Created on 12-29-2024 10:37 PM
Edited on 12-29-2024 10:38 PM
By Jean-Philippe_P
Description | This article explains what determines whether a session remains in the session information table or is purged (times out) after the session becomes inactive. |
Scope | FortiOS. |
Solution |
Broadly, session TTL (time-to-live) defines how long FortiGate keeps a session in its session information table before purging it, though it is not quite that simple when examined in detail.
It is important to understand which factor determines whether a session is qualified to live on (persist) or has to be purged from the session information table, since network administrators sometimes need to manipulate session lifetimes to achieve the desired result on the network.
Use case: the scenario considered in this article is a CGNAT PBA (Port Block Allocation) implementation. PBA uses user sessions, as they are initiated, to determine which port blocks in a NAT IP address pool are allocated to the user.
When those sessions time out, PBA allocates another port block to the next session initiated by the same user or device (a PC, a smartphone, etc.). This can make the rate at which blocks are allocated and de-allocated (withdrawn) too high, which is an undesirable result for many reasons. Hence the need arises to keep a session longer (persisting) in the session information table after it has become inactive.
To achieve the desired session persistence, first identify the traffic in question (UDP or TCP), then address the condition that governs session persistence for that protocol.
The factor that determines UDP session timeout is not the same as the one for TCP sessions, since UDP is connectionless while TCP is connection-oriented.
For a UDP packet, the lifetime of the session is controlled by the value configured as session TTL for UDP, for example the TTL configured under the UDP protocol parameters or the TTL configured under the firewall policy. The session of a UDP packet is maintained (remains) in the session table for the configured period; it is stateless.
Session TTL configuration under the firewall policy:

    config firewall policy
        edit xx
            set session-ttl xxx    <-- Configured period, in seconds
        next
    end

Session TTL configuration under a custom service (same pattern, with the service name in place of the policy ID):

    config firewall service custom
        edit <service-name>
            set session-ttl xxx    <-- Configured period, in seconds
        next
    end
For a TCP session, the configured TTL value is NOT solely responsible for determining how long the session persists after inactivity, or when it times out and is purged from the session information table. The timeout of the TIME_WAIT state determines how long a TCP session continues to live (persists) in the session table after the session has become inactive; this is not controlled by the TTL. |
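As an added illustration of the PBA churn described in the use case above (example code, not FortiOS code and not part of the original article), the following Python model ages a user's UDP sessions by a configurable session TTL and counts how often the port block is withdrawn and re-allocated. The packet trace, addresses and block numbering are constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PbaUser:
    session_ttl: int                              # seconds, the 'set session-ttl' value
    sessions: dict = field(default_factory=dict)  # session key -> last activity time
    block: int | None = None                      # allocated port block (None = none)
    allocations: int = 0
    releases: int = 0
    next_block: int = 0                           # constructed block counter for the pool


def expire_idle(user: PbaUser, now: float) -> None:
    """Purge every session idle for at least session_ttl seconds."""
    for key, last_seen in list(user.sessions.items()):
        if now - last_seen >= user.session_ttl:
            del user.sessions[key]
    # No live session left: PBA withdraws the block (the churn the article warns about)
    if not user.sessions and user.block is not None:
        user.block = None
        user.releases += 1


def on_packet(user: PbaUser, now: float, key: tuple) -> None:
    """Process one outbound UDP packet at time `now` belonging to session `key`."""
    expire_idle(user, now)
    if user.block is None:                        # first packet after withdrawal: new block
        user.block = user.next_block
        user.next_block += 1
        user.allocations += 1
    user.sessions[key] = now                      # refresh the session's activity timer


def simulate(packets, session_ttl: int) -> tuple[int, int]:
    """Return (allocations, releases) for a packet trace at a given UDP session TTL."""
    user = PbaUser(session_ttl=session_ttl)
    for now, key in packets:
        on_packet(user, now, key)
    return user.allocations, user.releases


# Constructed trace: one device polling a UDP service every 90 s for 9 minutes.
TRACE = [(t, ("10.0.0.5", 40000, "198.51.100.10", 53, "udp")) for t in range(0, 541, 90)]

if __name__ == "__main__":
    for ttl in (60, 300):
        print(f"session-ttl={ttl:>3}s -> (allocations, releases) = {simulate(TRACE, ttl)}")
```

With a 60 s TTL every poll arrives after the previous session has aged out, so the block is withdrawn and re-allocated on each packet; raising the TTL above the 90 s idle gap keeps one block for the whole trace.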