Fortinet black logo

CLI Reference

config firewall global

Use this command to configure the timeout period for the connection tracking sessions for the firewall.

Syntax

config firewall global

edit <name>

set generic-timeout <integer>

set tcp-established-timeout <integer>

set tcp-syn-recv-timeout <integer>

set tcp-syn-sent-timeout <integer>

set tcp-close-timeout <integer>

set tcp-fin-wait-timeout <integer>

set tcp-last-ack-timeout <integer>

set udp-timeout <integer>

set udp-stream-timeout <integer>

next

end

generic-timeout

Specify the timeout of generic connections tracked by the netfilter connection tracking system. It determines how long the kernel will keep track of a connection that is considered idle, such as when it is not sending or receiving any traffic. Once the timeout period has elapsed, the connection tracking entry for that connection will be removed from the system.

Range is 1-86400 seconds. Default is 600 seconds.

tcp-established-timeout

Specify the timeout after which an established TCP connection that has not received any traffic will be considered inactive and removed from the connection tracking table.

Range is 1-86400 seconds. Default is 3600 seconds.

tcp-syn-recv-timeout

Specify the timeout after which a TCP SYN_RECV state connection entry will be removed from the connection tracking table.

Range is 1-86400 seconds. Default is 60 seconds.

tcp-syn-sent-timeout

Specify the timeout after which a TCP SYN_SENT connection entry will be removed from the connection tracking table.

Range is 1-86400 seconds. Default is 120 seconds.

tcp-close-timeout

Specify the timeout of TCP connections in CLOSE state.

Range is 1-86400 seconds. Default 3 seconds.

tcp-fin-wait-timeout

Specify the timeout for TCP connections in FIN_WAIT state.

Range is 1-86400 seconds. Default is 120 seconds.

tcp-last-ack-timeout

Specify the timeout after which a TCP LAST_ACK connection entry will be removed from the connection tracking table.

Range is 1-86400 seconds. Default is 30 seconds.

udp-timeout

Specify the timeout of UDP connections tracked by the netfilter connection tracking system.

Range is 1-86400 seconds. Default is 30 seconds.

udp-stream-timeout

Specify the timeout of UDP stream connections tracked by the netfilter connection tracking system.

Range is 1-86400 seconds. Default is 180 seconds.

Example

config firewall global

edit 1

set generic-timeout 600

set tcp-established-timeout 3600

set tcp-syn-recv-timeout 60

set tcp-syn-sent-timeout 120

set tcp-close-timeout 3

set tcp-fin-wait-timeout 120

set tcp-last-ack-timeout 30

set udp-timeout 30

set udp-stream-timeout 180

next

end

Use this command to configure the timeout period for the connection tracking sessions for the firewall.

Syntax

config firewall global

edit <name>

set generic-timeout <integer>

set tcp-established-timeout <integer>

set tcp-syn-recv-timeout <integer>

set tcp-syn-sent-timeout <integer>

set tcp-close-timeout <integer>

set tcp-fin-wait-timeout <integer>

set tcp-last-ack-timeout <integer>

set udp-timeout <integer>

set udp-stream-timeout <integer>

next

end

generic-timeout

Specify the timeout of generic connections tracked by the netfilter connection tracking system. It determines how long the kernel will keep track of a connection that is considered idle, such as when it is not sending or receiving any traffic. Once the timeout period has elapsed, the connection tracking entry for that connection will be removed from the system.

Range is 1-86400 seconds. Default is 600 seconds.

tcp-established-timeout

Specify the timeout after which an established TCP connection that has not received any traffic will be considered inactive and removed from the connection tracking table.

Range is 1-86400 seconds. Default is 3600 seconds.

tcp-syn-recv-timeout

Specify the timeout after which a TCP SYN_RECV state connection entry will be removed from the connection tracking table.

Range is 1-86400 seconds. Default is 60 seconds.

tcp-syn-sent-timeout

Specify the timeout after which a TCP SYN_SENT connection entry will be removed from the connection tracking table.

Range is 1-86400 seconds. Default is 120 seconds.

tcp-close-timeout

Specify the timeout of TCP connections in CLOSE state.

Range is 1-86400 seconds. Default 3 seconds.

tcp-fin-wait-timeout

Specify the timeout for TCP connections in FIN_WAIT state.

Range is 1-86400 seconds. Default is 120 seconds.

tcp-last-ack-timeout

Specify the timeout after which a TCP LAST_ACK connection entry will be removed from the connection tracking table.

Range is 1-86400 seconds. Default is 30 seconds.

udp-timeout

Specify the timeout of UDP connections tracked by the netfilter connection tracking system.

Range is 1-86400 seconds. Default is 30 seconds.

udp-stream-timeout

Specify the timeout of UDP stream connections tracked by the netfilter connection tracking system.

Range is 1-86400 seconds. Default is 180 seconds.

Example

config firewall global

edit 1

set generic-timeout 600

set tcp-established-timeout 3600

set tcp-syn-recv-timeout 60

set tcp-syn-sent-timeout 120

set tcp-close-timeout 3

set tcp-fin-wait-timeout 120

set tcp-last-ack-timeout 30

set udp-timeout 30

set udp-stream-timeout 180

next

end