FortiGate
jstan
Staff
Article Id 198436

Description
This article describes the behavior of 'auth-timeout' when a firewall user belongs to multiple user groups.

Solution
Use case:
- The global 'authtimeout' value (under 'config user setting') is 5 minutes.
- Group A is configured with an authtimeout value of 1 minute.
- Group B is configured with an authtimeout value of 10 minutes.
- User 1Group is a member of Group A only.
- User 2Group is a member of both Group A and Group B.
- When user 1Group authenticates, the session inherits the timeout value of 1 minute (60 seconds) from Group A.
- When user 2Group authenticates, the session inherits the global timeout value of 5 minutes (300 seconds), not the value of either group.

# diag firewall auth list
10.158.0.222, 1Group
        src_mac: 00:49:72:69:1a:01
        type: fw, id: 0, duration: 6, idled: 1
        expire: 59, allow-idle: 60
        packets: in 274 out 236, bytes: in 206428 out 31982
        user_id: 16777218
        group_id: 2
        group_name: GroupA

10.158.0.222, 2Group
        src_mac: 00:49:72:69:1a:01
        type: fw, id: 0, duration: 3, idled: 0
        expire: 300, allow-idle: 300
        packets: in 1831 out 708, bytes: in 2608200 out 46472
        user_id: 16777219
        group_id: 2 3
        group_name: GroupA GroupB

Expected behavior:
- If authtimeout=0 on both the user and the user group, auth-timeout is the global value from 'user setting'.
- If authtimeout is non-zero on the user group and authtimeout=0 on the user, auth-timeout is the value from that user group.
- If authtimeout is non-zero on the user groups and authtimeout=0 on the user, and the user is a member of multiple user groups, auth-timeout is the global value from 'user setting'.
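The precedence rules above, as an added example (not part of the article and not Fortinet code): a small resolver for the effective timeout of a user whose own authtimeout is 0, plus a check that parses 'diag firewall auth list' output and compares 'allow-idle' with the value the rules predict. The group names, timeout values and sample output are constructed from the use case in this article; the per-user authtimeout override is not modeled because the article does not describe it.

```python
"""Resolve the effective FortiGate auth-timeout and audit auth-list output."""
import re

GLOBAL_AUTHTIMEOUT = 5                            # 'config user setting', minutes (from the use case)
GROUP_AUTHTIMEOUT = {"GroupA": 1, "GroupB": 10}   # per-group authtimeout, minutes (0 = unset)


def effective_auth_timeout(group_names, global_timeout=GLOBAL_AUTHTIMEOUT,
                           group_timeouts=GROUP_AUTHTIMEOUT):
    """Effective auth-timeout in minutes for a user whose own authtimeout is 0.

    Rule 3: membership in more than one group falls back to the global value.
    Rule 2: a single group with a non-zero authtimeout supplies the value.
    Rule 1: otherwise (group value 0 or group unknown) the global value applies.
    """
    if len(group_names) != 1:
        return global_timeout
    group_value = group_timeouts.get(group_names[0], 0)
    return group_value if group_value else global_timeout


# Constructed sample of 'diag firewall auth list' output, mirroring the article's use case.
SAMPLE_AUTH_LIST = """\
10.158.0.222, 1Group
        src_mac: 00:49:72:69:1a:01
        type: fw, id: 0, duration: 6, idled: 1
        expire: 59, allow-idle: 60
        group_id: 2
        group_name: GroupA

10.158.0.222, 2Group
        src_mac: 00:49:72:69:1a:01
        type: fw, id: 0, duration: 3, idled: 0
        expire: 300, allow-idle: 300
        group_id: 2 3
        group_name: GroupA GroupB
"""


def parse_auth_list(text):
    """Return [(user, [group, ...], allow_idle_seconds)] for each session block."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        user = block.splitlines()[0].split(",", 1)[1].strip()
        allow_idle = int(re.search(r"allow-idle:\s*(\d+)", block).group(1))
        groups = re.search(r"group_name:\s*(.+)", block).group(1).split()
        sessions.append((user, groups, allow_idle))
    return sessions


def audit(text):
    """Map user -> (expected_seconds, observed_allow_idle, matches) for each session."""
    report = {}
    for user, groups, allow_idle in parse_auth_list(text):
        expected = effective_auth_timeout(groups) * 60
        report[user] = (expected, allow_idle, expected == allow_idle)
    return report
```

Running audit(SAMPLE_AUTH_LIST) reproduces the article: 1Group is expected at 60 seconds and 2Group at 300 seconds, and a mismatch flags a session whose timeout does not follow the documented precedence.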
