By Manny Fernandez
November 15, 2018
TCP Timeout on Fortigate Firewall
Use Case:
Municipality customer. They have a fire station app that runs through a Fortigate to a server behind the Fortigate. The application is used to monitor some “Fire Thingy” (a technical term for “I don’t know or care about the particulars of the application”). However, it runs over TCP 4099 using a telnet-like connection.
The problem occurred whenever the user walked away from the terminal.
Steps we took:
We set up a packet capture for anything destined to the DST IP on TCP 4099. We saw the three-way handshake (SYN, SYN-ACK, ACK) and, after an hour, we saw ACK packets with the FIN flag set being dropped. It was obvious that the TCP session had timed out.
By default on the Fortigate, a session will remain open for 1 hour, after which it is closed. To be clear, this is an established TCP session and should not be confused with half-open sessions. The Fortigate can control this setting on a per-policy basis.
Final Outcome:
We created a policy that was very specific, with the source, destination and service all defined in the policy. We then right-clicked the policy in the GUI and clicked ‘edit in cli’.
Once in the CLI, you can run the following command:
LAB-FW (57) # set session-ttl
session-ttl    Enter an integer value from <300> to <604800> or (special = <0>).
As you can see, the default is 0, which means one hour. You CAN go up to 168 hours. Once you enter the command with the desired time in seconds, hit enter and then ‘end’. Hope this helps.
UPDATE: You can also set the ‘session-ttl’ in the service as well:
config firewall service custom
    edit "TCP-4098"
        set tcp-portrange 4098
        set session-ttl 28800
    next
end
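To review these settings at scale rather than one policy at a time, here is an added example (my own script, not Fortinet's tooling or anything from the original post) that parses a FortiOS-style config snippet and reports the effective idle TTL of every policy and custom service that sets session-ttl, flagging values outside the range the CLI help text shows. The sample config, the policy IDs and the service name in it are constructed for the example.

```python
DEFAULT_TTL = 3600               # session-ttl 0 means the one-hour default
MIN_TTL, MAX_TTL = 300, 604800   # range printed by the "set session-ttl" help

# Constructed sample config; object names are assumptions, not from the post.
SAMPLE_CONFIG = """config firewall service custom
    edit "TCP-4098"
        set tcp-portrange 4098
        set session-ttl 28800
    next
end
config firewall policy
    edit 57
        set service "TCP-4098"
        set session-ttl 0
    next
    edit 58
        set session-ttl 99999999
    next
end
"""

def parse_config(text: str) -> dict:
    """Turn config/edit/set/next/end blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line in ("next", "end"):
            entry, table = None, (None if line == "end" else table)
    return tables

def audit(text: str) -> list:
    """(table, entry, effective idle TTL in seconds, verdict) per object setting session-ttl."""
    findings = []
    for table, entries in parse_config(text).items():
        for name, settings in entries.items():
            if "session-ttl" in settings:
                raw = int(settings["session-ttl"])
                effective = DEFAULT_TTL if raw == 0 else raw   # 0 falls back to the default
                verdict = "ok" if raw == 0 or MIN_TTL <= raw <= MAX_TTL else "out-of-range"
                findings.append((table, name, effective, verdict))
    return findings
```

Run audit(SAMPLE_CONFIG) against a saved "show firewall policy" / "show firewall service custom" export to spot objects whose idle timeout was raised and never reviewed.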