The Fortinet platform, like most other stateful firewalls, keeps track of open TCP connections. Each established session is assigned a timer that is reset every time there is activity on the session. If the timer expires due to inactivity, the session is removed from the firewall's session table and the connection has to be re-established. The session is also cleared, without waiting for the timer to expire, if the firewall sees a FIN or RST packet for that session.
Imagine you have a telnet connection on port 23 to a server in your DMZ. A script executes periodically to poll some data over that telnet session. You notice that when the script hasn't executed for 60 minutes, the telnet session is lost and you have to re-establish it.
The easy answer is to increase the session TTL (time-to-live, or timeout). This can be done from the CLI either globally for all ports or only for specific ports. Keep in mind that raising the timeout for all ports can significantly increase the system resources (especially RAM) consumed, because the firewall now potentially has to keep track of the same number of sessions for a longer period of time. The default of 60 minutes (3600 seconds) should be fine for most applications.
The following example sets the timeout for all TCP services to 3000 seconds but raises the timeout for telnet (port 23) to 7200 seconds.
config system session-ttl
    set default 3000
    config port
        edit 23
            set timeout 7200
        next
    end
end
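As an added example (not from the original post and not Fortinet's own tooling), a small Python parser for the session-ttl block above and for the "show" output form quoted in the comments below: it works out the effective timeout for a given TCP port and flags per-port overrides that hold sessions longer than the 60-minute default, which is the resource concern raised above. It assumes the older "edit <port>" form is keyed by port number and applies to TCP, and that the first matching port range wins.

```python
import re

# Constructed sample: the "show" output form of the session-ttl block (as quoted in the comments).
SAMPLE_SHOW = """\
config system session-ttl
    set default 300
    config port
        edit 1
            set protocol 6
            set timeout 1000
            set end-port 524
            set start-port 524
        next
        edit 2
            set protocol 6
            set timeout 65535
            set end-port 1521
            set start-port 1521
        next
    end
end
"""

def parse_session_ttl(text):
    """Return (default_ttl, per-port entries) from a 'config system session-ttl' block."""
    default, entries, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'set default (\d+)$', line):
            default = int(m.group(1))
        elif m := re.match(r'edit (\d+)$', line):
            # Assumption: the old form keys the entry by port ('edit 23' = telnet) and is TCP (protocol 6);
            # explicit protocol/start-port/end-port lines override these defaults when present.
            cur = {'protocol': 6, 'start': int(m.group(1)), 'end': int(m.group(1)), 'timeout': None}
        elif cur and (m := re.match(r'set (protocol|timeout|start-port|end-port) (\d+)$', line)):
            cur[m.group(1).replace('-port', '')] = int(m.group(2))
        elif line == 'next' and cur:
            entries.append(cur)
            cur = None
    return default, entries

def effective_ttl(port, default, entries, protocol=6):
    """A per-port entry wins over the global default; first matching range wins (assumption)."""
    for e in entries:
        if e['protocol'] == protocol and e['start'] <= port <= e['end'] and e['timeout']:
            return e['timeout']
    return default

def audit_long_timeouts(entries, limit=3600):
    """Defender check: list port ranges whose timeout exceeds the 60-minute default (session-table memory)."""
    return [(e['start'], e['end'], e['timeout']) for e in entries if e['timeout'] and e['timeout'] > limit]
```

Running parse_session_ttl on the sample shows port 1521 held for 65535 seconds while every other TCP port falls back to the 300-second default.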
I would recommend not doing this in an enterprise environment. Pressure needs to be put on the vendors or application developers to regulate their keep-alives on the local side.
That's great, in theory. When you have 100 users calling you because they get disconnected after being inactive for a 'short' time (60 minutes), fighting the software company for a fix (for something they don't consider broken) is not exactly the fastest solution.
Long-term it's certainly something to consider.
I want to check the timeout interval for my FortiGate 200. Can you please guide me on how this is done, and also on how to change the value? Thanks in advance...
Log in to the Fortinet. Go into the CLI (easy from the dashboard), then:
config system session-ttl
show
output:
FG310B-01 (session-ttl) # show
config system session-ttl
    set default 300
    config port
        edit 1
            set protocol 6
            set timeout 1000
            set end-port 524
            set start-port 524
        next
        edit 2
            set protocol 6
            set timeout 65535
            set end-port 1521
            set start-port 1521
        next
    end
end
then you can just:
set default 'n'
end
Hello!
Can you also define this session timeout on a "per-policy" basis? I've seen that in the policies there is (via the CLI) such a parameter...
Thanks,
F.
My question is: is there a way to disconnect a session after a specific period of time, whether it is idle or not? For example, we have people who stream internet radio, and I would like to disconnect them after an hour in case they leave it running when they leave for lunch or for the day.
I'd like to echo Anon's question. In my case I need to close a session so that my scheduled traffic shaping policies work correctly.
Anyone know of a way to force-close a session from the FortiGate's side?