sinamdar
Article Id 196892
Description

This article explains how a domain user entry is handled by FSAE.


Scope

FSAE


Solution
Scenario: Only FSAE mode of authentication is provided to the users.
 
When a user freshly logs in to a workstation, that user is registered in the FSAE database. Three parameters decide how long this entry remains.
 
1. System idle timeout (user > options > authentication timeout)
 
If the user leaves the session idle and the idle period exceeds this time limit, the established sessions from that workstation are purged. However, the entry under FSAE is still there. Once the user returns, they can access the Internet without re-authenticating, and their entry can be seen by executing the “diag deb authd fsae list” command on the FortiGate.
 
2. Workstation verify interval (FSAE > Timers)
 
At this interval FSAE checks whether the workstation is still reachable on the network using ports 139 and 445. If the workstation responds, it is always listed with an “OK” status. If not, FSAE moves that entry to a “not registered” status. The entry is still available and can be seen under the “fsae list”. Once the user returns, they can access the Internet without re-authenticating.
 
3. Dead entry timeout (FSAE > Timers)

If the workstation is not responding and the “dead entry timeout” is exceeded, FSAE removes the user's authentication record from its database. After this, if the user returns and tries to access the Internet, they cannot. They need to restart the workstation (or log in again) so that FSAE can collect the logon details again.
 
To avoid this, NTLM authentication support can be enabled for the users. If enabled, once users lose their entry on FSAE they are presented with a credential window and can authenticate directly. There is no need to restart or log in again.
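To make the interplay of the three timers concrete, here is an added model of the entry lifecycle described above (example code written for this article, not Fortinet's FSAE implementation). It assumes the dead entry timeout is counted from the last successful workstation check; the IP addresses and timer values used are constructed.

```python
from dataclasses import dataclass

@dataclass
class FsaeEntry:
    user: str
    status: str = "OK"          # "OK" or "not registered", as shown by "diag deb authd fsae list"
    last_seen: float = 0.0      # last time the workstation answered on ports 139/445
    last_verified: float = 0.0  # last time a workstation verify check was run
    last_traffic: float = 0.0   # last traffic through the FortiGate (drives the idle timeout)
    sessions: int = 0           # established firewall sessions for this host

class FsaeDatabase:
    def __init__(self, idle_timeout: float, verify_interval: float, dead_entry_timeout: float):
        self.idle_timeout = idle_timeout
        self.verify_interval = verify_interval
        self.dead_entry_timeout = dead_entry_timeout
        self.entries = {}  # workstation IP -> FsaeEntry

    def login(self, ip: str, user: str, now: float) -> None:
        """Fresh workstation logon: the user is registered in the FSAE database."""
        self.entries[ip] = FsaeEntry(user, "OK", now, now, now, 0)

    def access(self, ip: str, now: float) -> bool:
        """Traffic from ip is allowed only while an FSAE entry exists (no re-auth needed)."""
        e = self.entries.get(ip)
        if e is None:
            return False
        e.sessions += 1
        e.last_traffic = now
        return True

    def tick(self, now: float, reachable: set) -> None:
        """Apply the three timers; `reachable` is the set of IPs answering on 139/445 (assumed)."""
        for ip, e in list(self.entries.items()):
            # 1. System idle timeout: sessions are purged, but the FSAE entry stays.
            if e.sessions and now - e.last_traffic > self.idle_timeout:
                e.sessions = 0
            # 2. Workstation verify interval: poll the host; unreachable -> "not registered".
            if now - e.last_verified >= self.verify_interval:
                e.last_verified = now
                if ip in reachable:
                    e.status, e.last_seen = "OK", now
                else:
                    e.status = "not registered"
            # 3. Dead entry timeout: the record is removed and access is denied until next logon.
            if e.status == "not registered" and now - e.last_seen > self.dead_entry_timeout:
                del self.entries[ip]
```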
