Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Created on ‎01-05-2011 01:10 AM

How to reduce TTL sessions ?

Hello, On a fortigate 310b (3.0 mr7), I am trying to reduce the ttl session timeout. But I can' t set it under 300s. What i am doing : #config system session-ttl # config port #edit 53 # set timeout 100 The value must be between 300 and 604800 node_check_object fail! for timeout 100 value parse error before ' 100' Command fail. Return code -2 Any ideas ? 300s is way to much for a dns session :(
6387
0 Kudos
8 REPLIES 8
Carl_Wallmark
Valued Contributor

Created on ‎01-05-2011 01:42 AM

300 is the lowest you can go for session TTL

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
4060
0 Kudos
Not applicable

Created on ‎01-05-2011 01:45 AM

Thanks for the quick answer. Is the lowest still 300s for newer fortigate ?
4060
0 Kudos
FortiRack_Eric
New Contributor III

Created on ‎01-05-2011 02:50 AM

You' re looking at the TCP timers. Giving port 53 you want to eliminate the pseudo for sessions for DNS sessions. This is configured as follows: config system global set udp-idle-timer 30 end udp idle timeout: 1-86400s, default 180s Cheers Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
4060
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎01-05-2011 05:44 AM

Bear in mind that this affects all UDP traffic, including NTP, IPSec/IKE, streaming. I agree that the majority of idling sessions often is UDP DNS because resolving is pretty fast. Session setup and tear-down is ressource costly, though. What exactly is wrong with a TTL of 300s? Do you feel the number of sessions is too high on your FG? About what numbers are we talking here?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4060
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎01-05-2011 05:52 AM

just curious, this is what I can do in v4.00: 
 config system session-ttl
     set default 3600     # good to know...
     edit 0 # 0==next available
         set protocol 17   # 6=tcp, 17=udp
         set timeout 90   #  in seconds
         set end-port 53  # for tcp and udp only
         set start-port 53
     end
 ...
This gives you a lot more options.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4060
0 Kudos
Not applicable

Created on ‎01-05-2011 06:21 AM

Thanks for your answer. I am talking about 30k udp (no vpn, mainly dns) sessions over 120k. So setting a timer of 90s, may lead to a reduction of 10% of sessions. Do you know how the firewall handles the session ? Each seconds, it checks its tables and to some cleaning ? So I guess, the smaller the table is, the faster it will be to process this timer, no ? I don' t see how changing idling sessions timer may increase cpu ressources :(
4060
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎01-05-2011 06:42 AM

Just a quick thought on how the number of idling sessions is calculated... I think it depends on the rate of new sessions per second. Let' s look at the equilibrium state, i.e. the table size is constant (more or less). If you have a rate of 100 new sessions/sec, and wait for 300 seconds, then you have 30k sessions in the table. From the next second on, 100 sessions are timing out each second - the rates of new sessions and deleted sessions must be equal or else the table size would grow/shrink. So if you change the lifetime of this kind of session from 300 to 90 seconds, you should end up at an equilibrium of 9k sessions. Which is 70% less. If you have 120k sessions in all before, you' ll have 99k sessions after, a reduction of 17.5%. Please give me an idea if this is all wrong, and what the real reduction looks like in a couple of minutes. Back to your questions. When the firewall records a new session it has to allocate memory for it, write the table entry, start a session timer (it won' t go through all session entries sequentially - not scaleable), and probably some more effort. All of this is handled by the CPU. If you have sessions that are used only once (like NTP) during their lifetime, shorter lifetime means less CPU handling the session timers. But if sessions could be reused, like DNS when you load a web page with multiple requests, but have expired already, the FG would have to create more sessions than before, increasing CPU load. I' ve been told once by a Fortinet SE that you could choke a firewall by a high rate of new sessions. I' ve seen 500 sessions opened by a single user on regular web traffic. So with enough users I can imagine you could really load a Fortigate if the session lifetime was really short (not with 90s).
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4060
0 Kudos
Not applicable

Created on ‎01-05-2011 07:49 AM

I will update this post as soon as I get some numbers. sessions, cpu & co :)
4060
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.