Authentication settings
General authentication settings include:
Only some of the settings can be configured in the GUI.
To configure authentication settings in the GUI:
-
Go to User & Authentication > Authentication Settings.
-
Configure the following settings:
Setting
Description
Authentication Timeout
Enter the desired timeout, in minutes, from 1 to 1440 (24 hours). The default time is 5 minutes. Only idle timeout can be configured in the GUI.
Protocol support
Select the protocols to challenge during firewall user authentication.
HTTP redirect
Redirect HTTP challenge to a secure channel (HTTPS). This option is only available if HTTP is selected in the Protocol Support options.
Certificate
Select the local certificate to use for authentication.
-
Click OK.
Timeout
Authenticated users and user groups can have timeout values per user or group, in addition to FortiGate-wide timeouts. Three types of user timeouts can be configured:
Timeout type |
Description |
---|---|
Idle |
The idle timer starts when a user initiates a session. As long as data are transferred in this session, the timer continually resets. If the data flow stops, the timer is allowed to advance until it reaches its limit. When the user has been idle for too long, they must re‑authenticate before traffic is allowed to continue in that session. This is the default setting. It can be configured in the GUI and CLI. |
Hard |
The hard timer starts when a user initiates a session. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any events. This setting can be configured in the CLI. |
Session |
The session timer starts when a user initiates a session. When the timeout is reached, existing sessions may continue. New sessions are not allowed until the user re-authenticates. This timeout is not affected by any events. This setting can be configured in the CLI. |
The authentication timeout time is configured in minutes. The default is five minutes. If VDOMs are enabled, the global level auth-timeout
user setting is the default that all VDOMs inherit. If the timeout time is set to zero,
To configure timeout for authenticated users:
config user setting set auth-timeout-type {idle-timeout | hard-timeout | new-session} set auth-timeout <integer> end
To configure the authentication timeout for a user group:
config user group edit <name> set authtimeout <integer> next end
If the group timeout time is zero (the default) or the user belongs to multiple RADIUS groups, then the user group timeout values are ignored and the global user timeout value is used.
Preserve authentication sessions after reboot
FortiGate models with a log disk can preserve authentication sessions a firewall reboot. This eliminates the need to reauthenticate after rebooting.
When session authentication backup is enabled, authenticated sessions are backed up at the configured interval. By default, session authentication backup is disabled.
config system global set auth-session-auto-backup {enable | disable} set auth-session-auto-backup-interval {1min | 5min | 15min | 30min | 1hr} end
To configure authentication session backup:
-
Enable authentication backup and specify a backup interval.
In this example, authentication backup runs every minute.
config system global set auth-session-auto-backup enable set auth-session-auto-backup-interval 1min end
Protocols
When you enable user authentication within a security policy, the authentication challenge is normally issued for any of four protocols, depending on the connection protocol:
- HTTP (you can set this to redirect to HTTPS)
- HTTPS
- FTP
- Telnet
The selected protocols control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a protocol support method, it allows the user to authenticate with a customized local certificate.
When you enable user authentication within a security policy, FortiOS challenges the security policy user to authenticate. For user ID and password authentication, the user must provide their username and password. For certificate authentication (HTTPS, or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the user can also install customized certificates on their browser. Otherwise, users see a warning message and must accept a default Fortinet certificate. The network user's web browser may deem the default certificate invalid.
Enable auth-secure-http
to redirect HTTP challenges to a secure channel. Enable auth-ssl-allow-renegotiation
to allow SSL re-negotiation for HTTPS authentication.
Enable auth-http-basic
to use HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of an authentication web page. Some basic web browsers, such as those on older mobile devices, may only support HTTP basic authentication.
FTP and Telnet authentication replacement messages cannot be customized.
To configure the protocols to challenge during firewall user authentication:
config user setting set auth-type {http https ftp telnet} set auth-secure-http {enable | disable} set auth-http-basic {enable | disable} set auth-ssl-allow-renegotiation {enable | disable} end
Certificates
Configure the HTTPS certificate and CA certificate to use for policy authentication.
To configure certificates for policy authentication:
config user setting set auth-cert <certificate> set auth-ca-cert <CA certificate> end
Lockouts
Failed log in attempts can indicate malicious attempts to gain access to your network. To prevent this security risk, you can limit the number of failed log in attempts. After the configured maximum number of failed log in attempts is reached (1 - 10, default = 3), access to the account is blocked for the configured lockout duration (0 - 4294967295 seconds, default = 0)
To configure the maximum failed log in attempts and the lockout duration:
config user setting set auth-lockout-threshold <integer> set auth-lockout-duration <integer> end
Authentication policy extensions
By default, unauthenticated traffic is permitted to fall to the next policy. This means that unauthenticated users are only forced to authenticate against a policy when there are no other matching policies. To avoid this, you can force authentication to always take place.
To set that authentication requirement:
config user setting set auth-on-demand {always | implicitly} end
Where:
|
Always trigger firewall authentication on demand. |
|
Implicitly trigger firewall authentication on demand. This is the default setting (and the behavior in FortiOS 6.0 and earlier). |
In the following example, authentication is required; traffic that would otherwise be allowed by the second policy is instead blocked by the first policy.
To use forced authentication:
config user setting set auth-on-demand always end
config firewall policy edit 1 set name "QA to Database" set srcintf "port10" set dstintf "port9" set srcaddr "QA_subnet" set dstaddr "Database" set action accept set schedule "always" set service "ALL" set fsso disable set groups "qa_group" set nat enable next edit 2 set name "QA to Internet" set srcintf "port10" set dstintf "port9" set srcaddr "QA_subnet" set dstaddr "all" set action accept set schedule "always" set service "ALL" set fsso disable set nat enable next end