Question: Logging out???
Contributor, February 3, 2011
10 replies, 17267 views
Dear Friends, I'm using a FortiGate 100A and I have configured the access by authentication page (by way of an external RADIUS). All works fine but, when a client wants to logout, what is the page to go to for logging out? In other words, how can a client logout from the connection? Best regards, Renzo Rucco


    Carl_Wallmark
    New Member
    February 3, 2011
    Hi, and welcome. I think you have to enable a "keepalive" webpage from the CLI; check the documentation at docs.fortinet.com. It's a small webpage that will be running in the background, and I think it has a "logout" button on it.
    ede_pfau
    SuperUser
    February 3, 2011
    Authentication happens at various places in FortiOS. As you can authenticate via HTTP (browser) but also via telnet or ftp, there is no general "logout" feature. Instead, disconnection is done via timeouts.

    For firewall auth (identity based policy):
    - the auth-timeout, which prompts the user to re-authenticate anyway, idle or not.

        config user setting
            set auth-timeout <minutes_int>
        end

    or in the GUI: User > User > Authentication: Authentication Timeout (1-480 min).

    For SSL VPN, there are 2 timeouts:
    - the idle timeout, which disconnects the user if there is no traffic
    - the auth-timeout, which prompts the user to re-authenticate anyway, idle or not.

    Both can be set in the CLI:

        config vpn ssl settings
            set idle-timeout <seconds_int>
            set auth-timeout <seconds_int>
        end

    or in the GUI: VPN > SSL > Config: Idle Timeout (1-28800 sec).
    Contributor
    February 3, 2011
    I made the activation of auth-keepalive as follows:

        config system global
            set auth-keepalive enable
        end

    and my conf now is:

        config system global
            set auth-keepalive enable
            set auth-secure-http enable
            set auth-type http https
            set authtimeout 10
            set dst enable
            set hostname "FG100Axxxxxxxxx"
            set ntpserver "pool.ntp.org"
            set syncinterval 60
            set timezone 26
        end

    but no window shows the logout link. Can you help me... Best regards, Renzo
    Contributor
    February 3, 2011
    The question is as follows: I have to configure access to a laboratory used by students for access to the Internet. Authentication is done through an external RADIUS server and works fine. When a student sits at the station, he is authenticated, browses, and then goes away. If he does not log out, when another student sits down the session is still active and he continues to browse with the credentials of the other student. Best regards, Renzo Rucco
    Contributor
    February 4, 2011
    Excuse me, but what is the logout URL? How is it made? Can anyone help me? Best regards, Renzo Rucco
    Contributor
    February 7, 2011
    Excuse me, but is it possible that there is no way to directly call a URL to do a logout from the authenticated session? Excuse me if I insist, but I am completely blocked at this stage; if I fail, I will be forced to leave the FortiGate. Best regards, Renzo
    Fullmoon
    New Member
    February 7, 2011
    What if you open a ticket with Fortinet itself to confirm whether the feature you're looking for is possible or not?
    ede_pfau
    SuperUser
    February 7, 2011
    Authentication happens at various places in FortiOS. As you can authenticate via HTTP (browser) but also via telnet or ftp, there is no general "logout" feature. Instead, disconnection is done via timeouts.
    Sorry for quoting myself. This is the answer to your question, and the reason for it. It is true that during SSL VPN a second browser window is opened. In this window a small script is executing which keeps the auth timeout from expiring. If you close that window, the auth timeout will expire and the user will be forced to re-authenticate. This is not what you were looking for, but as it was mentioned I thought to clarify this. What you could do is set the auth timeout quite short - but this will annoy users that are on longer sessions. There is no "session tear-down" when an authenticated user quits, as the firewall will never know he quit - there is no feedback from the user.
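    The timeout behaviour ede_pfau describes (auth-timeout forces re-authentication idle or not; idle-timeout only drops an entry when no traffic is seen) and Renzo's shared-lab scenario, modelled as an added Python example that is not FortiOS code and not from anyone in this thread. The clock, the IP 10.0.0.5, the student names and the timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthEntry:
    user: str
    authenticated_at: int  # seconds into the scenario (constructed clock)
    last_traffic: int


class AuthTable:
    """Authenticated-client table keyed by source IP. Once an IP is in the
    table its traffic is simply allowed until a timeout removes the entry,
    which is why a second person at the same PC inherits the first login."""

    def __init__(self, auth_timeout: int, idle_timeout: Optional[int] = None):
        self.auth_timeout = auth_timeout  # forces re-auth, idle or not
        self.idle_timeout = idle_timeout  # None: only the auth-timeout applies
        self.entries: Dict[str, AuthEntry] = {}

    def login(self, ip: str, user: str, now: int) -> None:
        self.entries[ip] = AuthEntry(user, now, now)

    def expire(self, now: int) -> None:
        for ip, e in list(self.entries.items()):
            too_old = now - e.authenticated_at >= self.auth_timeout
            idle = self.idle_timeout is not None and now - e.last_traffic >= self.idle_timeout
            if too_old or idle:
                del self.entries[ip]

    def traffic(self, ip: str, now: int) -> Optional[str]:
        """Return the user this traffic is attributed to, or None if the
        source would be sent back to the authentication page."""
        self.expire(now)
        e = self.entries.get(ip)
        if e is None:
            return None
        e.last_traffic = now
        return e.user


def shared_workstation(auth_timeout: int, idle_timeout: Optional[int] = None) -> Optional[str]:
    """Constructed lab scenario: student A authenticates at 10.0.0.5, browses
    for 5 minutes and leaves without logging out; student B sends the first
    request from the same PC 2 minutes later. Returns who B is seen as."""
    table = AuthTable(auth_timeout, idle_timeout)
    table.login("10.0.0.5", "studentA", now=0)
    for t in range(30, 301, 30):  # A's browsing, one request every 30 s
        table.traffic("10.0.0.5", now=t)
    return table.traffic("10.0.0.5", now=420)  # B's first request
```

    With the thread's 10-minute auth timeout B is still attributed to studentA; only an auth-timeout shorter than the gap, or an idle timeout, sends B to the login page, which is the trade-off with long sessions ede_pfau points out.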
    TopJimmy
    New Member
    February 8, 2011
    Would another option be to use FSAE? If the user is authenticated to the AD domain or eDir, then it allows access. If the user logs out of the AD domain or eDir, then it deauthenticates them from the firewall. Correct? Follow up: I do think Fortinet should put a "logout" process in it for firewall authentication. They do it for SSL VPN and for admin access, so why not for end users?
    jmac
    New Member
    February 8, 2011
    FSAE is only used for authentication, not for logoffs. Windows domain controllers do not receive logout information either, so it cannot be passed along via FSAE. FSAE deauthenticates connections based on a combination of a timeout setting in the FSAE config and polling the Windows workstations to determine if the authenticated user is still logged on. If the polling process (workstation verify interval) can no longer verify that the user is logged in, they will be deauthenticated when the "dead entry timeout interval" expires.
    ede_pfau
    SuperUser
    February 9, 2011
    They do it for SSL VPN and for admin access, so why not for end users?
    Because in the case of SSL VPN or admin access the 'stateful' device is the FG itself. It has full control over the session it has allowed. So when you click the 'logout' button it kills the corresponding session. For IBPs, the first problem is how to authenticate: it takes an interactive process to enter credentials. So you can use HTTP, HTTPS, ftp or telnet. How would a user notify the FG that he/she wants to log out? After all, traffic from the user is authenticated and the firewall is no longer watching it. I am still trying to think of a decent way to handle a logout request interactively if all the FG sees is a data stream. And when the user logs out and somehow notifies the FG of this fact, should all of his sessions be killed? Or certain protocols only, or sessions from a certain host only? Ain't that easy.
    Contributor
    February 9, 2011
    The authentication process is successful through a web page. All you need is a direct address URL, for example http://192.168.1.1/logout (as many other manufacturers do it: for example D-Link DFL210), which is communicated to the client and through which he makes a logout. Best regards, Renzo Rucco