Technical Tip: Session timeout settings

vvarangoulis · ‎12-18-2017

Description

This article describes how to adjust session TTL values if port ranges and custom services are configured concurrently.

Scope

FortiGate.

Solution

Session TTL can be set globally using the ‘default’ variable of the ‘config system session-ttl’ command. The default session timeout set in the ‘default’ variable can range from 300 to 2764800 seconds. It is 3,600 seconds by default.

config system session-ttl
set default ?

<integer> value range (300 - 2764800)

It is possible to override this default session TTL value for specific ports or port ranges using the ‘timeout’ variable’ of the ‘config port’ command. The ‘timeout’ variable can be set to a value ranging from 1 to 2764800 seconds. It is 300 seconds by default.

config system session-ttl
config port
edit <>
set timeout ?

integer> value range (1 - 2764800)
It is also possible to define a custom service to either specify a new service or refine an existing service. In this case, the value set in the ‘session-ttl’ variable of the ‘config firewall service custom’ command supersedes the session TTL value that was defined in 2).

config firewall service custom
edit <>
set session-ttl ?
session-ttl Enter an integer value from <300> to <2764800> or (special = <0>)
The ‘config firewall service custom’ command also allows modifying of the UDP session timeout via the ‘udp-idle-timer’ variable. The value set in this variable supersedes the global value set in the ‘udp-idle-timer’ variable of the ‘config system global’ command which is 180 seconds per default.
The session TTL value can be modified under the firewall policy as well. This would be applied to any traffic handled by the firewall policy. An illustration is shown below:

config firewall policy
edit <>

set session-ttl ?
session-ttl Enter an integer value from <300> to <2764800> or (special = <0>).

When a firewall policy has "set session-ttl" to 0, it will use the global TTL setting in ‘config system session-ttl'.

In the following example, global session-ttl is 1200, policy setting is 0, so the TTL for that policy will be 1200.

config system session-ttl
set default 1200
end

Config firewall policy
edit 3

set session-ttl 0

end

In the following example, TCP port 1194 traffic is applied a session TTL of 310 seconds while UDP port 1194 traffic is applied a session TTL of 60 seconds.

Note:

If VDOMs are enabled the command needs to be performed per VDOM (exclude Global).

config system session-ttl

set default 300

config port
edit 1194
set protocol 6 <- This command will enable the start-port and end-port commands.
set timeout 50
set start-port 1194
set end-port 1194
next
end

end

config firewall service custom
    edit "UDP_1194"            <- Spaces are not valid.
        set udp-portrange 1194
        set udp-idle-timer 60
        set session-ttl 310
    next
end

Session TTL can also be set to never which allows the FortiGate to keep the session without timeout which is only recommended for specific legacy applications.

Related documents:

Technical Tip: Session timeout settings

You are leaving our website