Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Not applicable

Created on ‎09-03-2009 04:35 PM Edited on ‎07-15-2023 03:08 AM By Staff

Article Id 194732

Technical Tip: Configuring session TTL timers for particular ports or services

 

  

 

The system session TTL sets a value for all session time to live. A value of 1800 for example, changes system session TTL to 30 minutes (1800/60).

Note: The protocol value has been set at 6 for TCP. If no value is set, it is set for all protocols with a value of 0.

 

Verification:

 

The CLI commands below show the default system TTL.

 

FortiGate # show system session-ttl

config system session-ttl

set default 1800
config port
edit 1

set protocol 6
set timeout 3600 (this is the only timeout that can be changed here)
set start-port 3389
set end-port 3389

next

end

end  

 

Note: The default value (3600) is not visible when it is left unchanged.

 

Description

 
This article explains how to change the time to live (TTL) for a service/port. A FortiGate unit's default system TTL is configurable globally (default values are stated in the TCP RFC). The TTL values can be set globally, but can also be changed for individual services, and in each firewall policy.
 
This article uses an example to show the use of 'start' and 'end' ports and how to set a protocol value. A demonstration is given of how to change the default system time to live and the TTL value for the RDP service, which uses the logical port 3389. 
 
Scope
 
FortiGate.


Solution

 

Enter the following CLI commands:

 

# config system session-ttl

   set default 1800 (default is 3600)

   config port
       edit 1
         set protocol 6
         set timeout 3600
         set start-port 3389
         set end-port 3389
       next
end

 

In the firewall policy:

        #config firewall policy

           edit "id"

       set  session-ttl  ---> Enter an integer value from <300> to <2764800> or (special = <0>)

 

 

For other timeout values, please check the global settings:

 

FortiGate # config system global
FortiGate (global) # show full | grep timer

set block-session-timer 30
set tcp-halfclose-timer 120
set tcp-halfopen-timer 10
set tcp-rst-timer 5
set tcp-timewait-timer 1
set udp-idle-timer 180

 

See Technical Tip: FortiGate CPU resource optimization configuration steps

 

Alternatively, check the specific service settings.

See Technical Tip: How to extend the TCP Half-Close timer for specific TCP services.

 

Related article:

 

Technical Tip: Session timeout settings

Labels:
19375
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.