FortiGate
vvarangoulis (Staff)
Article Id 191228

Description

This article describes how to adjust session TTL values if port ranges and custom services are configured concurrently.

Scope

FortiGate.


Solution

  1. Session TTL can be set globally using the ‘default’ variable of the ‘config system session-ttl’ command. The value set in the ‘default’ variable can range from 300 to 604,800 seconds. It is 3,600 seconds by default.
  2. This default session TTL can be overridden for specific ports or port ranges using the ‘timeout’ variable of the ‘config port’ sub-command (under ‘config system session-ttl’). The ‘timeout’ variable can be set to a value ranging from 1 to 604,800 seconds. It is 300 seconds by default.
  3. It is also possible to define a custom service, either to specify a new service or to refine an existing one. In this case, the value set in the ‘session-ttl’ variable of the ‘config firewall service custom’ command supersedes the session TTL value defined in step 2.
  4. The ‘config firewall service custom’ command also allows the UDP session timeout to be modified via the ‘udp-idle-timer’ variable. The value set in this variable supersedes the global value set in the ‘udp-idle-timer’ variable of the ‘config system global’ command, which is 180 seconds by default.
  5. The session TTL can also be set on a firewall policy, in which case it applies to all traffic handled by that policy:

          config firewall policy
              edit <policy_id>
                  set session-ttl <seconds>
              next
          end


In the following example, TCP port 1194 traffic receives a session TTL of 310 seconds, while UDP port 1194 traffic receives a session TTL of 60 seconds.

Note:
If VDOMs are enabled, the commands must be entered in each VDOM (not in the Global context).

config system session-ttl
    set default 300
    config port
        edit 1194
            set protocol 6    # TCP; this command enables the start-port and end-port commands
            set timeout 50
            set start-port 1194
            set end-port 1194
        next
    end
end

config firewall service custom
    edit "UDP_1194"    # spaces are not valid in the service name
        set udp-portrange 1194
        set udp-idle-timer 60
        set session-ttl 310
    next
end
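As an added illustration (not from the original article or from Fortinet), the Python below models the precedence described in steps 1 to 4 above: global default, then a matching port range, then a matching custom service, with the UDP idle timer resolved separately. All configuration values are constructed; treating 0 as "not set" for the custom-service timers and using single ports instead of ranges are simplifying assumptions, and the policy-level session-ttl from step 5 is left out because the article does not state where it sits in this order.

```python
from dataclasses import dataclass, field

TCP, UDP = 6, 17  # protocol numbers as used by 'set protocol' under 'config port'

@dataclass
class PortRule:  # one 'edit <n>' entry under 'config port'
    protocol: int
    start_port: int
    end_port: int
    timeout: int = 300  # 'set timeout' default

@dataclass
class CustomService:  # one entry under 'config firewall service custom'
    name: str
    tcp_ports: list = field(default_factory=list)  # single ports only (simplification)
    udp_ports: list = field(default_factory=list)
    session_ttl: int = 0  # assumption: 0 means "not set", inherit from the steps above
    udp_idle_timer: int = 0  # assumption: 0 means "not set", inherit the global value

@dataclass
class SessionConfig:
    default_ttl: int = 3600  # 'config system session-ttl' -> 'set default'
    global_udp_idle: int = 180  # 'config system global' -> 'set udp-idle-timer'
    port_rules: list = field(default_factory=list)
    services: list = field(default_factory=list)

def effective_timers(cfg, protocol, port):
    """Resolve the session TTL (and UDP idle timer) in the article's precedence order."""
    ttl, source = cfg.default_ttl, "system session-ttl default"
    # Step 2: a matching port range overrides the global default
    for rule in cfg.port_rules:
        if rule.protocol == protocol and rule.start_port <= port <= rule.end_port:
            ttl, source = rule.timeout, "config port timeout"
    udp_idle = cfg.global_udp_idle if protocol == UDP else None
    # Steps 3 and 4: a matching custom service supersedes both of the above
    for svc in cfg.services:
        if port in (svc.tcp_ports if protocol == TCP else svc.udp_ports):
            if svc.session_ttl:
                ttl, source = svc.session_ttl, f"service {svc.name} session-ttl"
            if protocol == UDP and svc.udp_idle_timer:
                udp_idle = svc.udp_idle_timer
    return {"session_ttl": ttl, "udp_idle_timer": udp_idle, "source": source}

# Constructed configuration modelled on the article's example (not a device export)
EXAMPLE = SessionConfig(
    default_ttl=300,
    port_rules=[PortRule(TCP, 1194, 1194, timeout=50)],
    services=[CustomService("TCP_1194", tcp_ports=[1194], session_ttl=310),
              CustomService("UDP_1194", udp_ports=[1194], udp_idle_timer=60)],
)
```

Calling effective_timers(EXAMPLE, TCP, 1194) returns 310 from the TCP_1194 service, which wins over the 50-second port-range timeout, while (UDP, 1194) keeps the 300-second global default for its session TTL but gets the 60-second UDP idle timer.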