FortiGate
sramesh1
Staff
Article Id 407206
Description

When reviewing Forward Traffic logs in FortiGate, administrators may see different action values such as close, reset, or timeout. These do not indicate UTM blocking, but instead describe how the session was terminated. This article explains the difference between them and how to interpret these log entries.

Scope

FortiGate, Forward Traffic logs (policy-accepted sessions). Applicable to flow-based and proxy-based inspection.

Solution
  1. Action=Close:

The session ended normally. This typically happens when the client or server sends a TCP FIN to close the connection.

For example, a user browses to a website, the page loads fully, and the client closes the session.

 

Log Example:

 

date=2025-08-18 src=10.21.4.3 dst=172.217.163.110 service=HTTPS action=close

 

  2. Action=Reset:

The session was terminated using a TCP RST (reset) packet. The source of the TCP RST packet may originate from:

  • Client application (browser closed tab, plugin crash).
  • Server (rejecting malformed request).
  • FortiGate (if security profile blocks traffic or policy denies mid-session).

Key point: A reset is not always a block; resets often originate from the endpoint, not the firewall.

 

Log Example:

 

date=2025-08-18 src=10.21.4.3 dst=10.200.150.19 service=HTTPS action=reset

 

  3. Action=Timeout:

The session remained idle or unresponsive longer than FortiGate’s session timeout threshold.

 

Possible Causes:

  1. No FIN or RST received before the idle timer expired.
  2. Application froze or client disconnected unexpectedly.

Default session timeout values:

  • TCP: 3600 seconds (1 hour).
  • UDP: 60 seconds (configurable).

Timeout values location (in order of precedence):

 

config system session-ttl

    set session-ttl <----- For a custom service object defined under 'config firewall service custom'.

    set session-ttl <----- When defined in a firewall policy under 'config firewall policy'.

 

Log Example:

 

date=2025-08-18 src=10.21.4.3 dst=192.168.1.20 service=HTTPS action=timeout

 

| Action | Trigger | Example Scenario |
|---|---|---|
| Close | Normal TCP termination (FIN exchange) | User closes browser after session ends |
| Reset | Session aborted via TCP RST (client/server/FortiGate) | Process crash, invalid request, block page, TLS Encrypted alert |
| Timeout | No termination, session expired by timer | Idle session, dropped Wi-Fi client |

 

Troubleshooting Tips:
  • Use the following command to verify whether RST comes from the client or the server:

 

diagnose sniffer packet any "host <ip>" 4 0 l

 
  • Check debug flow:

 

diagnose debug reset
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow filter addr x.x.x.x     <----- The x.x.x.x should be the IP address to trace the flow for.
diagnose debug flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable
 
Perform these steps to confirm whether FortiGate injected the reset (policy/UTM block).
 
Conclusion:
  • Close, reset, and timeout in Forward Traffic logs do not necessarily mean a firewall block.
  • They indicate how the session ended: normal closure, reset, or timeout.
  • For security enforcement decisions, always cross-check UTM/Security logs (Web Filter, IPS, AV).
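
A triage sketch for the conclusion above, added here as an example and not Fortinet's code: it parses Forward Traffic lines in the key=value form shown in this article, counts close/reset/timeout per destination and service, and lists the pairs where resets and timeouts dominate, which are the ones worth cross-checking against UTM logs and the sniffer. The sample lines beyond the three in the article, the handling of quoted values, and the `min_sessions` and `threshold` parameters are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three log lines shown in the article plus
# constructed repeats, in key=value form (values may be quoted).
SAMPLE_LOG = """\
date=2025-08-18 src=10.21.4.3 dst=172.217.163.110 service=HTTPS action=close
date=2025-08-18 src=10.21.4.3 dst=10.200.150.19 service=HTTPS action=reset
date=2025-08-18 src=10.21.4.7 dst=10.200.150.19 service="HTTPS" action="reset"
date=2025-08-18 src=10.21.4.9 dst=10.200.150.19 service=HTTPS action=close
date=2025-08-18 src=10.21.4.3 dst=192.168.1.20 service=HTTPS action=timeout
date=2025-08-18 src=10.21.4.3 dst=192.168.1.20 service=HTTPS action=deny
"""

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
TERMINATIONS = {"close", "reset", "timeout"}  # how a session ended, not a verdict


def parse_line(line):
    """Split one key=value log line into a dict, stripping optional quotes."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}


def summarize(log_text):
    """Count close/reset/timeout per (dst, service); other actions are skipped."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") in TERMINATIONS and "dst" in rec:
            stats[(rec["dst"], rec.get("service", "?"))][rec["action"]] += 1
    return stats


def review_candidates(stats, min_sessions=2, threshold=0.5):
    """Return (dst, service, ratio) where resets plus timeouts dominate."""
    out = []
    for (dst, svc), c in stats.items():
        total = sum(c.values())
        ratio = (c["reset"] + c["timeout"]) / total
        if total >= min_sessions and ratio >= threshold:
            out.append((dst, svc, round(ratio, 2)))
    return sorted(out, key=lambda r: -r[2])


if __name__ == "__main__":
    for dst, svc, ratio in review_candidates(summarize(SAMPLE_LOG)):
        print(f"{dst} {svc}: {ratio:.0%} reset/timeout, check UTM logs and sniffer")
```

A high ratio only marks a destination for review; the sniffer and debug flow steps above are still what show which side sent the RST.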