Technical Tip: Explanation of auth-timeout types for Firewall authentication users

ppatel · ‎09-21-2015

Description

This article discusses the different types of authentication timeout types available in FortiOS.

Authentication timeout is applicable only for firewall authenticated users, not for SSO users.

Solution

By default the authentication timeout is set to 5 minutes.

FGT# show full-configuration user setting
set auth-timeout 5

The authentication timeout can be changed globally.

FG100D3G16xxxxxx # config user setting
FG100D3G16xxxxxx (setting) # set auth-timeout
<timeout_integer> The auth time-out range is 1-1440 minutes (24 hours)
FG100D3G16xxxxxx (Guest-group) # end

By default all user groups use the global auth timeout value. In case this value is to be changed for a particular user group, use:

FG100D3G16xxxxxx # config user group
FG100D3G16xxxxxx (group) # edit Guest-group
FG100D3G16xxxxxx (Guest-group) # set authtimeout
<integer> The auth time-out range is 0-1440 minutes (0 = use global authtimeout value)
FG100D3G16xxxxxx (Guest-group) # end

The 'auth-timeout type' global setting controls how the authentication entry is removed.

# config user setting
set auth-timeout-type ?
idle-timeout Idle timeout.
hard-timeout Hard timeout.
new-session New session timeout.

By default, authentication timeout type is set to "idle-timeout".

Idle timeout: User entry will be removed if there is no traffic received for configured idle time (5 minutes by default).
Example

User1 authenticated by identity based policy and granted to access resources.
Now the User1 idle timer can be triggered if there is no traffic received from the user, this can happen in one of the following scenarios;

- User locked the computer
- User logged out of the computer.
- User PC disconnected from network.
- User PC shutdown or put to standby mode.

If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default), user authentication entry will be removed.

If the user tries to access resources now, FortiGate will prompt the user to authenticate again.

Hard timeout: User entry will be removed after the configured auth- timeout value
Example

User1 authenticated by identity based policy and granted to access resources.
FortiGate will forcefully remove the user authentication entry after configured auth-timeout setting (5 minutes by default). This is done irrespective of traffic received or not from the user.
Once the authentication entry is removed, user will be prompted to authenticate for further requests.

New-session timeout: User will be prompted to authenticate for new sessions after the configured auth-timeout timer.
Example

User1 authenticated by identity based policy and generate a request to www.fortinet.com.
User will start a download from www.fortinet.com and does not generate further requests.
After 5 minutes (default auth-timeout), user tries to access www.google.com, now FortiGate will ask the user to authenticate again but the existing download to www.fortinet.com will not be terminated.

Configuration CLI.

# config user setting
set auth-timeout-type
idle-timeout Idle timeout.
hard-timeout Hard timeout.
new-session New session timeout.