Description
This article describes how to adjust session TTL values if port ranges and custom services are configured concurrently.
Scope
FortiGate.
Solution
1) Session TTL can be set globally with the ‘default’ variable of the ‘config system session-ttl’ command. The value can range from 300 to 604,800 seconds; it is 3,600 seconds by default.
2) This default can be overridden for specific ports or port ranges with the ‘timeout’ variable of the ‘config port’ sub-command under ‘config system session-ttl’. The ‘timeout’ variable can be set to a value from 1 to 604,800 seconds; it is 300 seconds by default.
3) It is also possible to define a custom service, either to specify a new service or to refine an existing one. In this case, the value set in the ‘session-ttl’ variable of the ‘config firewall service custom’ command supersedes the session TTL defined in 2).
4) The ‘config firewall service custom’ command also allows the UDP session timeout to be modified with the ‘udp-idle-timer’ variable. This value supersedes the global value set in the ‘udp-idle-timer’ variable of the ‘config system global’ command, which is 180 seconds by default.
5) The session TTL can also be set in the firewall policy. This value is applied to any traffic handled by that policy. An illustration is shown below:
    config firewall policy
        edit <policy_id>
            set session-ttl <seconds>
        next
    end
In the following example, the per-port entry gives TCP port 1194 traffic a session timeout of 50 seconds, while UDP port 1194 traffic matched by the custom service UDP_1194 is given a session TTL of 310 seconds and a UDP idle timer of 60 seconds, so an idle UDP session is cleared after 60 seconds.
Note:
If VDOMs are enabled, these commands must be entered in each VDOM (not under Global).
    config system session-ttl
        set default 300
        config port
            edit 1194
                set protocol 6 <------ Setting the protocol (6 = TCP) enables the start-port and end-port commands.
                set timeout 50
                set start-port 1194
                set end-port 1194
            next
        end
    end
    config firewall service custom
        edit "UDP_1194" <------ Spaces are not valid in the service name.
            set udp-portrange 1194
            set udp-idle-timer 60
            set session-ttl 310
        next
    end
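To see how these overrides combine, here is an added example (not Fortinet's code and not part of the original article) that parses a FortiOS-style config dump and resolves the timeouts that apply to a given flow. The config text is constructed from the article's example plus an assumed policy 10 that references UDP_1194; the precedence order is the one listed in 1) to 5) above, with the policy value assumed to win whenever it is set, and a value of 0 treated as "not set" (FortiOS uses 0 to mean "use the default"). The port-range helper also accepts the wider ‘dst-dst:src-src’ syntax that the page's single-port example does not show.

```python
"""Resolve the effective session TTL of a FortiGate flow from a config dump.

Added example, not Fortinet code. Precedence modelled from the article:
system default < per-port entry < custom service < firewall policy (assumed),
with the UDP idle timer resolved separately: system global < custom service.
"""
import shlex

# Constructed sample, modelled on the article's example plus an ASSUMED
# policy 10 that uses the custom service. Not a real device dump.
SAMPLE_CONFIG = """\
config system global
    set udp-idle-timer 180
end
config system session-ttl
    set default 300
    config port
        edit 1194
            set protocol 6
            set timeout 50
            set start-port 1194
            set end-port 1194
        next
    end
end
config firewall service custom
    edit "UDP_1194"
        set udp-portrange 1194
        set udp-idle-timer 60
        set session-ttl 310
    next
end
config firewall policy
    edit 10
        set service "UDP_1194"
        set session-ttl 900
    next
end
"""

PROTO_NUM = {"tcp": 6, "udp": 17}  # IP protocol numbers used by 'set protocol'


def parse_fortios(text):
    """Turn the config/edit/set/next/end structure into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # shlex handles the quoted names
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == "set":
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif kw in ("next", "end"):
            stack.pop()
    return root


def port_in_range(spec, port):
    """True if port falls inside a FortiOS 'dst[-dst2][:src[-src2]]' list."""
    for item in spec.split():
        lo, _, hi = item.split(":")[0].partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def nonzero(value):
    """Assumption: 0 means 'use the default', i.e. not set."""
    return value is not None and value != "0"


def effective_timeouts(cfg, proto, port, service=None, policy=None):
    """Return the session TTL and (for UDP) idle timer applied to a flow."""
    sttl = cfg.get("system session-ttl", {})
    result = {"session_ttl": int(sttl.get("default", 3600)),
              "ttl_source": "system default",
              "udp_idle_timer": None, "idle_source": None}
    # 2) per-port entry: must carry a protocol plus start-port/end-port
    for name, entry in sttl.get("port", {}).items():
        if entry.get("protocol") != str(PROTO_NUM[proto]) or "start-port" not in entry:
            continue
        if int(entry["start-port"]) <= port <= int(entry["end-port"]):
            result.update(session_ttl=int(entry.get("timeout", 300)),
                          ttl_source=f"port entry {name}")
    if proto == "udp":  # 4) global UDP idle timer, 180 s when not set
        glob = cfg.get("system global", {})
        result.update(udp_idle_timer=int(glob.get("udp-idle-timer", 180)),
                      idle_source="system global")
    # 3) and 4) custom service that the policy matched the flow with
    svc = cfg.get("firewall service custom", {}).get(service, {}) if service else {}
    if port_in_range(svc.get(f"{proto}-portrange", ""), port):
        if nonzero(svc.get("session-ttl")):
            result.update(session_ttl=int(svc["session-ttl"]),
                          ttl_source=f"custom service {service}")
        if proto == "udp" and nonzero(svc.get("udp-idle-timer")):
            result.update(udp_idle_timer=int(svc["udp-idle-timer"]),
                          idle_source=f"custom service {service}")
    # 5) policy-level session-ttl, assumed to win over everything above
    pol = cfg.get("firewall policy", {}).get(policy, {}) if policy else {}
    if nonzero(pol.get("session-ttl")):
        result.update(session_ttl=int(pol["session-ttl"]), ttl_source=f"policy {policy}")
    return result


CFG = parse_fortios(SAMPLE_CONFIG)

if __name__ == "__main__":
    print("tcp/1194:", effective_timeouts(CFG, "tcp", 1194))
    print("udp/1194 via UDP_1194:", effective_timeouts(CFG, "udp", 1194, service="UDP_1194"))
    print("udp/1194 via policy 10:", effective_timeouts(CFG, "udp", 1194, "UDP_1194", "10"))
```

Run against a real ‘show full-configuration’ dump, the same resolver makes a quick audit of which ports end up with unusually long TTLs, which is the practical reason to trace this precedence.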