FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
skaneria
Staff
Article Id 194357
Description

This article describes the default idle session timeout value (session-ttl) on FortiGate.

 

Scope

FortiGate.

Solution

FortiGate keeps a session in its session table for a specific time after the session becomes idle. The default value of session-ttl is 3600 seconds, and it can be modified.

 

Global Timeout: Adjust the global session-ttl via CLI:

FGT #show full-configuration system session-ttl
config system session-ttl
    set default 3600    <--- Range: 300 - 2764800 seconds
end

 

The timeout for a specific IP protocol can also be set separately, overriding the global default for that protocol, as follows:

 

FGT #config system session-ttl
FGT (session-ttl) #config port
FGT (port) #edit 1
new entry '1' added
FGT (1) #set protocol
protocol Enter an integer value from <0> to <255>.
FGT (1) #set protocol 1 <--- protocol 1 is ICMP. More protocol numbers can be found in related link.
FGT (1) #end
FGT (session-ttl) #end

FGT #show full-configuration system session-ttl
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 1
            set timeout 300    <--- default is 300 seconds
        next
    end
end


Policy-Specific Timeout: Specific policies can override the global TTL:

config firewall policy
    edit <policy-id>
        set session-ttl 7200    <--- Example: Set it to 7200 seconds (2 hours).
    next
end
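As an added example (not part of this article and not Fortinet code), the script below parses output in the `show full-configuration system session-ttl` format used above, checks the global default against the documented 300 - 2764800 second range, and resolves which idle timeout applies to a given session across the three levels discussed (firewall policy, per-protocol port entry, global default). The sample output is constructed for the example; the `start-port`/`end-port` fields of a port entry, the 0-65535 port range assumed for entries without explicit ports, and the precedence order policy session-ttl (non-zero) > matching port entry > global default are assumptions of this example rather than statements from the article.

```python
# Constructed sample in the format of `show full-configuration system session-ttl`
# (assembled for this example, not captured from a real FortiGate). Entry 2 uses
# the start-port/end-port fields of a port entry to scope a timeout to UDP/53.
SAMPLE_SESSION_TTL = """\
FGT #show full-configuration system session-ttl
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 1
            set timeout 300    <--- ICMP, default is 300 seconds
        next
        edit 2
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 60
        next
    end
end
"""

# Range of `set default` as documented in the article.
SESSION_TTL_MIN, SESSION_TTL_MAX = 300, 2764800


def parse_session_ttl(text):
    """Parse session-ttl output into {"default": int, "port": [entry, ...]}.

    Each port entry is a dict with id, protocol, start_port, end_port and timeout.
    Trailing "<---" annotations (as used in KB articles) are stripped before parsing.
    """
    cfg = {"default": None, "port": []}
    entry = None
    for raw in text.splitlines():
        line = raw.split("<---", 1)[0].strip()
        # Skip the prompt line, the config/end framing lines and blank lines.
        if not line or line.startswith("FGT") or line.startswith("config") or line == "end":
            continue
        if line.startswith("edit "):
            # Assumption for this example: an entry without explicit ports matches any port.
            entry = {"id": line.split(None, 1)[1].strip('"'), "protocol": None,
                     "start_port": 0, "end_port": 65535, "timeout": None}
        elif line == "next" and entry is not None:
            cfg["port"].append(entry)
            entry = None
        elif line.startswith("set "):
            _, key, value = line.split(None, 2)
            value = int(value)
            if entry is None and key == "default":
                cfg["default"] = value
            elif entry is not None:
                entry[key.replace("-", "_")] = value
    return cfg


def check_default_range(cfg):
    """Return findings for a global default outside the documented range (empty if fine)."""
    d = cfg["default"]
    if d is None:
        return ["no `set default` found"]
    if not SESSION_TTL_MIN <= d <= SESSION_TTL_MAX:
        return [f"default {d} is outside {SESSION_TTL_MIN}-{SESSION_TTL_MAX} seconds"]
    return []


def effective_ttl(cfg, protocol, dst_port=None, policy_ttl=0):
    """Idle timeout (seconds) that applies to a session.

    Precedence assumed for this example: a non-zero firewall-policy session-ttl wins,
    then the first matching `config port` entry, then the global default.
    """
    if policy_ttl:
        return policy_ttl
    for e in cfg["port"]:
        if e["protocol"] != protocol:
            continue
        if dst_port is None or e["start_port"] <= dst_port <= e["end_port"]:
            return e["timeout"]
    return cfg["default"]


if __name__ == "__main__":
    cfg = parse_session_ttl(SAMPLE_SESSION_TTL)
    print("global default:", cfg["default"], check_default_range(cfg) or "in range")
    for proto, port in [(1, None), (17, 53), (17, 123), (6, 443)]:
        print(f"protocol {proto} port {port}: {effective_ttl(cfg, proto, port)} s")
    print("policy override 7200:", effective_ttl(cfg, 6, 443, policy_ttl=7200), "s")
```

Feeding the script a pasted `show full-configuration` output is a quick way to confirm, before and after a change, which timeout a session will actually get, and to catch a global default that was typed outside the permitted range.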


Related document:
Protocol Numbers