system session-ttl
Use this command to configure port-range-based session timeouts by setting the session time to live (TTL) for multiple TCP, UDP, or SCTP port number ranges. The session TTL is the length of time a TCP, UDP, or SCTP session can be idle before being dropped by the FortiGate unit. You can add multiple port number ranges. For each range, you can configure the protocol (TCP, UDP, or SCTP) and start and end numbers of the port number range.
config system session-ttl
    set default {string}   Default timeout.
    config port
        edit {id}   # Session TTL port.
            set id {integer}   Table entry ID. range[0-65535]
            set protocol {integer}   Protocol (0 - 255). range[0-255]
            set start-port {integer}   Start port number. range[0-65535]
            set end-port {integer}   End port number. range[0-65535]
            set timeout {string}   Session timeout (TTL).
        next
    end
Additional information
The following section is for those options that require additional explanation.
default <seconds>
Enter the default session timeout, in seconds. This affects TCP and SCTP sessions that do not have a timeout specified in a defined config port entry.
Possible values: 300 to 604800 seconds. The default value is 3600.
end-port <port_number>
Enter the end port number of the port number range. You must configure both the start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.
Possible values: 0 to 65535.
id <entry_id>
Enter an entry ID. This is an identifier only and does not assign the port number.
Possible values: 0 to 65535.
protocol <protocol_number>
Enter the protocol number to match the protocol of the sessions that you want to configure a session TTL range for.
The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers, and IANA maintains the list of assigned protocol numbers. To enter a port number range you must set protocol to 6 for TCP sessions, 17 for UDP sessions, or 132 for SCTP sessions.
Possible values: 0 to 255.
start-port <port_number>
Enter the start port number of the port number range. You must configure both the start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.
Possible values: 0 to 65535.
timeout {<seconds> | never}
Enter the number of seconds the session can be idle for on this port. If you do not want the session to ever expire, you can enter never instead of specifying the number of seconds.
While it is possible to set the timeout to never, this is not a secure configuration and should be avoided.
Possible values: 1 to 604800 seconds. The default is 300.
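The following is an added example, not Fortinet code: a small Python audit script that reads a session-ttl block in the form the CLI prints it, rebuilds each config port entry, and checks the constraints described on this page (protocol 6, 17 or 132; both start-port and end-port set, within 0 to 65535, and start-port not higher than end-port; timeout within 1 to 604800 seconds or never, with never reported as a finding). The embedded configuration text, the parse_session_ttl and audit function names and the three sample entries are constructed for the example.

```python
"""Audit a FortiGate 'config system session-ttl' block.

Added example, not Fortinet code. The parser is hypothetical: it reads the
CLI text as 'show' would print it and checks the rules this page states.
"""
import re

PROTOCOL_NAMES = {6: "TCP", 17: "UDP", 132: "SCTP"}
DEFAULT_MIN, DEFAULT_MAX = 300, 604800   # range for 'set default'
TIMEOUT_MIN, TIMEOUT_MAX = 1, 604800     # range for a per-port 'set timeout'
PORT_MAX = 65535

# Constructed sample block: entry 2 uses 'never', entry 3 has a reversed range.
SAMPLE_CONFIG = """\
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 6
            set start-port 443
            set end-port 443
            set timeout 7200
        next
        edit 2
            set protocol 17
            set start-port 5060
            set end-port 5061
            set timeout never
        next
        edit 3
            set protocol 6
            set start-port 9000
            set end-port 8000
            set timeout 60
        next
    end
end
"""


def parse_session_ttl(text):
    """Return (default_timeout, [entry dicts]) parsed from the CLI text."""
    default = None
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"edit (\d+)$", line):
            current = {"id": int(m.group(1))}          # start of a port entry
        elif line == "next" and current is not None:
            entries.append(current)                    # end of a port entry
            current = None
        elif m := re.match(r"set (\S+) (\S+)$", line):
            key, value = m.group(1), m.group(2)
            if current is None:
                if key == "default":                   # top-level default
                    default = int(value)
            else:
                current[key] = value if value == "never" else int(value)
    return default, entries


def audit(default, entries):
    """Return a list of (entry_id, message) findings; an empty list means clean."""
    findings = []
    if default is not None and not DEFAULT_MIN <= default <= DEFAULT_MAX:
        findings.append((None, f"default {default} outside {DEFAULT_MIN}-{DEFAULT_MAX}"))
    for e in entries:
        eid = e["id"]
        proto = e.get("protocol")
        if proto not in PROTOCOL_NAMES:
            findings.append((eid, f"protocol {proto} is not TCP (6), UDP (17) or SCTP (132)"))
        start, end = e.get("start-port"), e.get("end-port")
        if start is None or end is None:
            findings.append((eid, "both start-port and end-port must be set"))
        else:
            if not (0 <= start <= PORT_MAX and 0 <= end <= PORT_MAX):
                findings.append((eid, f"port outside 0-{PORT_MAX}"))
            if start > end:
                findings.append((eid, f"start-port {start} is higher than end-port {end}"))
        timeout = e.get("timeout", 300)   # page: per-port timeout defaults to 300
        if timeout == "never":
            findings.append((eid, "timeout never: idle sessions are never dropped"))
        elif not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
            findings.append((eid, f"timeout {timeout} outside {TIMEOUT_MIN}-{TIMEOUT_MAX}"))
    return findings


if __name__ == "__main__":
    d, ents = parse_session_ttl(SAMPLE_CONFIG)
    for eid, msg in audit(d, ents):
        print(f"entry {eid}: {msg}")
```

Run against the sample block, the script reports entry 2 for its never timeout and entry 3 for its reversed port range; entry 1 (a single port, 443 to 443, with a 7200 second TTL) passes. Pointing the same parser at a block captured from a real unit is a quick way to find port ranges whose idle timeout was set to never.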