nradia_FTNT
Staff
Article Id 220586
Description

This article describes the 'auth-timeout' setting for SSL-VPN.

It cannot be changed using the timeout settings of any user group; it can only be changed via the 'auth-timeout' setting under SSL-VPN settings.

Related articles:

https://community.fortinet.com/t5/Fortinet-Forum/VPN-SSL-idle-timeout-vs-auth-timeout/m-p/79997#:~:t....

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-connection-logout-after-8-hours/ta...
Scope

Firmware 5.x, 6.x, 7.x.
Solution

- Can the SSL-VPN group timeout be set individually under each AD user group?

- Is there a way to set the timeout per group?

For example, some users need to stay connected for 10-12 hours at a time, while others should not be connected for more than 2 hours.

Answer: This is not possible for SSL-VPN.

The user group 'authtimeout' affects firewall user authentication, for example in policies or captive portal.

It has no effect on SSL-VPN authentication.

For all SSL-VPN users this is controlled by the 'auth-timeout' value in SSL-VPN settings.

Timeout values of local or LDAP groups have no impact on SSL-VPN.

This applies to any user group. Verified in lab.

The CLI session below shows this. Even though the user group 'authtimeout' is set to 2 minutes, the SSL-VPN user is not logged out, because the SSL-VPN 'auth-timeout' is set to 0 (default):

FortiGate-80E-POE # config vpn ssl settings

FortiGate-80E-POE (settings) # get
status              : enable
reqclientcert       : disable
ssl-max-proto-ver   : tls1-3
ssl-min-proto-ver   : tls1-2
banned-cipher       :
ciphersuite         : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect      : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert          : Fortinet_Factory
algorithm           : high
idle-timeout        : 300
auth-timeout        : 120
login-attempt-limit : 2
login-block-time    : 60
login-timeout       : 30
dtls-hello-timeout  : 10
tunnel-ip-pools     : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools   : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix          :
dns-server1         : 0.0.0.0
dns-server2         : 0.0.0.0
wins-server1        : 0.0.0.0
wins-server2        : 0.0.0.0
ipv6-dns-server1    : ::
ipv6-dns-server2    : ::
ipv6-wins-server1   : ::
ipv6-wins-server2   : ::
url-obscuration     : disable
http-compression    : disable
http-only-cookie    : enable
port                : 10443
port-precedence     : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface    : "wan1"
source-address      : "all"
source-address-negate: disable
source-address6     : "all"
source-address6-negate: disable
default-portal      : full-access
authentication-rule:
    == [ 1 ]
    id:     1
dtls-tunnel         : enable
check-referer       : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence  : disable
encrypt-and-store-password: disable
client-sigalgs      : all
dtls-max-proto-ver  : dtls1-2
dtls-min-proto-ver  : dtls1-0

FortiGate-80E-POE (settings) # set auth-timeout 0

FortiGate-80E-POE (settings) # end

Warning: One of the factory default certificates is used.
For better security, use a proper signed certificate.

FortiGate-80E-POE # config user group

FortiGate-80E-POE (group) # edit Guest-group

FortiGate-80E-POE (Guest-group) # get
name                : Guest-group
id                  : 1
group-type          : firewall
authtimeout         : 2
auth-concurrent-override: disable
http-digest-realm   :
member              : "guest" "test_user"
match:

FortiGate-80E-POE # config user group
FortiGate-80E-POE (group) # edit Guest-group
FortiGate-80E-POE (Guest-group) # show
config user group
    edit "Guest-group"
        set authtimeout 2
        set member "guest" "test_user"
    next
end

FortiGate-80E-POE (Guest-group) # end

FortiGate-80E-POE # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User       Group        Auth Type   Timeout   Auth-Timeout   From       HTTP in/out   HTTPS in/out   Two-factor Auth
 0       test_user  Guest-group  1(1)        214       2147483647     10.9.x.x   0/0           0/0            0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
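As an added audit example (not from the article or from Fortinet), the script below parses 'get vpn ssl monitor' and 'config vpn ssl settings' output in the shape shown above and lists logged-in users whose session will never be forced to re-authenticate. It assumes, from the output above, that auth-timeout 0 appears as 2147483647 in the Auth-Timeout column; the 'alice' row and the settings fragment are constructed samples.

```python
import re

# Constructed sample modelled on the 'get vpn ssl monitor' output in this article;
# the 'alice' row is invented to show a bounded session next to the unbounded one.
SAMPLE_MONITOR = """\
SSL-VPN Login Users:
 Index   User       Group        Auth Type   Timeout   Auth-Timeout   From       HTTP in/out   HTTPS in/out   Two-factor Auth
 0       test_user  Guest-group  1(1)        214       2147483647     10.9.x.x   0/0           0/0            0
 1       alice      Staff-group  1(1)        287       27500          10.9.x.x   0/0           0/0            1

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
"""

# Constructed fragment of 'config vpn ssl settings' -> 'get' output after 'set auth-timeout 0'.
SAMPLE_SETTINGS = "idle-timeout        : 300\nauth-timeout        : 0\nlogin-timeout       : 30\n"

# Assumption taken from the article's output: auth-timeout 0 is shown as 2147483647
# (INT32_MAX) in the Auth-Timeout column, i.e. the session never re-authenticates.
NEVER_EXPIRES = 2147483647


def ssl_auth_timeout(settings_text):
    """Read the SSL-VPN 'auth-timeout' value (seconds) from 'get' output; None if absent."""
    m = re.search(r"^auth-timeout\s*:\s*(\d+)\s*$", settings_text, re.M)
    return int(m.group(1)) if m else None


def parse_login_users(monitor_text):
    """Parse the 'SSL-VPN Login Users' table into one dict per logged-in user."""
    users, in_table = [], False
    for line in monitor_text.splitlines():
        if line.startswith("SSL-VPN Login Users:"):
            in_table = True
            continue
        if line.startswith("SSL-VPN sessions:"):
            break
        fields = line.split()
        # Skip blanks and the column header; data rows have 10 whitespace-separated fields.
        if not in_table or len(fields) < 10 or fields[0] == "Index":
            continue
        users.append({
            "user": fields[1], "group": fields[2],
            "timeout": int(fields[4]), "auth_timeout": int(fields[5]),
            "from": fields[6], "two_factor": fields[9] == "1",
        })
    return users


def unbounded_sessions(monitor_text):
    """Users with no auth timeout: SSL-VPN 'auth-timeout' is 0, and the group's
    'authtimeout' (2 minutes in the article) does not apply to SSL-VPN."""
    return [u["user"] for u in parse_login_users(monitor_text)
            if u["auth_timeout"] >= NEVER_EXPIRES]
```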