Recently, I encountered an issue where a VIP (Virtual IP) on my FortiGate firewall suddenly stopped working for no apparent reason. After making some modifications to both my firewall rule and the VIP configuration, the issue temporarily resolved itself, but something about the “fix” just didn’t sit right.
Since my changes didn’t logically explain the resolution, I started suspecting that my NAT session table might be getting filled up, causing the issue to recur. However, after searching extensively online, I struggled to find a straightforward way to adjust how long sessions remain open.
Eventually, I found the key setting that controls this behavior, so I’m documenting it here for future reference (and to help anyone else facing the same frustration).
Understanding FortiGate’s Session Timeout
By default, FortiGate keeps an idle session in its session table until that session's timeout expires; only then is the entry removed. The default session-ttl (Time to Live) value is 3600 seconds (1 hour), but this can be adjusted.
Changing the Global Session Timeout
If you want to modify the default session timeout globally, you can do so with the following commands. The show full-configuration line is optional: it prints the current values of this block, including the default, before you change anything. The set line below uses 3600 only because that is the factory default; replace it with the value you want.
config system session-ttl
    show full-configuration
    set default 3600
end
However, changing this globally isn’t always ideal, as it can impact all sessions on your firewall. Instead, a better approach is to apply session timeout adjustments on a per-policy basis.
Setting Session Timeout Per Firewall Policy
To modify session timeouts for a specific firewall policy, edit that policy and set session-ttl inside it (replace <policy-id> with the ID of the rule that handles the VIP traffic):
config firewall policy
    edit <policy-id>
        set session-ttl <value>
    next
end
Range for <value>: 300 - 2,764,800 seconds. Setting it to 0 makes the policy fall back to the global default.
This allows you to fine-tune session persistence based on specific policies without affecting your entire firewall.
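Before (and after) changing the TTL, it is worth confirming that the session table is actually the problem. The following diagnostic sequence is an added example, not part of the original post; policy ID 5 and port 443 are placeholders for your VIP rule and published port.

```fortios
# Added example (placeholders: policy 5 = the VIP rule, 443 = the published port).
# 1. Overall session count and setup rate for the current VDOM.
diagnose sys session stat

# 2. Narrow the session list to sessions accepted by the VIP policy on that port.
diagnose sys session filter clear
diagnose sys session filter policy 5
diagnose sys session filter dport 443

# 3. Inspect the matched sessions. In each "session info" line, timeout= is the
#    TTL applied to that session and expire= is the number of seconds left before
#    it is removed. A session created after the policy change should show the
#    per-policy value in timeout=; if it still shows 3600, the change did not apply.
diagnose sys session list

# 4. Optional: drop only the matched sessions so clients re-establish them under
#    the new TTL. With no filter set, this command clears every session on the box.
diagnose sys session clear

# 5. Remove the filter when done so later diagnostics are not silently narrowed.
diagnose sys session filter clear
```

If step 1 shows the session count climbing steadily while step 3 shows long expire= values on connections the clients have already abandoned, a shorter per-policy TTL is the right fix; if the count is flat and low, look elsewhere for the VIP failure.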
Final Thoughts
If you’re troubleshooting intermittent VIP connectivity issues, consider checking session timeouts as a potential culprit. Adjusting the session-ttl per policy can help maintain stable connections while avoiding unnecessary global changes.
Have you faced similar FortiGate quirks? Drop a comment and let’s discuss!