Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
samfok
New Contributor

Trade-off of Never Session timeout

Hi All,

 

From below link, which states we can configure session timeout to Never:

http://help.fortinet.com/cli/fos50hlp/56/index.htm#FortiOS/fortiOS-cli-ref-56/config/system/session-...

[image]blob:https://forum.fortinet.co...4c6e-9a01-74ad251b6ecf[/image]

 

but it states it is 'not a secure configuration and should be avoided'.

 

Understand that having session never expires would hold firewall resources which is undesirable.

 

Other than this, would there any security features be turned off after configured 'system session-ttl timeout never'?

 

We just having some legacy applications need to hold the traffic unexpired, but just evaluate what is the trade-off. thx.

Sam

2 REPLIES 2
samfok
New Contributor

Any takers? Thx
neonbit
Valued Contributor

I can't see how any security features would be disabled with configuring this as never but you need to be very careful with enabling this. Like you've stated it can take all your firewalls memory if sessions are created and not cleared. It would eventually lead to the firewall running out of memory and not working anymore (big security problem).

 

The maximum value configurable is for 7 days. You can configure this for the services/policies that the legacy servers are using so that it's not a global value. I'd recommend doing this and seeing if the servers work with the 7day timeout first.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors