Created on 02-22-2010 10:57 PM Edited on 06-02-2022 09:56 AM By Anonymous
Description
Customizing Session TTL on the FortiGate.
Scope
Solution
Customize the session timeout for a particular port on the FortiGate unit with the following CLI commands:
config system session-ttl
    config port
        edit <port_range_index>
            set end-port <port_number_int>
            set protocol <protocol_int>
            set start-port <port_number_int>
            set timeout {<timeout_int> | never}
    end
end
It is necessary to configure both the start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The range is 0 to 65535.
To enter a port number range you must set protocol to 6 for TCP sessions or to 17 for UDP sessions.
This can be used when stale TCP sessions need to be timed out faster, or when sessions should stay alive longer because certain software might need a longer session-ttl to keep functioning.
Note: Changing this without being aware of the consequences might have a negative impact.
For the protocol numbers:
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
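The following is an added example, not Fortinet code: a small Python pre-change check that applies the port and protocol rules stated above to a list of entries and renders the matching CLI block for review. The function names, the sample ports and timeouts, and the "positive integer" timeout check are assumptions made for illustration.

```python
# Added example (not Fortinet code): checks session-ttl port entries against
# the rules in this article and renders the CLI block for review.

def validate_entry(entry):
    """Return a list of rule violations; an empty list means the entry is valid."""
    problems = []
    start, end = entry.get("start_port"), entry.get("end_port")
    if start is None or end is None:
        problems.append("both start-port and end-port must be set")
    else:
        for name, port in (("start-port", start), ("end-port", end)):
            if type(port) is not int or not 0 <= port <= 65535:
                problems.append(f"{name} {port!r} is outside 0-65535")
        if not problems and start > end:
            problems.append("start-port must be lower than or equal to end-port")
    if entry.get("protocol") not in (6, 17):  # 6 = TCP, 17 = UDP
        problems.append("protocol must be 6 (TCP) or 17 (UDP) to use ports")
    timeout = entry.get("timeout")
    # Assumption: any positive integer is accepted; the article gives no bounds.
    if timeout != "never" and not (type(timeout) is int and timeout > 0):
        problems.append("timeout must be a positive integer or 'never'")
    return problems

def render(entries):
    """Render validated entries as a session-ttl CLI block; raise on bad input."""
    lines = ["config system session-ttl", "    config port"]
    for index, entry in enumerate(entries, start=1):
        problems = validate_entry(entry)
        if problems:
            raise ValueError(f"entry {index}: " + "; ".join(problems))
        lines += [
            f"        edit {index}",
            # protocol goes first because the port fields depend on it
            f"            set protocol {entry['protocol']}",
            f"            set end-port {entry['end_port']}",
            f"            set start-port {entry['start_port']}",
            f"            set timeout {entry['timeout']}",
            "        next",
        ]
    lines += ["    end", "end"]
    return "\n".join(lines)

# Constructed sample values, for illustration only.
SAMPLE = [
    {"protocol": 6, "start_port": 22, "end_port": 22, "timeout": 3600},
    {"protocol": 17, "start_port": 5000, "end_port": 5100, "timeout": 120},
]

if __name__ == "__main__":
    print(render(SAMPLE))
```

Rejecting an entry before it is pasted into the CLI keeps a mistyped range or protocol from changing the timeout of sessions it was never meant to cover.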