Support Forum
New Contributor

Configure session ttl limit between two interfaces?

I had to lower the value for the session-ttl because the fw was having issues with memory. But now, I'm suffering issues when the traffic is going from DMZ to internal (due to interrupted connections).

Is there any way to configure the session-ttl per interface? I see there are four modes here

  • Application Control Sensor entry (if applicable)
  • Custom Service (if applicable)
  • Policy (if applicable)
  • System   <--- Lowest level

    Any ideas?


  4 REPLIES

    No, session-ttl settings are not available at interface level. You can apply the TTL on those policies using the dmz and internal interfaces.


    Ok, I feared that, but can I add the "set timeout-send-rst enable" globally? Does it have any side issues, because so far all the issues I had are because of the endpoint not being notified of the closed connection.

    Esteemed Contributor III

    Hmm, session timeout settings are available

    - globally in

    config system session-ttl
        set default <seconds>
    end

    - per policy in

    config firewall policy
        edit <policy-id>
            set session-ttl <seconds>
        next
    end


    So you can set a short idle timeout globally and prolong it in each policy where you need it. The service field in the policy determines on which protocol and port the session-ttl is changed.


    "Kernel panic: Aiee, killing interrupt handler!"
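As an added example (not from this thread), here is how the layers above fit together on a FortiGate: a short global idle timeout, a longer TTL on a custom service, and a longer TTL plus `timeout-send-rst` on just the DMZ-to-internal policy that suffers from dropped sessions. The interface names, service name, policy ID and timeout values are assumptions.

```fortios
# Global default: low to keep the session table (and memory) small.
# 300 seconds is the lowest value FortiOS accepts.
config system session-ttl
    set default 300
end

# Custom service for the long-lived protocol between DMZ and internal
# (TCP/1433 is a constructed example). Its session-ttl overrides the
# global default for sessions matching this protocol/port.
config firewall service custom
    edit "DMZ_DB_LONGLIVED"
        set tcp-portrange 1433
        set session-ttl 7200
    next
end

# Only the DMZ -> internal policy gets the longer TTL, so the memory
# impact is limited to this traffic. The service field decides which
# protocol/port the policy-level session-ttl applies to.
# timeout-send-rst makes the firewall send a TCP RST to both endpoints
# when it expires a session, so clients notice the closed connection
# instead of hanging on a half-open socket.
config firewall policy
    edit 10
        set name "dmz-to-internal-db"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DMZ_DB_LONGLIVED"
        set session-ttl 7200
        set timeout-send-rst enable
    next
end
```

Check the result with `diagnose sys session list` on a matching session: the `expire` field should count down from the policy or service TTL rather than the 300-second global value.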

    Yes, that's the current approach I'm using. The only problem is having to add the rules in the CLI (AFAIK it can't be done in the GUI), and since the traffic between dmz and internal is important I'd have liked to be able to set a default value (such as a rule that was neither pass nor drop, or another mechanism).

    Thanks anyway