CLI Reference

system session-ttl

Use this command to configure port-range-based session timeouts by setting the session time to live (TTL) for multiple TCP, UDP, or SCTP port number ranges. The session TTL is the length of time a TCP, UDP, or SCTP session can be idle before being dropped by the FortiGate unit. You can add multiple port number ranges. For each range, you can configure the protocol (TCP, UDP, or SCTP) and start and end numbers of the port number range.

config system session-ttl
    set default {string}   Default timeout.
    config port
        edit {id}
        # Session TTL port.
            set id {integer}   Table entry ID. range[0-65535]
            set protocol {integer}   Protocol (0 - 255). range[0-255]
            set start-port {integer}   Start port number. range[0-65535]
            set end-port {integer}   End port number. range[0-65535]
            set timeout {string}   Session timeout (TTL).
        next
end

Additional information

The following section is for those options that require additional explanation.

default <seconds>

Enter the default session timeout, in seconds. This affects TCP and SCTP sessions that do not have a timeout specified in a defined config port entry.

Possible values: 300 to 604800 seconds. The default value is 3600.

end-port <port_number>

Enter the end port number of the port number range. You must configure both the start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.

Possible values: 0 to 65535.

id <entry_id>

Enter an entry ID. This is an identifier only and does not assign the port number.

Possible values: 0 to 65535.

protocol <protocol_number>

Enter the protocol number to match the protocol of the sessions that you want to configure a session TTL range for.

The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers, and the IANA Protocol Numbers registry lists the assigned values. To enter a port number range, you must set protocol to 6 for TCP sessions, 17 for UDP sessions, or 132 for SCTP sessions.

Possible values: 0 to 255.

start-port <port_number>

Enter the start port number of the port number range. You must configure both the start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value.

Possible values: 0 to 65535.

timeout {<seconds> | never}

Enter the number of seconds the session can be idle for on this port. If you do not want the session to ever expire, you can enter never instead of specifying the number of seconds.

While it is possible to set the timeout to never, this is not a secure configuration and should be avoided.

Possible values: 1 to 604800 seconds. The default is 300.
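The constraints above (protocol 6/17/132, start-port not above end-port, port and timeout bounds, and the advice against never) can be checked before a block is pasted into a FortiGate. The following is an added example written for this page, not Fortinet code: a small Python linter that parses a config system session-ttl block, reports each entry that breaks a documented rule, and reports which TTL applies to a given protocol/port. The config text is constructed for the example, and the first-matching-entry ordering in applicable_timeout is an assumption the page does not state.

```python
"""Lint a FortiOS 'config system session-ttl' block against the rules documented
on this page. Added example, not Fortinet code; the config text is constructed."""
import re

PROTOCOL_NUMBERS = {6: "TCP", 17: "UDP", 132: "SCTP"}   # values the page requires
DEFAULT_RANGE = (300, 604800)    # bounds of 'set default', seconds
TIMEOUT_RANGE = (1, 604800)      # bounds of per-entry 'set timeout', seconds
PORT_RANGE = (0, 65535)

# Constructed sample: one clean entry plus three that each break a documented rule.
SAMPLE_CONFIG = """\
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 30
        next
        edit 2
            set protocol 6
            set start-port 5000
            set end-port 4000
            set timeout 600
        next
        edit 3
            set protocol 6
            set start-port 22
            set end-port 22
            set timeout never
        next
        edit 4
            set protocol 1
            set start-port 0
            set end-port 0
            set timeout 60
        next
    end
end
"""


def parse_session_ttl(text):
    """Return (default_seconds, entries); each entry is a dict of its 'set' values."""
    default, entries, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if line == "next" and current is not None:
            entries.append(current)
            current = None
            continue
        m = re.fullmatch(r"set (\S+) (\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if current is None:
            if key == "default":
                default = int(value)
        else:
            current[key] = value
    return default, entries


def lint_entry(e):
    """Check one 'config port' entry; return a list of finding strings."""
    tag = f"edit {e['id']}"
    findings = []
    proto = int(e.get("protocol", -1))
    if proto not in PROTOCOL_NUMBERS:
        findings.append(f"{tag}: protocol {proto} is not 6 (TCP), 17 (UDP) or 132 (SCTP)")
    start, end = int(e.get("start-port", -1)), int(e.get("end-port", -1))
    if not (PORT_RANGE[0] <= start <= PORT_RANGE[1] and PORT_RANGE[0] <= end <= PORT_RANGE[1]):
        findings.append(f"{tag}: start-port and end-port must both be set within 0-65535")
    elif start > end:
        findings.append(f"{tag}: start-port {start} must not exceed end-port {end}")
    timeout = e.get("timeout", "300")   # page: per-entry timeout defaults to 300
    if timeout == "never":
        findings.append(f"{tag}: timeout never lets idle sessions live forever; set a bounded TTL")
    elif not TIMEOUT_RANGE[0] <= int(timeout) <= TIMEOUT_RANGE[1]:
        findings.append(f"{tag}: timeout {timeout} outside 1-604800 seconds")
    return findings


def lint_session_ttl(text):
    """Lint a whole block; return all findings (an empty list means it passes)."""
    default, entries = parse_session_ttl(text)
    findings = []
    if default is not None and not DEFAULT_RANGE[0] <= default <= DEFAULT_RANGE[1]:
        findings.append(f"default {default} outside 300-604800 seconds")
    for e in entries:
        findings.extend(lint_entry(e))
    return findings


def applicable_timeout(text, protocol, port):
    """TTL (seconds, or 'never') that a session on protocol/port would receive.

    Assumption (not stated on the page): the first entry whose protocol and port
    range contain the session applies. With no match the page says 'default'
    covers TCP and SCTP only, so other protocols return None here.
    """
    default, entries = parse_session_ttl(text)
    for e in entries:
        if (int(e.get("protocol", -1)) == protocol
                and int(e.get("start-port", -1)) <= port <= int(e.get("end-port", -1))):
            t = e.get("timeout", "300")
            return t if t == "never" else int(t)
    return default if protocol in (6, 132) else None


if __name__ == "__main__":
    for finding in lint_session_ttl(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter flags edit 2 (start-port above end-port), edit 3 (timeout never) and edit 4 (protocol 1 is neither TCP, UDP nor SCTP), while edit 1 passes; a UDP/53 session resolves to the 30-second entry and an unmatched TCP session falls back to the 3600-second default.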