Description
This article describes how to control how long proxy users stay authenticated using the options below.
Solution
'proxy-auth-lifetime' is a cap on the total time a proxy user can be authenticated, after which re-authentication takes place.
It is disabled by default.
Once enabled, set the lifetime timeout in minutes for authenticated users.
The range is 5-65535. The default is 480 (8 hours).
The timeout option is only available when proxy-auth-lifetime is set to enable.
The 'proxy-re-authentication-mode' option decides when the proxy re-authentication timeout begins.
Syntax:
config system global
set proxy-auth-lifetime enable
set proxy-auth-lifetime-timeout <minutes>
set proxy-re-authentication-mode {session | traffic | absolute}
end
FGT91E-1 (global) # set proxy-re-authentication-mode
session (default) <- Proxy re-authentication timeout begins at the closure of the session.
traffic <- Proxy re-authentication timeout begins after traffic has not been received.
absolute <- Proxy re-authentication timeout begins when the user was first created.
In 7.0 and above, the commands have been changed:
config system global
set proxy-keep-alive-mode {session | traffic | re-authentication}
end
session -> Proxy keep-alive timeout begins at the closure of the session.
traffic -> Proxy keep-alive timeout begins after traffic has not been received.
re-authentication -> Proxy keep-alive timeout begins when the user is authenticated.
The difference between proxy-auth-lifetime-timeout and proxy-auth-timeout:
proxy-auth-lifetime-timeout: This command controls the duration for which the authenticated state is valid in proxy mode. This defines the maximum time that an authenticated user session is valid before the user needs to authenticate again. It is useful for managing how long a user can remain logged in before being forced to authenticate again.
proxy-auth-timeout: This command defines the time limit for proxy authentication requests. Specifically, it controls how long the proxy will wait for the authentication response from the authentication server or client before the time limit is reached. It ensures that authentication requests are not suspended indefinitely if the authentication server is slow or does not respond, or the client does not enter credentials.
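One way to check these settings across saved configurations, as an added example that is not Fortinet code: the script reads the 'config system global' block of a backup and reports when the lifetime cap is off, out of range, or longer than a site policy. The sample backup text, the function names and the policy_max_minutes threshold are assumptions made for illustration, as is the premise that settings left at their default do not appear in the backup.

```python
# Constructed sample backup text (not taken from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
    set proxy-auth-lifetime enable
    set proxy-auth-lifetime-timeout 720
    set proxy-re-authentication-mode absolute
end
"""

# Defaults and valid values as stated in the article.
DEFAULTS = {"proxy-auth-lifetime": "disable",
            "proxy-auth-lifetime-timeout": "480"}
MODE_KEYS = {"proxy-re-authentication-mode": {"session", "traffic", "absolute"},
             "proxy-keep-alive-mode": {"session", "traffic", "re-authentication"}}

def parse_system_global(text):
    """Collect 'set <key> <value>' lines inside 'config system global'."""
    settings, inside = {}, False
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["config", "system", "global"]:
            inside = True
        elif inside and words[:1] == ["end"]:
            break  # stop at the end of the global block
        elif inside and len(words) >= 3 and words[0] == "set":
            settings[words[1]] = " ".join(words[2:]).strip('"')
    return settings

def audit_proxy_auth(text, policy_max_minutes=480):
    """Return a list of findings; policy_max_minutes is a hypothetical site policy."""
    # Assumption: a setting missing from the backup is at its default.
    cfg = {**DEFAULTS, **parse_system_global(text)}
    if cfg["proxy-auth-lifetime"] != "enable":
        return ["proxy-auth-lifetime is not enabled: no lifetime cap applies"]
    findings = []
    minutes = int(cfg["proxy-auth-lifetime-timeout"])
    if not 5 <= minutes <= 65535:
        findings.append(f"lifetime timeout {minutes} is outside 5-65535")
    elif minutes > policy_max_minutes:
        findings.append(f"lifetime timeout {minutes} min exceeds policy {policy_max_minutes}")
    for key, allowed in MODE_KEYS.items():
        if key in cfg and cfg[key] not in allowed:
            findings.append(f"{key} has unexpected value {cfg[key]!r}")
    return findings

if __name__ == "__main__":
    print(audit_proxy_auth(SAMPLE_CONFIG))
```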
Copyright 2025 Fortinet, Inc. All Rights Reserved.