FortiGate
vrajendran
Staff
Article Id 192071
Description
This article explains how to use the 'policy-auth-concurrent' option from the CLI and clarifies its default value.

Solution
The 'policy-auth-concurrent' option under 'config system global' controls whether the same user can be authenticated from multiple sources at the same time.

The default value for this setting is '0', which means there is no concurrent login limit for users. If this value is set to '1', one user can only be authenticated from one source IP.
That means that if a user has already been authenticated, authentication requests for the same user from other sources will be denied.

# config system global
    set policy-auth-concurrent (0-100)
end
Example:
# config system global
    set policy-auth-concurrent 1
end
With the auth-concurrent limit set to 1, a user can log in from only 1 source IP.

The auth-concurrent setting can also be configured at the user group or user level. If the concurrent setting is set at the user or group level, it takes precedence over the global setting.
# config user local
    edit <name>
        set auth-concurrent-override enable
        set auth-concurrent-value (1-100)
    end

# config user group
    edit "fortilab_exchange"
        set auth-concurrent-override enable
        set auth-concurrent-value (1-100)
    end
Note:
The priority of the auth-concurrent setting is User group -> User -> Global setting.
The auth-concurrent setting applies per VDOM. If the user is authenticated in one firewall policy, that user will not be allowed to authenticate.
The auth-concurrent setting only applies to firewall authentication or captive portal authentication users.
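
An added audit sketch (not Fortinet code and not part of the original article): it parses a configuration backup and resolves each local user's effective concurrent-login limit using the precedence given in the note above, so that accounts left at 0 (no limit) stand out. The sample configuration, the function names, the flat (non-nested) section parsing and the handling of users in several overriding groups are assumptions of this example.

```python
import re
# Constructed sample in FortiOS backup syntax; policy-auth-concurrent is left at its default (0).
SAMPLE = '''config user local
    edit "alice"
        set auth-concurrent-override enable
        set auth-concurrent-value 2
    next
    edit "bob"
        set auth-concurrent-override enable
        set auth-concurrent-value 3
    next
    edit "carol"
    next
end
config user group
    edit "fortilab_exchange"
        set member "alice"
        set auth-concurrent-override enable
        set auth-concurrent-value 1
    next
end'''

def parse(text):  # -> {section: {entry: {setting: [values]}}}; entry "" = settings outside an edit
    cfg, section, entry = {}, "", ""
    for line in filter(str.strip, text.splitlines()):
        verb, *args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if verb == "config":
            section = " ".join(args)
        entry = args[0] if verb == "edit" else entry if verb == "set" else ""
        if verb in ("edit", "set"):
            node = cfg.setdefault(section, {}).setdefault(entry, {})
        if verb == "set":
            node[args[0]] = args[1:]
    return cfg

def override(s):  # per-entry limit, or None when auth-concurrent-override is not enabled
    on = s.get("auth-concurrent-override") == ["enable"]
    return int(s["auth-concurrent-value"][0]) if on else None

def effective_limits(cfg):  # {user: (limit, source)}, precedence user group -> user -> global
    glob = int(cfg.get("system global", {}).get("", {}).get("policy-auth-concurrent", ["0"])[0])
    out = {}
    for user, uset in cfg.get("user local", {}).items():
        grp = [override(g) for g in cfg.get("user group", {}).values() if user in g.get("member", [])]
        grp = [v for v in grp if v is not None]
        # Assumption of this sketch: with several overriding groups, audit the loosest value.
        cands = [(max(grp, default=None), "group"), (override(uset), "user"), (glob, "global")]
        out[user] = next(c for c in cands if c[0] is not None)
    return out
```

For the sample, effective_limits(parse(SAMPLE)) resolves alice to 1 from her group, bob to 3 from his user entry, and carol to the global 0, which is the unlimited case an audit would flag.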
