Setting ICMP/UDP Virtual Session Timeout

Jacky Chiu (New Member)
2017/03/21 10:10:28


It's my first post; I just want to say hello to all!
 
I have been analyzing the PCI compliance report for my Fortigate Firewall (100D).  It fails on the items below:
Check the ICMP Virtual Session Timeout is set
Check the UDP Virtual Session Timeout is set
 
Is it referring to the session-ttl value or is it about something else?  The session-ttl is set to 3600s by default.
 
 
 
#1

3 Replies

    vjoshi_FTNT (Gold Member)
    Re: Setting ICMP/UDP Virtual Session Timeout 2017/03/22 01:34:49
    Hello Jacky,
     
    Welcome to the Fortinet Forum.
     
    I am not sure what exactly the PCI report is referring to.
     
    However, on the Fortigate, both the UDP idle timer and ICMP ttl are different from the session-ttl.
     
    For UDP, the setting below takes effect:
    config system global
        set udp-idle-timer 180   # seconds; UDP idle timer, separate from session-ttl
    end
     
    And ICMP, by default, it is 60 seconds ttl.
     
    Hope that helps
    #2
    Jacky Chiu (New Member)
    Re: Setting ICMP/UDP Virtual Session Timeout 2017/03/22 02:28:13
    Thanks vjoshi.  I just got a reply from Fortigate support.  He suggests applying the config below:
     
    config firewall policy
        edit <firewall policy ID>
            set timeout-send-rst enable
            set session-ttl 300   # example value (seconds); the default is 0
        next
    end
     
    I haven't applied the change yet.  I guess I will give it a try.  However, I still don't quite get what the report is complaining about, since I see the ICMP/UDP sessions disappearing after the TTL count reaches 0.
     
    The PCI report is a feature of v5.4: System > Advance > Compliance.
    It generates a report and a list of items for us to fine-tune.
    http://docs.fortinet.com/uploaded/files/2874/fortigate-pci-dss-compliance-54.pdf
     
    #3
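To see the two replies above side by side, here is an added example (my own code, not Fortinet's tooling and not anything posted in this thread) that parses a FortiOS-style CLI dump and reports which policies would still rely on the inherited session-ttl and which lack timeout-send-rst, plus whether udp-idle-timer is set under system global. The config text is constructed to mirror the snippets in the replies; the interpretation that a policy session-ttl of 0 inherits the global default of 3600 s is taken from what the thread states, and the parser is a deliberately minimal one for this config layout, not a general FortiOS parser.

```python
from typing import Dict, List, Optional

# Constructed sample of FortiOS CLI text, laid out like the snippets in this
# thread: udp-idle-timer under "config system global", timeout-send-rst and
# session-ttl under "config firewall policy". Every value here is invented.
SAMPLE_CONFIG = """\
config system global
    set hostname "FW-LAB"
    set udp-idle-timer 180
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set timeout-send-rst enable
        set session-ttl 300
    next
    edit 2
        set name "dmz-to-wan"
    next
end
"""

# As stated in the thread: a policy session-ttl of 0 means the policy inherits
# the global default, which is 3600 s unless changed (assumption carried over
# from the posts above).
GLOBAL_SESSION_TTL_DEFAULT = 3600


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: value}}}.

    Keys set directly under a section (no "edit") live under the entry id "".
    Nested "config" blocks are flattened by name; enough for the two sections
    audited here, not a full FortiOS config parser.
    """
    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    stack: List[str] = []   # names of currently open "config" blocks
    entry: List[str] = []   # current "edit" id for each open block ("" = none)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            name = line[len("config "):].strip()
            stack.append(name)
            entry.append("")
            sections.setdefault(name, {})
        elif line.startswith("edit "):
            entry[-1] = line[len("edit "):].strip().strip('"')
            sections[stack[-1]].setdefault(entry[-1], {})
        elif line == "next":
            entry[-1] = ""
        elif line == "end":
            stack.pop()
            entry.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            target = sections[stack[-1]].setdefault(entry[-1], {})
            target[key] = value.strip().strip('"')
    return sections


def udp_idle_timer(cfg: Dict) -> Optional[int]:
    """Return the explicitly configured udp-idle-timer in seconds, or None."""
    value = cfg.get("system global", {}).get("", {}).get("udp-idle-timer")
    return int(value) if value is not None else None


def effective_session_ttl(cfg: Dict, policy_id: str) -> int:
    """Per-policy session-ttl, falling back to the global default when it is 0/unset."""
    policy = cfg["firewall policy"][policy_id]
    ttl = int(policy.get("session-ttl", "0"))
    return ttl if ttl > 0 else GLOBAL_SESSION_TTL_DEFAULT


def audit_session_timeouts(cfg: Dict) -> List[str]:
    """List the findings a reviewer would want to see before trusting the report."""
    findings: List[str] = []
    if udp_idle_timer(cfg) is None:
        findings.append("system global: udp-idle-timer is not explicitly set")
    for pid, policy in cfg.get("firewall policy", {}).items():
        if pid == "":
            continue
        label = f"policy {pid} ({policy.get('name', 'unnamed')})"
        if int(policy.get("session-ttl", "0")) == 0:
            findings.append(f"{label}: session-ttl 0, inherits global default "
                            f"{GLOBAL_SESSION_TTL_DEFAULT} s")
        if policy.get("timeout-send-rst") != "enable":
            findings.append(f"{label}: timeout-send-rst not enabled")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE_CONFIG)
    print("udp-idle-timer:", udp_idle_timer(parsed))
    for line in audit_session_timeouts(parsed):
        print(line)
```

Run it against a real `show full-configuration` dump instead of SAMPLE_CONFIG to get a quick list of policies still on the inherited 3600 s value; the audit deliberately only flags what the two replies discuss, so it is a starting point for reading the compliance report, not a replacement for it.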
    blewandowski@silverwoodthemepark.com (New Member)
    Re: Setting ICMP/UDP Virtual Session Timeout 2021/02/22 14:21:01
    I am seeing a similar issue with version 6.0.2 for the same reason.
    Did you end up applying that fix, some other, or just ignoring the issue in the report?
     
    Thanks!
    #4