Technical Note : Changing the TCP session TTL (time to live) on a FortiGate

Products

FortiGate

Description

The TTL (time to live) for idle TCP sessions can be changed from the CLI. A session that stays idle longer than its TTL is removed from the session table. A lower default TTL frees session-table entries sooner (useful when the table is under pressure from half-open or abandoned connections), while a higher per-port TTL keeps legitimately long-lived idle connections, such as a management or database session, from being torn down.

Solution

Firmware versions prior to 4.0 MR1

This example shows how to set the default TCP TTL to 300 seconds and to set the TTL for TCP port 8787 to 3600 seconds.

config system session-ttl
    set default 300
    config port
        edit 8787
            set timeout 3600
        next
    end
end

Firmware versions 4.0 MR1 and above

This example shows how to set the default TCP TTL to 300 seconds and the TTL for TCP port 443 to 3600 seconds.

config system session-ttl
    set default 300
    config port
        edit 443
            set protocol 6
            set start-port 443
            set end-port 443
            set timeout 3600
        next
    end
end

In the port entry, protocol is the IP protocol number (6 is TCP), and start-port/end-port define the destination-port range the timeout applies to; a single port is expressed by setting both to the same value.

Note that if VDOMs are enabled, the command is available either at the global level or, from v3.00 MR6 onward, at the VDOM level (enter the VDOM first with config vdom / edit <name>), depending on the FortiOS version.

As of MR3 (FortiOS 4.0 MR3), the session TTL can also be changed per firewall policy.
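The following is an added worked example, not part of the original technical note, that puts the pieces together on a 4.0 MR3 or later unit with VDOMs disabled: the global default, a per-port override for TCP 443, a per-policy override (the policy ID 7 and the 7200-second value are placeholders), and the CLI commands to verify the result on a live session. The per-policy session-ttl, when set, takes precedence over the values under config system session-ttl for traffic matched by that policy; lines starting with # are explanatory comments.

```fortios
# Added example; assumes FortiOS 4.0 MR3+ and VDOMs disabled.

config system session-ttl
    # Any TCP session without a matching port entry or policy override idles out after 300 s
    set default 300
    config port
        # TCP (IP protocol 6) destination port 443 may stay idle for one hour
        edit 443
            set protocol 6
            set start-port 443
            set end-port 443
            set timeout 3600
        next
    end
end

# Per-policy override (4.0 MR3 and above). Policy ID 7 is a placeholder;
# 0 would mean "use the system session-ttl".
config firewall policy
    edit 7
        set session-ttl 7200
    next
end

# Verification: review the configured values, then inspect a live TCP/443 session.
# In the "session info:" line, timeout= should read 3600 (or 7200 for traffic
# accepted by policy 7) and expire= counts down from that value while idle.
show system session-ttl
diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter dport 443
diagnose sys session list
```

Clear the session filter afterwards (diagnose sys session filter clear) so later diagnostics are not silently narrowed to port 443. Existing sessions keep the TTL they were created with; only sessions established after the change pick up the new values.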
