[轉貼]设置FortiGate TCP会话TTL
http://support.fortinet.com.cn/document/doc09071702.html<div><br></div><div>mr3 patch 10 . 設定session timeout , 在web 管理介面沒有, 只能在command 下設定, 請參考步驟三</div><div><br></div><div><b style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">说明: </b><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">本文档针对所有FortiGate设备的会话TTL(生存时间)配置进行说明。默认情况下FortiGate维护的会话TTL为3600秒。当TTL超时,防火墙就丢弃该会话。会话TTL可以全局设定,也可以基于端口号或策略设定。将TTL设置为较少的时间可以节省系统资源。 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><b style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">步骤一:</b><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"> </span><b style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">全局设置 </b><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">在CLI下输入:config system session-ttl</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">set default 300 将时间设备为300秒(可选300 - 604800) </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">end</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><b style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">步骤二:基于端口号设置 </b><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">OS2.8,OS3.0:能设定TCP端口,本例将TCP80端口TTL设为1000秒 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">config system session-ttl</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">config port</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">edit 80 指定TCP80端口 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">set timeout 1000 将时间设备为1000秒(可选300 - 604800) </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">next</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">end</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">end</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">OS4.0:可以设定多协议端口,本例将TCP80—800端口TTL设为2000秒 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">config system session-ttl</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">config port</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">edit 1 指定名称 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">set protocol 6 指定协议号 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">set timeout 2000 指定时间2000秒 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">set end-port 800 指定结束端口 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">set start-port 80 指定开始端口 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">next</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">end</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">end</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><b style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">步骤三:基于策略设置 </b><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">OS4.0:支持基于策略设置TTL,本例将策略1的TTL设置为500秒 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">config firewall policy</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">edit 1</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">set session-ttl 500</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">end</span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><b style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">步骤四:察看 </b><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">diagnose sys session ttl 察看全局和端口配置 </span><br style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;"><span style="color: rgb(68, 80, 85); font-family: Arial; font-size: 12px; line-height: 18px;">show firewall policy policyid 察看策略配置</span></div>