Description
This article describes the default session timeout value (session-ttl) on FortiGate and how to change it globally, per protocol/port, and per firewall policy.
Scope
FortiGate.
Solution
FortiGate keeps an idle session in its session table until its session TTL expires. The default session-ttl is 3600 seconds (one hour) and can be modified.
Global Timeout: view and adjust the global session-ttl via the CLI:
show full-configuration system session-ttl
config system session-ttl
set default 3600 (Range: 300 - 2764800 seconds)
end
The timeout for a specific protocol (and, for TCP/UDP, a port range) can also be set individually, overriding the global default for matching sessions:
FGT #config system session-ttl
FGT (session-ttl) #config port
FGT (port) #edit 1
new entry '1' added
FGT (1) #set protocol
protocol Enter an integer value from <0> to <255>.
FGT (1) #set protocol 1 <--- protocol 1 is ICMP. Other protocol numbers are listed in the related document below.
FGT (1) #end
FGT (session-ttl) #end
FGT #show full-configuration system session-ttl
config system session-ttl
set default 3600
config port
edit 1
set protocol 1
set timeout 300 <--- default for a new entry is 300 seconds
next
end
Policy-Specific Timeout: a firewall policy can override the global TTL for the sessions it allows:
config firewall policy
edit <policy-id>
set session-ttl 7200 <--- example: 7200 seconds (2 hours)
next
end
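As an added example (not Fortinet's code and not part of this article), the Python script below parses the output of 'show full-configuration system session-ttl', resolves which timeout applies to a given protocol/port, and flags entries whose idle timeout is unusually long, since long-lived idle entries inflate the session table. It assumes the precedence policy session-ttl > matching port entry > global default, and its sample adds a TCP entry using the start-port/end-port keys from the same CLI tree, which the article's output does not show.

```python
import re
# Constructed sample: the article's output plus one TCP entry (start-port/end-port keys).
SAMPLE = """\
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 1
            set timeout 300
        next
        edit 2
            set protocol 6
            set start-port 22
            set end-port 22
            set timeout 86400
        next
    end
end
"""
TTL_MIN, TTL_MAX = 300, 2764800  # documented range for 'set default'
def parse_session_ttl(text):
    """Return (default_ttl, entries); one dict per 'edit' block under config port."""
    default = int(re.search(r"^\s*set default (\d+)", text, re.M).group(1))
    entries = []
    for block in re.findall(r"edit \d+\n(.*?)\n\s*next", text, re.S):
        kv = {k: int(v) for k, v in re.findall(r"set (\S+) (\d+)", block)}
        entries.append({"protocol": kv.get("protocol", 0), "start": kv.get("start-port", 0),
                        "end": kv.get("end-port", 0), "timeout": kv["timeout"]})
    return default, entries

def effective_ttl(default, entries, protocol, port=0, policy_ttl=None):
    """Assumed precedence: policy session-ttl > matching port entry > global default."""
    if policy_ttl is not None:
        return policy_ttl
    for e in entries:
        any_port = e["start"] == 0 and e["end"] == 0  # entry with no port range
        if e["protocol"] == protocol and (any_port or e["start"] <= port <= e["end"]):
            return e["timeout"]
    return default

def audit(default, entries, max_idle=7200):
    """Flag a default outside the documented range and entries idling longer than max_idle."""
    findings = []
    if not TTL_MIN <= default <= TTL_MAX:
        findings.append(f"default {default}s outside {TTL_MIN}-{TTL_MAX}")
    for e in entries:
        if e["timeout"] > max_idle:
            findings.append(f"protocol {e['protocol']} ports {e['start']}-{e['end']}: {e['timeout']}s idle")
    return findings
```

Run it against a real 'show full-configuration system session-ttl' capture to spot per-protocol entries that quietly keep idle sessions alive far longer than the global default.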
Related document:
Protocol Numbers