Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nradia_FTNT
Staff
Staff

Created on ‎08-11-2022 07:18 AM Edited on ‎08-11-2022 07:22 AM By Community Manager

Article Id 220586

Technical Tip: 'auth-timeout' setting for SSL-VPN

Description

This article describes 'auth-timeout' setting for SSL-VPN.

It cannot be changed using timeout settings from any User Group, 'auth-timeout' setting can only be changed via SSL-VPN setting 'auth-timeout'. 

 

Related articles:

 

https://community.fortinet.com/t5/Fortinet-Forum/VPN-SSL-idle-timeout-vs-auth-timeout/m-p/79997#:~:t....

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-connection-logout-after-8-hours/ta...
Scope Firmware 5.x, 6.x, 7.x.
Solution

- Can the SSL-VPN group timeout be set individually under each AD user group?

- Is there a way to set the timeout per group?

 

Some users which need to stay on for 10-12 hours at a time and others which should not be on for more than 2 hours.

 

AnswerThis is not possible for SSL-VPN.

 

'auth-timeout' will impact user authentication, for example in policies or captive portal.

But it does not have any impact for SSL-VPN authentication.

This is controlled for all SSL-VPN users with the 'auth-timeout' value in SSL-VPN settings.

Local or LDAP groups' timeout values have no impact in SSL-VPN.

 

It is applicable to any user group.Verified in Lab.

 

CLI commands attached below. Even though user group timeout is set to 2 minutes, SSL-VPN user does not logout because SSL-VPN 'auth-timeout' is set to 0 (default):

 

FortiGate-80E-POE # config vpn ssl settings

 

FortiGate-80E-POE (settings) # get

status              : enable

reqclientcert       : disable

ssl-max-proto-ver   : tls1-3

ssl-min-proto-ver   : tls1-2

banned-cipher       :

ciphersuite         : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

ssl-insert-empty-fragment: enable

https-redirect      : disable

x-content-type-options: enable

ssl-client-renegotiation: disable

force-two-factor-auth: disable

servercert          : Fortinet_Factory

algorithm           : high

idle-timeout        : 300

auth-timeout        : 120

login-attempt-limit : 2

login-block-time    : 60

login-timeout       : 30

dtls-hello-timeout  : 10

tunnel-ip-pools     : "SSLVPN_TUNNEL_ADDR1"

tunnel-ipv6-pools   : "SSLVPN_TUNNEL_IPv6_ADDR1"

dns-suffix          :

dns-server1         : 0.0.0.0

dns-server2         : 0.0.0.0

wins-server1        : 0.0.0.0

wins-server2        : 0.0.0.0

ipv6-dns-server1    : ::

ipv6-dns-server2    : ::

ipv6-wins-server1   : ::

ipv6-wins-server2   : ::

url-obscuration     : disable

http-compression    : disable

http-only-cookie    : enable

port                : 10443

port-precedence     : enable

auto-tunnel-static-route: enable

header-x-forwarded-for: add

source-interface    : "wan1"

source-address      : "all"

source-address-negate: disable

source-address6     : "all"

source-address6-negate: disable

default-portal      : full-access

authentication-rule:

    == [ 1 ]

    id:     1

dtls-tunnel         : enable

check-referer       : disable

http-request-header-timeout: 20

http-request-body-timeout: 30

auth-session-check-source-ip: enable

tunnel-connect-without-reauth: disable

hsts-include-subdomains: disable

transform-backward-slashes: disable

encode-2f-sequence  : disable

encrypt-and-store-password: disable

client-sigalgs      : all

dtls-max-proto-ver  : dtls1-2

dtls-min-proto-ver  : dtls1-0

 

FortiGate-80E-POE (settings) # set auth-timeout 0

 

FortiGate-80E-POE (settings) # end

 

Warning: One of the factory default certificates is used.

For better security, use a proper signed certificate.

 

FortiGate-80E-POE # config user group

 

FortiGate-80E-POE (group) # edit Guest-group

 

FortiGate-80E-POE (Guest-group) # get

name                : Guest-group

id                  : 1

group-type          : firewall

authtimeout         : 2

auth-concurrent-override: disable

http-digest-realm   :

member              : "guest" "test_user"

match:

 

FortiGate-80E-POE # config user group

FortiGate-80E-POE (group) # edit Guest-group

FortiGate-80E-POE (Guest-group) # show

config user group

    edit "Guest-group"

        set authtimeout 2

        set member "guest" "test_user"

    next

end

 

FortiGate-80E-POE (Guest-group) # end

 

FortiGate-80E-POE # get vpn ssl monitor

SSL-VPN Login Users:

 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth

 0       test_user         Guest-group    1(1)             214    2147483647       10.9.x.x     0/0     0/0     0

 

SSL-VPN sessions:

 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
39351
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.