FGT# show full-configuration user setting
set auth-timeout 5
The authentication timeout can be changed globally.
FG100D3G16xxxxxx # config user setting
FG100D3G16xxxxxx (setting) # set auth-timeout <timeout_integer>
The auth time-out range is 1-1440 minutes (24 hours)
FG100D3G16xxxxxx (Guest-group) # end
By default, all user groups use the global auth timeout value. To change this value for a particular user group, use:
FG100D3G16xxxxxx # config user group
FG100D3G16xxxxxx (group) # edit Guest-group
FG100D3G16xxxxxx (Guest-group) # set authtimeout <integer>
The auth time-out range is 0-1440 minutes (0 = use global authtimeout value)
FG100D3G16xxxxxx (Guest-group) # end
The 'auth-timeout-type' global setting controls how the authentication entry is removed.
# config user setting
set auth-timeout-type ?
idle-timeout    Idle timeout.
hard-timeout    Hard timeout.
new-session     New session timeout.
By default, the authentication timeout type is set to "idle-timeout".

Idle timeout: The user entry is removed if no traffic is received for the configured idle time (5 minutes by default).

Example
User1 is authenticated by an identity-based policy and granted access to resources.
The User1 idle timer can now be triggered if no traffic is received from the user. This can happen in one of the following scenarios:
- User locked the computer.
- User logged out of the computer.
- User PC disconnected from the network.
- User PC shut down or put into standby mode.
If no traffic is received from the user IP address for the configured auth-timeout (5 minutes by default), the user authentication entry is removed.
If the user then tries to access resources, FortiGate prompts the user to authenticate again.

Hard timeout: The user entry is removed after the configured auth-timeout value.

Example
User1 is authenticated by an identity-based policy and granted access to resources.
FortiGate forcefully removes the user authentication entry after the configured auth-timeout setting (5 minutes by default). This is done irrespective of whether traffic is received from the user.
Once the authentication entry is removed, the user is prompted to authenticate for further requests.

New-session timeout: The user is prompted to authenticate for new sessions after the configured auth-timeout timer.

Example
User1 is authenticated by an identity-based policy and generates a request to www.fortinet.com.
The user starts a download from www.fortinet.com and does not generate further requests.
After 5 minutes (default auth-timeout), the user tries to access www.google.com. FortiGate now asks the user to authenticate again, but the existing download from www.fortinet.com is not terminated.

Configuration CLI.
# config user setting
set auth-timeout-type
idle-timeout    Idle timeout.
hard-timeout    Hard timeout.
new-session     New session timeout.
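
An added example (not Fortinet code and not part of the original article): a small Python check that reads FortiGate configuration text and reports the timeout type, the global auth-timeout, and the effective timeout for each user group, applying the defaults and ranges stated above. The sample configuration is constructed, and the function name effective_auth_timeouts is an assumption.

```python
# Constructed sample in FortiOS config layout (not taken from a real device).
SAMPLE_CONFIG = """
config user setting
    set auth-timeout 30
    set auth-timeout-type hard-timeout
end
config user group
    edit "Guest-group"
        set authtimeout 10
    next
    edit "Staff"
        set authtimeout 0
    next
    edit "Contractors"
    next
end
"""

def effective_auth_timeouts(config_text):
    """Return (timeout_type, global_minutes, {group: effective_minutes})."""
    global_timeout, timeout_type = 5, "idle-timeout"  # defaults stated on the page
    stack, group, groups = [], None, {}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))      # track nested config blocks
        elif words[0] == "end" and stack:
            stack.pop()
        elif stack == ["user group"]:
            if words[0] == "edit" and len(words) > 1:
                group = raw.split(None, 1)[1].strip().strip('"')
                groups[group] = 0                  # 0 = use the global value
            elif words[0] == "next":
                group = None
            elif words[:2] == ["set", "authtimeout"] and group and len(words) > 2:
                groups[group] = int(words[2])
        elif stack == ["user setting"] and words[0] == "set" and len(words) > 2:
            if words[1] == "auth-timeout":
                global_timeout = int(words[2])
            elif words[1] == "auth-timeout-type":
                timeout_type = words[2]
    if not 1 <= global_timeout <= 1440:
        raise ValueError(f"global auth-timeout {global_timeout} outside 1-1440")
    for name, minutes in groups.items():
        if not 0 <= minutes <= 1440:
            raise ValueError(f"group {name!r} authtimeout {minutes} outside 0-1440")
    return timeout_type, global_timeout, {n: m or global_timeout for n, m in groups.items()}

if __name__ == "__main__":
    print(effective_auth_timeouts(SAMPLE_CONFIG))
```

Groups that omit authtimeout or set it to 0 are reported with the global value, which makes it easy to spot groups whose authenticated sessions stay valid longer than intended.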