Description
This article describes how to set the session TTL value to 'never'.
Scope
FortiGate.
Solution
To allow clients to permanently connect with legacy medical applications and systems that do not have keepalive or auto-reconnect features, the session timeout can be set to 'never' for firewall services, policies, and VDOMs.
The options to disable session timeout are hidden in the CLI.
To set the session TTL value of a custom service to 'never':
config firewall service custom
edit "tcp_23"
set tcp-portrange 23
set session-ttl never <---- Set to 'never'.
next
end
To set the session TTL value of a policy to 'never':
config firewall policy
edit 201
set srcintf "wan1"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "TCP_8080"
set logtraffic disable
set session-ttl never <----- Set to 'never'.
set nat enable
next
end
To set the session TTL value of a VDOM to 'never':
config system session-ttl
set default never <----- Set to 'never'.
config port
edit 1
set protocol 6
set timeout never <----- Set to 'never'.
set start-port 8080
set end-port 8080
next
end
end
This feature is useful for applications such as live streams and medical applications, where sessions would otherwise be ended by the configured idle timeouts.
To view a session list with the timeout set to never:
diagnose sys session list
session info: proto=6 proto_state=01 duration=9 expire=never timeout=never flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
Note that setting the 'never' value in either the service (config firewall service custom) or the firewall policy (config firewall policy) is sufficient.
Additionally, FortiOS context-sensitive help will not autocomplete the parameters. They must be entered manually.
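To review where the 'never' value is in use, the following added example (not Fortinet code and not part of the original article) scans a FortiOS configuration backup for the three settings shown above. The sample configuration is constructed from the article's snippets, the function name find_never_ttl is an assumption, and the parser assumes each statement fits on one line.

```python
import shlex

# Constructed sample, assembled from the article's snippets plus one policy
# that keeps a numeric timeout, for contrast.
SAMPLE_CONFIG = """\
config firewall service custom
    edit "tcp_23"
        set tcp-portrange 23
        set session-ttl never
    next
end
config firewall policy
    edit 201
        set session-ttl never
    next
    edit 202
        set session-ttl 3600
    next
end
config system session-ttl
    set default never
    config port
        edit 1
            set protocol 6
            set timeout never
        next
    end
end
"""

def find_never_ttl(config_text):
    """Return (config path, edit id or None, key) for each TTL set to 'never'."""
    findings, stack = [], []  # stack holds ("config", name) / ("edit", id)
    # Assumption: one statement per line; blank lines are skipped.
    for tokens in filter(None, map(shlex.split, config_text.splitlines())):
        if tokens[0] == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif tokens[0] == "edit":
            stack.append(("edit", tokens[1]))
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()  # 'next' closes an edit, 'end' closes a config
        elif tokens[0] == "set" and tokens[2:] == ["never"]:
            configs = [n for kind, n in stack if kind == "config"]
            in_vdom_ttl = "system session-ttl" in configs
            # 'default' and 'timeout' only count inside 'config system session-ttl'.
            if tokens[1] == "session-ttl" or (in_vdom_ttl and tokens[1] in ("default", "timeout")):
                edit = next((n for kind, n in reversed(stack) if kind == "edit"), None)
                findings.append((" / ".join(configs), edit, tokens[1]))
    return findings
```

Each finding gives the configuration path, the entry ID (None for a setting outside any edit block) and the key that is set to 'never'.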
Copyright 2025 Fortinet, Inc. All Rights Reserved.