Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pmit
New Contributor III

Session duration longer than timeout

We use LDAP (firewall) authentication for non-AD devices with a captive portal. Under "User and Device" -> "Authentication" -> "Settings" we have "Authentication Timeout" set to 120. According to the user guide and help this is in minutes. We have several user accounts remaining logged in, however, for very long periods of time (days). Right now I have more than 10 users with a firewall duration from 1 day to 18 days...


As a result, if another device comes on campus and gets the same address days later via DHCP, is it then "already authenticated" as the previous user?


What am I missing? How can I stop this from happening?


5 REPLIES
Dave_Hall
Honored Contributor

pmit wrote:

What am I missing? How can I stop this from happening?

Maybe take a look at schedule-timeout under Firewall Policy.


NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Vbharath_FTNT

Hi,


User authentication timeout is an idle timeout by default, which means the user/host should not generate any traffic for the number of minutes configured under user authentication timeout. If any application is generating traffic from the user PC, the user entry will be kept as long as there is an active session from the host.


You can consider configuring the keepalive setting. With the keepalive page, the user will be redirected to a keepalive page after successful authentication. The keepalive page gives users the option to log out, so users can log out before closing their browser/leaving their machines, and the FortiGate will automatically de-authenticate the user when the user clicks the logout button on the keepalive page.


# config system global
#     set auth-keepalive enable
# end


Note: If the user closes the keepalive page accidentally, the user entry will be de-authenticated as per the configured timeout value, which is 120 mins as per your config.


Viswa

Sylvia
Contributor II

Hello,


As written in the previous post, the auth timeout is an idle timeout by default.


But this can be changed in the CLI:

config user setting
    set auth-timeout-type ?
idle-timeout    Idle timeout.
hard-timeout    Hard timeout.
new-session     New session timeout.

With the hard-timeout the user will be logged out after the configured amount of time - no matter if he is idle or not...


Regards,

Sylvia

ede_pfau
Esteemed Contributor III

@Dave:

Hi! 'schedule-timeout' only determines what action to take if a policy schedule expires. Without that parameter enabled, the session remains active. With this parameter enabled, the session is terminated immediately after the schedule has timed out.

New sessions are not affected - they are not allowed if the schedule has expired, in any case.


But all of this is unrelated to the auth timeout. Sylvia pointed out the method to 'enforce' the auth-timeout as a duration, and not as an idle period.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
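The idle-timeout versus hard-timeout distinction that Vbharath and Sylvia describe above, as an added example that is not from this thread or from Fortinet: a small Python script that parses `diagnose firewall auth list` output (the sample here is constructed, not captured from a device) and flags entries whose total duration already exceeds the 120-minute auth-timeout, i.e. the entries that only survive because something on the host keeps generating traffic and that a hard-timeout would have removed. The per-entry field layout `duration: <seconds>, idled: <seconds>` is an assumption about the diag output; check it against your own FortiOS version before relying on the regex.

```python
"""
Added example (not part of the forum thread or of FortiOS): parse the output
of `diagnose firewall auth list` and show which authenticated-user entries the
default idle-timeout keeps alive that a hard-timeout would have expired.
Assumptions: the per-entry line reads `duration: <seconds>, idled: <seconds>`
(spacing varies by version, so the regex is tolerant), and the sample output
below is constructed.
"""
import re
from dataclasses import dataclass

# Value from the thread: "Authentication Timeout" = 120 minutes.
AUTH_TIMEOUT_MIN = 120

# Constructed sample of `diagnose firewall auth list` output (not captured from
# a real device).  mlee has been "logged in" for 18 days but is never idle long
# enough to hit the 120-minute idle timeout.
SAMPLE_DIAG_OUTPUT = """\
10.20.30.41, jsmith
        type: fw, id: 0, duration: 1555, idled: 40
        server: LDAP-Campus
        packets: in 812 out 533, bytes: in 93122 out 61240
        group_id: 3
        group_name: LDAP-Students
10.20.30.77, mlee
        type: fw, id: 0, duration: 1555200, idled: 310
        server: LDAP-Campus
        packets: in 99173 out 50012, bytes: in 18223811 out 4431002
        group_id: 3
        group_name: LDAP-Students
----- 2 listed, 0 filtered ------
"""

HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)\s*$")
DETAIL_RE = re.compile(r"duration:\s*(\d+),\s*idled:\s*(\d+)")


@dataclass
class AuthEntry:
    ip: str
    user: str
    duration_s: int  # seconds since the auth entry was created
    idled_s: int     # seconds since the host last sent traffic


def parse_auth_list(text: str) -> list[AuthEntry]:
    """Turn the diag output into AuthEntry records (one per ip/user header)."""
    entries: list[AuthEntry] = []
    ip = user = None
    for raw in text.splitlines():
        # Header lines start at column 0; detail lines are indented.
        if not raw[:1].isspace():
            m = HEADER_RE.match(raw)
            ip, user = (m.group(1), m.group(2)) if m else (None, None)
            continue
        m = DETAIL_RE.search(raw)
        if m and ip is not None:
            entries.append(AuthEntry(ip, user, int(m.group(1)), int(m.group(2))))
            ip = user = None
    return entries


def would_expire(entry: AuthEntry, timeout_type: str,
                 timeout_min: int = AUTH_TIMEOUT_MIN) -> bool:
    """Whether FortiOS would have dropped this entry under the given
    auth-timeout-type.  Only the two types the thread explains are modelled;
    new-session is not, because its semantics are not described there."""
    limit = timeout_min * 60
    if timeout_type == "idle-timeout":
        return entry.idled_s >= limit      # timer resets on every packet
    if timeout_type == "hard-timeout":
        return entry.duration_s >= limit   # timer runs from authentication
    raise ValueError(f"unsupported auth-timeout-type: {timeout_type}")


def stale_entries(entries: list[AuthEntry],
                  timeout_min: int = AUTH_TIMEOUT_MIN) -> list[AuthEntry]:
    """Entries idle-timeout keeps that hard-timeout would have expired: these
    are the ones a later DHCP lessee of the same address could inherit."""
    return [e for e in entries
            if not would_expire(e, "idle-timeout", timeout_min)
            and would_expire(e, "hard-timeout", timeout_min)]


def fmt_duration(seconds: int) -> str:
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


def report(text: str = SAMPLE_DIAG_OUTPUT,
           timeout_min: int = AUTH_TIMEOUT_MIN) -> list[str]:
    """One line per entry, marked STALE when hard-timeout would have expired it."""
    lines = []
    for e in parse_auth_list(text):
        flag = "STALE" if would_expire(e, "hard-timeout", timeout_min) else "ok"
        lines.append(f"{e.ip:<16} {e.user:<10} duration {fmt_duration(e.duration_s):>12} "
                     f"idle {e.idled_s:>5}s  {flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it over the saved output of `diagnose firewall auth list` from your own unit to see which entries a switch to `set auth-timeout-type hard-timeout` would clear; after making the change, the same diag command is the check that the long-lived entries are actually gone.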
aejaz
New Contributor

If the user closes the keepalive page accidentally, the user entry has to be de-authenticated and terminated immediately.