nradia_FTNT, Staff
Article Id 220586
Description

This article describes the 'auth-timeout' setting for SSL VPN and explains how it differs from the 'auth-timeout' that applies to firewall-authenticated users.

Scope

FortiGate v5.x, v6.x, v7.x.
Solution

The client authentication timeout controls how long an authenticated user remains connected to the SSL VPN. When this time expires, the system forces the remote client to authenticate again.

This is not to be confused with the 'auth-timeout' for firewall-authenticated users, which is described in Technical Tip: Explanation of auth-timeout types for Firewall authentication users.

The 'auth-timeout' value described in that article affects user authentication in, for example, firewall policies or the captive portal. However, it has no effect on SSL VPN authentication.

The SSL VPN 'auth-timeout' cannot be changed through the timeout settings of individual user groups; it can only be changed via the SSL VPN setting 'auth-timeout', and it applies to all SSL VPN users.

The CLI output below illustrates this. Even though the user group timeout is set to 2 minutes, the SSL VPN user is not logged out, because the SSL VPN 'auth-timeout' is set to 0 (default):


FortiGate-80E-POE # config vpn ssl settings

FortiGate-80E-POE (settings) # get
status              : enable
reqclientcert       : disable
ssl-max-proto-ver   : tls1-3
ssl-min-proto-ver   : tls1-2
banned-cipher       :
ciphersuite         : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect      : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert          : Fortinet_Factory
algorithm           : high
idle-timeout        : 300
auth-timeout        : 120
login-attempt-limit : 2
login-block-time    : 60
login-timeout       : 30
dtls-hello-timeout  : 10
tunnel-ip-pools     : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools   : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix          :
dns-server1         : 0.0.0.0
dns-server2         : 0.0.0.0
wins-server1        : 0.0.0.0
wins-server2        : 0.0.0.0
ipv6-dns-server1    : ::
ipv6-dns-server2    : ::
ipv6-wins-server1   : ::
ipv6-wins-server2   : ::
url-obscuration     : disable
http-compression    : disable
http-only-cookie    : enable
port                : 10443
port-precedence     : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface    : "wan1"
source-address      : "all"
source-address-negate: disable
source-address6     : "all"
source-address6-negate: disable
default-portal      : full-access
authentication-rule:
    == [ 1 ]
    id:     1
dtls-tunnel         : enable
check-referer       : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence  : disable
encrypt-and-store-password: disable
client-sigalgs      : all
dtls-max-proto-ver  : dtls1-2
dtls-min-proto-ver  : dtls1-0

FortiGate-80E-POE (settings) # set auth-timeout 0

FortiGate-80E-POE (settings) # end

Warning: One of the factory default certificates is used. For better security, use a properly signed certificate.

FortiGate-80E-POE # config user group

FortiGate-80E-POE (group) # edit Guest-group

FortiGate-80E-POE (Guest-group) # get
name                : Guest-group
id                  : 1
group-type          : firewall
authtimeout         : 2
auth-concurrent-override: disable
http-digest-realm   :
member              : "guest" "test_user"
match:

FortiGate-80E-POE # config user group
FortiGate-80E-POE (group) # edit Guest-group
FortiGate-80E-POE (Guest-group) # show
config user group
    edit "Guest-group"
        set authtimeout 2
        set member "guest" "test_user"
    next
end

FortiGate-80E-POE (Guest-group) # end

FortiGate-80E-POE # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       test_user         Guest-group    1(1)             214    2147483647       10.9.x.x     0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
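As an added example (not part of the Fortinet article), the following Python script parses 'get vpn ssl monitor' output in the format shown above and reports logins whose Auth-Timeout column shows 2147483647, the value that appears once the SSL VPN 'auth-timeout' is 0 and the user will never be forced to re-authenticate. The sample output, the function names and the second row (user 'guest' with Auth-Timeout 28800) are constructed for this example.

```python
import re

# Value shown in the Auth-Timeout column when the SSL VPN 'auth-timeout' is 0
# (taken from the article's 'get vpn ssl monitor' output): no forced re-auth.
NO_AUTH_TIMEOUT = 2147483647

# Constructed sample in the format of 'get vpn ssl monitor'; the second row
# (user 'guest', Auth-Timeout 28800) is invented for contrast.
SAMPLE_MONITOR = """\
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       test_user         Guest-group    1(1)             214    2147483647       10.9.0.1     0/0     0/0     0
 1       guest             Guest-group    1(1)             300         28800       10.9.0.2     0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
"""

# One data row of the 'SSL-VPN Login Users' table. Header lines never match
# because they do not start with a numeric index.
LOGIN_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<auth_type>\S+)"
    r"\s+(?P<timeout>\d+)\s+(?P<auth_timeout>\d+)\s+(?P<source>\S+)"
)


def parse_login_users(monitor_output):
    """Return the rows of the 'SSL-VPN Login Users' table as dicts."""
    rows, in_table = [], False
    for line in monitor_output.splitlines():
        if line.startswith("SSL-VPN Login Users"):
            in_table = True
        elif line.startswith("SSL-VPN sessions"):
            break  # the sessions table has a different layout
        elif in_table:
            m = LOGIN_ROW.match(line)
            if m:
                row = m.groupdict()
                for key in ("index", "timeout", "auth_timeout"):
                    row[key] = int(row[key])
                rows.append(row)
    return rows


def users_without_auth_timeout(monitor_output):
    """Users whose SSL VPN login will never be forced to re-authenticate."""
    return [r["user"] for r in parse_login_users(monitor_output)
            if r["auth_timeout"] == NO_AUTH_TIMEOUT]


if __name__ == "__main__":
    for user in users_without_auth_timeout(SAMPLE_MONITOR):
        print(f"{user}: no SSL VPN auth-timeout (check 'config vpn ssl settings')")
```

Running the script against real output (for example saved from the CLI) lists the users for whom the group 'authtimeout' is being relied on but does not apply.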

 


Related articles:

VPN SSL idle timeout vs auth timeout - Fortinet Support Forum
Technical Tip: SSL VPN connection logout after 8 hours