Fortinet black logo

Administration Guide

User and user group timeouts

Authenticated user groups can have timeout values per group in addition to FortiGate-wide timeouts. Three types of group timeouts can be configured: idle, hard, and session. These are in addition to any external timeouts, such as those on RADIUS servers.

To configure the timeout type for authenticated users:
config user setting
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set auth-timeout <integer>
end

Timeouts are measured in minutes (1 - 1440, default = 5). If VDOMs are enabled, the global level auth-timeout user setting is the default all VDOMs inherit.

Timeout type

Description

Idle

This is the default setting. The idle timer starts when a user initiates a session. As long as data is transferred in this session, the timer continually resets. If the data flow stops, the timer is allowed to advance until it reaches its limit. When the user has been idle for too long, the user must re-authenticate before traffic is allowed to continue in that session.

Hard

The hard timer starts when a user initiates a session. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any events.

Session

The session timer starts when a user initiates a session. When the timeout is reached, existing sessions may continue. New sessions are not allowed until the user re-authenticates. This timeout is not affected by any events.

To configure the authentication timeout for a user group:
config user group
    edit <name>
        set authtimeout <integer>
    next
end

Timeouts are measured in minutes (0 - 43200). A value of zero (the default) means the global timeout is used.

Note

If a user belongs to multiple RADIUS groups, the group authtimeout values are ignored. The global auth-timeout value is used instead (under config user setting).

Authenticated user groups can have timeout values per group in addition to FortiGate-wide timeouts. Three types of group timeouts can be configured: idle, hard, and session. These are in addition to any external timeouts, such as those on RADIUS servers.

To configure the timeout type for authenticated users:
config user setting
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set auth-timeout <integer>
end

Timeouts are measured in minutes (1 - 1440, default = 5). If VDOMs are enabled, the global level auth-timeout user setting is the default all VDOMs inherit.

Timeout type

Description

Idle

This is the default setting. The idle timer starts when a user initiates a session. As long as data is transferred in this session, the timer continually resets. If the data flow stops, the timer is allowed to advance until it reaches its limit. When the user has been idle for too long, the user must re-authenticate before traffic is allowed to continue in that session.

Hard

The hard timer starts when a user initiates a session. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any events.

Session

The session timer starts when a user initiates a session. When the timeout is reached, existing sessions may continue. New sessions are not allowed until the user re-authenticates. This timeout is not affected by any events.

To configure the authentication timeout for a user group:
config user group
    edit <name>
        set authtimeout <integer>
    next
end

Timeouts are measured in minutes (0 - 43200). A value of zero (the default) means the global timeout is used.

Note

If a user belongs to multiple RADIUS groups, the group authtimeout values are ignored. The global auth-timeout value is used instead (under config user setting).