FortiGate
duenlim
Staff
Article Id 229982
Description This article explains the different timeout mechanisms available for Explicit Proxy authentication in FortiGate, including proxy-auth-timeout, proxy-auth-lifetime, and proxy-re-authentication-mode. It clarifies how these settings affect user re-authentication behavior based on session activity, traffic, and absolute lifetime.
Scope FortiGate.
Solution

Related article:

Technical Tip: Explanation of auth-timeout types for Firewall authentication users

 

The following authentication timeout timers apply to Explicit Proxy authentication. Note that the proxy user list and the firewall user list are separate lists, which is a common source of confusion: the related article linked above explains the timeouts for the firewall user list only.

 

config system global
proxy-auth-timeout <----- Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10). Starting with v7.6.3, the maximum value under 'config system global' was expanded from 300 to 10000.

 

config system global
proxy-re-authentication-mode

 

Controls whether users must re-authenticate after a session is closed, after traffic has been idle, or from the point at which the user was first created.

  • session: Proxy re-authentication timeout begins at the closure of the session.
  • traffic: Proxy re-authentication timeout begins after traffic has not been received.
  • absolute: Proxy re-authentication timeout begins when the user was first created.

 

Refer to the below article for Proxy users' lifetime control: Technical Tip: Proxy users lifetime control

 

Examples:


proxy-auth-lifetime : enable <----- It is disabled by default.
proxy-auth-lifetime-timeout: 720
proxy-auth-timeout : 300
proxy-re-authentication-mode: traffic

 

  • If there is no traffic for 5 hours (300/60), the user times out and the end user must authenticate again.
  • Even if traffic is continuous (for example, streaming online music), after 12 hours (720/60) the end user is still forced to authenticate again.

 

  1. When 'proxy-auth-lifetime' is enabled and 'proxy-auth-lifetime-timeout' is set to a value, all information about the user in WAD is removed when the 'proxy-auth-lifetime-timeout' timer expires. This timer starts counting down when the user is created in WAD.
  2. The granularity of the 'proxy-auth-lifetime-timeout' timer is 5 minutes. This means that if it is set to 5 minutes, the timer may expire after 5+5=10 minutes, and if it is set to 30 minutes, it may expire after 30+5=35 minutes. In a scenario where LDAP authentication and FSSO CA coexist to support both non-domain machines and domain-joined machines, 'proxy-auth-lifetime' will eventually conflict with the FSSO CA timer.
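The following is an added example written for this article, not FortiOS code. It is a small Python model of the three timers described above (proxy-auth-timeout under each proxy-re-authentication-mode, plus the proxy-auth-lifetime cap with its 5-minute granularity), so the interaction in the example values (300 / 720 / traffic) can be checked minute by minute. The event kinds ('traffic', 'session_close'), the function names and the choice that in 'session' mode no idle timer runs before the first session closes are assumptions of the model.

```python
# Illustrative model of FortiGate explicit-proxy re-authentication timers.
# Example code for this article, not FortiOS code. All times are in minutes
# counted from an arbitrary zero; event kinds and function names are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIFETIME_GRANULARITY = 5  # the lifetime timer is evaluated in 5-minute steps (per the article)

Event = Tuple[int, str]   # (minute, "traffic" | "session_close")


@dataclass
class ProxySettings:
    """Values from 'config system global'."""
    proxy_auth_timeout: int = 10                    # 1-300 min (max 10000 from v7.6.3)
    proxy_re_authentication_mode: str = "session"   # session | traffic | absolute
    proxy_auth_lifetime: bool = False               # disabled by default
    proxy_auth_lifetime_timeout: int = 0            # only consulted when lifetime is enabled


# The article's example values.
EXAMPLE = ProxySettings(
    proxy_auth_timeout=300,
    proxy_re_authentication_mode="traffic",
    proxy_auth_lifetime=True,
    proxy_auth_lifetime_timeout=720,
)


def idle_timer_start(mode: str, created_at: int, events: List[Event]) -> Optional[int]:
    """Minute from which proxy-auth-timeout starts counting, per re-authentication mode."""
    if mode == "absolute":
        return created_at                              # counts from user creation
    if mode == "traffic":
        traffic = [t for t, kind in events if kind == "traffic"]
        return max(traffic) if traffic else created_at  # counts from the last packet seen
    if mode == "session":
        closes = [t for t, kind in events if kind == "session_close"]
        return max(closes) if closes else None          # assumption: nothing runs until a session closes
    raise ValueError(f"unknown proxy-re-authentication-mode: {mode}")


def lifetime_expiry_window(created_at: int, settings: ProxySettings) -> Optional[Tuple[int, int]]:
    """(earliest, latest) minute at which the lifetime timer can fire, or None if disabled.

    Because the timer is checked in 5-minute steps, expiry lands somewhere between the
    nominal value and nominal + 5 (e.g. 30 -> between 30 and 35).
    """
    if not settings.proxy_auth_lifetime:
        return None
    nominal = created_at + settings.proxy_auth_lifetime_timeout
    return nominal, nominal + LIFETIME_GRANULARITY


def next_reauth(created_at: int, events: List[Event], settings: ProxySettings, now: int):
    """Return (required, reason, deadline) for the user at minute 'now'.

    'reason' is "idle" (proxy-auth-timeout) or "lifetime" (proxy-auth-lifetime-timeout);
    for the lifetime timer the worst-case (latest) minute is used as the deadline.
    Only events up to 'now' are taken into account.
    """
    seen = [(t, k) for t, k in events if t <= now]
    start = idle_timer_start(settings.proxy_re_authentication_mode, created_at, seen)
    candidates = []
    if start is not None:
        candidates.append((start + settings.proxy_auth_timeout, "idle"))
    window = lifetime_expiry_window(created_at, settings)
    if window is not None:
        candidates.append((window[1], "lifetime"))
    if not candidates:
        return False, None, None
    deadline, reason = min(candidates)
    return now >= deadline, reason, deadline


if __name__ == "__main__":
    # Constructed scenarios with the article's example settings.
    silent = [(0, "traffic")]                                   # one request, then nothing
    keep_alive = [(t, "traffic") for t in range(0, 721, 60)]    # a request every hour
    print("silent user at 5h:     ", next_reauth(0, silent, EXAMPLE, 300))
    print("busy user at 11h40m:   ", next_reauth(0, keep_alive, EXAMPLE, 700))
    print("busy user at 12h05m:   ", next_reauth(0, keep_alive, EXAMPLE, 725))
```

With the example settings, a user whose traffic stops is cut off by the 300-minute idle timer, while a user who keeps generating traffic is cut off by the 720-minute lifetime timer, no later than minute 725 because of the 5-minute granularity.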