Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.9 Administration Guide
    7.2.9
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Authentication settings

    Authentication settings

    General authentication settings include:

    Only some of the settings can be configured in the GUI.

    To configure authentication settings in the GUI:

    1. Go to User & Authentication > Authentication Settings.

    2. Configure the following settings:

      Setting

      Description

      Authentication Timeout

      Enter the desired timeout, in minutes, from 1 to 1440 (24 hours). The default time is 5 minutes. Only idle timeout can be configured in the GUI.

      Protocol support

      Select the protocols to challenge during firewall user authentication.

      HTTP redirect

      Redirect HTTP challenge to a secure channel (HTTPS). This option is only available if HTTP is selected in the Protocol Support options.

      Certificate

      Select the local certificate to use for authentication.

    3. Click OK.

    Timeout

    Authenticated users and user groups can have timeout values per user or group, in addition to FortiGate-wide timeouts. Three types of user timeouts can be configured:

    Timeout type

    Description

    Idle

    The idle timer starts when a user initiates a session. As long as data are transferred in this session, the timer continually resets. If the data flow stops, the timer is allowed to advance until it reaches its limit. When the user has been idle for too long, they must re‑authenticate before traffic is allowed to continue in that session.

    This is the default setting. It can be configured in the GUI and CLI.

    Hard

    The hard timer starts when a user initiates a session. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any events.

    This setting can be configured in the CLI.

    Session

    The session timer starts when a user initiates a session. When the timeout is reached, existing sessions may continue. New sessions are not allowed until the user re-authenticates. This timeout is not affected by any events.

    This setting can be configured in the CLI.

    The authentication timeout time is configured in minutes. The default is five minutes. If VDOMs are enabled, the global level auth-timeout user setting is the default that all VDOMs inherit. If the timeout time is set to zero,

    To configure timeout for authenticated users:
    config user setting
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set auth-timeout <integer>
end
    To configure the authentication timeout for a user group:
    config user group
    edit <name>
        set authtimeout <integer>
    next
end

    If the group timeout time is zero (the default) or the user belongs to multiple RADIUS groups, then the user group timeout values are ignored and the global user timeout value is used.

    Protocols

    When you enable user authentication within a security policy, the authentication challenge is normally issued for any of four protocols, depending on the connection protocol:

    • HTTP (you can set this to redirect to HTTPS)
    • HTTPS
    • FTP
    • Telnet

    The selected protocols control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a protocol support method, it allows the user to authenticate with a customized local certificate.

    When you enable user authentication within a security policy, FortiOS challenges the security policy user to authenticate. For user ID and password authentication, the user must provide their username and password. For certificate authentication (HTTPS, or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the user can also install customized certificates on their browser. Otherwise, users see a warning message and must accept a default Fortinet certificate. The network user's web browser may deem the default certificate invalid.

    Enable auth-secure-http to redirect HTTP challenges to a secure channel. Enable auth-ssl-allow-renegotiation to allow SSL re-negotiation for HTTPS authentication.

    Enable auth-http-basic to use HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of an authentication web page. Some basic web browsers, such as those on older mobile devices, may only support HTTP basic authentication.

    FTP and Telnet authentication replacement messages cannot be customized.

    To configure the protocols to challenge during firewall user authentication:
    config user setting
    set auth-type {http https ftp telnet}
    set auth-secure-http {enable | disable}
    set auth-http-basic {enable | disable}
    set auth-ssl-allow-renegotiation  {enable | disable}
end

    Certificates

    Configure the HTTPS certificate and CA certificate to use for policy authentication.

    To configure certificates for policy authentication:
    config user setting
    set auth-cert <certificate>
    set auth-ca-cert <CA certificate>
end

    Lockouts

    Failed log in attempts can indicate malicious attempts to gain access to your network. To prevent this security risk, you can limit the number of failed log in attempts. After the configured maximum number of failed log in attempts is reached (1 - 10, default = 3), access to the account is blocked for the configured lockout duration (0 - 4294967295 seconds, default = 0)

    To configure the maximum failed log in attempts and the lockout duration:
    config user setting
    set auth-lockout-threshold <integer>
    set auth-lockout-duration <integer>
end

    Authentication policy extensions

    By default, unauthenticated traffic is permitted to fall to the next policy. This means that unauthenticated users are only forced to authenticate against a policy when there are no other matching policies. To avoid this, you can force authentication to always take place.

    To set that authentication requirement:
    config user setting
    set auth-on-demand {always | implicitly}
end

    Where:

    always

    Always trigger firewall authentication on demand.

    implicitly

    Implicitly trigger firewall authentication on demand. This is the default setting (and the behavior in FortiOS 6.0 and earlier).

    In the following example, authentication is required; traffic that would otherwise be allowed by the second policy is instead blocked by the first policy.

    To use forced authentication:
    config user setting
    set auth-on-demand always
end
    config firewall policy
    edit 1
        set name "QA to Database"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "Database"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set groups "qa_group"
        set nat enable
    next
    edit 2
        set name "QA to Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
    Previous
    Next

    Authentication settings

    Authentication settings

    General authentication settings include:

    Only some of the settings can be configured in the GUI.

    To configure authentication settings in the GUI:

    1. Go to User & Authentication > Authentication Settings.

    2. Configure the following settings:

      Setting

      Description

      Authentication Timeout

      Enter the desired timeout, in minutes, from 1 to 1440 (24 hours). The default time is 5 minutes. Only idle timeout can be configured in the GUI.

      Protocol support

      Select the protocols to challenge during firewall user authentication.

      HTTP redirect

      Redirect HTTP challenge to a secure channel (HTTPS). This option is only available if HTTP is selected in the Protocol Support options.

      Certificate

      Select the local certificate to use for authentication.

    3. Click OK.

    Timeout

    Authenticated users and user groups can have timeout values per user or group, in addition to FortiGate-wide timeouts. Three types of user timeouts can be configured:

    Timeout type

    Description

    Idle

    The idle timer starts when a user initiates a session. As long as data are transferred in this session, the timer continually resets. If the data flow stops, the timer is allowed to advance until it reaches its limit. When the user has been idle for too long, they must re‑authenticate before traffic is allowed to continue in that session.

    This is the default setting. It can be configured in the GUI and CLI.

    Hard

    The hard timer starts when a user initiates a session. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any events.

    This setting can be configured in the CLI.

    Session

    The session timer starts when a user initiates a session. When the timeout is reached, existing sessions may continue. New sessions are not allowed until the user re-authenticates. This timeout is not affected by any events.

    This setting can be configured in the CLI.

    The authentication timeout time is configured in minutes. The default is five minutes. If VDOMs are enabled, the global level auth-timeout user setting is the default that all VDOMs inherit. If the timeout time is set to zero,

    To configure timeout for authenticated users:
    config user setting
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set auth-timeout <integer>
end
    To configure the authentication timeout for a user group:
    config user group
    edit <name>
        set authtimeout <integer>
    next
end

    If the group timeout time is zero (the default) or the user belongs to multiple RADIUS groups, then the user group timeout values are ignored and the global user timeout value is used.

    Protocols

    When you enable user authentication within a security policy, the authentication challenge is normally issued for any of four protocols, depending on the connection protocol:

    • HTTP (you can set this to redirect to HTTPS)
    • HTTPS
    • FTP
    • Telnet

    The selected protocols control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a protocol support method, it allows the user to authenticate with a customized local certificate.

    When you enable user authentication within a security policy, FortiOS challenges the security policy user to authenticate. For user ID and password authentication, the user must provide their username and password. For certificate authentication (HTTPS, or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the user can also install customized certificates on their browser. Otherwise, users see a warning message and must accept a default Fortinet certificate. The network user's web browser may deem the default certificate invalid.

    Enable auth-secure-http to redirect HTTP challenges to a secure channel. Enable auth-ssl-allow-renegotiation to allow SSL re-negotiation for HTTPS authentication.

    Enable auth-http-basic to use HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of an authentication web page. Some basic web browsers, such as those on older mobile devices, may only support HTTP basic authentication.

    FTP and Telnet authentication replacement messages cannot be customized.

    To configure the protocols to challenge during firewall user authentication:
    config user setting
    set auth-type {http https ftp telnet}
    set auth-secure-http {enable | disable}
    set auth-http-basic {enable | disable}
    set auth-ssl-allow-renegotiation  {enable | disable}
end

    Certificates

    Configure the HTTPS certificate and CA certificate to use for policy authentication.

    To configure certificates for policy authentication:
    config user setting
    set auth-cert <certificate>
    set auth-ca-cert <CA certificate>
end

    Lockouts

    Failed log in attempts can indicate malicious attempts to gain access to your network. To prevent this security risk, you can limit the number of failed log in attempts. After the configured maximum number of failed log in attempts is reached (1 - 10, default = 3), access to the account is blocked for the configured lockout duration (0 - 4294967295 seconds, default = 0)

    To configure the maximum failed log in attempts and the lockout duration:
    config user setting
    set auth-lockout-threshold <integer>
    set auth-lockout-duration <integer>
end

    Authentication policy extensions

    By default, unauthenticated traffic is permitted to fall to the next policy. This means that unauthenticated users are only forced to authenticate against a policy when there are no other matching policies. To avoid this, you can force authentication to always take place.

    To set that authentication requirement:
    config user setting
    set auth-on-demand {always | implicitly}
end

    Where:

    always

    Always trigger firewall authentication on demand.

    implicitly

    Implicitly trigger firewall authentication on demand. This is the default setting (and the behavior in FortiOS 6.0 and earlier).

    In the following example, authentication is required; traffic that would otherwise be allowed by the second policy is instead blocked by the first policy.

    To use forced authentication:
    config user setting
    set auth-on-demand always
end
    config firewall policy
    edit 1
        set name "QA to Database"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "Database"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set groups "qa_group"
        set nat enable
    next
    edit 2
        set name "QA to Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
    Previous
    Next