Question about packet handling


There is an article:

I want to know what is the situation from a general viewpoint.

1. If the FGT sends an RST packet and the SEQ number is wrong, so that the packet is discarded by the server and the client, then why does this situation exist at all? Is this a fundamental flaw in the FGT design caused by using NPUs that cannot be improved, or is this a Fortigate-specific problem that could be solved somehow, e.g. by using only the NPU for all (needed) traffic (but there are reasons why this has not been done so far)? Not offloading to the NPU makes the traffic slower in general, doesn't it? That's why there is an NPU in the first place.

2. I think most sessions through the FGT are finished based on RST packets sent by the client or the server, and only in some rare cases does neither of them finish the TCP session this way (e.g. HTTP/S); then the session waits for the timeout in the FGT, and when it is eventually finished by the FGT, the RST is not sent by default. Is this a bug, or is it by design? Is there any reason for this?

3. How are NPUs/ASICs used in firewalls made by other vendors? Do they have similar problems, or have they solved this in some way?


It would be nice to know the situation from somebody who has had more experience with these details.
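To illustrate the first question (why an RST carrying a stale sequence number is simply ignored by the endpoints), here is an added example that is not from the original post or from Fortinet: it models the RST validation rules of RFC 793 (in-window check) as tightened by RFC 5961 section 3.2. The connection state values used are constructed for the example.

```python
# Added example: how a TCP receiver decides whether to honour an incoming RST.
# RFC 793: an RST is processed only if its SEQ falls inside the receive window.
# RFC 5961 3.2: an in-window RST is honoured only if SEQ == RCV.NXT exactly;
# otherwise the receiver sends a "challenge ACK" and keeps the connection.
# A middlebox that no longer tracks the exact sequence numbers (for example
# after the session was offloaded or has timed out) will therefore usually
# produce an RST that the endpoints drop or merely challenge.

MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_disposition(seg_seq: int, rcv_nxt: int, rcv_wnd: int,
                    rfc5961: bool = True) -> str:
    """Return what the receiver does with a RST segment.

    'reset'     -> RST accepted, connection torn down
    'challenge' -> in-window but not exact (RFC 5961 only): challenge ACK sent,
                   connection kept
    'drop'      -> SEQ outside the receive window: silently discarded
    """
    if seg_seq % MOD == rcv_nxt % MOD:
        return "reset"
    if seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge" if rfc5961 else "reset"
    return "drop"


def stale_rst_outcome(last_seen_seq: int, bytes_since: int, rcv_wnd: int) -> str:
    """Outcome of an RST built from a sequence number the middlebox saw
    `bytes_since` bytes ago (constructed scenario: the endpoint has since
    advanced RCV.NXT, the middlebox has not)."""
    rcv_nxt = (last_seen_seq + bytes_since) % MOD
    return rst_disposition(last_seen_seq, rcv_nxt, rcv_wnd)


if __name__ == "__main__":
    # Constructed state: receiver expects 1000500 next, window 65535 bytes.
    print(rst_disposition(1000500, 1000500, 65535))  # exact   -> reset
    print(rst_disposition(1000600, 1000500, 65535))  # in-win  -> challenge
    print(rst_disposition(1000000, 1000500, 65535))  # behind  -> drop
    print(stale_rst_outcome(1000000, 500, 65535))    # stale   -> drop
```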

