Description
This article describes an issue where the authenticated user entry is removed before the configured auth-timeout value expires.
Scope
FortiGate.
Solution
This article assumes the timeout type is set to hard-timeout and the group authtimeout value is set to 30 days.
With a hard timeout, the user entry should be removed only after the configured auth-timeout value expires. However, in some cases the auth entry is removed after 12 hours.
Verify this with the command 'diag firewall auth list' or by navigating to the firewall user monitor in the dashboard.
Configuration:
config user setting
    set auth-timeout-type hard-timeout
    set auth-timeout 1 to 10080 (Current Max Value 1440)
end
config user group
    edit "LDAP"
        set group-type firewall
        set authtimeout 43200 (max value 30 days set for group)
        set member "LDAP"
    next
end
The auth session is removed whenever FortiGate receives a DHCP lease renewal for the client. In this case the DHCP lease-time was 43200 seconds, so a renewal occurs every 12 hours.
The solution is to increase the DHCP lease time as required.
A valid example value is a lease-time of 2592000 seconds, which renews the DHCP IP every 30 days, matching the 30-day group authtimeout.
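As an added example, not taken from the original article, the following shows the DHCP server scope with the 12-hour lease that cuts the user entry short, the same scope corrected to a 30-day lease, and the commands used to confirm the result. The scope ID, interface name, address range and gateway are assumed values; lines beginning with # are annotations and are not CLI input.

```fortios
# Before (assumed scope): lease-time 43200 seconds = 12 hours.
# Each renewal removes the authenticated user entry, so the 30-day
# hard timeout configured on the group never takes effect.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.1.1
        set netmask 255.255.255.0
        set lease-time 43200
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.200
            next
        end
    next
end

# After: lease-time 2592000 seconds = 30 days, which matches the
# group authtimeout of 43200 minutes (also 30 days).
config system dhcp server
    edit 1
        set lease-time 2592000
    next
end

# Keep the group timeout as in the article (43200 minutes = 30 days).
config user group
    edit "LDAP"
        set group-type firewall
        set authtimeout 43200
        set member "LDAP"
    next
end

# Verification: the lease expiry shown for the client should now be
# 30 days out, and the auth entry should persist past the 12-hour mark.
execute dhcp lease-list
diagnose firewall auth list
```

Note that the group authtimeout is expressed in minutes while the DHCP lease-time is expressed in seconds; the effective lifetime of the user entry is whichever of the two expires first, so the lease should be at least as long as the intended auth timeout.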