
Setting ICMP/UDP Virtual Session Timeout

It's my first post; I just want to say hello to all!


I have been analyzing the PCI compliance report for my Fortigate Firewall (100D).  It fails on the items below:

Check the ICMP Virtual Session Timeout is set 

Check the UDP Virtual Session Timeout is set


Is it referring to the session-ttl value or is it about something else?  The session-ttl is set to 3600s by default.





Hello Jacky,


Welcome to the Fortinet Forum.


I am not sure what exactly the PCI report is referring to.


However, on the Fortigate, both the UDP idle timer and ICMP ttl are different from the session-ttl.


For UDP, the following takes effect:

```
config system global
    set udp-idle-timer 180
end
```


And for ICMP, by default, it is a 60-second TTL.


Hope that helps


Thanks vjoshi.  I just got a reply from Fortigate support.  He suggests applying the config below:


```
config firewall policy
    edit <firewall policy ID>
        set timeout-send-rst enable
        set session-ttl 300
    next
end
```

(300 is an example value; the default value is 0.)


I haven't applied the change yet.  I guess I will give it a try.  However, I still don't quite get what the report is complaining about, since I see the ICMP/UDP sessions disappearing after the TTL count reaches 0.


The PCI report is a feature of v5.4: System > Advanced > Compliance.

It generates a report and a list of items for us to fine-tune.
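As an added example that is not part of either poster's reply: the two settings mentioned in this thread, the global UDP idle timer and the per-policy session-ttl override, shown together in the FortiOS CLI, followed by the diagnose commands that let you confirm what expiry a live UDP or ICMP session actually gets. The policy ID (1) and the timer values are assumptions for illustration, not values from the report.

```fortios
# Global UDP idle timer, in seconds. This applies to every UDP session that is
# not overridden by a per-policy session-ttl. 180 is an illustrative value.
config system global
    set udp-idle-timer 180
end

# Per-policy session TTL override, as support suggested. Policy ID 1 is assumed.
# session-ttl 0 means "use the default"; a non-zero value replaces the default
# for every session matched by this policy. timeout-send-rst only affects TCP
# (it sends an RST when a TCP session expires) and is included because support
# suggested it alongside session-ttl.
config firewall policy
    edit 1
        set timeout-send-rst enable
        set session-ttl 300
    next
end

# Verify the effective timeout: filter the session table to UDP (protocol 17)
# and read the expire= counter of each entry, which counts down from the
# timeout that applied to that session.
diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session list

# Same check for ICMP (protocol 1); with no override these show the
# 60-second default mentioned above.
diagnose sys session filter clear
diagnose sys session filter proto 1
diagnose sys session list
```

Clearing the filter before each check matters: filter criteria accumulate, so a leftover `proto 17` filter would hide the ICMP sessions. If the expire counter on a UDP session does not match the udp-idle-timer you set, the traffic is probably hitting a policy with its own non-zero session-ttl.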



I am seeing a similar issue with version 6.0.2 for the same reason.

Did you end up applying that fix, some other fix, or just ignoring the issue in the report?


