FortiGate
duenlim
Staff
Article Id 229982
Description This article describes how the Explicit Proxy authentication timeout works.
Scope FortiGate.
Solution

Related article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Fire...


The following authentication timeout timers apply to Explicit Proxy authentication. Note that the proxy user list and the firewall user list are separate lists, which is a common source of confusion: the article linked above explains the timeouts for the firewall user list, whereas the timers below control the proxy user list.


# config system global
    set proxy-auth-timeout <minutes>   <----- Authentication timeout in minutes for authenticated proxy users (1 - 300 min, default = 10).
end


# config system global
    set proxy-re-authentication-mode {session | traffic | absolute}
end

Controls when the 'proxy-auth-timeout' countdown starts: when a session is closed, when traffic has gone idle, or from the point at which the user entry was first created.

- session: the proxy re-authentication timeout starts when the session is closed.
- traffic: the proxy re-authentication timeout starts when no more traffic is received from the user (new traffic restarts the countdown).
- absolute: the proxy re-authentication timeout starts when the user entry is first created, regardless of traffic.


Refer to the below article for Proxy user's lifetime control:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Proxy-users-lifetime-control/ta-p/192401


Examples:


proxy-auth-lifetime : enable <----- It is disabled by default.
proxy-auth-lifetime-timeout: 720
proxy-auth-timeout : 300
proxy-re-authentication-mode: traffic


- If no traffic is seen for 5 hours (300 minutes / 60), the user entry times out and the end user must authenticate again.
- Even if traffic never stops (for example, an online music stream), after 12 hours (720 minutes / 60) the end user is still forced to authenticate again, because the lifetime timer is absolute.


1) When 'proxy-auth-lifetime' is enabled and 'proxy-auth-lifetime-timeout' is set, all of that user's information in wad (the proxy daemon) is removed when the 'proxy-auth-lifetime-timeout' timer expires. The timer starts counting down when the user entry is created in wad, independent of traffic.


2) The 'proxy-auth-lifetime-timeout' timer is evaluated with a granularity of 5 minutes. A value of 5 minutes may therefore expire only after 5+5=10 minutes, and a value of 30 minutes after 30+5=35 minutes; plan for up to 5 minutes of extra lifetime.


In a scenario where LDAP authentication (for non-domain machines) and the FSSO Collector Agent (for domain-joined machines) are both used for proxy authentication, 'proxy-auth-lifetime' will eventually conflict with the FSSO Collector Agent timer.


3) Starting with FortiOS 7.0.1 there is an option to cache Windows LDAP users for a long time (this is not supported for other vendors' LDAP servers).


# config web-proxy global
    set ldap-user-cache [enable|disable]  <---- disabled by default.
end


If the option above is enabled, 'proxy-auth-lifetime-timeout' has no effect, because the firewall relies on the cached user information held on the firewall itself.
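Putting the settings from this article together, the following is an added example (not part of the original article) that applies the timer values used in the example above and then checks the resulting proxy user entries. It assumes that 'proxy-auth-lifetime' and 'proxy-auth-lifetime-timeout' sit under 'config system global' together with 'proxy-auth-timeout', and that the 'diagnose wad user' and 'diagnose firewall auth list' commands are available on the unit; both are assumptions, so verify them on the target FortiOS version.

```fortios
# Proxy user timers (system global). Values taken from the example above:
# idle timeout 300 min counted from the last traffic, absolute lifetime 720 min.
config system global
    set proxy-auth-timeout 300
    set proxy-re-authentication-mode traffic
    set proxy-auth-lifetime enable
    set proxy-auth-lifetime-timeout 720
end

# Optional (FortiOS 7.0.1 and later, Windows LDAP only): cache LDAP users in wad.
# Leave disabled if the lifetime timer above is expected to take effect,
# because with the cache enabled proxy-auth-lifetime-timeout no longer applies.
config web-proxy global
    set ldap-user-cache disable
end

# Verification (assumed diagnostics): the proxy (wad) user list is a
# different list from the firewall user list, so check the right one.
diagnose wad user list
diagnose firewall auth list

# Assumed command to drop all proxy user entries so that users re-authenticate,
# for example after changing the timers.
diagnose wad user clear
```

Compare the 'expire' values shown by 'diagnose wad user list' against the timers: with the settings above an idle entry should expire within about 300 minutes of its last traffic, and a busy entry within 720 minutes of creation plus up to 5 minutes of timer granularity.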