Fortinet Forum
aseques
New Contributor

Configure session ttl limit between two interfaces?

I had to lower the value of session-ttl because the firewall was having memory issues. But now I'm suffering issues when traffic goes from the DMZ to internal (due to interrupted connections).

Is there any way to configure the session-ttl per interface? I see there are four modes here:

• Application Control Sensor entry (if applicable)
• Custom Service (if applicable)
• Policy (if applicable)
• System (lowest level)

Any ideas?

jintrah_FTNT
Staff

No, session-ttl settings are not available at interface level. You can apply the ttl on those policies using the dmz and internal interfaces.

aseques

Ok, I feared that, but can I add "set timeout-send-rst enable" globally? Does it have any side effects? So far, all the issues I've had are because the endpoint is not being notified of the closed connection.

ede_pfau
Esteemed Contributor III

Hmm, session timeout settings are available

- globally in

    config system session-ttl

AND

- per policy in

    config firewall policy
        set session-ttl

So you can set a short idle timeout globally and prolong it in each policy where you need it. The service field in the policy determines on which protocol and port the session-ttl is changed.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
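The layered setup described in the reply above, written out as a complete FortiOS CLI script. This is an added example, not configuration posted by anyone in the thread: the interface names, address objects (which must already exist), policy ID, service and timer values are placeholders chosen for illustration. It also goes one step beyond the reply by showing the per-port table under config system session-ttl, which applies a longer timer to one protocol/port globally without needing a policy entry, and it places set timeout-send-rst enable inside the policy, which is where that option lives as far as I know.

```fortios
# Added example, not from the thread. Placeholders: interfaces "dmz" and
# "internal", address objects "dmz-web-servers" and "internal-db" (assumed
# to exist), policy ID 10, and all timer values (seconds).

# 1. Global default: any session not matched by a more specific setting
#    idles out after 5 minutes, which keeps the session table small.
#    The optional port table raises the global timer for one protocol/port
#    only (protocol 6 = TCP), regardless of interface or policy.
config system session-ttl
    set default 300
    config port
        edit 1
            set protocol 6
            set start-port 1433
            set end-port 1433
            set timeout 3600
        next
    end
end

# 2. Per-policy override: sessions created by this policy idle out after
#    1 hour. The service field decides which protocol/port gets the longer
#    timer. timeout-send-rst makes the unit send a TCP RST to both endpoints
#    when the session does expire, so neither side is left holding a dead
#    connection it was never told about.
config firewall policy
    edit 10
        set name "dmz-web-to-internal-db"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "dmz-web-servers"
        set dstaddr "internal-db"
        set action accept
        set schedule "always"
        set service "MS-SQL"
        set session-ttl 3600
        set timeout-send-rst enable
    next
end
```

After applying it, show firewall policy 10 confirms the per-policy values, and diagnose sys session list shows the expire countdown on each live session, so you can check that DMZ-to-internal sessions really get the longer timer while everything else still ages out at the global 300 seconds. Keeping the global value low and widening only the policies (or ports) that need it is the least-privilege version of this change: the memory relief stays in place for the bulk of traffic, and only the long-lived flows you have identified are exempted.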
aseques

Yes, that's the current approach I'm using; the only problem is having to add the rules in the CLI (AFAIK it can't be done in the GUI), and since the traffic between DMZ and internal is important I'd have liked to be able to set a default value (such as a rule that was neither pass nor drop, or another mechanism).

Thanks anyway