Created on 06-11-2020 02:01 AM Edited on 11-23-2021 08:26 AM By Anonymous
Description
This article describes the behavior of 'auth-timeout' when firewall users belong to multiple user groups.
Solution
Use case:
- Global 'authtimeout' value is 5 minutes.
- Group A is configured with authtimeout value of 1 minute.
- Group B is configured with authtimeout value of 10 minutes.
- User 1Group is a member of Group A.
- User 2Group is a member of Group A and Group B.
- When user 1Group gets authenticated, the user inherits the timeout value of 1 minute (60 seconds).
- When user 2Group gets authenticated, the user inherits the global timeout value of 5 minutes.
# diag firewall auth list
10.158.0.222, 1Group
src_mac: 00:49:72:69:1a:01
type: fw, id: 0, duration: 6, idled: 1
expire: 59, allow-idle: 60
packets: in 274 out 236, bytes: in 206428 out 31982
user_id: 16777218
group_id: 2
group_name: GroupA
10.158.0.222, 2Group
src_mac: 00:49:72:69:1a:01
type: fw, id: 0, duration: 3, idled: 0
expire: 300, allow-idle: 300
packets: in 1831 out 708, bytes: in 2608200 out 46472
user_id: 16777219
group_id: 2 3
group_name: GroupA GroupB
Expected behavior:
- If authtimeout=0 on both the user and the user group, auth-timeout is the global value from 'user setting'.
- If authtimeout is non-zero on the user group and authtimeout=0 on the user, auth-timeout is the value from the user group.
- If authtimeout is non-zero on the user group, authtimeout=0 on the user, and the user is a member of multiple user groups, auth-timeout is the global value from 'user setting'.
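The following added example (not part of the article or of FortiOS) models the three rules above as a function, parses a constructed sample of 'diag firewall auth list' output shaped like the one in the use case, and checks that each session's allow-idle matches the predicted timeout. The group and global timeout values are taken from the use case; the per-user authtimeout case is not documented here, so the model refuses it rather than guessing.

```python
import re

# Constructed from the article's use case: global 5 min, GroupA 1 min, GroupB 10 min.
GLOBAL_AUTHTIMEOUT = 300
GROUP_AUTHTIMEOUT = {"GroupA": 60, "GroupB": 600}

# Constructed sample of 'diag firewall auth list' output, reduced to the fields used here.
DIAG_OUTPUT = """\
10.158.0.222, 1Group
    expire: 59, allow-idle: 60
    group_name: GroupA
10.158.0.222, 2Group
    expire: 300, allow-idle: 300
    group_name: GroupA GroupB
"""

def effective_authtimeout(user_timeout, groups, group_timeouts, global_timeout):
    """Model of the article's 'Expected behavior' rules; returns seconds."""
    if user_timeout:
        # The article only covers authtimeout=0 on the user object.
        raise ValueError("per-user authtimeout is not covered by the documented rules")
    configured = [group_timeouts.get(g, 0) for g in groups]
    if all(t == 0 for t in configured):
        return global_timeout   # rule 1: no group value set -> global 'user setting'
    if len(groups) == 1:
        return configured[0]    # rule 2: single group with a value -> group value
    return global_timeout       # rule 3: member of several groups -> global value

def parse_auth_list(text):
    """Extract user, allow-idle and group names from each entry of the diag output."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+), (\S+)$", line)
        if m:  # an unindented 'ip, user' line starts a new entry
            current = {"ip": m.group(1), "user": m.group(2), "groups": []}
            entries.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"allow-idle: (\d+)", line)
        if m:
            current["allow_idle"] = int(m.group(1))
        m = re.match(r"\s*group_name: (.+)$", line)
        if m:
            current["groups"] = m.group(1).split()
    return entries

def check_auth_list(text, group_timeouts=GROUP_AUTHTIMEOUT, global_timeout=GLOBAL_AUTHTIMEOUT):
    """Map user -> (observed allow-idle, predicted timeout, match?)."""
    results = {}
    for e in parse_auth_list(text):
        expected = effective_authtimeout(0, e["groups"], group_timeouts, global_timeout)
        results[e["user"]] = (e["allow_idle"], expected, e["allow_idle"] == expected)
    return results
```

Running check_auth_list(DIAG_OUTPUT) reports 1Group at 60 seconds and 2Group at the global 300 seconds, matching the use case; a mismatch for a real session points at a group or global setting that differs from what was assumed.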