FortiGate
Article Id 194732

Description

 
This article describes how to change the time to live (TTL) for a service/port. A FortiGate unit's default system TTL is configurable globally (default values are stated in the TCP RFC). The TTL values can be set globally, but can also be changed for individual services and in each firewall policy.
 
This article uses an example to show the use of 'start' and 'end' ports and how to set a protocol value. A demonstration is given of how to change the default system time to live and the TTL value for the RDP service, which uses the logical port 3389. 
 
Scope
 
FortiGate.


Solution

 

The system session TTL sets the time to live for all sessions. A value of 1800, for example, sets the system session TTL to 30 minutes (1800/60).

Note: In the example below, the protocol value is set to 6 (TCP). If no protocol value is set, it defaults to 0, which matches all protocols.

 

Verification:

The CLI command below shows the current system session TTL configuration:

FortiGate # show system session-ttl
config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 6
            set timeout 3600    <- This is the only timeout that can be changed here.
            set start-port 3389
            set end-port 3389
        next
    end
end

 

Note: When 'set default' is left at its default value (3600), the line is not shown in the output.

 

Enter the following CLI commands:

 

config system session-ttl
    set default 1800    <- The default is 3600.
    config port
        edit 1
            set protocol 6
            set timeout 3600
            set start-port 3389
            set end-port 3389
        next
    end
end

 

In the firewall policy:

 

config firewall policy
    edit <id>    <- The ID of the policy to change.
        set session-ttl <value>    <- Enter an integer value from 300 to 2764800, or the special value 0.
    next
end
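As an added example (not Fortinet's code) of how the global, per-port and per-policy values above fit together, the script below parses a 'config system session-ttl' block in the format shown in this article and resolves the TTL a new session would receive. The precedence it applies (policy value if non-zero, then a matching port entry, then 'set default') is an assumption made for the example, as is treating a port entry with no start-port/end-port as matching nothing.

```python
import re

# Constructed sample mirroring the CLI output in this article (not captured from a device).
SESSION_TTL_CONFIG = """
config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 6
            set timeout 3600
            set start-port 3389
            set end-port 3389
        next
    end
end
"""

POLICY_TTL_MIN, POLICY_TTL_MAX = 300, 2764800  # range quoted in the article; 0 is the special value

def parse_session_ttl(text):
    """Return (default_ttl, port_entries) from a 'config system session-ttl' block."""
    default = 3600                       # shown as hidden in the article when left unchanged
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"edit (\d+)$", line):
            # Assumed defaults for an entry: protocol 0 (all), timeout 3600, no port range.
            current = {"id": int(m.group(1)), "protocol": 0, "timeout": 3600,
                       "start-port": 0, "end-port": 0}
        elif line == "next" and current is not None:
            entries.append(current)
            current = None
        elif m := re.match(r"set (\S+) (\d+)$", line):
            key, val = m.group(1), int(m.group(2))
            if current is None and key == "default":
                default = val            # global session TTL
            elif current is not None:
                current[key] = val       # per-port entry field
    return default, entries

def effective_ttl(config, protocol, dst_port, policy_ttl=0):
    """Resolve the TTL a new session gets (assumed precedence: policy > port entry > default)."""
    if policy_ttl != 0:
        if not POLICY_TTL_MIN <= policy_ttl <= POLICY_TTL_MAX:
            raise ValueError(f"policy session-ttl {policy_ttl} outside {POLICY_TTL_MIN}-{POLICY_TTL_MAX}")
        return policy_ttl
    default, entries = config
    for e in entries:
        proto_ok = e["protocol"] in (0, protocol)    # protocol 0 matches all protocols
        if proto_ok and 0 < e["start-port"] <= dst_port <= e["end-port"]:
            return e["timeout"]
    return default
```

Running effective_ttl(parse_session_ttl(SESSION_TTL_CONFIG), 6, 3389) returns 3600 for RDP, while UDP to the same port or TCP to any other port falls back to the global 1800.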

 

For other timeout values, please check the global settings:

 

FortiGate # config system global
FortiGate (global) # show full | grep timer

    set block-session-timer 30
    set tcp-halfclose-timer 120
    set tcp-halfopen-timer 10
    set tcp-rst-timer 5
    set tcp-timewait-timer 1
    set udp-idle-timer 180

 

See this article: Technical Tip: FortiGate CPU resource optimization configuration steps.

 

Alternatively, check the specific service settings.

See this article: Technical Tip: How to extend the TCP Half-Close timer for specific TCP services.

 

Related article:

Technical Tip: Session timeout settings