-ttl) # config port
(port) # edit 8787
(8787) # set timeout 3600
(8787) # next
(port) # end
(session-ttl) # end

Firmware versions 4.0 MR1 and above.

This example shows how to set the default TCP TTL to 300 seconds and the TTL for TCP port 443 to 3600 seconds.

config system session-ttl
(session-ttl) # set default 300
(session-ttl) # config port
(port) # edit 443
(443) # set protocol 6
(443) # set timeout 3600
(443) # set end-port 443
(443) # set start-port 443
(443) # next
(port) # end
(session-ttl) # end


On the latest FortiOS version at the time of writing, v7.6.2, the options under this setting are as follows:

config system session-ttl
(session-ttl) # set default 300
(session-ttl) # config port
(port) # edit 443
new entry '443' added
(443) # set protocol 6
(443) # set timeout 3600
(443) # set end-port 443
(443) # set start-port 443
(443) # set ?
*protocol Protocol (0 - 255).
*start-port Start port number.
*end-port End port number.
timeout Session timeout (TTL).
refresh-direction Configure refresh direction.

By default, a new entry is added to the configuration with refresh-direction set to 'both'.

The options for refresh-direction are:

(443) # set refresh-direction
both Refresh both directions.
outgoing Refresh outgoing direction (original).
incoming Refresh incoming direction (reply).


The same behavior is seen on FortiOS version 7.4.7.

On older versions, such as v7.2.11 or v7.0.17, the refresh-direction option is not present:

# edit 443
(443) # set
*protocol Protocol (0 - 255).
*start-port Start port number.
*end-port End port number.
timeout Session timeout (TTL).

(443) # show full-configuration
config port
    edit 443
        set protocol 6
        set timeout 3600
        set start-port 443
        set end-port 443
    next
end


Note that if VDOM is enabled, depending on the FortiOS version, the command might be available at the global level or the VDOM level.
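As an added example (not Fortinet's code and not part of the original article), the following Python script parses the port table that 'show full-configuration' prints for 'config system session-ttl', validates each entry against the ranges the CLI help lists (protocol 0 - 255, start-port not above end-port, the three refresh-direction values), reports idle TTLs above a site threshold, and renders validated entries back into the 4.0 MR1 and later CLI syntax shown above. The sample output, the second entry for port 8787 with a one-day timeout, and the 7200-second policy threshold are constructed assumptions for the demonstration.

```python
"""Audit and render FortiOS 'config system session-ttl' port entries.

Added example, not Fortinet's code. Sample text, the 8787 entry and the
policy threshold are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the article's 'show full-configuration' output plus a
# second, much looser entry that the audit is expected to flag.
SAMPLE_SHOW_OUTPUT = """\
config system session-ttl
    set default 300
    config port
        edit 443
            set protocol 6
            set timeout 3600
            set start-port 443
            set end-port 443
        next
        edit 8787
            set protocol 6
            set timeout 86400
            set start-port 8787
            set end-port 8787
            set refresh-direction outgoing
        next
    end
end
"""

VALID_DIRECTIONS = ("both", "outgoing", "incoming")  # values listed by 'set refresh-direction'


@dataclass
class PortTtl:
    entry_id: int
    protocol: int = 0
    start_port: int = 0
    end_port: int = 0
    timeout: int = 0
    refresh_direction: Optional[str] = None  # absent on FortiOS versions without the option


def validate(entry: PortTtl) -> List[str]:
    """Return problems found in one entry; an empty list means it is consistent."""
    problems = []
    if not 0 <= entry.protocol <= 255:
        problems.append(f"entry {entry.entry_id}: protocol {entry.protocol} outside 0-255")
    if not 1 <= entry.start_port <= entry.end_port <= 65535:
        problems.append(f"entry {entry.entry_id}: port range {entry.start_port}-{entry.end_port} invalid")
    if entry.timeout <= 0:
        problems.append(f"entry {entry.entry_id}: timeout must be positive")
    if entry.refresh_direction is not None and entry.refresh_direction not in VALID_DIRECTIONS:
        problems.append(f"entry {entry.entry_id}: unknown refresh-direction {entry.refresh_direction}")
    return problems


_SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s*$")
_EDIT_LINE = re.compile(r"^edit\s+(\d+)$")


def parse_session_ttl(text: str) -> Tuple[Optional[int], Dict[int, PortTtl]]:
    """Parse 'config system session-ttl' output into (default TTL, entries by id)."""
    default_ttl: Optional[int] = None
    entries: Dict[int, PortTtl] = {}
    current: Optional[PortTtl] = None
    for line in text.splitlines():
        stripped = line.strip()
        m_edit = _EDIT_LINE.match(stripped)
        if m_edit:
            current = PortTtl(entry_id=int(m_edit.group(1)))
            entries[current.entry_id] = current
            continue
        if stripped == "next":
            current = None
            continue
        m = _SET_LINE.match(line)
        if not m:
            continue  # 'config port', 'end' and blank lines carry no values
        key, value = m.group(1), m.group(2)
        if current is None:
            if key == "default":
                default_ttl = int(value)
        elif key == "protocol":
            current.protocol = int(value)
        elif key == "start-port":
            current.start_port = int(value)
        elif key == "end-port":
            current.end_port = int(value)
        elif key == "timeout":
            current.timeout = int(value)
        elif key == "refresh-direction":
            current.refresh_direction = value
    return default_ttl, entries


def audit(text: str, max_idle_seconds: int = 7200) -> List[str]:
    """Report invalid entries and idle TTLs above a site policy (threshold is an assumption)."""
    default_ttl, entries = parse_session_ttl(text)
    findings: List[str] = []
    if default_ttl is not None and default_ttl > max_idle_seconds:
        findings.append(f"default TTL {default_ttl}s exceeds policy {max_idle_seconds}s")
    for e in entries.values():
        findings.extend(validate(e))
        if e.timeout > max_idle_seconds:
            proto = {6: "tcp", 17: "udp"}.get(e.protocol, f"protocol {e.protocol}")
            findings.append(f"entry {e.entry_id}: {proto} {e.start_port}-{e.end_port} "
                            f"idle TTL {e.timeout}s exceeds policy {max_idle_seconds}s")
    return findings


def render_cli(default_ttl: int, entries: List[PortTtl]) -> str:
    """Render validated entries as the 4.0 MR1+ CLI commands; raises on an invalid entry."""
    for e in entries:
        problems = validate(e)
        if problems:
            raise ValueError("; ".join(problems))
    lines = ["config system session-ttl", f"    set default {default_ttl}", "    config port"]
    for e in entries:
        lines += [f"        edit {e.entry_id}",
                  f"            set protocol {e.protocol}",
                  f"            set timeout {e.timeout}",
                  f"            set start-port {e.start_port}",
                  f"            set end-port {e.end_port}"]
        if e.refresh_direction:  # only emitted where the FortiOS version supports it
            lines.append(f"            set refresh-direction {e.refresh_direction}")
        lines.append("        next")
    lines += ["    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_OUTPUT):
        print(finding)
```

Run it against a saved 'show full-configuration' dump; every per-port entry above the threshold is listed, so a long idle TTL on a service port stays a deliberate, documented choice rather than something discovered later while sessions pile up in the session table.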

Related article:

“The system has entered conserve mode” FortiGate log message explanation