FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ymorohashi
Staff
Staff
Article Id 190539

Description

 

This article describes what is the meaning of 'admin-console-timeout 0'.

 

From the FortiOS Handbook, zero value is described as below:
'An idle timeout has been added for FortiGate console sessions (admin sessions connecting to a FortiGate console port or USB port).
By default the console timeout is set to 0 and console sessions will never timeout'.
 
The FortiGate CLI offers additional explanations:
'Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout'.

So the console session can still be disconnected even if configuring 'admin-console-timeout 0'.
The value of '0'  will make FortiGate consider the 'admintimeout' setting.


Scope

FortiGate

 

Solution

 

The expected behavior is as follows. Firstly, value '0' set for 'admin-console-timeout' means that the console timeout is not enabled.
In this case, 'admintimeout' is used as a console session idle timer. 
 
Example 1:
 
config system global
FortiGate (global) # show full-configuration | grep timeout
    set admin-console-timeout 0 -> This counter is in seconds.
    set admintimeout 1 -> This counter is in minutes.
    set device-idle-timeout 300 
-> This counter is in seconds.
    set proxy-auth-timeout 300 -> This counter is in minutes.
    set ldapconntimeout 500 -> This counter is in seconds.
    set remoteauthtimeout 5 -> This counter is in seconds.

 

Example:

'admin-console-timeout' is set as 0 s.

'admintimeout' is set as 1 min.

So the console session (0=not set) will be disconnected after 1 minute of idle time, following admintimeout.
'admin-console-timeout' is allowed to be configured in the range of 15-300 seconds from the CLI.
 
Example 2:
config system global
FortiGate (global) # show full-configuration | grep timeout
    set admin-console-timeout 20
    set admintimeout 1
    set explicit-proxy-auth-timeout 300
    set ldapconntimeout 500
    set remoteauthtimeout 5


'admin-console-timeout' is configured as 20 seconds in this example.

The console session idle timer is overwritten from 'admintimeout 1 (min)' to 20 sec.

 

This is intended to lower the timeout for a console session to a matter of seconds.

To extend the session duration past the maximum configurable value of 300, then this setting should be disabled (0), and the duration in this case will be given by the admintimeout value, in minutes.

admintimeout -> Enter an integer value from <1> to <480> (default = <5>).  -> This counter is in minutes.

 

Values minutes/seconds are described here:

Configure global attributes