FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
krajaa
Staff
Article Id 196858

Description

This article describes the per-policy CLI setting timeout-send-rst, which makes the FortiGate send a TCP RST to both endpoints when an established TCP session expires from its session table, and the related global setting reset-sessionless-tcp.

Scope

Any supported version of FortiGate.

Solution

A common situation is that the TCP session entry on the FortiGate has a shorter idle timeout (session TTL) than the TCP idle or keepalive timer of the client PC that initiated the session, or of the server.

When the session expires on the FortiGate, neither endpoint is told. The client still considers the connection established and may try to send on it again. By default the FortiGate silently drops TCP packets that match no session in its table, so the client keeps retransmitting, generating useless traffic, until its own timers give up, the application resets the connection on its side and a new one is opened.

To avoid this behavior, configure the FortiGate to send a TCP RST packet to both the source and the destination when the corresponding established TCP session expires due to inactivity.

Both endpoints are then informed immediately that the session no longer exists on the FortiGate. They will not try to re-use the old session; instead, they will create a new one.

# config firewall policy
    edit <ID>
        set timeout-send-rst enable
    next
end

Note: Carefully read and understand the effects of this setting before enabling it broadly. It is recommended to enable it only on the policies that need it.

A related global setting covers the case where the session has already expired: when the FortiGate receives a TCP packet that does not match any session in its session table, it replies with a RST to the originator instead of silently dropping the packet. To enable it:

# config system global
    set reset-sessionless-tcp enable
end

Enabling this option may help resolve issues with a problematic server, but it makes the FortiGate more exposed to denial of service attacks, since every sessionless TCP packet that reaches it now generates a reply instead of being dropped.

If reset-sessionless-tcp is enabled, the FortiGate sends a RST packet to the packet originator. The originator ends the current session but will try to establish a new one.

This setting is available in NAT/Route mode only. It is disabled by default.
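As an added example (not from the Fortinet article), the following Python script audits a FortiGate configuration backup for the two settings discussed above: it lists the policies that already have timeout-send-rst enabled, the accept policies that still expire sessions silently, flags the global reset-sessionless-tcp, and generates the CLI block that enables timeout-send-rst only on the policies that need it, as the note above recommends. The config text, policy names and interface names are constructed for illustration; the parser follows the config/edit/next/end block structure of a FortiOS backup.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in FortiOS backup format (not a real device config).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
    set reset-sessionless-tcp enable
end
config firewall policy
    edit 1
        set name "LAN-to-DB"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set timeout-send-rst enable
    next
    edit 2
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
    edit 3
        set name "block-guest"
        set action deny
    next
end
"""

_SET = re.compile(r"^set\s+(\S+)\s+(.*)$")


@dataclass
class Audit:
    reset_sessionless_tcp: bool = False
    policies: dict[int, dict[str, str]] = field(default_factory=dict)

    def policies_with_timeout_rst(self) -> list[int]:
        """Policy IDs that already send RST on session expiry."""
        return sorted(pid for pid, s in self.policies.items()
                      if s.get("timeout-send-rst") == "enable")

    def accept_policies_without_timeout_rst(self) -> list[int]:
        """Accept policies whose sessions still expire silently."""
        return sorted(pid for pid, s in self.policies.items()
                      if s.get("action") == "accept"
                      and s.get("timeout-send-rst") != "enable")


def parse(config_text: str) -> Audit:
    """Walk the config/edit/next/end structure and collect the settings of interest."""
    audit = Audit()
    # One frame per open 'config' block: [section name, current edit id or None].
    # A stack keeps a nested 'config' inside an 'edit' from losing the outer edit id.
    stack: list[list] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append([line[len("config "):], None])
        elif line.startswith("edit ") and stack:
            edit_id = line[len("edit "):].strip().strip('"')
            stack[-1][1] = edit_id
            if stack[-1][0] == "firewall policy":
                audit.policies.setdefault(int(edit_id), {})
        elif line == "next" and stack:
            stack[-1][1] = None
        elif line == "end" and stack:
            stack.pop()
        else:
            m = _SET.match(line)
            if not m or not stack:
                continue
            key, value = m.group(1), m.group(2).strip().strip('"')
            section, edit_id = stack[-1]
            if section == "system global" and key == "reset-sessionless-tcp":
                audit.reset_sessionless_tcp = value == "enable"
            elif section == "firewall policy" and edit_id is not None:
                audit.policies[int(edit_id)][key] = value
    return audit


def cli_to_enable(policy_ids: list[int]) -> str:
    """CLI block that enables timeout-send-rst on the given policies only."""
    body = "".join(f"    edit {pid}\n        set timeout-send-rst enable\n    next\n"
                   for pid in policy_ids)
    return "config firewall policy\n" + body + "end\n"


def report(audit: Audit) -> list[str]:
    """Human-readable findings, one line each."""
    lines = []
    if audit.reset_sessionless_tcp:
        lines.append("WARNING: reset-sessionless-tcp is enabled globally "
                     "(RST for every sessionless TCP packet; DoS exposure)")
    for pid in audit.policies_with_timeout_rst():
        lines.append(f"policy {pid} ({audit.policies[pid].get('name', '?')}): "
                     "timeout-send-rst enable")
    for pid in audit.accept_policies_without_timeout_rst():
        lines.append(f"policy {pid} ({audit.policies[pid].get('name', '?')}): "
                     "sessions expire silently")
    return lines


if __name__ == "__main__":
    result = parse(SAMPLE_CONFIG)
    print("\n".join(report(result)))
    print(cli_to_enable(result.accept_policies_without_timeout_rst()))
```

Run it against the output of `show full-configuration` (or a backup file) instead of SAMPLE_CONFIG; the generated block can be pasted into the CLI after reviewing which accept policies actually carry long-lived client-to-server sessions.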
