Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jacky_Chiu
New Contributor

Setting ICMP/UDP Virtual Session Timeout

It's my first post just want to hello to all!

 

I have been analyzing the PCI compliance report for my Fortigate Firewall (100D).  It fails on the below item:

Check the ICMP Virtual Session Timeout is set 

Check the UDP Virtual Session Timeout is set

 

Is it referring to the session-ttl value or is it about something else?  The session-ttl is set to 3600s by default.

 

 

 

Check the ICMP Virtual Session Timeout is set Check the UDP Virtual Session Timeout is set 
3 REPLIES 3
vjoshi_FTNT
Staff
Staff

Hello Jacky,

 

Welcome to the Fortinet Forum.

 

I am not sure what exactly the PCI report is referring to.

 

However, on the Fortigate, both the UDP idle timer and ICMP ttl are different from the session-ttl.

 

For UDP, below takes effect:

config sys global set udp-idle-timer 180 end

 

And ICMP, by default, it is 60 seconds ttl.

 

Hope that helps

Jacky_Chiu

Thanks vjoshi.  I just got a reply from Fortigate support.  He suggests to apply the below config:

 

config firewall policy  edit <firewall policy ID)  set timeout-send-rst enable  set session-ttl <example: (300)> default value is 0  end 

 

I haven't applied the change yet.  I guess I will give it a try.  However, I still don't quite get what the report is complaining about, since I see that the icmp/udp sessions disappearing after the TTL count reaching 0.  

 

The PCI report is a feature for v5.4.  System > Advance > Compliance.

It generates a report and a list of items for us fine tune. 

http://docs.fortinet.com/uploaded/files/2874/fortigate-pci-dss-compliance-54.pdf

 

blewandowski

I am seeing a similar issue with version 6.0.2 for the same reason.

Did you end up applying that fix, some other, or just ignoring the issue in the report?

 

Thanks!