Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Session Timeout Value Change
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 03-23-2004 08:07 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Session Timeout Value Change
Have any of you had trouble with applications running through your FG either via plain-text Internet or VPN?
My company has had several problems with the default session ttl of 300 seconds. Most of the problems deal with sessions to applications being run over VPN, but there is a circumstance that deals with FTP as well, i.e. someone tries to download a large (several hundred MB) file that takes longer than 300 seconds to download and gets disconnected. The VPN problems relate to Terminal Service sessions being disconnected after 300 seconds, Outlook MAPI connections that are being disconnected when running over VPN, etc...
I' ve decided to change the default 300 seconds to 14400 seconds with the command:
set system session_ttl default 14400I realize that this will result in more sessions being left open for longer than required in some circumstances, which will result in a loss of performance. However, we have an FG-300 which is capable of supporting 200,000 sessions. During an extremely heavy day, our company has at most 500 sessions going. That' s .25% of the boxes maximum capability. I think I have room to increase the session timeout a bit. ;-) Does anyone else have an opinion on this move? Has anyone else made a similar move with their FG?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Not applicable
Created on 04-04-2004 06:27 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, simlar here. Running a database app through IPSEC VPN to MS SQL Server.
Had to up the default timeout from 300 to 30000
Not applicable
Created on 04-05-2004 06:21 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I spoke to Tech Support about my question above. They recommended that I do not set the default that high. So, I have since put mine back to the default of 300 seconds. However, I have been increasing the ports that we use. For example, SQL Server uses port 1433. So, I have increased that to 14400. I have done the same with SSH port 22, Terminal Server port 3389, and Microsoft Outlook ports 1116 and 1160. It seems to be working out well that way. It just takes a bit more work.
Not applicable
Created on 04-05-2004 07:45 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two fg-60. the Sql Server is at site A. Clients who connec to the DB are at site B. Do I only need to up the session ttl on the fg-60 at site A, or at site B as well?
Not applicable
Created on 04-05-2004 09:08 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would do both, since both FGs are going to track the session.
Not applicable
Created on 04-05-2004 10:03 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what' s the CLI syntax to set an individual port' s session_ttl?
Not applicable
Created on 04-05-2004 01:19 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To set the timeout to 4 hours for the terminal server port (3389) you can use the code below.
set system session_ttl port 3389 timeout 14400
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just an FYI, but I' m having the exact same problem you are talking about. I have 15 FG' s installed and I' ve had to adjust the ttl on all of them. The biggest problems I ran into were Outlook connections to a remote Exchange server and Citrix connections. I adjusted the ttl on both to 1800 and didn' t have as much of a problem. Outlook still hangs, but not very often.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you adjusting the default TTL, jce001? If not, what ports are you using for Outlook? I had a bear of a time figuring out what they were.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok,
Sorry for the delay, but here' s the skinny on what I have setup. First of all I' m connecting to a MS Exchange 2000 mail server. You need to extend the ttl for ports 135, 137, 138, & 139. I also created a service group called RPC_group. Then setup a int->ext policy using the RPC_group. I haven' t had any problems since this setup. Good Luck.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Session Timeout 109 Views
- external 2FA for ftgt ssl vpn 387 Views
- Full SSL Inspection Suddenly Slowing Performance. 271 Views
- token pop-up closes as soon as... 500 Views
- Why can my client device not... 174 Views
Labels
-
FortiGate
8,107 -
FortiClient
1,629 -
5.2
801 -
FortiManager
683 -
5.4
639 -
FortiAnalyzer
519 -
FortiAP
430 -
FortiSwitch
429 -
6.0
416 -
FortiClient EMS
366 -
5.6
362 -
FortiMail
302 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
181 -
FortiNAC
164 -
IPsec
155 -
6.4
128 -
FortiGuard
126 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
91 -
FortiToken
86 -
Customer Service
75 -
Wireless Controller
75 -
FortiAuthenticator
71 -
4.0MR3
64 -
Firewall policy
59 -
FortiProxy
53 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
High Availability
42 -
FortiDNS
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
DNS
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
BGP
32 -
SAML
31 -
Interface
31 -
Certificate
30 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Logging
18 -
Traffic shaping
17 -
FortiPAM
17 -
FortiMonitor
16 -
FortiDDoS
15 -
SSL SSH inspection
15 -
FortiGate v5.0
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
System settings
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1529 | |
| 1027 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.