FortiGate
Jackie_T
Staff
Article Id 189617

Description

This article describes how to configure and verify the timeout for an authenticated user.

The objective is to de-authenticate the user after a specific duration. The user can be a remote user belonging to an LDAP group.

Scope

FortiGate.

Solution

The hard timeout can be set in the CLI:

config user setting
    set auth-timeout x                         <----- The value of 'x' here is in minutes.
    set auth-timeout-type hard-timeout         <----- Make sure to select the type as hard-timeout.
end


If the user belongs to a group, the group's timeout is applied instead of the global one.

Group configuration:

config user group
    edit "LDAPGroup"
        set authtimeout y                      <----- The value of 'y' here is in minutes.
        set member "LDAPServer"
        config match
            edit 1
                set server-name "LDAPServer"
                set group-name "CN=Domain Users,CN=Users,DC=abc,DC=com"
            next
        end
    next
end


To verify the timeout settings, run the following command:

diag firewall auth list

Sample output:

Wira-kvm17 # diag firewall auth list
10.204.xx.xxx, isaac, LDAPGroup
        src_mac: 00:49:72:xx:xx:xx
        type: fw, id: 0, duration: 8, idled: 1
        expire: 52  <<<< how long before the user session expires
        flag(4): hard   <<<< timeout type
        server: LDAPServer
        packets: in 586 out 481, bytes: in 297789 out 122415
        group_id: 2
        group_name: LDAPGroup

 

Total allowed login time = duration + expire.
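The following Python script is an added example, not part of the Fortinet article or of FortiOS itself. It parses 'diag firewall auth list' output, applies the article's formula (total allowed login time = duration + expire) and checks each session against the configured timeouts, using the precedence the article describes: a group's 'authtimeout' overrides the global 'auth-timeout'. It goes slightly beyond the article by handling several sessions at once and by flagging sessions whose lifetime does not match the expected value, which is how an administrator can spot a group timeout that is not actually being applied. Assumptions: 'duration' and 'expire' are counted in seconds (the article's 8 + 52 = 60 fits a 1-minute timeout), the configured values x = 5 and y = 1 are constructed, and the sample output is constructed, modelled on the article's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed configuration mirroring the article's two CLI blocks (values assumed):
#   config user setting: set auth-timeout x / set auth-timeout-type hard-timeout
#   config user group:   set authtimeout y   (overrides the global value for that group)
GLOBAL_TIMEOUT_MIN = 5                                 # assumed 'x', in minutes
GLOBAL_TIMEOUT_TYPE = "hard"                           # flag shown for hard-timeout
GROUP_TIMEOUT_MIN: Dict[str, int] = {"LDAPGroup": 1}   # assumed 'y', in minutes

# Constructed sample, modelled on the 'diag firewall auth list' output in the article.
SAMPLE_OUTPUT = """\
Wira-kvm17 # diag firewall auth list
10.204.10.11, isaac, LDAPGroup
        src_mac: 00:49:72:00:00:01
        type: fw, id: 0, duration: 8, idled: 1
        expire: 52
        flag(4): hard
        server: LDAPServer
        group_name: LDAPGroup
10.204.10.12, user2, LDAPGroup
        src_mac: 00:49:72:00:00:02
        type: fw, id: 0, duration: 240, idled: 0
        expire: 60
        flag(4): hard
        server: LDAPServer
        group_name: LDAPGroup
10.204.10.13, carol, VPNGroup
        src_mac: 00:49:72:00:00:03
        type: fw, id: 0, duration: 100, idled: 5
        expire: 200
        flag(4): hard
        server: LDAPServer
        group_name: VPNGroup
"""


@dataclass
class AuthSession:
    ip: str
    user: str
    group: str
    duration: int   # seconds the user has been authenticated (assumed unit)
    expire: int     # seconds until the session is removed (assumed unit)
    flag: str       # 'hard' or 'idle', from the flag(...) line

    @property
    def total_allowed(self) -> int:
        # The article's formula: total allowed login time = duration + expire
        return self.duration + self.expire


# Session header line: "<ip>, <user>, <group>"; indented lines carry the details.
HEADER_RE = re.compile(r"^(?P<ip>[\d.]+), (?P<user>[^,]+), (?P<group>.*)$")
KV_RE = re.compile(r"(duration|expire|idled): (\d+)")
FLAG_RE = re.compile(r"flag\(\d+\): (\w+)")


def parse_auth_list(text: str) -> List[AuthSession]:
    """Parse 'diag firewall auth list' output into one AuthSession per user."""
    sessions: List[AuthSession] = []
    current: Optional[dict] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            if current:
                sessions.append(AuthSession(**current))
            current = {**header.groupdict(), "duration": 0, "expire": 0, "flag": ""}
            continue
        if current is None:          # prompt line or anything before the first session
            continue
        for key, value in KV_RE.findall(line):
            if key != "idled":       # idled is not part of the lifetime calculation
                current[key] = int(value)
        flag = FLAG_RE.search(line)
        if flag:
            current["flag"] = flag.group(1)
    if current:
        sessions.append(AuthSession(**current))
    return sessions


def expected_timeout_seconds(session: AuthSession) -> int:
    """Group timeout wins when the user's group has one; otherwise the global value applies."""
    return GROUP_TIMEOUT_MIN.get(session.group, GLOBAL_TIMEOUT_MIN) * 60


def check_sessions(sessions: List[AuthSession]) -> List[str]:
    """Return one finding per session whose timeout type or lifetime does not match the config."""
    findings: List[str] = []
    for s in sessions:
        expected = expected_timeout_seconds(s)
        if s.flag != GLOBAL_TIMEOUT_TYPE:
            findings.append(f"{s.user}@{s.ip}: flag '{s.flag}', configured type '{GLOBAL_TIMEOUT_TYPE}'")
        elif s.flag == "hard" and s.total_allowed != expected:
            # With a hard timeout, duration + expire stays constant for the session's life.
            findings.append(f"{s.user}@{s.ip}: duration+expire={s.total_allowed}s, expected {expected}s")
        elif s.flag == "idle" and s.expire > expected:
            findings.append(f"{s.user}@{s.ip}: expire={s.expire}s exceeds idle timeout {expected}s")
    return findings


if __name__ == "__main__":
    for finding in check_sessions(parse_auth_list(SAMPLE_OUTPUT)):
        print("MISMATCH:", finding)
```

In the constructed sample, isaac's session (8 + 52 = 60 s) matches the 1-minute group timeout, carol's group has no timeout of its own so the global 5 minutes (300 s) applies and matches, while user2's 240 + 60 = 300 s shows a session in LDAPGroup that is running on the global value rather than the group's, which is the kind of discrepancy worth checking after changing 'authtimeout'.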

 

For example:

After user2 authenticates to the FortiGate, the expire value counts down to 0; once it reaches 0, user2 must authenticate again in the web browser:

[Screenshots 1.PNG, 2.png, 3.png]


Useful commands:

diagnose firewall auth filter

clear                                            <----- Clear all filters.
source                                           <----- IPv4 source address.
source6                                          <----- IPv6 source address.
policy                                           <----- Policy ID.
user                                             <----- User name.
group                                            <----- Group name.
method                                           <----- Authentication method.