Question 1 - Fortinet EMEA-Advanced-Support Real Exam Questions [Jan 2026 Update]

Q: 1

A firewall receives an out-of-order packet in a TCP session after the FIN/ACK and the packet is dropped as expected. What parameter can be changed to prevent such drops?

Options

Correct Answer:

Explanation

The TCP TIMEWAIT state is a standard mechanism designed to ensure any delayed or out-of-order packets from a recently closed connection are handled correctly. On a FortiGate, the tcp-time-wait timer under config system session-ttl dictates how long a session remains in the session table after the final FIN/ACK has been observed. The default value is very short (1 second). If a late packet arrives after this timer expires, the session entry will have been deleted, causing the packet to be dropped. Increasing the tcp-time-wait timer extends the life of the session entry, allowing such late packets to be properly processed.

Why Incorrect

A. TCP close-wait timer: This timer applies to sessions in the CLOSEWAIT state, which is an earlier phase of connection termination, before the final FIN is sent by the passive closer.

C. Enable TCP option: This is too vague. While TCP options like SACK exist, they address packet reordering during an active session, not the firewall's session state lifetime after termination.

D. TCP MSS: The Maximum Segment Size (MSS) is negotiated during the initial TCP handshake to define the largest packet size. It does not influence session teardown timers or late packet handling.

References

1. Fortinet FortiOS CLI Reference (7.2.1): The config system session-ttl command set includes the tcp-time-wait parameter. The documentation states: "Time in seconds that a TCP session is kept in the session table after the final ACK is seen (1 - 86400 sec

default = 1)." This directly confirms its role in post-closure session lifetime. (See config system session-ttl section).

2. Fortinet FortiOS Handbook - Firewall (7.2.1): In the "Session TTL" section

the handbook explains the various timers that FortiOS uses to manage session lifetimes. It describes how tcp-time-wait specifically manages the state after a graceful TCP close

which is the exact scenario described in the question.

3. Fortinet Knowledge Base Article ID: FD30039: This article

"Troubleshooting Tip: First packet dropped (denied) by firewall policy

" explains how session timers

including tcp-time-wait

affect packet handling. It clarifies that if a session is timed out

subsequent packets will be dropped. Increasing the relevant timer can resolve this.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE