Debbie_FTNT
Staff
Article Id 191776

Description
This article describes a known issue with Chromium-based browsers (Chrome, Edge, etc.) and Captive Portal authentication on FortiGate that can cause unintended authentication timeouts.

Solution
For Captive Portal authentication, FortiGate offers a keepalive page that keeps the authentication active so that it does not time out.

This can be configured here:

# config system global
    set auth-keepalive enable
end

With this configured, users are presented with a keepalive page after authenticating and are directed to start browsing in a new tab, leaving the keepalive page open in the background. However, this can cause unintended authentication timeouts with Chrome and other Chromium-based browsers.

Chrome version 88 introduced a change in how background tabs are handled.
In particular, background tabs are throttled, so any scripts running in them execute much more slowly: https://developer.chrome.com/blog/timer-throttling-in-chrome-88/


The keepalive page FortiGate provides for authentication contains a JavaScript script that triggers a burst of traffic to the FortiGate to keep the connection up and running.
With the change in Chrome, this script runs too slowly and the FortiGate registers that a keepalive message is missing.

The FortiGate then de-authenticates the user.
The user will need to authenticate again on the next connection attempt, triggering the redirect to the authentication portal.
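
The timing interaction described above, as an added simulation (not FortiGate's keepalive script or any Fortinet code). The keepalive interval and the FortiGate tolerance window are assumed values for illustration; the throttling model is a simplified form of the behaviour in the linked Chrome post, where timers in a tab hidden for more than five minutes run once per minute.

```javascript
// Simplified model (added example): a keepalive timer in a Chromium tab and
// the gateway's view of it. Interval and window values passed in are ASSUMED.
const INTENSIVE_AFTER_SEC = 300; // Chrome 88+: tab hidden for more than 5 minutes
const INTENSIVE_WAKE_SEC = 60;   // throttled timers then run once per minute
const BACKGROUND_WAKE_SEC = 1;   // ordinary background-tab timer alignment

// When does a timer that is due at `dueSec` actually run?
function fireTime(dueSec, hiddenAtSec) {
  if (hiddenAtSec === null || dueSec < hiddenAtSec) return dueSec; // foreground tab
  const hiddenFor = dueSec - hiddenAtSec;
  const step = hiddenFor > INTENSIVE_AFTER_SEC ? INTENSIVE_WAKE_SEC : BACKGROUND_WAKE_SEC;
  return hiddenAtSec + Math.ceil(hiddenFor / step) * step;
}

// Replays a chained keepalive timer and reports when the gateway would
// drop the session because the gap between keepalives exceeded its window.
function simulateKeepalive({ intervalSec, serverWindowSec, hiddenAtSec, durationSec }) {
  const sends = [];
  let last = 0; // authentication completes at t = 0
  for (;;) {
    const fire = fireTime(last + intervalSec, hiddenAtSec);
    if (fire - last > serverWindowSec) {
      const deauth = last + serverWindowSec;
      return { sends, deauthAtSec: deauth <= durationSec ? deauth : null };
    }
    if (fire > durationSec) return { sends, deauthAtSec: null };
    sends.push(fire);
    last = fire;
  }
}

// Constructed scenario: 20 s keepalive, 45 s tolerance, 15 minutes observed.
const base = { intervalSec: 20, serverWindowSec: 45, durationSec: 900 };
const foreground = simulateKeepalive({ ...base, hiddenAtSec: null });
const background = simulateKeepalive({ ...base, hiddenAtSec: 0 });
const tolerant = simulateKeepalive({ ...base, serverWindowSec: 90, hiddenAtSec: 0 });

console.log("foreground tab  :", foreground.deauthAtSec);
console.log("background tab  :", background.deauthAtSec);
console.log("90 s tolerance  :", tolerant.deauthAtSec);
```

In this model the background session survives only if the gateway tolerates a gap of at least 60 seconds between keepalives, whatever interval the script asks for.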

There are a few workarounds available:

1) Use a non-Chromium browser.

Any browser using a recent Chromium codebase may be affected, such as Edge or Opera.
Browsers that use a different codebase, such as Firefox, should not be affected unless a similar change is introduced to them at a later date.

2) Disable keepalive.

# config system global
    set auth-keepalive disable
end

With the keepalive disabled, FortiGate will instead apply configured timeouts.
The default configuration is an idle-timeout of five minutes; if the FortiGate did not receive any traffic from the user in the last five minutes, the user is de-authenticated.

This can require re-authentication after a coffee or lunch break, for example.



Related Articles

Technical Tip: Explanation of auth-timeout types for Firewall authentication users
