FortiGate
krajaa
Staff
Article Id 192401

Description

 

This article describes how to control the lifetime of authenticated proxy users using the options below.

Solution

 

'proxy-auth-lifetime' is a cap on the total time a proxy user can stay authenticated, after which re-authentication takes place.
It is disabled by default.

Once enabled, set the lifetime timeout for authenticated users in minutes with proxy-auth-lifetime-timeout.
The range is 5-65535. The default is 480 (or 8 hours).

The timeout option is only available when proxy-auth-lifetime is set to enable.


The 'proxy-re-authentication-mode' option determines when the proxy re-authentication timeout begins.

Syntax:

 

config system global
    set proxy-auth-lifetime enable
    set proxy-auth-lifetime-timeout <minutes>
    set proxy-re-authentication-mode {session | traffic | absolute}
end

 

FGT91E-1 (global) # set proxy-re-authentication-mode
Session(default)                                          <- Proxy re-authentication timeout begins at the closure of the session.
traffic                                                   <- Proxy re-authentication timeout begins after traffic has not been received.
absolute                                                  <- Proxy re-authentication timeout begins when the user was first created.

 

In 7.0 and above, the command has changed:

 

config system global
    set proxy-keep-alive-mode {session | traffic | re-authentication}
end

session                                  -> Proxy keep-alive timeout begins at the closure of the session.
traffic                                  -> Proxy keep-alive timeout begins after traffic has not been received.
re-authentication                        -> Proxy keep-alive timeout begins when the user is authenticated.

 

The difference between proxy-auth-lifetime-timeout and proxy-auth-timeout:

 

proxy-auth-lifetime-timeout: This command controls how long the authenticated state remains valid in proxy mode. It defines the maximum time that an authenticated user session is valid before the user needs to authenticate again, which makes it useful for limiting how long a user can remain logged in.

 

proxy-auth-timeout: This command defines the time limit for proxy authentication requests. Specifically, it controls how long the proxy waits for the authentication response from the authentication server or client before timing out. It ensures that authentication requests are not suspended indefinitely if the authentication server is slow or does not respond, or if the client does not enter credentials.
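
The following is an added example, not Fortinet code and not part of the original article. It audits a saved configuration for the settings described above and reports when the lifetime cap is disabled or longer than a site limit. The function names, the max_minutes policy limit and the sample configuration are assumptions made for illustration, and a setting missing from the file is assumed to be at the default the article states.

```python
import re

# Defaults as stated in the article (assumed to apply when a setting is absent).
DEFAULTS = {"proxy-auth-lifetime": "disable", "proxy-auth-lifetime-timeout": "480"}
# Pre-7.0 name first, then the 7.0+ name given in the article.
MODE_KEYS = ("proxy-re-authentication-mode", "proxy-keep-alive-mode")

def parse_system_global(config_text):
    """Collect the 'set <key> <value>' lines of the 'config system global' block."""
    settings, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            match = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if match:
                settings[match.group(1)] = match.group(2).strip('"')
    return settings

def audit_proxy_auth(config_text, max_minutes=480):
    """Return findings; max_minutes is a hypothetical site policy limit."""
    s = {**DEFAULTS, **parse_system_global(config_text)}
    findings = []
    if s["proxy-auth-lifetime"] != "enable":
        findings.append("proxy-auth-lifetime disabled: no cap on total authenticated time")
    else:
        minutes = int(s["proxy-auth-lifetime-timeout"])
        if not 5 <= minutes <= 65535:
            findings.append(f"proxy-auth-lifetime-timeout {minutes} outside 5-65535")
        elif minutes > max_minutes:
            findings.append(f"proxy-auth-lifetime-timeout {minutes} exceeds policy limit {max_minutes}")
    # Report which mode setting is explicitly configured (shows pre-7.0 vs 7.0+ syntax).
    findings += [f"{key} = {s[key]}" for key in MODE_KEYS if key in s]
    return findings

# Constructed sample (not from a real device): lifetime enabled with a 24-hour cap.
SAMPLE = """\
config system global
    set hostname "FGT-LAB"
    set proxy-auth-lifetime enable
    set proxy-auth-lifetime-timeout 1440
    set proxy-keep-alive-mode traffic
end
"""
```

Calling audit_proxy_auth(SAMPLE) returns the list of findings for the constructed configuration; pass the text of a real backup file in its place.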