|
In a normal TCP session, both sides eventually send a FIN packet to close the connection gracefully.
However, in some cases, one side may close it's half of the connection while the other remains open - known as a half-close or half-open state.
FortiGate maintains these sessions for a configurable duration before timing them out to free system resources.
When FortiGate detects a TCP FIN packet from one side, it marks the session as half-closed.
The session remains active until:
- The opposite side also sends a FIN (normal closure), or
- The half-close timer expires.
If the half-close timeout expires, FortiGate removes the session entry from the session table.
Typical default timer values (these may vary by FortiOS version):
|
Timer Type
|
Description
|
Default Value (seconds)
|
|
tcp-timeout-session
|
Normal TCP established session timeout
|
3600
|
|
tcp-halfclose-timer
|
Time after one side closes (FIN received)
|
120
|
|
tcp-halfopen-timer
|
Time before handshake completes (SYN state)
|
10
|
|
tcp-timewait-timer
|
Time after both sides close (TIME_WAIT)
|
5
|
- View Current session TTL Configuration:
config system session-ttl
show
end
- Set Global Half-Close Timeout:
config system global
set tcp-halfclose-timer 300
end
This example increases the half-close timer to 300 seconds (5 minutes).
Note: The per-policy TTL affects the total session timeout, not specifically the half-close timer. The half-close timer remains global.
|
