FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
naveenk
Staff
Article Id 189741

Description

 

This article describes how to change the session TTL value for idle TCP sessions using the CLI.

 

Scope

 

FortiGate.

Solution

 

When the session TTL is reached, an established but idle session is removed from the FortiGate session table.

If new packets for that session arrive before the timer expires, the idle timer is reset and the TTL countdown restarts from the configured value.

 

In environments with a large number of open sessions, it may be necessary to reduce the session TTL below the default so that idle sessions are expired sooner and the session-table memory they occupy is released. Do not set the value lower than the longest idle period the protected applications legitimately need (for example long-lived idle SSH, database or monitoring connections without keepalives), or those connections will be dropped.


By default, each session uses the global default TTL in the system-wide session-ttl setting (3600 seconds on a factory configuration).

The global session TTL value can be configured as shown below.

 

config system session-ttl
    set default <value>        <----- <integer>, value range (300 - 2764800) seconds.
end

 

To display the accepted range for a setting, enter '?' in place of the value.

 

config system session-ttl
    set default ?       
<integer> value range (300 - 2764800)
end

 

On FortiGate, a different session-ttl can be configured under each firewall policy. A per-policy value overrides the global default for sessions matched by that policy.

 

config firewall policy
    edit <policyID>
        set session-ttl <value>                        <----- Enter an integer value from <300> to <2764800> seconds, or the special value <0>, which means the policy uses the global default.
    next
end
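The following worked CLI session is an added example and is not part of the original article. It lowers the global idle TTL from the factory default of 3600 seconds to 1800, gives one policy a shorter 600-second TTL, verifies the result, and then returns the policy to the global default with the special value 0. The policy ID 10 is a placeholder for a policy that exists in your own configuration.

```text
# Added example, not from the original article. Policy ID 10 is a placeholder.

# 1. Lower the global default idle TTL to 30 minutes.
config system session-ttl
    set default 1800
end

# 2. Give policy 10 a shorter idle TTL of 10 minutes (overrides the global default).
config firewall policy
    edit 10
        set session-ttl 600
    next
end

# 3. Verify: the global value and the policy value.
get system session-ttl
show firewall policy 10

# 4. Inspect live sessions matched by policy 10; the "expire" field in the
#    session list shows the remaining idle time counting down from 600.
diagnose sys session filter policy 10
diagnose sys session list
diagnose sys session filter clear

# 5. Revert policy 10 to the global default (special value 0).
config firewall policy
    edit 10
        set session-ttl 0
    next
end
```

Apply changes like these outside a maintenance window only after checking the session list for long-lived idle sessions that would be cut off by the new value; the expire field in diagnose sys session list shows how much idle time each session currently has left.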

 

Note:

The session-ttl value is not exposed in the web GUI, which is designed for simpler configuration tasks.

Advanced tuning such as session TTL and kernel-level settings is only possible through the CLI.