FortiGate
vvarangoulis
Staff
Description
This article describes how session TTL values are applied when port ranges (‘config port’) and custom services (‘config firewall service custom’) are configured at the same time, and which setting takes precedence.

Solution
1) Session TTL can be set globally using the ‘default’ variable of the ‘config system session-ttl’ command.  The default session timeout set in the ‘default’ variable can range from 300 to 604,800 seconds.  It is 3,600 seconds by default.

2)  It is possible to override this default session TTL value for specific ports or port ranges using the ‘timeout’ variable of the ‘config port’ sub-table of the same command.  The ‘timeout’ variable can be set to a value ranging from 1 to 604,800 seconds.  It is 300 seconds by default.

3)  It is also possible to define a custom service to either specify a new service or refine an existing service.  In this case, the value set in the ‘session-ttl’ variable of the ‘config firewall service custom’ command supersedes the session TTL value that was defined in 2).

4)  The ‘config firewall service custom’ command also allows modifying the UDP session timeout via the ‘udp-idle-timer’ variable.  The value set in this variable supersedes the global value set in the ‘udp-idle-timer’ variable of the ‘config system global’ command, which is 180 seconds by default.

In the following example, the global default is lowered to 300 seconds, TCP port 1194 traffic is given a session TTL of 50 seconds through a ‘config port’ entry, and a custom service for UDP port 1194 sets ‘udp-idle-timer’ to 60 seconds and ‘session-ttl’ to 310 seconds.  The custom service values only take effect for traffic matched by a firewall policy that references that service.  Confirm the resulting value on a live session with ‘diagnose sys session list’, whose ‘expire’ counter shows the remaining TTL.

Note:  If VDOMs are enabled, run these commands inside each VDOM (‘config vdom’, ‘edit <vdom-name>’), not in the ‘config global’ context.
# config system session-ttl
    set default 300
    config port
        edit 1194
            set protocol 6                        <----- 6 = TCP (IANA protocol number). Setting a protocol enables the start-port and end-port commands.
            set timeout 50
            set start-port 1194
            set end-port 1194
        next
    end
end

# config firewall service custom
    edit "UDP_1194"                               <----- Spaces are not valid.
        set udp-portrange 1194
        set udp-idle-timer 60
        set session-ttl 310
    next
end
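The precedence described in steps 1) to 4), modelled in a short script.  This is an added illustration and not FortiOS code: it resolves which configured value governs a flow's TTL, enforces the documented value ranges, and is pre-loaded with a configuration mirroring the CLI example above.  All class and field names are this script's own, and it assumes the custom service is referenced by the matching firewall policy.

```python
"""Model of FortiOS session-TTL precedence (added example, not FortiOS code).

Precedence, as documented in the article:
  global default  <  'config port' override  <  custom service 'session-ttl'
  global 'udp-idle-timer'  <  custom service 'udp-idle-timer'
The article does not state which of 'session-ttl' and 'udp-idle-timer'
expires a UDP session first when both are set, so both are returned.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

TCP, UDP = 6, 17  # IANA protocol numbers, the values 'set protocol' takes


@dataclass
class PortOverride:            # one 'config port' entry
    protocol: int
    start_port: int
    end_port: int
    timeout: int               # documented range: 1 - 604800 s


@dataclass
class CustomService:           # one 'config firewall service custom' entry
    name: str
    tcp_ports: list = field(default_factory=list)   # (start, end) tuples
    udp_ports: list = field(default_factory=list)
    session_ttl: Optional[int] = None
    udp_idle_timer: Optional[int] = None


@dataclass
class SessionConfig:
    default_ttl: int = 3600    # 'config system session-ttl' / 'set default'
    global_udp_idle: int = 180  # 'config system global' / 'set udp-idle-timer'
    ports: list = field(default_factory=list)
    services: list = field(default_factory=list)

    def __post_init__(self):
        # Reject values the article says the CLI will not accept.
        if not 300 <= self.default_ttl <= 604800:
            raise ValueError("session-ttl default must be 300-604800 s")
        for p in self.ports:
            if not 1 <= p.timeout <= 604800:
                raise ValueError(f"port timeout {p.timeout} out of range 1-604800 s")


def effective_timers(cfg: SessionConfig, protocol: int,
                     port: int) -> Tuple[int, Optional[int], str]:
    """Return (session_ttl, udp_idle_timer, source) for a flow.

    udp_idle_timer is None for non-UDP flows; 'source' names the setting
    that supplied the session TTL.
    """
    ttl, src = cfg.default_ttl, "system session-ttl default"
    # Step 2: a matching 'config port' entry overrides the global default.
    for p in cfg.ports:
        if p.protocol == protocol and p.start_port <= port <= p.end_port:
            ttl, src = p.timeout, f"config port {p.start_port}-{p.end_port}"
            break
    udp_idle = cfg.global_udp_idle if protocol == UDP else None
    # Steps 3 and 4: a matching custom service supersedes both of the above.
    for s in cfg.services:
        ranges = s.tcp_ports if protocol == TCP else s.udp_ports if protocol == UDP else []
        if any(lo <= port <= hi for lo, hi in ranges):
            if s.session_ttl is not None:
                ttl, src = s.session_ttl, f"service {s.name} session-ttl"
            if protocol == UDP and s.udp_idle_timer is not None:
                udp_idle = s.udp_idle_timer
            break
    return ttl, udp_idle, src


# Constructed to mirror the article's CLI example.
ARTICLE_CONFIG = SessionConfig(
    default_ttl=300,
    ports=[PortOverride(protocol=TCP, start_port=1194, end_port=1194, timeout=50)],
    services=[CustomService("UDP_1194", udp_ports=[(1194, 1194)],
                            session_ttl=310, udp_idle_timer=60)],
)

if __name__ == "__main__":
    for proto, port in ((TCP, 1194), (UDP, 1194), (TCP, 443), (UDP, 53)):
        print(proto, port, effective_timers(ARTICLE_CONFIG, proto, port))
```

Running the script shows that TCP/1194 takes the 50-second ‘config port’ value, UDP/1194 carries both the service's session-ttl of 310 and its udp-idle-timer of 60, and everything else falls back to the 300-second default (plus the 180-second global udp-idle-timer for UDP).  Compare those figures with the ‘expire’ field of ‘diagnose sys session list’ on the unit to see which timer FortiOS actually applies to the UDP flow.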
Related link: protocol numbers (the IANA values accepted by ‘set protocol’, e.g. 6 = TCP, 17 = UDP).
