Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
krajaa
Staff
Staff

Created on ‎12-23-2020 05:28 AM Edited on ‎08-20-2024 08:52 AM By Moderator

Article Id 192401

Technical Tip: Proxy users lifetime control

Description

 

This article describes that it is possible to control authenticated users' lifetime using the below options.

Solution

 

'proxy-auth-lifetime' is a cap on the total time a proxy user can be authenticated after which re-authentication will take place.
It is by, default, disabled.

Once enabled, set the lifetime timeout in minutes.
Set the range between 5-65535. The default is set to 480 (or 8 hours).

The timeout option is only available when proxy-auth-lifetime is set to enable.
Once enabled, set the timeout in minutes for authenticated users.

'proxy-re-authentication-mode' option decides when the Proxy re-authentication timeout begins.

Syntax.

 

config system global
    set proxy-auth-lifetime enable
    set proxy-auth-lifetime-timeout <minutes>
    set proxy-re-authentication-mode {session | traffic | absolute}
end

 

FGT91E-1 (global) # set proxy-re-authentication-mode
Session(default)                                          <- Proxy re-authentication timeout begins at the closure of the session.
traffic                                                   <- Proxy re-authentication timeout begins after traffic has not been received.
absolute                                                  <- Proxy re-authentication timeout begins when the user was first created.

 

In 7.0 and above commands have been changed :

 

config system global

    set proxy-keep-alive-mode

 

session                                  -> Proxy keep-alive timeout begins at the closure of the session.
traffic                                  -> Proxy keep-alive timeout begins after traffic has not been received.
re-authentication                        -> Proxy keep-alive timeout begins when the user is authenticated.

 

The difference between proxy-auth-lifetime-timeout and proxy-auth-timeout:

 

proxy-auth-lifetime-timeout: This command controls the duration for which the authenticated state is valid in proxy mode. This defines the maximum time that an authenticated user session is valid before the user needs to authenticate again. It is useful for managing how long a user can remain logged in before being forced to authenticate again.

 

proxy-auth-timeout: This command defines the time limit period for proxy authentication requests. Specifically, it controls how long the proxy will wait for the authentication response from the authentication server or client before reaching the time limit. It is crucial to ensure that authentication requests are not suspended indefinitely if the authentication server is slow or does not respond, or the client does not enter credentials.

7545
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.