- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Active Directory timeout?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Active Directory timeout?
Hi all,
new to fortigate products.. trying to get web filtering up and running so I can get rid of Websense and simply use the fortigates features. I'm hitting a little problem though.. so I'm using FSSO in polling mode to AD. Its recognizing the users fine, but it seems to be timing out at some point. For example, I have a windows 7 VM that I have using the fortigate as its gateway for testing. I log this machine in as a test user, test the policies, it blocks me to the appropriate sites, etc.. however after a while, it seems to just "forget" about me and won't let me access any sites at all unless I log off/back on. Annoying. Am I timing out? Any way to prevent this from happening or how do you handle? Using a Fortigate 200D
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I logged a call with Fortigate and had an engineer remote in and see that after 8 hours the FSSO logons disappear, they just drop off. So he saw it for himself and then escalated it to another engineer who came back with a solution.
To change the authentication time for FSSO, please change the logon-history to longer time. Below are the commands to change. config user fsso-polling edit <ID> set logon-history <int> (0-48, default is 8) next end
I asked for some more detail of what I was changing and they replied config user fsso-polling edit 1 set logon-history <int> (0-48, default is 8), for the logon-history, it is refer timeout period that you need. default, it is 8 hours. next end So I did this and it all works.
Give it a go.
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont know if its a bug or if thats just the way it is. But I agree, I had the LDAP way setup and it was working pretty well, but the timeout thing is a deal breaker for us. The other "bug" we have with 5.2.2 is that if you use web ssl vpn, and connect to a terminal server, it disconnects you right away from the session. They confirmed it was a bug after sending them logs.
Anyway, you had the DC agents working?? Do tell :) lol..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I logged a call with Fortigate and had an engineer remote in and see that after 8 hours the FSSO logons disappear, they just drop off. So he saw it for himself and then escalated it to another engineer who came back with a solution.
To change the authentication time for FSSO, please change the logon-history to longer time. Below are the commands to change. config user fsso-polling edit <ID> set logon-history <int> (0-48, default is 8) next end
I asked for some more detail of what I was changing and they replied config user fsso-polling edit 1 set logon-history <int> (0-48, default is 8), for the logon-history, it is refer timeout period that you need. default, it is 8 hours. next end So I did this and it all works.
Give it a go.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Talked to a Senior Engineer today and described the problem. He said "Yep, agentless/polling mode is only good for 8 hours" he said he might be able to get it to 10, but thats it. Solution was to use the FSSO Agent with DC agents on the DC's. So far so good, still have to enable Remote Registry service, and the ports, but it seems to be showing users authenticating properly
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
This topic is very interesting. I would like to raise a few points.
Lets not forget the appliance is a security appliance. Being a security appliance its there to enforce security/company security policies.
Depending on what type of industry the client is in, its not a good thing for the firewall to remember logons "forever" sort of speak, its a breach of security. Is the user logged on forever "logon-history hours to keep as an active logon. 0 means keeping forever".
Some clients do not want to install the DC agents on their DC and do not want to open ports on their workstations.
I've found that letting the fortigate poll the DC and explaining to the client that its not wise to have "forever sessions" and force users to re-authenticate as a security measure is not such a bad thing.
The first step would be to establish a company security policy and then work from there.
Any opinions?
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
- « Previous
-
- 1
- 2
- Next »
Related Posts
- ZTNA not working. Help please. 355 Views
- Multiple Site to Site vs Hub... 188 Views
- What are the options for user... 593 Views
- Assigned fortitoken not associated with any... 238 Views
- Fortinac-F WPA2 Enterprise 317 Views
Labels
-
FortiGate
6,581 -
FortiClient
1,310 -
5.2
801 -
5.4
639 -
FortiManager
569 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
245 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
25 -
SD-WAN
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
Certificate
14 -
SAML
13 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
SNMP
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.