Description

This article describes how to configure the keepalive page to be shown when the user accesses the internet.

Scope

FortiGate.

Solution

By default, the authentication portal expires after the login prompt. Enabling the keepalive feature through a global setting makes it possible to maintain a session on the portal page and achieve a logout feature.

Authentication keep-alive is disabled by default. Enable it in a global setting via CLI.

config system global

    set auth-keepalive enable

end

After the login attempt, keepalive with the logout button will be displayed. The session time depends on the user's settings and global settings.

It is possible to modify the user auth timeout and session time for more granularity.

config user setting

    set auth-cert "Fortinet_Factory"

    set auth-on-demand always

    set auth-timeout 1440

    set auth-timeout-type new-session

end

config sys global

(global) set auth-session-limit block-new 

block-new          <----- Block new user authentication attempts.

logout-inactive    <----- Logout the most inactive user authenticated sessions.

It is possible to view the authenticated user inside the Dashboard 'User & Device' on the Firewall Users section.

Note: It is also possible to disable the auth-keepalive page and still be able to provide users with a logout option using the below article:
Technical Tip: Replacement of Auth-Keepalive Page

Related article:
Technical Tip: Captive portal user logout from the client machine and direct url to login to captive...