Technical Tip: Authentication timeout value for firewall user
Description
This article describes the available options and explains how the user 'authtimeout' value is actually enforced.
There are many places in the configuration to set 'authtimeout' to force the reauthentication of a user.
Scope
FortiGate.
Solution
The value is actually applied according to the hierarchy outlined below.
'authtimeout' values are selected in the following order:
- User # (a specific user) <----- Highest level.
- User group.
- User setting (global level setting).
By default, the user and user group 'authtimeout' values are 0 (not set), and hence the user setting 'authtimeout' value will take precedence.
When 'authtimeout' is configured at a higher level, that level overrides the lower levels.
The authtimeout value is in minutes.
Sample configurations:
- To apply a specific timeout value to a single user, set 'authtimeout' at the user level:
config user local
edit <username>
set authtimeout xx <----- Integer value from <0> to <43200>.
end
With this setting, the user's authentication will time out after xx minutes, depending on the 'auth-timeout-type' setting.
- To apply a specific timeout value to all members of a user group, set 'authtimeout' at the user group level:
config user group
edit <user group name>
set authtimeout xx <----- Integer value from <0> to <43200>.
end
With this setting, authentication of users belonging to that user group will time out after xx minutes, depending on 'auth-timeout-type'.
- If 'authtimeout' is not set at the user or user group level, the value in the user setting is applied to all users:
config user setting
set authtimeout xx <----- Integer value from <0> to <43200>.
end
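The precedence rules above (user, then user group, then user setting, with 0 meaning "not set") are easy to get wrong when auditing a configuration with many users and groups. The following script is an added example, not part of this article or of FortiOS: it parses a constructed CLI snippet in the config/edit/set/next/end layout shown above, applies the same hierarchy to compute the effective 'authtimeout' for every local user, and rejects values outside the 0 to 43200 range stated above. The sample users, groups and values are constructed; the tie-break for a user in several groups that each set a non-zero timeout (first matching group in config order) is an assumption, since the article does not define that case.

```python
"""Resolve the effective FortiGate 'authtimeout' per user from a CLI config snippet.

Precedence (highest first): user local -> user group -> user setting.
A value of 0 at the user or group level means "not set, inherit".
"""
import shlex

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """
config user local
    edit "alice"
        set authtimeout 30
    next
    edit "bob"
        set authtimeout 0
    next
    edit "carol"
    next
    edit "dave"
    next
end
config user group
    edit "staff"
        set member "bob" "carol"
        set authtimeout 120
    next
    edit "contractors"
        set member "alice"
    next
end
config user setting
    set authtimeout 480
end
"""

AUTHTIMEOUT_MIN, AUTHTIMEOUT_MAX = 0, 43200  # range documented in the article


def parse_config(text):
    """Parse the config/edit/set/next/end structure into nested dicts.

    Returns {"user local": {name: {key: [values]}}, "user group": {...},
             "user setting": {key: [values]}}.
    """
    sections = {}
    section = None  # current 'config ...' table, e.g. "user local"
    entry = None    # current 'edit ...' object, or None when directly under config
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
            entry = None
        elif line.startswith("edit "):
            entry = shlex.split(line[len("edit "):])[0]
            sections[section].setdefault(entry, {})
        elif line.startswith("set "):
            key, *values = shlex.split(line[len("set "):])
            target = sections[section] if entry is None else sections[section][entry]
            target[key] = values
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return sections


def timeout_value(values):
    """Convert a parsed 'set authtimeout' value to int; missing means 0 (inherit)."""
    if not values:
        return 0
    minutes = int(values[0])
    if not AUTHTIMEOUT_MIN <= minutes <= AUTHTIMEOUT_MAX:
        raise ValueError(f"authtimeout {minutes} outside {AUTHTIMEOUT_MIN}-{AUTHTIMEOUT_MAX}")
    return minutes


def effective_authtimeout(config, username):
    """Return (minutes, source) following user -> group -> user setting precedence.

    Assumption: if a user is in several groups that each set a non-zero
    authtimeout, the first matching group in config order wins.
    """
    local = config.get("user local", {})
    if username not in local:
        raise KeyError(f"unknown local user {username!r}")
    user_minutes = timeout_value(local[username].get("authtimeout"))
    if user_minutes > 0:
        return user_minutes, "user"
    for group_name, group in config.get("user group", {}).items():
        if username in group.get("member", []):
            group_minutes = timeout_value(group.get("authtimeout"))
            if group_minutes > 0:
                return group_minutes, f"group:{group_name}"
    global_minutes = timeout_value(config.get("user setting", {}).get("authtimeout"))
    return global_minutes, "user setting"


def audit(text):
    """Return {user: (minutes, source)} for every local user in the snippet."""
    config = parse_config(text)
    return {u: effective_authtimeout(config, u) for u in config.get("user local", {})}


if __name__ == "__main__":
    for user, (minutes, source) in audit(SAMPLE_CONFIG).items():
        print(f"{user:8} {minutes:6d} min  (from {source})")
```

Running the script lists each local user with the timeout that will actually be enforced and the level it came from, which is the quickest way to confirm that a per-user or per-group override is really in effect rather than silently falling back to the global value.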
Related articles:
Technical Tip: Change session ttl on firewall policy
Technical Tip: Stop FortiClient from attempting AutoConnect when there is Always-Up + auth-timeout setup from FortiGate
