FortiGate
ysatake
Staff
Article Id 424493
Description

This article describes how, in a hyperscale VDOM, the session-helper can be disabled on a per-service basis using 'config firewall service custom', but the setting is not applied to actual traffic processing.

In a hyperscale VDOM, session-helper behavior is controlled only by the global configuration.

Scope

FortiGate with a hyperscale license applied.

 

Solution

On a FortiGate with VDOMs configured, if different session-helper behavior per VDOM is required for a specific protocol, the following configuration can be used:

FGT # config vdom
FGT (vdom) # edit vdom1
FGT (vdom1) # config firewall service custom
FGT (custom) # edit FTP-disable
FGT (FTP-disable) # set helper disable
FGT (FTP-disable) # end

However, because of NPU limitations, this per-service setting does not take effect in a hyperscale VDOM on a unit where a hyperscale license is applied.
Although the configuration can be created, all session-helper behavior in a hyperscale VDOM follows the global configuration.
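Because the CLI accepts the setting without warning, a configuration backup can be audited for per-service overrides that have no effect. The following is an added example, not Fortinet code or part of the original article: the function name and the sample backup are constructed for illustration, and the list of hyperscale VDOM names is assumed to be supplied by the operator.

```python
# Added example: constructed sample backup, not taken from the article.
SAMPLE_CONFIG = """\
config vdom
edit vdom1
config firewall service custom
    edit "FTP-disable"
        set tcp-portrange 21
        set helper disable
    next
end
end
config vdom
edit vdom2
config firewall service custom
    edit "TFTP-disable"
        set udp-portrange 69
        set helper disable
    next
end
end
"""

def find_ineffective_helper_overrides(config_text, hyperscale_vdoms):
    """Return (vdom, service) pairs whose 'set helper disable' sits in a hyperscale VDOM."""
    stack = []     # open blocks: ("config", path) or ("edit", name)
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())              # normalise indentation and spacing
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            stack.append(("config", rest))
        elif keyword == "edit":
            stack.append(("edit", rest.strip('"')))
        elif keyword == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif keyword == "end":
            # 'end' closes an open edit (if any) plus its enclosing config block
            if stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif line == "set helper disable" and [k for k, _ in stack] == ["config", "edit"] * 2:
            (_, top), (_, vdom), (_, table), (_, service) = stack
            if (top, table) == ("vdom", "firewall service custom") and vdom in hyperscale_vdoms:
                findings.append((vdom, service))
    return findings

if __name__ == "__main__":
    # Assumption: the operator supplies which VDOMs are hyperscale VDOMs.
    for vdom, service in find_ineffective_helper_overrides(SAMPLE_CONFIG, {"vdom1"}):
        print(f"{vdom}: 'set helper disable' on {service} is not applied (global session-helper governs)")
```

Any service reported here still follows the global session-helper configuration, so policies that rely on the helper being off for that service should be reviewed.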
