FortiWeb
DavidCY
Staff
Article Id 417950
Description This article describes a scenario where FortiWeb sessions remain active with zero KB sent/received, even when the client timeout is configured.
Scope FortiWeb.
Solution

In some scenarios, a user might observe established sessions on FortiWeb that carry no traffic and yet never time out.

This can happen even when client-timeout is configured under the server policy.

 

Whenever a client completes a TCP 3-way handshake with a server behind FortiWeb but does not send an HTTP request, the session will not time out automatically and will remain active with zero KB sent/received.

This happens because, by default, FortiWeb sends keepalives every 60 seconds on each session. These keep the session alive until a closure is received from the client's end.

 

To close such idle sessions, another setting is needed under the server policy:

'tcp-recv-timeout' causes the session to be closed once the threshold elapses without an HTTPS request being received:

 

config server-policy policy
    edit "<policy_name>"
        set tcp-recv-timeout <seconds_int>
end
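
To confirm from a test client that a handshake-only connection is now closed, the following added example (not Fortinet code and not part of the original article) completes the TCP handshake, sends nothing, and times how long the peer takes to close. The function names and the local stand-in listener with its 2-second timeout are assumptions constructed so the script runs offline.

```python
import socket
import threading
import time


def measure_idle_close(host, port, max_wait):
    """Complete the TCP handshake, send nothing, and return the seconds until
    the peer closes the connection, or None if it is still open at max_wait."""
    with socket.create_connection((host, port), timeout=10) as sock:
        start = time.monotonic()
        deadline = start + max_wait
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            sock.settimeout(remaining)
            try:
                data = sock.recv(4096)
            except socket.timeout:
                return None                      # still established at max_wait
            except ConnectionResetError:
                return time.monotonic() - start  # peer closed with RST
            if data == b"":
                return time.monotonic() - start  # peer closed with FIN
            # bytes the peer sends before closing are ignored


def start_stand_in(idle_timeout):
    """Constructed local listener standing in for the virtual server: it
    closes a connection that sends nothing within idle_timeout seconds."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(idle_timeout)
        try:
            conn.recv(1)
        except OSError:      # includes the idle timeout
            pass
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_stand_in(idle_timeout=2.0)
    print("closed after", measure_idle_close("127.0.0.1", port, max_wait=10.0))
```

A return value close to the configured tcp-recv-timeout indicates the idle session was closed; None means the connection was still established when max_wait expired.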