Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Debbie_FTNT
Staff
Staff

Created on ‎12-20-2019 02:55 AM Edited on ‎12-11-2024 07:45 AM By Moderator

Article Id 191661

Troubleshooting Tip: SSL VPN and two-factor expiry timers

Description


This article describes possible issues with SSLVPN and two-factor authentication expiry timers.

Fortinet Documentation:
SSL VPN authentication

 

Scope

 

FortiGate.

Solution


When SSL VPN is configured with two-factor authentications (email, SMS, FortiToken), under some circumstances a longer token expiry can be required than the default 60 seconds.


Expiry timers can be configured as follows:

 

config system global
    set two-factor-ftk-expiry <in s>
    set two-factor-ftm-expiry <in hr>
    set two-factor-sms-expiry <in s>
    set two-factor-fac-expiry <in s>
    set two-factor-email-expiry <in s>
end

 

If the FortiToken is not activated withintwo-factor-ftm-expiry then the activation code will be expired. This is not used for authentication.

However, while these timers apply to the tokens themselves (and the token codes will stay valid for as long as configured), SSL VPN does not necessarily accept it for the entire duration the tokens are valid.


To ensure SSL VPN accepts the token, another timer needs to be configured:

 

config system global
    set remoteauthtimeout <1-300s>
end

 

The maximum configurable timeout for this is five minutes. 
SSL VPN waits 10x remotetimeout +30 (s) for a valid token code to be provided before closing down the connection, even if the token code is valid for longer. 

 

Example: If 240s is set for two-factor-email-expiryso, the remote timeout must be greater or equals 21.

240 = 10x remotetimeout + 30 <=> remotetimeout = 21.

 

Note 1:
The remoteauthtimout setting does not only show how long SSL VPN waits for the token to be provided but also for other remote authentication, like authentication against LDAP, RADIUS, etc.
That means an increased timer can lead to the FortiGate.
The server is not reachable if the increased timer takes too long to lead the FortiGate.

For SSL VPN authentication with Azure SAML, the remoteauthtimeout is doubled. For example, when set as 30 seconds those will become 60 seconds when the client waits for the password.

 

Note 2

remoteauthtimeouttwo-factor-xxx-expiry then the FortiGate uses 2FA expiry as timeout to verify the token.

57318
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.