If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.

An RST packet will have one of three possible outcomes:

- An RST packet that falls outside the TCP window is dropped.
- An RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial of service (DoS) attacks where the attacker tries to disrupt existing sessions by sending random RST packets to the firewall.
- An RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer
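The three-way classification above, as an added illustration that is not Palo Alto Networks code: it checks an RST's sequence number against tracked session state (with 32-bit wraparound), assigns the aging timer the matching bullet names, and counts how random RSTs fare. The `Session` fields, the function names and the TCP Time Wait value are assumptions; only the 30-second Unverified RST default comes from the text.

```python
from dataclasses import dataclass
import random

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Session:
    """Minimal session-table entry (assumed fields, not the firewall's real schema)."""
    rcv_nxt: int   # exact sequence number expected next from this peer
    rcv_wnd: int   # receive window the peer may currently send into
    timeout: int   # remaining aging timer for the session, in seconds


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), handling wraparound."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def handle_rst(session: Session, seq: int,
               unverified_rst_timer: int = 30,  # page default; valid range 1-600
               time_wait_timer: int = 15) -> str:  # assumed value, not from the page
    """Apply one of the three outcomes to the session and report which one fired.

    'drop'       - outside the window: RST discarded, session timer untouched
    'unverified' - inside the window, wrong sequence: age out via Unverified RST timer
    'verified'   - exact expected sequence: age out via TCP Time Wait timer
    """
    if not seq_in_window(seq, session.rcv_nxt, session.rcv_wnd):
        return "drop"
    if seq != session.rcv_nxt:
        session.timeout = unverified_rst_timer
        return "unverified"
    session.timeout = time_wait_timer
    return "verified"


def random_rst_outcomes(session: Session, attempts: int, seed: int = 1) -> dict:
    """Tally outcomes for `attempts` RSTs with random sequence numbers (constructed
    traffic) to show why guessed RSTs mostly fall outside the window and are dropped."""
    rng = random.Random(seed)
    counts = {"drop": 0, "unverified": 0, "verified": 0}
    for _ in range(attempts):
        probe = Session(session.rcv_nxt, session.rcv_wnd, session.timeout)
        counts[handle_rst(probe, rng.randrange(SEQ_MOD))] += 1
    return counts


if __name__ == "__main__":
    s = Session(rcv_nxt=4_000_000_000, rcv_wnd=65_535, timeout=3600)
    print(handle_rst(s, seq=100), s.timeout)  # outside window: dropped, timer unchanged
    print(random_rst_outcomes(s, 100_000))
```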