FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 220586

This article describes 'auth-timeout' setting for SSL-VPN.

It cannot be changed using timeout settings from any User Group, 'auth-timeout' setting can only be changed via SSL-VPN setting 'auth-timeout'. 


Related articles:
Scope Firmware 5.x, 6.x, 7.x.

- Can the SSL-VPN group timeout be set individually under each AD user group?

- Is there a way to set the timeout per group?


Some users which need to stay on for 10-12 hours at a time and others which should not be on for more than 2 hours.


AnswerThis is not possible for SSL-VPN.


'auth-timeout' will impact user authentication, for example in policies or captive portal.

But it does not have any impact for SSL-VPN authentication.

This is controlled for all SSL-VPN users with the 'auth-timeout' value in SSL-VPN settings.

Local or LDAP groups' timeout values have no impact in SSL-VPN.


It is applicable to any user group.Verified in Lab.


CLI commands attached below. Even though user group timeout is set to 2 minutes, SSL-VPN user does not logout because SSL-VPN 'auth-timeout' is set to 0 (default):


FortiGate-80E-POE # config vpn ssl settings


FortiGate-80E-POE (settings) # get

status              : enable

reqclientcert       : disable

ssl-max-proto-ver   : tls1-3

ssl-min-proto-ver   : tls1-2

banned-cipher       :

ciphersuite         : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

ssl-insert-empty-fragment: enable

https-redirect      : disable

x-content-type-options: enable

ssl-client-renegotiation: disable

force-two-factor-auth: disable

servercert          : Fortinet_Factory

algorithm           : high

idle-timeout        : 300

auth-timeout        : 120

login-attempt-limit : 2

login-block-time    : 60

login-timeout       : 30

dtls-hello-timeout  : 10

tunnel-ip-pools     : "SSLVPN_TUNNEL_ADDR1"

tunnel-ipv6-pools   : "SSLVPN_TUNNEL_IPv6_ADDR1"

dns-suffix          :

dns-server1         :

dns-server2         :

wins-server1        :

wins-server2        :

ipv6-dns-server1    : ::

ipv6-dns-server2    : ::

ipv6-wins-server1   : ::

ipv6-wins-server2   : ::

url-obscuration     : disable

http-compression    : disable

http-only-cookie    : enable

port                : 10443

port-precedence     : enable

auto-tunnel-static-route: enable

header-x-forwarded-for: add

source-interface    : "wan1"

source-address      : "all"

source-address-negate: disable

source-address6     : "all"

source-address6-negate: disable

default-portal      : full-access


    == [ 1 ]

    id:     1

dtls-tunnel         : enable

check-referer       : disable

http-request-header-timeout: 20

http-request-body-timeout: 30

auth-session-check-source-ip: enable

tunnel-connect-without-reauth: disable

hsts-include-subdomains: disable

transform-backward-slashes: disable

encode-2f-sequence  : disable

encrypt-and-store-password: disable

client-sigalgs      : all

dtls-max-proto-ver  : dtls1-2

dtls-min-proto-ver  : dtls1-0


FortiGate-80E-POE (settings) # set auth-timeout 0


FortiGate-80E-POE (settings) # end


Warning: One of the factory default certificates is used.

For better security, use a proper signed certificate.


FortiGate-80E-POE # config user group


FortiGate-80E-POE (group) # edit Guest-group


FortiGate-80E-POE (Guest-group) # get

name                : Guest-group

id                  : 1

group-type          : firewall

authtimeout         : 2

auth-concurrent-override: disable

http-digest-realm   :

member              : "guest" "test_user"



FortiGate-80E-POE # config user group

FortiGate-80E-POE (group) # edit Guest-group

FortiGate-80E-POE (Guest-group) # show

config user group

    edit "Guest-group"

        set authtimeout 2

        set member "guest" "test_user"




FortiGate-80E-POE (Guest-group) # end


FortiGate-80E-POE # get vpn ssl monitor

SSL-VPN Login Users:

 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth

 0       test_user         Guest-group    1(1)             214    2147483647       10.9.x.x     0/0     0/0     0


SSL-VPN sessions:

 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP