The tcp-halfopen-timer defines the number of seconds the FortiGate should wait before closing a session after one peer has sent an open session packet (SYN), but the other peer has not responded.

TCP halfopen can lead to:

• Exhaustion of connection memory.
• Denial of Service.

Scenario:

There are two FortiGates and a Linux client/server setup are used: 

Client === FortiGate1===FortiGate2===Server

• The client uses a Python script to generate a high rate of TCP SYN packets to the server on port 5211.
• FortiGate-1 is configured with the default tcp-halfopen-timer of 10 seconds.
• FortiGate-2 is configured with a custom tcp-halfopen-timer of 50 seconds.

FortiGate-1:

config firewall service custom
    edit "tcp_syn_only"
        set tcp-portrange 5211
    next
end

FortiGate-2:

config firewall service custom
    edit "tcp_syn_only"
        set tcp-portrange 5211

        set tcp-halfopen-timer 50
    next
end

Python code:

This Python script generates TCP SYN packets per second from the client IP to the server IP on port 5211:

• send_syn_flood(): Generates 100 x packets from client to server with SYN flag set.
• main body: Loop send_syn_flood() untill keyboard interupt.

Link to python code on GitHub: https://github.com/maritpra/kl_lab/blob/master/tcp_halfopen.py

Observation:

Fortigate-1: The number of sessions increases briefly, then stops due to the tcp-halfopen-timer expiring at 10 seconds.

Fortigate-2: The number of sessions continues growing because the tcp-halfopen-timer is set to 50 seconds, allowing half-open sessions to persist longer.