Fortinet white logo
Fortinet white logo

Administration Guide

Refreshing active sessions for specific protocols and port ranges per VDOM in a specified direction

Refreshing active sessions for specific protocols and port ranges per VDOM in a specified direction

Active sessions can be refreshed for specific protocols and port ranges per VDOM in a specified direction. This option can help prevent potential denial of service (DoS) attacks by controlling the direction of traffic that refreshes existing sessions.

config system session-ttl
    config port
        edit <id>
            set protocol <integer>
            set timeout <timeout_value>
            set refresh-direction {both | outgoing | incoming}
        next
    end
end

Setting the refresh-direction to outgoing will use the original direction, while incoming will use the reply direction. To refresh in both directions, select both.

Example

In this example, active sessions for UDP port 5001 will be refreshed in the incoming direction.

To refresh active sessions for UDP port 5001 in the incoming direction:
  1. Configure the global session TTL timer:

    config system session-ttl
        set default 3600
        config port
            edit 5001
                set protocol 17
                set timeout 5001
                set refresh-direction incoming
                set start-port 5001
                set end-port 5001
            next
        end
    end
  2. Send UDP 5001 traffic from the client to the server.

  3. Verify the session table:

    # diagnose sys session list
    session info: proto=17 proto_state=00 duration=77 expire=4923 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=log may_dirty f00
    statistic(bytes/packets/allow_err): org=58/2/1 reply=0/0/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0
    hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
    hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
    src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
    misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
    serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason:  disabled-by-policy
    total session: 1

    The timeout and refresh for the reply direction are attached to the session.

  4. Send UDP 5001 traffic again from the client to the server.

  5. Verify the diagnostics.

    1. Run the sniffer trace:

      # diagnose sniffer packet any 'udp and port 5001' 4
      interfaces=[any]
      filters=[udp and port 5001]
      3.387747 wan2 in 10.1.100.41.2041 -> 172.16.200.55.5001: udp 1
      3.387757 wan1 out 172.16.200.10.62458 -> 172.16.200.55.5001: udp 1
      ^C
      2 packets received by filter
      0 packets dropped by kernel
    2. Verify the session table:

      # diagnose sys session list
      session info: proto=17 proto_state=00 duration=119 expire=4881 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=
      reply-shaper=
      per_ip_shaper=
      class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
      state=log may_dirty f00
      statistic(bytes/packets/allow_err): org=116/4/1 reply=0/0/0 tuples=2
      tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
      orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0
      hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
      hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
      src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
      misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
      serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=0x000001 no_offload
      no_ofld_reason:  disabled-by-policy
      total session: 1

    As the traffic flows from the client to the server (outgoing), the expiration timer continues to count down and is not refreshed.

  6. Send reverse UDP 5001 traffic from the server to the client.

  7. Verify the diagnostics again.

    1. Run the sniffer trace:

      # diagnose sniffer packet any 'udp and port 62458 or port 2041' 4
      interfaces=[any]
      filters=[udp and port 62458 or port 2041]
      3.237328 wan1 in 172.16.200.55.5001 -> 172.16.200.10.62458: udp 1
      3.237339 wan2 out 172.16.200.55.5001 -> 10.1.100.41.2041: udp 1
      ^C
      2 packets received by filter
      0 packets dropped by kernel
    2. Verify the session table:

      # diagnose sys session list
      session info: proto=17 proto_state=01 duration=1710 expire=4995 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=
      reply-shaper=
      per_ip_shaper=
      class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
      state=log may_dirty f00
      statistic(bytes/packets/allow_err): org=116/4/1 reply=116/4/1 tuples=2
      tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
      orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/10.1.100.41
      hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
      hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
      src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
      misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
      serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=0x000001 no_offload
      no_ofld_reason:  disabled-by-policy
      total session: 1

    As the traffic flows from the server to the client (incoming), the expiration timer is refreshed.

Refreshing active sessions for specific protocols and port ranges per VDOM in a specified direction

Refreshing active sessions for specific protocols and port ranges per VDOM in a specified direction

Active sessions can be refreshed for specific protocols and port ranges per VDOM in a specified direction. This option can help prevent potential denial of service (DoS) attacks by controlling the direction of traffic that refreshes existing sessions.

config system session-ttl
    config port
        edit <id>
            set protocol <integer>
            set timeout <timeout_value>
            set refresh-direction {both | outgoing | incoming}
        next
    end
end

Setting the refresh-direction to outgoing will use the original direction, while incoming will use the reply direction. To refresh in both directions, select both.

Example

In this example, active sessions for UDP port 5001 will be refreshed in the incoming direction.

To refresh active sessions for UDP port 5001 in the incoming direction:
  1. Configure the global session TTL timer:

    config system session-ttl
        set default 3600
        config port
            edit 5001
                set protocol 17
                set timeout 5001
                set refresh-direction incoming
                set start-port 5001
                set end-port 5001
            next
        end
    end
  2. Send UDP 5001 traffic from the client to the server.

  3. Verify the session table:

    # diagnose sys session list
    session info: proto=17 proto_state=00 duration=77 expire=4923 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=log may_dirty f00
    statistic(bytes/packets/allow_err): org=58/2/1 reply=0/0/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0
    hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
    hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
    src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
    misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
    serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason:  disabled-by-policy
    total session: 1

    The timeout and refresh for the reply direction are attached to the session.

  4. Send UDP 5001 traffic again from the client to the server.

  5. Verify the diagnostics.

    1. Run the sniffer trace:

      # diagnose sniffer packet any 'udp and port 5001' 4
      interfaces=[any]
      filters=[udp and port 5001]
      3.387747 wan2 in 10.1.100.41.2041 -> 172.16.200.55.5001: udp 1
      3.387757 wan1 out 172.16.200.10.62458 -> 172.16.200.55.5001: udp 1
      ^C
      2 packets received by filter
      0 packets dropped by kernel
    2. Verify the session table:

      # diagnose sys session list
      session info: proto=17 proto_state=00 duration=119 expire=4881 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=
      reply-shaper=
      per_ip_shaper=
      class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
      state=log may_dirty f00
      statistic(bytes/packets/allow_err): org=116/4/1 reply=0/0/0 tuples=2
      tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
      orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0
      hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
      hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
      src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
      misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
      serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=0x000001 no_offload
      no_ofld_reason:  disabled-by-policy
      total session: 1

    As the traffic flows from the client to the server (outgoing), the expiration timer continues to count down and is not refreshed.

  6. Send reverse UDP 5001 traffic from the server to the client.

  7. Verify the diagnostics again.

    1. Run the sniffer trace:

      # diagnose sniffer packet any 'udp and port 62458 or port 2041' 4
      interfaces=[any]
      filters=[udp and port 62458 or port 2041]
      3.237328 wan1 in 172.16.200.55.5001 -> 172.16.200.10.62458: udp 1
      3.237339 wan2 out 172.16.200.55.5001 -> 10.1.100.41.2041: udp 1
      ^C
      2 packets received by filter
      0 packets dropped by kernel
    2. Verify the session table:

      # diagnose sys session list
      session info: proto=17 proto_state=01 duration=1710 expire=4995 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=
      reply-shaper=
      per_ip_shaper=
      class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
      state=log may_dirty f00
      statistic(bytes/packets/allow_err): org=116/4/1 reply=116/4/1 tuples=2
      tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
      orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/10.1.100.41
      hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
      hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
      src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
      misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
      serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=0x000001 no_offload
      no_ofld_reason:  disabled-by-policy
      total session: 1

    As the traffic flows from the server to the client (incoming), the expiration timer is refreshed.