FortiGate
princes
Staff
Article Id 425165
Description
This article describes how to check the TCP half-open/close sessions on FortiGate.

Scope
FortiGate.

Solution

In some situations, it is necessary to verify an incomplete TCP handshake.

For example, a SYN packet may be sent, but no SYN-ACK response is received. The other possibility is that a SYN-ACK response is received, but the final ACK is missing. In other cases, the SYN-ACK might be received on a different interface and subsequently dropped.

A TCP half-open session generally refers to a TCP connection attempt that was never fully established, meaning the three-way handshake was not completed.

The following filters can be used on the FortiGate CLI to see the TCP half-open sessions:

diagnose sys session filter proto 6
diagnose sys session filter proto-state 2
diagnose sys session list

Or:

diagnose sys session filter proto 6
diagnose sys session filter proto-state 3
diagnose sys session list

An example of a FortiGate session showing an incomplete TCP handshake follows (proto_state=02 means the SYN was sent but no SYN-ACK was received):

session info: proto=6 proto_state=02 duration=8 expire=1 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=0/255
state=log local nds
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 0/0

A TCP half-close session refers to the situation where one end has closed the connection while the other end still keeps the session active.

The following filters can be used on the FortiGate CLI to see the TCP half-close sessions:

diagnose sys session filter proto 6
diagnose sys session filter proto-state 4
diagnose sys session list

Or:

diagnose sys session filter proto 6
diagnose sys session filter proto-state 7
diagnose sys session list

Note: If TCP connectivity between two Layer 3 devices is in question, always verify the TCP states on both ends. A TCP half-close condition can occur if a FIN packet is lost during transmission, leaving one side unaware that the connection has been closed.
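When the session table is large, the two filter sets above are easier to review offline. The following script is an added example, not Fortinet code and not from this article: it parses captured `diagnose sys session list` output and classifies each TCP session using the proto_state values the article gives (2 and 3 as half-open, 4 and 7 as half-close). The sample output embedded in the script is constructed; its first record is the one printed above, the other three records are made up for illustration, and the mapping of proto_state 01 to "established" is the standard FortiGate meaning rather than something this article states. Sessions whose reply counter is 0/0/0 are listed separately, since those are the "SYN sent, no SYN-ACK seen" cases.

```python
import re
import sys
from collections import Counter

# Constructed sample in the layout of `diagnose sys session list`. The first
# record is the one printed in the article; the other three (an established
# TCP session, a half-close TCP session and a UDP session) are constructed
# here for illustration and do not come from the page.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=02 duration=8 expire=1 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=0/255
state=log local nds
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 0/0

session info: proto=6 proto_state=01 duration=120 expire=3598 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=5120/40/40 reply=81920/60/60 tuples=2

session info: proto=6 proto_state=04 duration=45 expire=115 timeout=120 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=900/12/12 reply=1400/10/10 tuples=2

session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=76/1/1 reply=92/1/1 tuples=2
"""

# proto_state values the article associates with each condition.
HALF_OPEN_STATES = {"02", "03"}   # diagnose sys session filter proto-state 2 / 3
HALF_CLOSE_STATES = {"04", "07"}  # diagnose sys session filter proto-state 4 / 7
ESTABLISHED_STATE = "01"          # standard FortiGate meaning; not stated in the article

KV_RE = re.compile(r"(\w+)=(\S*)")
STAT_RE = re.compile(r"org=(\d+)/(\d+)/(\d+) reply=(\d+)/(\d+)/(\d+)")


def parse_sessions(text):
    """Split session-list output into one dict per 'session info:' record."""
    sessions = []
    current = None
    for line in text.splitlines():
        if line.startswith("session info:"):
            # Every key=value pair on the header line (proto, proto_state, ...).
            current = dict(KV_RE.findall(line[len("session info:"):]))
            sessions.append(current)
        elif current is not None and line.startswith("statistic("):
            m = STAT_RE.search(line)
            if m:
                org_b, org_p, _, rep_b, rep_p, _ = map(int, m.groups())
                current.update(org_bytes=org_b, org_pkts=org_p,
                               reply_bytes=rep_b, reply_pkts=rep_p)
    return sessions


def classify(session):
    """Label a parsed session using the proto_state meanings from the article."""
    if session.get("proto") != "6":
        return "non-tcp"
    state = session.get("proto_state", "")
    if state in HALF_OPEN_STATES:
        return "half-open"
    if state in HALF_CLOSE_STATES:
        return "half-close"
    if state == ESTABLISHED_STATE:
        return "established"
    return "other"


def summarize(text):
    """Count sessions per category: the same view the two filter sets give."""
    return Counter(classify(s) for s in parse_sessions(text))


def half_open_without_reply(text):
    """Half-open TCP sessions with reply=0/0/0: the SYN went out but no
    SYN-ACK was seen by this FortiGate (the article's proto_state=02 case)."""
    return [s for s in parse_sessions(text)
            if classify(s) == "half-open" and s.get("reply_pkts", 0) == 0]


if __name__ == "__main__":
    # Pipe captured CLI output in, or run with no input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for category, count in sorted(summarize(data).items()):
        print(f"{category:12s} {count}")
    for s in half_open_without_reply(data):
        print(f"half-open, no reply: duration={s['duration']}s expire={s['expire']}s")
```

Save the unfiltered `diagnose sys session list` output from both devices when the note above applies, run the script against each capture, and compare the categories: a session that is half-close on one end but established on the other is the lost-FIN situation the note describes.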
Related articles

Technical Tip: Check the session list and filter by IP address or port using the 'grep'
Technical Tip: FortiGate Session Timers, Handling TCP Half-Closed Connections
Troubleshooting Tip: FortiGate session table information