14 Dec 2013

Fortinet Fortigate session-ttl

If some applications that connect through a Fortigate device suffer from dropped connections, the time to live (TTL) of the sessions on the port that application uses may need to be extended.

Fortigate keeps an idle session open only for the configured default session TTL (1800 seconds in the examples below; the variable reference at the end lists 3600 seconds as the CLI default) and tears the connection down if the session is not refreshed within that time. The fix is to extend the TTL for the specific port whose sessions are being dropped rather than raising the global default: every extra second of TTL is session-table capacity that an idle or half-open connection can occupy, so keep overrides scoped to the protocol and port that actually need them. Example Fortigate CLI commands for doing so follow.

Syntax
config system session-ttl
    set default <seconds>
    config port
        edit <entry_id>
            set end-port <port_number_int>
            set protocol <protocol_int>
            set start-port <port_number_int>
            set timeout {<timeout_int> | never}
        end
end

Fortigate session TTL example for the SAP port. Note that the number after edit is only an entry ID; the port is selected with start-port, end-port and protocol (see the variable reference below), so an entry with a bare edit 1992 and no port range would not touch port 1992 at all.

config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 6          (TCP)
            set start-port 1992     (the port used by the SAP application in this setup)
            set end-port 1992
            set timeout 7200        (TTL in seconds)
        next
    end
end

Fortigate session TTL example for the Oracle listener port (TCP 1521; a protocol entry matches a single IP protocol, so UDP 1521 needs a second entry with protocol 17).

config system session-ttl
    set default 1800
    config port
        edit 2
            set protocol 6          (TCP; add another entry with protocol 17 for UDP)
            set start-port 1521
            set end-port 1521
            set timeout 7200
        next
    end
end

Variable reference (CLI default in parentheses)

default <seconds> (default: 3600)
    Enter the default session timeout in seconds. The valid range is 300 to 604800 seconds.

<entry_id> (no default)
    Enter an entry ID. Range 0-65535. This is just an identifier and does not assign the port number.

end-port <port_number_int> (default: 0)
    The end port number of the port number range. You must configure both start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The range is 0 to 65535.

protocol <protocol_int> (default: 0)
    Enter the protocol number to match the protocol of the sessions for which to configure a session TTL range. The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers, and the list of assigned numbers is kept in the IANA protocol numbers registry. The range is 0 to 255.
    To enter a port number range you must set protocol to 6 for TCP sessions, 17 for UDP sessions, or 132 for SCTP sessions.

start-port <port_number_int> (default: 0)
    The start port number of the port number range. You must configure both start-port and end-port. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. The range is 0 to 65535.

timeout {<timeout_int> | never} (default: 300)
    Enter the number of seconds a session on this port can be idle. The valid range is 1 to 604800 seconds. Optionally you can enter never instead of a number of seconds if you want the session to never expire.
    Caution: While it is possible to set timeout to never, this is not a secure configuration and should be avoided: sessions that never age out accumulate in the session table and can exhaust it.
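The variable reference above is easy to get wrong by hand (the SAP and Oracle examples earlier show exactly that pitfall, an entry ID mistaken for a port). The following Python script is an added example, not Fortinet's code or part of the original post: it encodes the documented constraints (entry ID and ports 0-65535, start-port not above end-port, protocol 6/17/132 for a port range, timeout 1-604800 or never, default 300-604800), emits the matching config system session-ttl CLI text, and flags the insecure never setting and overly broad ranges. The entry IDs, ports and timeouts in EXAMPLE_ENTRIES are assumptions for illustration.

```python
"""Generate and validate FortiOS `config system session-ttl` port entries.

Added example (not Fortinet's code or the original post's). The port is
selected through start-port/end-port/protocol; the entry ID is only a key.
"""
from dataclasses import dataclass
from typing import List, Set, Union

TCP, UDP, SCTP = 6, 17, 132
PORT_PROTOCOLS = {TCP, UDP, SCTP}     # the only protocols that accept a port range
MAX_TIMEOUT = 604_800                 # 7 days, documented upper bound
DEFAULT_MIN = 300                     # documented lower bound for `set default`


@dataclass(frozen=True)
class PortTtl:
    entry_id: int                     # identifier only; does NOT pick the port
    protocol: int                     # 6 = TCP, 17 = UDP, 132 = SCTP
    start_port: int
    end_port: int
    timeout: Union[int, str]          # idle seconds, or "never" (discouraged)

    def validate(self) -> None:
        """Raise ValueError if the entry violates a documented constraint."""
        tag = f"entry {self.entry_id}"
        if not 0 <= self.entry_id <= 65535:
            raise ValueError(f"{tag}: entry ID must be 0-65535")
        if self.protocol not in PORT_PROTOCOLS:
            raise ValueError(f"{tag}: a port range needs protocol 6, 17 or 132")
        for port in (self.start_port, self.end_port):
            if not 0 <= port <= 65535:
                raise ValueError(f"{tag}: port {port} outside 0-65535")
        if self.start_port > self.end_port:
            raise ValueError(f"{tag}: start-port must not exceed end-port")
        if self.timeout == "never":
            return                    # accepted by the CLI; reported by warnings()
        if not isinstance(self.timeout, int) or not 1 <= self.timeout <= MAX_TIMEOUT:
            raise ValueError(f"{tag}: timeout must be 1-{MAX_TIMEOUT} or 'never'")

    def warnings(self) -> List[str]:
        """Security review findings that are legal config but bad practice."""
        found = []
        if self.timeout == "never":
            found.append(f"entry {self.entry_id}: timeout never lets idle sessions "
                         "accumulate in the session table; use a finite value")
        if self.start_port == 0 and self.end_port == 65535:
            found.append(f"entry {self.entry_id}: range 0-65535 overrides every port "
                         f"of protocol {self.protocol}; scope it to the affected port")
        return found

    def cli(self) -> List[str]:
        """Render this entry as the lines inside `config port`."""
        return [
            f"        edit {self.entry_id}",
            f"            set protocol {self.protocol}",
            f"            set start-port {self.start_port}",
            f"            set end-port {self.end_port}",
            f"            set timeout {self.timeout}",
            "        next",
        ]


def render_session_ttl(default: int, entries: List[PortTtl]) -> str:
    """Validate all entries and return the full CLI block as text."""
    if not DEFAULT_MIN <= default <= MAX_TIMEOUT:
        raise ValueError(f"default must be {DEFAULT_MIN}-{MAX_TIMEOUT} seconds")
    seen: Set[int] = set()
    for entry in entries:
        entry.validate()
        if entry.entry_id in seen:
            raise ValueError(f"duplicate entry ID {entry.entry_id}")
        seen.add(entry.entry_id)
    lines = ["config system session-ttl", f"    set default {default}", "    config port"]
    for entry in entries:
        lines.extend(entry.cli())
    lines += ["    end", "end"]
    return "\n".join(lines)


# Constructed sample (assumption): SAP on TCP 1992 as in the post, and the
# Oracle listener on both TCP and UDP 1521, each with a two-hour idle TTL.
EXAMPLE_ENTRIES = [
    PortTtl(1, TCP, 1992, 1992, 7200),
    PortTtl(2, TCP, 1521, 1521, 7200),
    PortTtl(3, UDP, 1521, 1521, 7200),
]

if __name__ == "__main__":
    print(render_session_ttl(1800, EXAMPLE_ENTRIES))
    for entry in EXAMPLE_ENTRIES:
        for warning in entry.warnings():
            print("WARNING:", warning)
```

Running the script prints a block that can be pasted into the Fortigate CLI; a mis-specified entry (for example start-port above end-port, or protocol 0 with a port range) is rejected before anything reaches the device, and a timeout of never is reported as a finding rather than silently emitted.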