Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jacky_Chiu
New Contributor

Setting ICMP/UDP Virtual Session Timeout

It's my first post just want to hello to all!

 

I have been analyzing the PCI compliance report for my Fortigate Firewall (100D).  It fails on the below item:

Check the ICMP Virtual Session Timeout is set 

Check the UDP Virtual Session Timeout is set

 

Is it referring to the session-ttl value or is it about something else?  The session-ttl is set to 3600s by default.

 

 

 

Check the ICMP Virtual Session Timeout is set Check the UDP Virtual Session Timeout is set 
3 REPLIES 3
vjoshi_FTNT
Staff
Staff

Hello Jacky,

 

Welcome to the Fortinet Forum.

 

I am not sure what exactly the PCI report is referring to.

 

However, on the Fortigate, both the UDP idle timer and ICMP ttl are different from the session-ttl.

 

For UDP, below takes effect:

config sys global set udp-idle-timer 180 end

 

And ICMP, by default, it is 60 seconds ttl.

 

Hope that helps

Jacky_Chiu

Thanks vjoshi.  I just got a reply from Fortigate support.  He suggests to apply the below config:

 

config firewall policy  edit <firewall policy ID)  set timeout-send-rst enable  set session-ttl <example: (300)> default value is 0  end 

 

I haven't applied the change yet.  I guess I will give it a try.  However, I still don't quite get what the report is complaining about, since I see that the icmp/udp sessions disappearing after the TTL count reaching 0.  

 

The PCI report is a feature for v5.4.  System > Advance > Compliance.

It generates a report and a list of items for us fine tune. 

http://docs.fortinet.com/uploaded/files/2874/fortigate-pci-dss-compliance-54.pdf

 

blewandowski

I am seeing a similar issue with version 6.0.2 for the same reason.

Did you end up applying that fix, some other, or just ignoring the issue in the report?

 

Thanks!

Labels
Top Kudoed Authors