FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vvarangoulis
Staff
Article Id 191228

Description

This article describes how to adjust session TTL values when port ranges and custom services are configured at the same time.

Scope

FortiGate.

Solution

  1. Session TTL can be set globally using the ‘default’ variable of the ‘config system session-ttl’ command. The default session timeout set in the ‘default’ variable can range from 300 to 2764800 seconds. It is 3,600 seconds by default.

config system session-ttl
    set default ?

<integer>  value range (300 - 2764800)


  2. It is possible to override this default session TTL value for specific ports or port ranges using the ‘timeout’ variable of the ‘config port’ command. The ‘timeout’ variable can be set to a value ranging from 1 to 2764800 seconds. It is 300 seconds by default.

config system session-ttl
    config port
        edit <>
            set timeout ?

<integer>  value range (1 - 2764800)


  3. It is also possible to define a custom service, either to specify a new service or to refine an existing one. In this case, the value set in the ‘session-ttl’ variable of the ‘config firewall service custom’ command supersedes the session TTL value that was defined in 2).

config firewall service custom
    edit <>
        set session-ttl ?

session-ttl Enter an integer value from <300> to <2764800> or (special = <0>)


  4. The ‘config firewall service custom’ command also allows modifying the UDP session timeout via the ‘udp-idle-timer’ variable. The value set in this variable supersedes the global value set in the ‘udp-idle-timer’ variable of the ‘config system global’ command, which is 180 seconds by default.


  5. The session TTL value can be modified under the firewall policy as well. This applies to any traffic handled by that firewall policy. An illustration is shown below:

config firewall policy
    edit <>
        set session-ttl ?

session-ttl Enter an integer value from <300> to <2764800> or (special = <0>).


When a firewall policy has ‘session-ttl’ set to 0, it uses the global TTL setting from ‘config system session-ttl’.

In the following example, the global session-ttl is 1200 and the policy setting is 0, so the TTL for that policy will be 1200.

config system session-ttl
    set default 1200
end

config firewall policy
    edit 3
        set session-ttl 0
    next
end

 
In the following example, TCP port 1194 traffic is given a session TTL of 310 seconds while UDP port 1194 traffic is given a session TTL of 60 seconds.

Note
If VDOMs are enabled, the commands need to be performed per VDOM (exclude Global).

config system session-ttl
    set default 300
    config port
        edit 1194
            set protocol 6          <- This command enables the start-port and end-port commands.
            set timeout 50
            set start-port 1194
            set end-port 1194
        next
    end
end

config firewall service custom
    edit "UDP_1194"                 <- Spaces are not valid.
        set udp-portrange 1194
        set udp-idle-timer 60
        set session-ttl 310
    next
end
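To make the precedence between the four places a session TTL can be set easier to audit, the following added example (not Fortinet's code or CLI) models the rules from this article in Python and resolves the TTL for a given flow; the constructed EXAMPLE_SYS and EXAMPLE_SVC values mirror the second example above. It assumes that a non-zero policy session-ttl wins over a custom-service session-ttl and that a custom-service udp-idle-timer of 0 means "use the global value"; neither ordering is spelled out on this page.

```python
from dataclasses import dataclass, field

TCP, UDP = 6, 17  # protocol numbers as given to 'set protocol' under 'config port'

@dataclass
class PortOverride:           # one 'edit' entry under 'config system session-ttl' > 'config port'
    protocol: int
    start_port: int
    end_port: int
    timeout: int              # 'set timeout' (1 - 2764800)

@dataclass
class CustomService:          # relevant fields of a 'config firewall service custom' entry
    session_ttl: int = 0      # 0 = special: does not override the system value
    udp_idle_timer: int = 0   # 0 = use the global udp-idle-timer (assumption)

@dataclass
class SystemSettings:
    default_ttl: int = 3600   # 'config system session-ttl' > 'set default'
    udp_idle_timer: int = 180 # 'config system global' > 'set udp-idle-timer'
    ports: list = field(default_factory=list)  # PortOverride entries

def effective_session_ttl(sys_cfg, proto, dport, service=None, policy_ttl=0):
    """Return the TTL a new session on proto/dport receives.
    Applied least to most specific: global default -> matching port override
    -> custom-service session-ttl -> policy session-ttl (policy-over-service
    is an assumption; the other steps are the ones the article describes)."""
    ttl = sys_cfg.default_ttl
    for po in sys_cfg.ports:
        if po.protocol == proto and po.start_port <= dport <= po.end_port:
            ttl = po.timeout
    if service is not None and service.session_ttl:
        ttl = service.session_ttl
    if policy_ttl:            # 0 means: fall back to the system session-ttl setting
        ttl = policy_ttl
    return ttl

def effective_udp_idle_timer(sys_cfg, service=None):
    """A custom-service udp-idle-timer supersedes the global one when set."""
    if service is not None and service.udp_idle_timer:
        return service.udp_idle_timer
    return sys_cfg.udp_idle_timer

# Constructed settings mirroring the article's TCP/UDP 1194 example
EXAMPLE_SYS = SystemSettings(default_ttl=300,
                             ports=[PortOverride(TCP, 1194, 1194, 50)])
EXAMPLE_SVC = CustomService(session_ttl=310, udp_idle_timer=60)
```

Running it against the example settings shows the port override (50) applying to TCP 1194, the custom service (310) applying where that service is matched, and any other port falling back to the global 300.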
 
Session TTL can also be set to ‘never’, which allows the FortiGate to keep the session without a timeout; this is only recommended for specific legacy applications.
 