Chapter 7 Firewall for FortiOS 5.0 : Firewall concepts : What is a Firewall? : Network Layer or Packet Filter Firewalls : Stateful Firewalls
  
Stateful Firewalls
Stateful firewalls retain packet state in memory so that they can maintain context about active sessions and make judgements about the connection state of an incoming packet. This enables a stateful firewall to determine whether a packet is the start of a new connection, part of an existing connection, or not part of any connection. If a packet matches an existing connection in the firewall's state table, it is allowed to pass without further processing. If a packet does not match an existing connection, it is evaluated against the rules set for new connections. Predetermined rules are used in the same way as in a stateless firewall, but they can now work with the additional criterion of the connection's state as tracked by the firewall.
 
 
Best Practices Tip for improving performance:
Blocking the packets of a denied session can take more CPU processing resources than passing the traffic through, because each packet is evaluated against the policy individually. By putting denied sessions in the session table, they can be tracked in the same way that allowed sessions are, so that the FortiGate unit does not have to re-evaluate whether to deny each packet of the session. If the session is denied, all packets of that session are also denied for as long as the entry remains in the table.
To configure this, enter the following CLI commands (two settings within one config block):
config system setting
set ses-denied-traffic enable
set block-session-timer <integer 1 - 300> (this determines how long, in seconds, the denied session is kept in the table)
end
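To make the trade-off concrete, here is a small Python model of a stateful session table in which denied sessions can optionally be cached with an expiry timer, mirroring what ses-denied-traffic and block-session-timer do. It is an added illustration, not FortiOS code; the policy rules, addresses and packet timings are constructed.

```python
"""Toy stateful session table: compare policy evaluations with and without
caching denied sessions. Constructed illustration, not FortiGate internals."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport ts")  # ts = arrival time (seconds)


class SessionTable:
    def __init__(self, rules, cache_denied, block_timer=30):
        if not 1 <= block_timer <= 300:  # same range as block-session-timer
            raise ValueError("block_timer must be 1-300 seconds")
        self.rules = rules                # ordered list of (dst_port, action)
        self.cache_denied = cache_denied  # models 'set ses-denied-traffic enable'
        self.block_timer = block_timer    # models 'set block-session-timer'
        self.table = {}                   # flow key -> (verdict, expires_at)
        self.rule_lookups = 0             # full policy evaluations (the costly path)

    def _evaluate(self, pkt):
        """Walk the policy list; implicit deny if nothing matches."""
        self.rule_lookups += 1
        for port, action in self.rules:
            if port == pkt.dport:
                return action
        return "deny"

    def handle(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        entry = self.table.get(key)
        if entry and entry[1] > pkt.ts:   # state-table hit: no rule evaluation
            return entry[0]
        verdict = self._evaluate(pkt)
        if verdict == "accept":
            self.table[key] = (verdict, pkt.ts + 3600)  # constructed session TTL
        elif self.cache_denied:
            self.table[key] = (verdict, pkt.ts + self.block_timer)
        return verdict


RULES = [(443, "accept"), (22, "deny")]  # constructed policy


def run(cache_denied, block_timer=30):
    """Return (verdict list, number of policy evaluations) for constructed traffic."""
    fw = SessionTable(RULES, cache_denied, block_timer)
    packets = [Packet("10.0.0.5", "10.0.1.9", 443, t) for t in range(5)]      # allowed flow
    packets += [Packet("198.51.100.7", "10.0.1.9", 22, t) for t in range(5)]  # denied flow
    packets.append(Packet("198.51.100.7", "10.0.1.9", 22, 60))  # after timer expiry
    verdicts = [fw.handle(p) for p in sorted(packets, key=lambda p: p.ts)]
    return verdicts, fw.rule_lookups
```

With caching off every denied packet is re-evaluated (7 lookups here); with caching on only the first denied packet and the one arriving after the timer expired hit the policy (3 lookups), while the verdicts are identical.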