I have a problem setting tcp-halfclose-timer and would like to seek advice.
I suppose the tcp-halfclose-timer should affect half-close applications like rsh or sqlnet and should have no effect on, say, https. But I find that even though an https connection has been terminated completely with FIN and FIN/ACK, the FortiGate still keeps its session entries with the expiry time = tcp-halfclose-timer value and does not age them out faster.
So if I set the tcp-halfclose-timer to a high value (say 6 hours), then the session table will grow very large, which is undesirable. But I must set it, as there are half-close applications in my company.
So does anyone know if there is a solution? Or is it a known issue? BTW, the FortiOS that I use is 3.0 MR3 patch 9. I didn't see the same problem when I was using version 2.8 MR11.
Thanks a lot.
The tcp-halfclose-timer global system parameter has the same meaning in 2.80 and 3.0;
you cannot set it on a per-protocol basis, just globally for all TCP connections (default 120 sec).
I'm not completely sure things work as you posted:
"..still keeps its session entries with the expiry time = tcp-halfclose-timer value.."
Anyway, keep in mind that you can control session table timeouts on a per-protocol basis with the CLI, e.g. if you need 8-hour SSH sessions but the others keep the default (1 hour):
config system session-ttl
set default 3600
set timeout 28800
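As an added illustration of the per-port form this reply refers to (not part of the original post): in the FortiOS CLI the per-protocol timeout lives in a config port sub-table under config system session-ttl, keyed by IP protocol number and a port range, while tcp-halfclose-timer is a single global setting under config system global. The values follow the reply (28800 seconds for TCP/22, 3600 for everything else); the entry index 1 and the 120-second half-close value are arbitrary choices, and the lines starting with # are comments for the reader, not CLI commands. Check the exact sub-table syntax against the CLI reference for your build.

```text
# Global half-close timer: one value for every TCP session, no per-port form
config system global
    set tcp-halfclose-timer 120
end

# Default session TTL, plus a per-port override for SSH (protocol 6 = TCP)
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 6
            set start-port 22
            set end-port 22
            set timeout 28800
        next
    end
end

# Verify the resulting entries
show system session-ttl
```

Note that the per-port entry only changes the idle TTL of established sessions; once one side has sent a FIN, the session is governed by the global tcp-halfclose-timer regardless of which config port entry it matched.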
Thanks for your reply.
I set the tcp-halfclose-timer to 300 and session-ttl to 3600. And then I make a few http connections.
After that, I check the session entries via the web GUI and find that the expiry time of the http connections is set to 300 seconds.
I suppose that once the http connections are finished, after the client and server send the FIN packets, the FortiGate should set the expiry time to a value other than 300 seconds.
Since my company still uses old applications with half-close features, I need to set the timer to a large value. But if I do that, then normal applications will stay in the session table for a very long time as well.
Interesting issue, but I cannot reproduce it here with 3.0 MR3 and MR4 boxes :(
In my web GUI all TCP sessions have an expiration time controlled by the 'default' system session-ttl value, and only the TCP protocols specially configured (as in the SSH port 22 example above) have different timeout values.
The docs say this about 'tcp-halfclose-timer':
"Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded"
The key part here seems to be 'sent a FIN packet but the other has not responded'.
I'll try other tests with 2.80 to try to catch any difference.
Thanks guys for providing details about this behaviour. I am a support engineer working at Fortinet. I just got word from QA that this has been reported as a bug and will be fixed in the next MR, so you can expect this to be fixed in MR6.