Skip to main content
Vladimir_Ostrovsky
Vladimir_Ostrovsky
New Member
January 30, 2018
Question

Hard timeout for authenticated Explicit Web Proxy sessions

  • January 30, 2018
  • 2 replies
  • 9505 views

Good day, I'm using Explicit Web Proxy with Kerberos authentication, as described here. The authentication works, but I noticed that user session remains active as long as browser keeps sending queries via the proxy. Only after it doesn't deliver any traffic during period defined in this variable:

config system global

    ...

    proxy-auth-timeout NN

    ...

end

- only then the session is removed, so that at next request the authentication process will repeat and a list of groups will be fetched from LDAP.

 

I've set the timeout type to hard:

config user setting     set auth-timeout 3     set auth-timeout-type hard-timeout end

but it seems to be ignored, as well as auth-timeout value (and as authtimeout value at user group level).

My question is: is it possible to set hard timeout for Explicit Proxy sessions? So that after some time (say, 10 minutes) user's group memberships will be pulled from LDAP regardless to whether the user's browser is active or not? My FortiGate's firmware version is v5.6.3. Thanks, Vladimir.

    2 replies

    Fishbone_FTNT
    Staff
    Fishbone_FTNT
    Staff
    January 30, 2018

    Hello Vladimir,

    your observation is correct. The user identity is kept as long as the user IP has opened browser tcp session to the proxy.

     

    There will be more controls to this coming in new FortiOS versions, where you could enforce user reauthentication, regardless of user (in)activity. There will be also changes in detection modes how user is being detected as idle. At this time, if there is no session to the proxy, idle timeout is expiring.

    So I think better solution is on the way.

     

    Fishbone)(

    Vladimir_Ostrovsky
    Vladimir_OstrovskyAuthor
    New Member
    January 30, 2018

    Fishbone, thank you very much.

    FortiKoala
    Staff
    FortiKoala
    Staff
    January 31, 2018

    Please make sure the you have "Keep-alive" option is disabled in the Global config. The authentication keepalive page can be Disabled by the CLI command: # config system global # set auth-keepalive disable # end When enabled the HTML page will be displayed and the firewall authentication keepalive will prevent sessions from ending when the authentication timeout ends.

     

    This article may help http://kb.fortinet.com/kb....do?externalID=FD37221

    Vladimir_Ostrovsky
    Vladimir_OstrovskyAuthor
    New Member
    January 31, 2018

    Thank you, it's disabled (it's a default value, as I understand).

    Terms & ConditionsAccessibility statement