system : session-ttl
 
session-ttl
Use this command to configure port-range based session timeouts by setting the session time to live (ttl) for multiple TCP, UDP, or SCTP port number ranges. The session ttl is the length of time a TCP, UDP, or SCTP session can be idle before being dropped by the FortiGate unit. You can add multiple port number ranges. For each range you can configure the protocol (TCP, UDP, or SCTP) and start and end numbers of the port number range.
Syntax
config system session-ttl
    set default <seconds>
    config port
        edit <entry_id>
            set end-port <port_number_int>
            set protocol <protocol_int>
            set start-port <port_number_int>
            set timeout {<timeout_int> | never}
        end
end
 
Variables

default <seconds>
    Enter the default session timeout in seconds. The valid range is from 300 to 604800 seconds. This affects only TCP and SCTP sessions that do not have a timeout specified in a defined config port entry; UDP sessions are not governed by this value.
    Default: 3600

<entry_id>
    Enter an entry ID. The range is 0 to 65535. This is only an identifier; it does not set the port number.
    Default: No default.

end-port <port_number_int>
    The end port number of the port number range. You must configure both start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The range is 0 to 65535.
    Default: 0

protocol <protocol_int>
    Enter the protocol number to match the protocol of the sessions for which to configure a session ttl range. This is the value carried in the Protocol field of the IP packet header. RFC 5237 describes how protocol numbers are allocated, and the assigned numbers are listed in the IANA Protocol Numbers registry. The range is 0 to 255.
    To enter a port number range you must set protocol to 6 for TCP sessions, 17 for UDP sessions, or 132 for SCTP sessions.
    Default: 0

start-port <port_number_int>
    The start port number of the port number range. You must configure both start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The range is 0 to 65535.
    Default: 0

timeout {<timeout_int> | never}
    Enter the number of seconds the session can be idle on this port. The valid range is from 1 to 604800 seconds. Optionally, enter never instead of a number of seconds if you want sessions on this port to never expire.
    Caution: Although timeout can be set to never, this is not a secure configuration and should be avoided. Sessions that never expire remain in the session table after the endpoints have gone, so the table fills with stale entries, and an attacker can exhaust it by opening connections on that port and abandoning them.
    Default: 300
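The following configuration is an added example, not text from the FortiGate documentation. It shows one entry of each protocol type, a range versus a single port, and the weak never setting beside a bounded replacement. All port numbers, timeouts and entry IDs are illustrative choices for this example; the lines beginning with # are annotations. Each entry is closed with next, as the CLI requires in a running configuration, even though the syntax summary above abbreviates this.

```fortios
# Added example, not from the FortiGate documentation.
# Entry IDs, ports and timeouts are illustrative.
config system session-ttl
    # Idle timeout for TCP/SCTP sessions that match no port entry.
    # 3600 is the shipped default; it is set explicitly here for clarity.
    set default 3600
    config port
        # Single TCP port: let SSH sessions idle for 8 hours.
        # start-port equals end-port, so exactly one port is matched.
        edit 1
            set protocol 6
            set start-port 22
            set end-port 22
            set timeout 28800
        next
        # UDP port range (53 through 123, illustrative): UDP sessions are
        # not covered by "set default", so they need their own entry.
        # A short idle time keeps transient UDP flows from padding the
        # session table.
        edit 2
            set protocol 17
            set start-port 53
            set end-port 123
            set timeout 60
        next
        # SCTP single port (3868, illustrative): 2 hours idle.
        edit 3
            set protocol 132
            set start-port 3868
            set end-port 3868
            set timeout 7200
        next
        # Weak setting (shown commented out, do not apply): a database
        # port whose sessions never expire. Abandoned connections would
        # stay in the session table until the entry is removed or the
        # unit restarts.
        # edit 4
        #     set protocol 6
        #     set start-port 3306
        #     set end-port 3306
        #     set timeout never
        # next
        # Corrected: a bounded idle time of 24 hours that still outlives
        # the application's keepalive interval.
        edit 4
            set protocol 6
            set start-port 3306
            set end-port 3306
            set timeout 86400
        next
    end
end
```

After applying the block, show system session-ttl displays the stored entries, and diagnose sys session list shows the remaining idle time of each live session as its expire value, which is the quickest way to confirm that a port entry, rather than the global default, is governing a given connection.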