FortiGate
ymorohashi
Staff
Article Id 190539

Description

 

This article describes the meaning of 'admin-console-timeout 0'.

 

The FortiOS Handbook describes the zero value as follows:
'An idle timeout has been added for FortiGate console sessions (admin sessions connecting to a FortiGate console port or USB port).
By default the console timeout is set to 0 and console sessions will never timeout'.
 
The FortiGate CLI offers additional explanations:
'Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout'.

So the console session can still be disconnected even when 'admin-console-timeout 0' is configured.
A value of '0' makes FortiGate fall back to the 'admintimeout' setting.


Solution

 

The expected behavior is as follows. Firstly, '0' means 'admin-console-timeout' is not enabled. In this case, 'admintimeout' is used as a console session idle timer. 
 
In the following configuration:
 
FortiGate # config system global
FortiGate (global) # show full-configuration | grep timeout
    set admin-console-timeout 0 -> This counter is in seconds.
    set admintimeout 1 -> This counter is in minutes.
    set device-idle-timeout 300 -> This counter is in seconds.
    set proxy-auth-timeout 300 -> This counter is in minutes.
    set ldapconntimeout 500 -> This counter is in seconds.
    set remoteauthtimeout 5 -> This counter is in seconds.
 
FortiGate (global) #

'admin-console-timeout' is 0 and 'admintimeout' is configured as 1 minute.

So the console session will be disconnected after 1 minute of idle time, as set by 'admintimeout'.

'admin-console-timeout' is allowed to be configured in the range of 15-300 seconds from the CLI.
 
FortiGate # config system global
FortiGate (global) # show full-configuration | grep timeout
    set admin-console-timeout 20
    set admintimeout 1
    set explicit-proxy-auth-timeout 300
    set ldapconntimeout 500
    set remoteauthtimeout 5

FortiGate (global) #

'admin-console-timeout' is configured as 20 seconds in this example.

The console session idle timer is overridden from 'admintimeout 1 (min)' to 20 seconds.
 

admin-console-timeout -> Enter an integer value from <15> to <300> or (special = <0>).  This counter is in seconds.

 

The 'admin-console-timeout' setting is intended to lower the timeout for a console session to a matter of seconds.

To allow a longer idle period on the console, disable this setting (0); the duration is then given by the 'admintimeout' value, in minutes.


admintimeout -> Enter an integer value from <1> to <480> (default = <5>).  -> This counter is in minutes.
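
An added example (not from the Fortinet article or FortiOS itself): a Python audit helper that applies the precedence described above to captured 'show full-configuration | grep timeout' output and returns the effective console idle timeout in seconds. The sample inputs are constructed, 'max_idle_s' is a hypothetical policy limit, and a setting missing from the capture is assumed to be at the default quoted in the article.

```python
import re

# Ranges and defaults as stated in the article.
CONSOLE_RANGE = range(15, 301)   # admin-console-timeout, seconds (0 = disabled)
ADMIN_RANGE = range(1, 481)      # admintimeout, minutes
DEFAULTS = {"admin-console-timeout": 0, "admintimeout": 5}
SET_RE = re.compile(r"^\s*set\s+(admin-console-timeout|admintimeout)\s+(\d+)\b")


def parse_timeouts(cli_text):
    """Extract the two settings from captured CLI output; trailing notes are ignored."""
    values = dict(DEFAULTS)
    for line in cli_text.splitlines():
        m = SET_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def effective_console_timeout(cli_text):
    """Return (seconds, source setting) for the console idle timer."""
    v = parse_timeouts(cli_text)
    console, admin = v["admin-console-timeout"], v["admintimeout"]
    if console != 0 and console not in CONSOLE_RANGE:
        raise ValueError(f"admin-console-timeout {console} is not 0 or 15-300")
    if admin not in ADMIN_RANGE:
        raise ValueError(f"admintimeout {admin} is not 1-480")
    if console == 0:                          # disabled: admintimeout (minutes) applies
        return admin * 60, "admintimeout"
    return console, "admin-console-timeout"   # overrides admintimeout on the console


def audit(cli_text, max_idle_s=300):
    """Compare the effective timeout with max_idle_s (hypothetical policy limit)."""
    seconds, source = effective_console_timeout(cli_text)
    return {"seconds": seconds, "source": source, "compliant": seconds <= max_idle_s}


# Constructed sample inputs modelled on the two configurations in the article.
SAMPLE_DISABLED = "    set admin-console-timeout 0 -> seconds\n    set admintimeout 1\n"
SAMPLE_OVERRIDE = "    set admin-console-timeout 20\n    set admintimeout 1\n"
SAMPLE_LONG = "    set admintimeout 480\n"   # console setting absent: default 0 assumed

if __name__ == "__main__":
    for name, text in [("disabled", SAMPLE_DISABLED), ("override", SAMPLE_OVERRIDE),
                       ("long", SAMPLE_LONG)]:
        print(name, audit(text))
```
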

 

The units (minutes or seconds) for these values are described here:

Configure global attributes