Created on 08-11-2022 07:18 AM, edited on 08-11-2022 07:22 AM, by Anthony_E
Description
This article describes the 'auth-timeout' setting for SSL-VPN. It cannot be changed through the timeout setting of any user group; the SSL-VPN 'auth-timeout' can only be changed in the SSL-VPN settings themselves.
Related articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-connection-logout-after-8-hours/ta...
Scope
Firmware 5.x, 6.x, 7.x.
Solution
- Can the SSL-VPN group timeout be set individually under each AD user group?
- Is there a way to set the timeout per group?
Some users need to stay on for 10-12 hours at a time, while others should not be on for more than 2 hours.
Answer: This is not possible for SSL-VPN.
The user group timeout ('authtimeout') affects user authentication elsewhere, for example in firewall policies or the captive portal, but it has no effect on SSL-VPN authentication. Local or LDAP group timeout values have no impact on SSL-VPN.
This applies to any user group. Verified in the lab.
The CLI commands are attached below. Even though the user group timeout is set to 2 minutes, the SSL-VPN user does not log out, because the SSL-VPN 'auth-timeout' is set to 0 (default):
FortiGate-80E-POE # config vpn ssl settings
FortiGate-80E-POE (settings) # get
status              : enable
reqclientcert       : disable
ssl-max-proto-ver   : tls1-3
ssl-min-proto-ver   : tls1-2
banned-cipher       :
ciphersuite         : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect      : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert          : Fortinet_Factory
algorithm           : high
idle-timeout        : 300
auth-timeout        : 120
login-attempt-limit : 2
login-block-time    : 60
login-timeout       : 30
dtls-hello-timeout  : 10
tunnel-ip-pools     : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools   : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix          :
dns-server1         : 0.0.0.0
dns-server2         : 0.0.0.0
wins-server1        : 0.0.0.0
wins-server2        : 0.0.0.0
ipv6-dns-server1    : ::
ipv6-dns-server2    : ::
ipv6-wins-server1   : ::
ipv6-wins-server2   : ::
url-obscuration     : disable
http-compression    : disable
http-only-cookie    : enable
port                : 10443
port-precedence     : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface    : "wan1"
source-address      : "all"
source-address-negate: disable
source-address6     : "all"
source-address6-negate: disable
default-portal      : full-access
authentication-rule:
    == [ 1 ]
    id: 1
dtls-tunnel         : enable
check-referer       : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence  : disable
encrypt-and-store-password: disable
client-sigalgs      : all
dtls-max-proto-ver  : dtls1-2
dtls-min-proto-ver  : dtls1-0
FortiGate-80E-POE (settings) # set auth-timeout 0
FortiGate-80E-POE (settings) # end
Warning: One of the factory default certificates is used. For better security, use a proper signed certificate.
FortiGate-80E-POE # config user group
FortiGate-80E-POE (group) # edit Guest-group
FortiGate-80E-POE (Guest-group) # get
name                : Guest-group
id                  : 1
group-type          : firewall
authtimeout         : 2
auth-concurrent-override: disable
http-digest-realm   :
member              : "guest" "test_user"
match:
FortiGate-80E-POE # config user group
FortiGate-80E-POE (group) # edit Guest-group
FortiGate-80E-POE (Guest-group) # show
config user group
    edit "Guest-group"
        set authtimeout 2
        set member "guest" "test_user"
    next
end
FortiGate-80E-POE (Guest-group) # end
FortiGate-80E-POE # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User        Group         Auth Type   Timeout   Auth-Timeout   From       HTTP in/out   HTTPS in/out   Two-factor Auth
 0       test_user   Guest-group   1(1)        214       2147483647     10.9.x.x   0/0           0/0            0

SSL-VPN sessions:
 Index   User   Group   Source IP   Duration   I/O Bytes   Tunnel/Dest IP
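As an added example (not part of this article or of FortiOS), the Python script below parses the kind of 'get' and 'get vpn ssl monitor' output shown above and reports, for each logged-in SSL-VPN user, the group 'authtimeout' value next to the SSL-VPN 'auth-timeout' that is actually enforced. The sample outputs are constructed from the session above, trimmed to the relevant lines; the value 2147483647 in the Auth-Timeout column is the one the monitor shows when 'auth-timeout' is 0.

```python
import re
# Constructed samples, trimmed from the article's CLI session.
SETTINGS_OUTPUT = """\
idle-timeout        : 300
auth-timeout        : 0
"""
GROUP_OUTPUT = """\
name                : Guest-group
authtimeout         : 2
member              : "guest" "test_user"
"""
MONITOR_OUTPUT = """\
SSL-VPN Login Users:
 Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
 0 test_user Guest-group 1(1) 214 2147483647 10.9.x.x 0/0 0/0 0

SSL-VPN sessions:
"""
NEVER = 2147483647  # Auth-Timeout shown by the monitor when auth-timeout is 0

def parse_kv(text):
    """Turn FortiOS 'get' output ('key : value' per line) into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.*)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def parse_login_users(text):
    """Yield (user, group, auth_timeout) from the 'SSL-VPN Login Users' table."""
    in_table = False
    for line in text.splitlines():
        if line.startswith("SSL-VPN Login Users:"):
            in_table = True
            continue
        if line.startswith("SSL-VPN sessions:"):
            break
        cols = line.split()
        # Data rows start with the numeric Index; 'Auth Type' is one token, e.g. 1(1)
        if in_table and cols and cols[0].isdigit():
            yield cols[1], cols[2], int(cols[5])

def audit(settings_text, group_text, monitor_text):
    """Per user: the group 'authtimeout' versus the SSL-VPN 'auth-timeout' actually enforced."""
    ssl_timeout = int(parse_kv(settings_text)["auth-timeout"])
    group = parse_kv(group_text)
    findings = []
    for user, grp, shown in parse_login_users(monitor_text):
        grp_timeout = int(group["authtimeout"]) if group.get("name") == grp else None
        findings.append({"user": user, "group": grp, "group_authtimeout": grp_timeout,
                         "sslvpn_auth_timeout": ssl_timeout, "never_expires": shown == NEVER})
    return findings
```

Running `audit(SETTINGS_OUTPUT, GROUP_OUTPUT, MONITOR_OUTPUT)` shows test_user with a group timeout of 2 but `never_expires` True, which is exactly the mismatch the article describes.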