Tuesday, March 25, 2008

Session Timeouts

The Fortinet platform, like most other stateful firewalls, keeps track of open TCP connections in a session table. Each established session is assigned an idle timer which is reset every time the firewall sees traffic for that session. If the timer expires due to inactivity the session is removed from the session table; neither endpoint is told, so the next packet either side sends is dropped as not belonging to any known session and the connection has to be re-established. The session is also torn down without waiting for the idle timer if the firewall sees the connection close normally (FIN) or abort (RST).

Imagine you have a telnet connection on port 23 to a server in your DMZ. A script executes periodically and polls some data over that telnet session. You notice that whenever the script has not run for 60 minutes the telnet session is lost and you have to re-establish it. (Telnet carries the login and the polled data across the firewall in cleartext; the timeout behaviour described here is the same for an SSH session on port 22, which is the better choice for a job like this.)

The easy answer is to increase the session TTL (time-to-live, i.e. the idle timeout). This is done from the CLI, either globally for all ports or only for specific destination ports. Keep in mind that raising the timeout for all ports can significantly increase the amount of system resources (especially RAM) consumed, because the firewall now potentially has to keep the same number of sessions in its table for a longer period, including sessions from hosts that have long since gone away. The default value of 60 minutes (3600 seconds) should be fine for most applications, so prefer raising the value only for the port that needs it and leave the global default alone.

The following example sets the timeout for all services to 3000 seconds (slightly below the default) but raises the timeout for telnet (port 23) to 7200 seconds. This is the CLI syntax current when this was written; on later FortiOS releases the entries under config port are numbered by index rather than by port, and the port is given with set start-port / set end-port (plus set protocol), as the output quoted in the comments below shows. Later releases also accept a per-policy session-ttl in config firewall policy, which is the more targeted fix when only the traffic matched by one policy needs the longer timeout.

config system session-ttl
set default 3000
config port
edit 23
set timeout 7200
next
end
end
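As an added example (not code from this post or from Fortinet), the Python below parses the show output of config system session-ttl in both dialects that appear on this page (the edit <port> form above and the indexed start-port/end-port form quoted in the comments), resolves the effective idle timeout for a given destination port and protocol, and can re-emit a parsed config in the indexed syntax. The sample configs are constructed for the example; treating protocol 0 as "any", taking the first matching port entry as authoritative, and the 3600 second factory default are assumptions to check against your FortiOS release.

```python
"""Resolve the idle timeout a FortiGate applies to a session from
'config system session-ttl' output.  Added example, not Fortinet code."""

ANY_PROTOCOL = 0          # assumption: FortiOS uses 0 for "any protocol"
TCP, UDP = 6, 17
FACTORY_DEFAULT = 3600    # seconds, the default the post mentions
NEVER = float("inf")      # 'set timeout never': no idle expiry


def parse_timeout(value):
    if value == "never":
        return NEVER
    seconds = int(value)
    if seconds <= 0:
        raise ValueError("timeout must be positive: %r" % value)
    return seconds


def parse_session_ttl(show_output):
    """Return (default_seconds, [entries]); each entry has protocol, start,
    end and timeout.  Lines carrying a CLI prompt ('... # show') are skipped.
    """
    default, entries, current, in_port_block = FACTORY_DEFAULT, [], None, False
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line or "#" in line:
            continue
        parts = line.split()
        if parts[:2] == ["config", "port"]:
            in_port_block = True
        elif parts[:2] == ["set", "default"]:
            default = parse_timeout(parts[2])
        elif parts[0] == "edit" and in_port_block:
            current = {"id": parts[1], "protocol": ANY_PROTOCOL,
                       "start": None, "end": None, "timeout": None}
        elif parts[0] == "set" and current is not None:
            key, value = parts[1], parts[2]
            if key == "protocol":
                current["protocol"] = int(value)
            elif key == "start-port":
                current["start"] = int(value)
            elif key == "end-port":
                current["end"] = int(value)
            elif key == "timeout":
                current["timeout"] = parse_timeout(value)
        elif parts[0] == "next" and current is not None:
            # Older syntax: the edit id is the destination port itself.
            if current["start"] is None:
                current["start"] = int(current["id"])
            if current["end"] is None:
                current["end"] = current["start"]
            if current["timeout"] is None:
                raise ValueError("entry %s has no timeout" % current["id"])
            entries.append(current)
            current = None
        elif parts[0] == "end" and in_port_block:
            in_port_block = False
    return default, entries


def effective_timeout(default, entries, dst_port, protocol=TCP):
    """Idle timeout for a destination port; first matching entry wins
    (assumption), otherwise the global default applies."""
    for e in entries:
        if e["protocol"] in (ANY_PROTOCOL, protocol) and e["start"] <= dst_port <= e["end"]:
            return e["timeout"]
    return default


def render_session_ttl(default, entries):
    """Emit the config in the indexed (newer) syntax, e.g. to carry an old
    'edit <port>' config over to a release that expects start-port/end-port."""
    fmt = lambda t: "never" if t == NEVER else str(t)
    out = ["config system session-ttl", "    set default " + fmt(default)]
    if entries:
        out.append("    config port")
        for i, e in enumerate(entries, 1):
            out += ["        edit %d" % i,
                    "            set protocol %d" % e["protocol"],
                    "            set start-port %d" % e["start"],
                    "            set end-port %d" % e["end"],
                    "            set timeout " + fmt(e["timeout"]),
                    "        next"]
        out.append("    end")
    out.append("end")
    return "\n".join(out)


# Constructed samples: the post's own example, the indexed form from the
# comments (with its CLI prompt line), and a UDP range that never expires.
POST_EXAMPLE = """config system session-ttl
set default 3000
config port
edit 23
set timeout 7200
next
end
end"""
INDEXED_EXAMPLE = """FG310B-01 (session-ttl) # show
config system session-ttl
    set default 300
    config port
        edit 1
            set protocol 6
            set timeout 1000
            set end-port 524
            set start-port 524
        next
        edit 2
            set protocol 6
            set timeout 65535
            set end-port 1521
            set start-port 1521
        next
    end
end"""
NEVER_EXAMPLE = """config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 17
            set start-port 5000
            set end-port 5010
            set timeout never
        next
    end
end"""

if __name__ == "__main__":
    for name, cfg in (("post", POST_EXAMPLE), ("indexed", INDEXED_EXAMPLE)):
        d, e = parse_session_ttl(cfg)
        for port in (23, 80, 524, 1521):
            print(name, "tcp/%d -> %s s" % (port, effective_timeout(d, e, port)))
    print(render_session_ttl(*parse_session_ttl(POST_EXAMPLE)))
```

Running it shows that the post's config gives port 23 a 7200 second timeout and every other port 3000, while the indexed config from the comments only applies its longer timeouts to TCP; UDP to port 1521 still falls back to the 300 second default.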

9 comments:

Eric Gadson said...

I would recommend not doing this in an enterprise environment. Pressure needs to be put on the vendors or application developers to regulate their keep-alives on the local side.

Anonymous said...

That's great, in theory. When you have 100 users calling you because they get disconnected after being inactive for a 'short' time (60 minutes), fighting the software company for a fix (for something they don't consider broken) is not exactly the fastest solution.

Long-term it's certainly something to consider.

Anonymous said...

I want to check the timeout interval for my firewall, a FortiGate 200. Can you please guide me on how this is done, and also how to change the value? Thanks in advance...

Jon said...

Log in to the Fortinet. Go into the CLI (easy from the dashboard), then:

config system session-ttl
show

output:

FG310B-01 (session-ttl) # show
config system session-ttl
set default 300
config port
edit 1
set protocol 6
set timeout 1000
set end-port 524
set start-port 524
next
edit 2
set protocol 6
set timeout 65535
set end-port 1521
set start-port 1521
next
end
end

Jon said...

then you can just:

set default 'n'
end

FlavioB said...

Hello!

Can you also define this session timeout on a "per-policy" basis? I've seen that in the policies there is (via CLI) such a parameter...

Thanks,
F.

Anonymous said...

My question is, is there a way to disconnect a session after a specific period of time, whether they are idle or not. For example, we have people that stream internet radio and I would like to disconnect them after an hour in case they leave it running when they leave for lunch or the day.

Anonymous said...

I'd like to echo Anon's question. In my case I need to close a session so that my scheduled traffic shaping policies work correctly.

Anyone know of a way to force close a session from the Fortigate's side?

Unknown said...

This is an awesome post. Just one of the very best posts I've ever seen. What a really good and awesome post. Keep up your work on articles.