Configuring hyperscale TCP timeout profiles
If your FortiGate is licensed for hyperscale firewall features, you can use the following command to create one or more TCP timeout profiles. Once you have created TCP timeout profiles, you can use the tcp-timeout-pid option in a firewall policy in a hyperscale firewall VDOM to select the TCP timeout profile to apply to traffic accepted by that hyperscale firewall policy.
config system npu
    config tcp-timeout-profile
        edit {6 | 7 | 8 | ... | 47}
            set tcp-idle <seconds>
            set fin-wait <seconds>
            set close-wait <seconds>
            set time-wait <seconds>
            set syn-sent <seconds>
            set syn-wait <seconds>
        end
    end
tcp-idle      TCP idle timeout in seconds. Range 1 to 86400, default 3600.
fin-wait      FIN-WAIT state timeout in seconds. Range 1 to 86400, default 120.
close-wait    CLOSE-WAIT state timeout in seconds. Range 1 to 86400, default 120.
time-wait     TIME-WAIT state timeout in seconds. Range 1 to 300, default 1.
syn-sent      SYN-SENT state timeout in seconds. Range 1 to 86400, default 10.
syn-wait      SYN-WAIT (half-open) timeout in seconds. Range 1 to 86400, default 10.
For example, use the following command to create TCP timeout profile number 10:
config global
    config system npu
        config tcp-timeout-profile
            edit 10
                set tcp-idle 10
                set fin-wait 20
                set close-wait 10
                set time-wait 5
            end
        end
    end
Use the following command to apply TCP timeout profile number 10 to a hyperscale firewall policy:
config vdom
    edit <hyperscale-firewall-vdom-name>
        config firewall policy
            edit 1
                set action accept
                set policy-offload enable
                ...
                set tcp-timeout-pid 10
                ...
            end
        end
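The two steps above (create the profile in the global NPU configuration, then bind it to a policy with tcp-timeout-pid) are easy to get wrong when generated by automation: an ID outside 6 to 47 or a time-wait above 300 is rejected by the CLI, and a mistyped key silently leaves the default in place. The following Python script is an added example, not Fortinet code; it checks a requested profile against the ranges and defaults from the table on this page, flags timeouts set below their defaults for review, and renders the CLI blocks shown above. The function names, the VDOM name and the policy number are assumptions for illustration.

```python
from __future__ import annotations

# Per-setting (min, max, default) in seconds, taken from the table on this page.
LIMITS = {
    "tcp-idle":   (1, 86400, 3600),
    "fin-wait":   (1, 86400, 120),
    "close-wait": (1, 86400, 120),
    "time-wait":  (1, 300, 1),
    "syn-sent":   (1, 86400, 10),
    "syn-wait":   (1, 86400, 10),
}
# Profile IDs the syntax on this page allows: edit {6 | 7 | 8 | ... | 47}.
PROFILE_ID_MIN, PROFILE_ID_MAX = 6, 47


def validate_profile(pid: int, settings: dict[str, int]) -> dict[str, int]:
    """Check a profile against the documented ranges and fill in defaults.

    Returns the complete settings dict (every key present) or raises
    ValueError describing the first problem found.
    """
    if not isinstance(pid, int) or not PROFILE_ID_MIN <= pid <= PROFILE_ID_MAX:
        raise ValueError(f"profile id {pid!r} is outside {PROFILE_ID_MIN}..{PROFILE_ID_MAX}")
    unknown = sorted(set(settings) - set(LIMITS))
    if unknown:
        raise ValueError(f"unknown timeout settings: {unknown}")
    full = {}
    for key, (lo, hi, default) in LIMITS.items():
        value = settings.get(key, default)
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError(f"{key}={value!r} is outside {lo}..{hi}")
        full[key] = value
    return full


def shorter_than_default(settings: dict[str, int]) -> list[str]:
    """Names of timeouts set below the documented default.

    Shorter timeouts release NPU session state sooner, which limits how
    long half-open or abandoned connections occupy the session table, but
    they can also cut legitimate idle sessions, so they deserve a second
    look before deployment.
    """
    return [k for k, v in settings.items() if v < LIMITS[k][2]]


def render_profile_cli(pid: int, settings: dict[str, int]) -> str:
    """FortiOS CLI that creates the profile in the global NPU configuration.

    Every setting is emitted explicitly, defaults included, so the
    resulting configuration is self-describing when reviewed later.
    """
    full = validate_profile(pid, settings)
    lines = [
        "config global",
        "    config system npu",
        "        config tcp-timeout-profile",
        f"            edit {pid}",
    ]
    lines += [f"                set {key} {value}" for key, value in full.items()]
    lines += ["            end", "        end", "    end"]
    return "\n".join(lines)


def render_policy_binding(vdom: str, policy_id: int, pid: int) -> str:
    """FortiOS CLI that applies profile `pid` to one hyperscale firewall policy.

    Only the lines shown on this page are emitted; the rest of the policy
    (interfaces, addresses, services) is assumed to exist already.
    """
    if not PROFILE_ID_MIN <= pid <= PROFILE_ID_MAX:
        raise ValueError(f"profile id {pid!r} is outside {PROFILE_ID_MIN}..{PROFILE_ID_MAX}")
    return "\n".join([
        "config vdom",
        f"    edit {vdom}",
        "        config firewall policy",
        f"            edit {policy_id}",
        "                set action accept",
        "                set policy-offload enable",
        f"                set tcp-timeout-pid {pid}",
        "            end",
        "        end",
    ])


if __name__ == "__main__":
    # Constructed input mirroring the page's profile 10 example.
    wanted = {"tcp-idle": 10, "fin-wait": 20, "close-wait": 10, "time-wait": 5}
    print(render_profile_cli(10, wanted))
    print("below default:", shorter_than_default(validate_profile(10, wanted)))
    print(render_policy_binding("hyperscale-vdom", 1, 10))
```

Running the script with the page's profile 10 values reports tcp-idle, fin-wait and close-wait as shorter than their defaults, which is the kind of change a reviewer should confirm was intended, since an idle timeout of 10 seconds will tear down offloaded sessions that pause briefly.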