Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Vladimir_Ostrovsky
New Contributor

Hard timeout for authenticated Explicit Web Proxy sessions

Good day, I'm using Explicit Web Proxy with Kerberos authentication, as described here. The authentication works, but I noticed that the user session remains active as long as the browser keeps sending requests via the proxy. Only after it delivers no traffic for the period defined by this setting:

config system global
    ...
    set proxy-auth-timeout NN
    ...
end

- only then is the session removed, so that at the next request the authentication process repeats and the list of groups is fetched from LDAP again.


I've set the timeout type to hard:

config user setting
    set auth-timeout 3
    set auth-timeout-type hard-timeout
end

but it seems to be ignored, as is the auth-timeout value (and the authtimeout value at the user group level).

My question is: is it possible to set a hard timeout for Explicit Proxy sessions, so that after some time (say, 10 minutes) the user's group memberships are pulled from LDAP regardless of whether the user's browser is active or not? My FortiGate's firmware version is v5.6.3. Thanks, Vladimir.

Fishbone_FTNT

Hello Vladimir,

Your observation is correct. The user identity is kept as long as the user's IP has an open browser TCP session to the proxy.


There will be more controls for this coming in new FortiOS versions, where you could enforce user reauthentication regardless of user (in)activity. There will also be changes in the detection modes, i.e. how a user is detected as idle. At this time, if there is no session to the proxy, the idle timeout expires.

So I think a better solution is on the way.


Fishbone)(

smithproxy hacker - www.smithproxy.org

Vladimir_Ostrovsky

Fishbone, thank you very much.

FortiKoala
Staff

Please make sure you have the "Keep-alive" option disabled in the Global config. The authentication keepalive page can be disabled with the CLI command:

config system global
    set auth-keepalive disable
end

When enabled, the HTML page will be displayed and the firewall authentication keepalive will prevent sessions from ending when the authentication timeout ends.


This article may help http://kb.fortinet.com/kb....do?externalID=FD37221

Vladimir_Ostrovsky

Thank you, it's disabled (it's the default value, as I understand).
