Technical Tip: Configure FSSO user timeout when connection to collector agent fails
Description
This article describes how to configure how long FSSO users are retained in the FortiGate firewall authentication list after the connection to the Collector Agent fails.
Scope
FortiGate.
Solution
- Previously, FSSO logons were removed from the FortiGate immediately when the Collector Agent was disconnected from it.
- From FortiOS v6.4.7 and v7.0.1 onwards, it is possible to control how long the FortiGate retains these FSSO logons after a Collector Agent disconnection by using the settings below.
config user fsso
    edit CA
        set server <server-IP>
        set password <string>
        set logon-timeout <in minutes> /// (1 - 2880, default = 5)
    next
end
Traffic from SSO users continues to be processed by the SSO policies for the duration of the specified timeout, even if the connection to the Collector Agent is lost.
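To review which retention window each Collector Agent entry actually has, the following added example (not Fortinet code) parses the `config user fsso` section of a configuration backup and reports `logon-timeout` per entry, using the range and default given above. It assumes that an entry with no `set logon-timeout` line is using the default and that the section contains no nested `config` blocks; the sample configuration, agent names and addresses are constructed.

```python
import re

DEFAULT_TIMEOUT = 5          # minutes, default stated in the article
VALID_RANGE = (1, 2880)      # minutes, range stated in the article

# Constructed sample of a configuration backup; names and addresses are made up.
SAMPLE_CONFIG = """\
config user fsso
    edit "CA"
        set server "192.0.2.10"
        set logon-timeout 30
    next
    edit "CA-branch"
        set server "192.0.2.20"
    next
end
config user group
    edit "sso-users"
        set group-type fsso-service
    next
end
"""

def fsso_logon_timeouts(config_text):
    """Return {agent_name: (timeout_minutes, explicitly_set, in_range)}."""
    results = {}
    in_fsso = False   # True while inside "config user fsso" ... "end"
    agent = None      # name of the "edit" entry currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user fsso":
            in_fsso = True
        elif in_fsso and line == "end":
            in_fsso = False
        elif in_fsso and line.startswith("edit "):
            agent = line[5:].strip().strip('"')
            # Assumption: no explicit line in the backup means the default applies.
            results[agent] = (DEFAULT_TIMEOUT, False, True)
        elif in_fsso and agent and line == "next":
            agent = None
        elif in_fsso and agent:
            m = re.fullmatch(r"set logon-timeout (\d+)", line)
            if m:
                value = int(m.group(1))
                ok = VALID_RANGE[0] <= value <= VALID_RANGE[1]
                results[agent] = (value, True, ok)
    return results

if __name__ == "__main__":
    for name, (minutes, explicit, ok) in fsso_logon_timeouts(SAMPLE_CONFIG).items():
        print(f"{name}: {minutes} min ({'configured' if explicit else 'default'}) in_range={ok}")
```
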
