sramesh1
Staff
August 19, 2025

Technical Tip: Understanding Action='Close', 'Reset', and 'Timeout' in FortiGate Forward Traffic Logs

Description

When reviewing Forward Traffic logs in FortiGate, administrators may see different action values such as close, reset, or timeout. These values do not by themselves indicate UTM blocking; they describe how the session was terminated. This article explains the difference between them and how to interpret these log entries.
Scope

FortiGate, Forward Traffic logs (policy-accepted sessions). Applicable to flow-based and proxy-based inspection.

Solution
  1. Action=Close:

The session ended normally. This typically happens when the client or server sends a TCP FIN to close the connection.

For example, a user browses to a website, the page loads fully, and the client closes the session.

 

Log Example:

 

date=2025-08-18 src=10.21.4.3 dst=172.217.163.110 service=HTTPS action=close

 

  2. Action=Reset:

The session was terminated using a TCP RST (reset) packet. The RST may originate from:

  • Client application (browser closed tab, plugin crash).
  • Server (rejecting malformed request).
  • FortiGate (if a security profile blocks the traffic or a policy denies it mid-session).

Key point: a reset is not always a block. Resets often originate from the endpoint, not the firewall.

 

Log example:

 

date=2025-08-18 src=10.21.4.3 dst=10.200.150.19 service=HTTPS action=reset

 

  3. Action=Timeout: The session remained idle or unresponsive longer than FortiGate's session timeout threshold.

  4. Action=Pending: FortiOS is still processing the traffic against the policy, which means it has not been allowed or denied yet.

Possible causes of a timeout:

  1. No FIN or RST received before the idle timer expired.
  2. Session expired in Half-Open (no SYN/ACK received) or Half-Closed state (no FIN/ACK received).
  3. Application froze or client disconnected unexpectedly.
Default session timeout values:

  • TCP: 3600 seconds (1 hour).
  • TCP half-close timer: 120 seconds.
  • TCP half-open timer: 10 seconds.
  • UDP: 60 seconds (configurable).

Timeout values location (in order of precedence):

config system session-ttl

    set session-ttl <----- For a custom services object defined under 'config firewall service custom'.

    set session-ttl <----- When defined in a firewall policy under 'config firewall policy'.

 

Log example:

 

date=2025-08-18 src=10.21.4.3 dst=192.168.1.20 service=HTTPS action=timeout

 

| Action | Trigger | Example Scenario |
|---|---|---|
| Close | Normal TCP termination (FIN exchange) | User closes browser after session ends |
| Reset | Session aborted via TCP RST (client/server/FortiGate) | Process crash, invalid request, block page, TLS Encrypted alert |
| Timeout | No termination, session expired by timer | Idle session, dropped Wi-Fi client |

 

Troubleshooting Tips:
  • Use the following command to verify whether RST comes from the client or the server:

 

diagnose sniffer packet any "host <ip>" 4 0 l

 
  • Check debug flow:

 

diagnose debug reset
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow filter addr x.x.x.x     <----- The x.x.x.x should be the IP address to trace the flow for.
diagnose debug flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable
 
Perform these steps to confirm whether FortiGate injected the reset (policy/UTM block).
 
Conclusion:
  • Close, reset, and timeout in Forward Traffic logs do not necessarily mean a firewall block.
  • They indicate how the session ended: normal closure, reset, or timeout.
  • For security enforcement decisions, always cross-check UTM/Security logs (Web Filter, IPS, AV).
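
The cross-check described in the conclusion, as an added example (not Fortinet's code and not part of the original article): it pairs each forward-traffic record with any UTM record for the same session and states whether the termination was enforced by FortiGate. The log lines are constructed, and the `type`, `subtype` and `sessionid` fields and the set of UTM block actions are assumptions that do not appear in the article's simplified log examples.

```python
import shlex
from collections import defaultdict

# Constructed sample lines (not from a real device). The article's examples show
# date/src/dst/service/action; type, subtype and sessionid are assumed fields.
SAMPLE_LOGS = """\
date=2025-08-18 type="traffic" subtype="forward" sessionid=1001 src=10.21.4.3 dst=172.217.163.110 service="HTTPS" action="close"
date=2025-08-18 type="traffic" subtype="forward" sessionid=1002 src=10.21.4.3 dst=10.200.150.19 service="HTTPS" action="reset"
date=2025-08-18 type="utm" subtype="webfilter" sessionid=1002 src=10.21.4.3 dst=10.200.150.19 action="blocked"
date=2025-08-18 type="traffic" subtype="forward" sessionid=1003 src=10.21.4.3 dst=10.200.150.19 service="HTTPS" action="reset"
date=2025-08-18 type="traffic" subtype="forward" sessionid=1004 src=10.21.4.3 dst=192.168.1.20 service="HTTPS" action="timeout"
"""
UTM_BLOCK_ACTIONS = {"blocked", "dropped"}  # assumption: values that mean a profile stopped traffic
NOTES = {  # how the session ended when no UTM block is logged for it
    "close": "normal FIN termination",
    "reset": "no UTM block logged, check sniffer for RST origin",
    "timeout": "expired by timer, not a block",
    "pending": "policy decision not made yet",
}

def parse_line(line):
    """Split a key=value log line; shlex keeps quoted values with spaces intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def triage(log_text):
    """Return {sessionid: verdict} for every traffic record in log_text."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    utm_blocks = defaultdict(list)  # sessionid -> UTM subtypes that blocked it
    for r in records:
        if r.get("type") == "utm" and r.get("action") in UTM_BLOCK_ACTIONS:
            utm_blocks[r.get("sessionid")].append(r.get("subtype", "utm"))
    verdicts = {}
    for r in records:
        if r.get("type") != "traffic":
            continue
        sid, action = r.get("sessionid"), r.get("action", "").lower()
        if sid in utm_blocks:
            verdicts[sid] = f"{action}: enforced by FortiGate ({', '.join(utm_blocks[sid])})"
        else:
            verdicts[sid] = f"{action}: {NOTES.get(action, 'unclassified')}"
    return verdicts

if __name__ == "__main__":
    print(*triage(SAMPLE_LOGS).items(), sep="\n")
```

Sessions reported as "no UTM block logged" are the ones to follow up with the sniffer and debug flow commands from the troubleshooting tips.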