Technical Tip: Keeping an active session when 'Schedule expiration' is disabled

irodriguez_FTNT · ‎08-05-2016

Description

This article describes that with the firewall policy rule setting 'set schedule-timeout enable', a FortiGate immediately forces the session to end when the 'Stop Time' of a recurring 'schedule' object is reached.

Additional configuration steps are required to keep the session active until is finished or expired.

Scope

FortiGate.

Solution

Disabling the schedule-timeout would allow the session to remain open after the schedule has expired. The session will end by a time-out or if any FIN or RST are seen.

For example, in an office environment, YouTube use is allowed between noon and 2 PM. During that time, any YouTube traffic continues. As long as that session is open, after 2 PM end time, the existing YouTube traffic can continue, yet new sessions will be blocked. With setting 'set schedule-timeout enable',

FortiGate will terminate all the sessions when the end time of the schedule is reached.

Through the CLI, the firewall policy firewall-session-dirty option is only available after changing the system settings:

Edit system settings:

config system settings
set firewall-session-dirty check-policy-option
end

Edit the firewall policy rule:

config firewall policy
edit <ID of the policy>
set schedule-timeout disable

set firewall-session-dirty check-new
end

The status of the session will change to 'persistent' once the end time of the schedule is reached and the traffic continues flowing.

Related documents:

CLI Guide - system settings

CLI Guide - firewall policy

Technical Tip: Keeping an active session when 'Schedule expiration' is disabled

You are leaving our website