FortiGate
patras (Staff)
Article Id 201710
Description

This article describes how administrators can disable the auth-keepalive page and still provide users with a logout option.

 

When a user is authenticated successfully, the default behaviour is for the FortiGate to redirect the user to the originally requested page.

Users cannot log out by themselves in that case.


Administrators can enable the 'auth-keepalive' option to open a keepalive page after the user is authenticated.

The keepalive page periodically refreshes the user's timeout period and should not be closed.

 

The user then needs to open a new browser window to access the original page.

 

This can be configured here:

 

# config system global
    set auth-keepalive enable
end

 

Chrome version 88 introduced a change in how background tabs are handled: their timers are throttled, so any scripts running in them execute much more slowly: https://developer.chrome.com/blog/timer-throttling-in-chrome-88/


The keepalive page FortiGate provides for authentication consists of a JavaScript that periodically sends a burst of traffic to the FortiGate to keep the authenticated session alive.


With the change in Chrome, this script runs too slowly and the FortiGate detects that a keepalive message is missing.

It then removes the user from the list of authenticated users.

The user must authenticate again on the next connection attempt, which triggers the redirect to the authentication portal.

Scope

FortiOS

Solution

In some environments the logout option is important, because logging a user out manually from the FortiGate is not always possible.

The settings below provide a logout option without the keepalive page.

 

First, the admin has to disable the keepalive page in the FortiGate. 

 

Scenario 1:
If the captive portal is enabled on the interface like below:

 

# config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "User Group"
    next
end


Then, it is possible to add the redirection on the same setting:


# config system interface
    edit "port2"
        set security-redirect-url "http://FGTLANIP:1000/portal?"
    next
end


Scenario 2:
If the authentication portal is enabled in a firewall policy, instead of a LAN interface like below:


# config firewall policy
    edit 1
        set name "Internet"
        set nat enable
        set groups "User Group"
    next
end


Then, it is possible to add the redirection like below:


# config firewall policy
    edit 1
        set redirect-url "http://FGTLANIP:1000/portal?"
    next
end

 

Tips.

The '?' character cannot simply be typed or pasted into the command, because in the CLI its primary purpose is to display the available options.

To enter the character, connect to the FortiGate over SSH with PuTTY (not from the GUI CLI console), press Ctrl+V and then '?'.

The '?' must be pressed quickly, as only a second or two is allowed after Ctrl+V.


Note.

It is possible to use port 1003 if the HTTPS redirect is enabled in the user setting. 

With the keepalive disabled, FortiGate will instead apply configured timeouts. 

The default configuration is an idle timeout of five minutes; if the FortiGate did not receive any traffic from the user in the last five minutes, the user is de-authenticated.


This can require re-authentication after a coffee or lunch break, for example.
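The keepalive failure under Chrome's throttling described in the Description section, and the idle-timeout behaviour that replaces it once auth-keepalive is disabled, as an added example that is not part of this article or of FortiOS: a small JavaScript model that runs under Node.js. The keepalive interval, grace period, throttling cap and the constructed traffic timelines are all assumptions chosen for the model; only the five-minute default idle timeout comes from the article.

```javascript
// Added example, not code from the Fortinet article: a model of the two
// session-ending behaviours the article describes.
//   keepalive mode : the keepalive page's script must report in every
//                    `interval` seconds; a missed report de-authenticates the user.
//   idle mode      : with auth-keepalive disabled, the user is de-authenticated
//                    after `idleTimeout` seconds without traffic (5 minutes by default).
// Every number below (keepalive interval, grace period, throttling cap) is an
// assumption made for this model; the FortiGate's real internal values and the
// exact keepalive script are not given on the page.

const MINUTE = 60;

// Timestamps (seconds) at which a keepalive script in a browser tab fires.
// In a foreground tab the timer fires every `interval` seconds. From
// `backgroundFrom` onward the tab is assumed to be in the background, where
// the Chrome 88 change limits timers to roughly once per minute (modelled
// here by `throttleCap`, an assumption).
function keepaliveTicks({ interval, durationSec, backgroundFrom = Infinity, throttleCap = MINUTE }) {
  const ticks = [];
  let t = 0;
  while (t <= durationSec) {
    ticks.push(t);
    const throttled = t >= backgroundFrom;
    t += throttled ? Math.max(interval, throttleCap) : interval;
  }
  return ticks;
}

// FortiGate-side view in keepalive mode: the user is removed at the first gap
// between reports that exceeds the expected interval plus a small grace period.
function keepaliveSessionEnd(ticks, interval, grace = 5) {
  for (let i = 1; i < ticks.length; i++) {
    const gap = ticks[i] - ticks[i - 1];
    if (gap > interval + grace) {
      return { deauthenticated: true, at: ticks[i - 1] + interval + grace, reauthAt: ticks[i] };
    }
  }
  return { deauthenticated: false, at: null, reauthAt: null };
}

// FortiGate-side view in idle-timeout mode: walk the user's traffic timestamps
// (seconds) up to `observedUntil`; the user is removed once no traffic has been
// seen for `idleTimeout` seconds. The next packet after that point is the one
// that would be redirected to the authentication portal again.
function idleSessionEnd(trafficTimes, { idleTimeout = 5 * MINUTE, observedUntil } = {}) {
  let last = trafficTimes[0];
  for (const t of trafficTimes.slice(1)) {
    if (t - last > idleTimeout) {
      return { deauthenticated: true, at: last + idleTimeout, reauthAt: t };
    }
    last = t;
  }
  if (observedUntil !== undefined && observedUntil - last > idleTimeout) {
    return { deauthenticated: true, at: last + idleTimeout, reauthAt: null };
  }
  return { deauthenticated: false, at: null, reauthAt: null };
}

// Constructed scenarios (all timelines are made up for the model).
function demo() {
  const interval = 30;
  // 1. Keepalive tab stays in the foreground for 10 minutes: no report is missed.
  const fg = keepaliveSessionEnd(keepaliveTicks({ interval, durationSec: 10 * MINUTE }), interval);
  // 2. User switches to the original page at t=300 s; the keepalive tab is
  //    throttled to one tick per minute and the FortiGate drops the user.
  const bg = keepaliveSessionEnd(
    keepaliveTicks({ interval, durationSec: 10 * MINUTE, backgroundFrom: 5 * MINUTE }),
    interval
  );
  // 3. Keepalive disabled: three minutes of browsing, then a 12-minute break.
  const idle = idleSessionEnd([0, 60, 120, 180, 900], { observedUntil: 900 });
  return { fg, bg, idle };
}

console.log(JSON.stringify(demo(), null, 2));
```

Scenario 2 is the situation the article describes: the keepalive script keeps running, but once the tab is in the background its reports arrive a minute apart, and the FortiGate treats the first late report as a missed keepalive. Scenario 3 shows the trade-off after disabling auth-keepalive: a user who keeps generating traffic stays authenticated indefinitely, while a break longer than the idle timeout ends the session and the next request is redirected to the portal.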

 
