Technical Note : Changing the TCP session TTL (time to live) on a FortiGate
Products
FortiGate
 
Description
You can change the TTL (time to live) of idle TCP sessions from the CLI. The TTL is an idle timeout: a TCP session that carries no traffic for that many seconds is removed from the session table, and any later packet belonging to it no longer matches an existing session. A short TTL frees session-table entries sooner; a long TTL keeps idle connections alive but lets idle or abandoned sessions occupy the table for longer, so raise it only for the ports that actually need it.
Solution

Firmware versions prior to 4.0 MR1
 

This example shows how to set the default TCP TTL to 300 seconds and to set the TTL for TCP port 8787 to 3600 seconds. In this syntax the entry ID under config port is the TCP port number itself.

config system session-ttl
    set default 300
    config port
        edit 8787
            set timeout 3600
        next
    end
end

Firmware versions 4.0 MR1 and above

This example shows how to set the default TCP TTL to 300 seconds and the TTL for TCP port 443 to 3600 seconds. In this syntax the entry ID is a table index; the port is given by start-port and end-port (a single port when both are equal) and the protocol by its IP protocol number (6 = TCP).

config system session-ttl
    set default 300
    config port
        edit 443
            set protocol 6
            set timeout 3600
            set end-port 443
            set start-port 443
        next
    end
end
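The following Python script is an added example for this note, not Fortinet code. It parses both session-ttl syntaxes shown above (the pre-4.0 MR1 form, where the entry ID is the port, and the 4.0 MR1+ form with protocol, start-port and end-port) and answers the two questions a reviewer usually asks of such a block: which TTL a given protocol and port actually ends up with, and which entries keep idle sessions in the table for a long time. The two config blocks embedded in it are copies of the examples above. How FortiOS resolves overlapping port ranges is not stated in this note, so the script simply uses the first matching entry, and non-numeric timeout values are not handled.

```python
"""Parse a FortiGate 'config system session-ttl' block and work out the idle
TTL that applies to a given protocol/port.

Added example for this note, not Fortinet code.  Handles both the pre-4.0 MR1
syntax ('edit <port>' with only 'set timeout') and the 4.0 MR1+ syntax
('set protocol', 'set start-port', 'set end-port').  Only numeric timeouts are
supported.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP = 6  # IP protocol number used by 'set protocol 6'

# Constructed samples: copies of the two CLI examples in this note.
LEGACY_CONFIG = """
config system session-ttl
    set default 300
    config port
        edit 8787
            set timeout 3600
        next
    end
end
"""

MR1_CONFIG = """
config system session-ttl
    set default 300
    config port
        edit 443
            set protocol 6
            set timeout 3600
            set end-port 443
            set start-port 443
        next
    end
end
"""


@dataclass
class PortTTL:
    entry_id: int
    protocol: int
    start_port: int
    end_port: int
    timeout: int

    def matches(self, protocol: int, port: int) -> bool:
        return self.protocol == protocol and self.start_port <= port <= self.end_port


def parse_session_ttl(text: str) -> Tuple[Optional[int], List[PortTTL]]:
    """Return (default_ttl, port_entries) from a session-ttl CLI block."""
    default: Optional[int] = None
    entries: List[PortTTL] = []
    current: Optional[Dict[str, int]] = None  # 'set' lines of the entry being edited
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "set" and current is None and tokens[1] == "default":
            default = int(tokens[2])
        elif keyword == "edit":
            current = {"entry_id": int(tokens[1])}
        elif keyword == "set" and current is not None:
            current[tokens[1].replace("-", "_")] = int(tokens[2])
        elif keyword == "next" and current is not None:
            # Legacy syntax has no protocol/start-port/end-port: the entry ID
            # is the TCP port itself, so fall back to it.
            entries.append(PortTTL(
                entry_id=current["entry_id"],
                protocol=current.get("protocol", TCP),
                start_port=current.get("start_port", current["entry_id"]),
                end_port=current.get("end_port", current["entry_id"]),
                timeout=current["timeout"],
            ))
            current = None
    return default, entries


def effective_ttl(default: int, entries: List[PortTTL], protocol: int, port: int) -> int:
    """TTL for (protocol, port): first matching port entry, otherwise the default.
    (First-match is an assumption of this example; the note does not state how
    FortiOS orders overlapping ranges.)"""
    for entry in entries:
        if entry.matches(protocol, port):
            return entry.timeout
    return default


def long_ttl_entries(entries: List[PortTTL], max_seconds: int = 3600) -> List[PortTTL]:
    """Entries whose idle TTL exceeds max_seconds.  An idle session holds its
    session-table slot until the TTL expires, so long TTLs widen the window in
    which a burst of idle or abandoned connections can fill the table."""
    return [e for e in entries if e.timeout > max_seconds]


if __name__ == "__main__":
    for name, cfg in (("pre-4.0 MR1", LEGACY_CONFIG), ("4.0 MR1+", MR1_CONFIG)):
        default, entries = parse_session_ttl(cfg)
        print(name, "default TTL:", default)
        for e in entries:
            print("  proto", e.protocol, "ports", e.start_port, "-", e.end_port,
                  "ttl", e.timeout)
        print("  TTL for TCP/443:", effective_ttl(default, entries, TCP, 443))
```

Run it against a block pasted from "show system session-ttl"; entries returned by long_ttl_entries are the ones worth justifying, since every one of them trades session-table capacity for idle-connection survival.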


Note that if VDOMs are enabled, the command is found at the global level or at the VDOM level depending on the FortiOS version (at the VDOM level from v3.00 MR6 onwards).
 

From MR3 onwards the session TTL can also be set per firewall policy, so a long TTL can be limited to the policies that need it instead of applied system-wide.