Setting ICMP/UDP Virtual Session Timeout
It's my first post; I just want to say hello to all!
I have been analyzing the PCI compliance report for my Fortigate Firewall (100D). It fails on the items below:
Check the ICMP Virtual Session Timeout is set
Check the UDP Virtual Session Timeout is set
Is it referring to the session-ttl value or is it about something else? The session-ttl is set to 3600s by default.
Hello Jacky,
Welcome to the Fortinet Forum.
I am not sure what exactly the PCI report is referring to.
However, on the Fortigate, both the UDP idle timer and ICMP ttl are different from the session-ttl.
For UDP, the setting below takes effect:
config system global
    set udp-idle-timer 180
end
And for ICMP, by default, the ttl is 60 seconds.
Hope that helps
Thanks vjoshi. I just got a reply from Fortigate support. He suggests applying the config below:
config firewall policy
    edit <firewall policy ID>
        set timeout-send-rst enable
        set session-ttl <example: 300>
    next
end
(The default value of session-ttl is 0.)
I haven't applied the change yet. I guess I will give it a try. However, I still don't quite get what the report is complaining about, since I see the icmp/udp sessions disappearing after the TTL count reaches 0.
The PCI report is a feature of v5.4: System > Advanced > Compliance.
It generates a report and a list of items for us to fine tune.
http://docs.fortinet.com/uploaded/files/2874/fortigate-pci-dss-compliance-54.pdf
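As an added example (not code from this thread or from Fortinet), here is a small Python parser for the FortiOS "config / edit / set / next / end" text format that reports the two settings discussed above: the global `udp-idle-timer` from vjoshi's reply and the per-policy `session-ttl` from the support suggestion. The section and key names come from the replies; the sample configuration, policy IDs and names are constructed.

```python
# Added example, not from the thread: parse FortiOS config text and flag the two timeouts above.
SAMPLE_CONFIG = """\
config system global
    set udp-idle-timer 180
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set timeout-send-rst enable
        set session-ttl 300
    next
    edit 2
    next
end
"""

def parse_fortios(text):
    """Return {section: {key: value}} or {section: {id: {key: value}}}; nested sub-tables are skipped."""
    result, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if nested:                          # inside a sub-table we do not model
            nested += line.startswith("config ") - (line == "end")
        elif line.startswith("config ") and section is None:
            section = line[len("config "):]
            result.setdefault(section, {})
        elif line.startswith("config "):    # e.g. a per-policy sub-table
            nested = 1
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            result[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            target = result[section][entry] if entry is not None else result[section]
            target[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return result

def timeout_findings(cfg):
    """List what a check like the PCI report items above would flag."""
    findings = []
    if "udp-idle-timer" not in cfg.get("system global", {}):
        findings.append("system global: udp-idle-timer not explicitly set")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("session-ttl", "0") == "0":       # 0 is the default: no per-policy override
            findings.append(f"firewall policy {pid}: session-ttl is 0 (global session-ttl applies)")
    return findings
```

Feed it the output of `show full-configuration` saved to a file to see which policies still rely on the global session-ttl.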
I am seeing a similar issue with version 6.0.2 for the same reason.
Did you end up applying that fix, some other, or just ignoring the issue in the report?
Thanks!
