Fortinet white logo
Fortinet white logo

Administration Guide

Authentication settings

Authentication settings

General authentication settings include:

Only some of the settings can be configured in the GUI.

To configure authentication settings in the GUI:
  1. Go to User & Authentication > Authentication Settings.

  2. Configure the following settings:

    Setting

    Description

    Authentication Timeout

    Enter the desired timeout, in minutes, from 1 to 1440 (24 hours). The default time is 5 minutes. Only idle timeout can be configured in the GUI.

    Protocol support

    Select the protocols to challenge during firewall user authentication.

    HTTP redirect

    Redirect HTTP challenge to a secure channel (HTTPS). This option is only available if HTTP is selected in the Protocol Support options.

    Certificate

    Select the local certificate to use for authentication.

  3. Click OK.

Timeout

Authenticated users and user groups can have timeout values per user or group, in addition to FortiGate-wide timeouts. Three types of user timeouts can be configured:

Timeout type

Description

Idle

The idle timer starts when a user initiates a session. As long as data are transferred in this session, the timer continually resets. If the data flow stops, the timer is allowed to advance until it reaches its limit. When the user has been idle for too long, they must re‑authenticate before traffic is allowed to continue in that session.

This is the default setting. It can be configured in the GUI and CLI.

Hard

The hard timer starts when a user initiates a session. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any events.

This setting can be configured in the CLI.

Session

The session timer starts when a user initiates a session. When the timeout is reached, existing sessions may continue. New sessions are not allowed until the user re-authenticates. This timeout is not affected by any events.

This setting can be configured in the CLI.

The authentication timeout time is configured in minutes. The default is five minutes. If VDOMs are enabled, the global level auth-timeout user setting is the default that all VDOMs inherit. If the timeout time is set to zero,

To configure timeout for authenticated users:
config user setting
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set auth-timeout <integer>
end
To configure the authentication timeout for a user group:
config user group
    edit <name>
        set authtimeout <integer>
    next
end

If the group timeout time is zero (the default) or the user belongs to multiple RADIUS groups, then the user group timeout values are ignored and the global user timeout value is used.

Preserve authentication sessions after reboot

FortiGate models with a log disk can preserve authentication sessions a firewall reboot. This eliminates the need to reauthenticate after rebooting.

When session authentication backup is enabled, authenticated sessions are backed up at the configured interval. By default, session authentication backup is disabled.

config system global
    set auth-session-auto-backup {enable | disable}
    set auth-session-auto-backup-interval {1min | 5min | 15min | 30min | 1hr}
end
To configure authentication session backup:
  1. Enable authentication backup and specify a backup interval.

    In this example, authentication backup runs every minute.

    config system global
        set auth-session-auto-backup enable
        set auth-session-auto-backup-interval 1min
    end

Protocols

When you enable user authentication within a security policy, the authentication challenge is normally issued for any of four protocols, depending on the connection protocol:

  • HTTP (you can set this to redirect to HTTPS)
  • HTTPS
  • FTP
  • Telnet

The selected protocols control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a protocol support method, it allows the user to authenticate with a customized local certificate.

When you enable user authentication within a security policy, FortiOS challenges the security policy user to authenticate. For user ID and password authentication, the user must provide their username and password. For certificate authentication (HTTPS, or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the user can also install customized certificates on their browser. Otherwise, users see a warning message and must accept a default Fortinet certificate. The network user's web browser may deem the default certificate invalid.

Enable auth-secure-http to redirect HTTP challenges to a secure channel. Enable auth-ssl-allow-renegotiation to allow SSL re-negotiation for HTTPS authentication.

Enable auth-http-basic to use HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of an authentication web page. Some basic web browsers, such as those on older mobile devices, may only support HTTP basic authentication.

FTP and Telnet authentication replacement messages cannot be customized.

To configure the protocols to challenge during firewall user authentication:
config user setting
    set auth-type {http https ftp telnet}
    set auth-secure-http {enable | disable}
    set auth-http-basic {enable | disable}
    set auth-ssl-allow-renegotiation  {enable | disable}
end

Certificates

Configure the HTTPS certificate and CA certificate to use for policy authentication.

To configure certificates for policy authentication:
config user setting
    set auth-cert <certificate>
    set auth-ca-cert <CA certificate>
end

Lockouts

Failed log in attempts can indicate malicious attempts to gain access to your network. To prevent this security risk, you can limit the number of failed log in attempts. After the configured maximum number of failed log in attempts is reached (1 - 10, default = 3), access to the account is blocked for the configured lockout duration (0 - 4294967295 seconds, default = 0)

To configure the maximum failed log in attempts and the lockout duration:
config user setting
    set auth-lockout-threshold <integer>
    set auth-lockout-duration <integer>
end

Authentication policy extensions

By default, unauthenticated traffic is permitted to fall to the next policy. This means that unauthenticated users are only forced to authenticate against a policy when there are no other matching policies. To avoid this, you can force authentication to always take place.

To set that authentication requirement:
config user setting
    set auth-on-demand {always | implicitly}
end

Where:

always

Always trigger firewall authentication on demand.

implicitly

Implicitly trigger firewall authentication on demand. This is the default setting (and the behavior in FortiOS 6.0 and earlier).

In the following example, authentication is required; traffic that would otherwise be allowed by the second policy is instead blocked by the first policy.

To use forced authentication:
config user setting
    set auth-on-demand always
end
config firewall policy
    edit 1
        set name "QA to Database"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "Database"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set groups "qa_group"
        set nat enable
    next
    edit 2
        set name "QA to Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

Authentication settings

Authentication settings

General authentication settings include:

Only some of the settings can be configured in the GUI.

To configure authentication settings in the GUI:
  1. Go to User & Authentication > Authentication Settings.

  2. Configure the following settings:

    Setting

    Description

    Authentication Timeout

    Enter the desired timeout, in minutes, from 1 to 1440 (24 hours). The default time is 5 minutes. Only idle timeout can be configured in the GUI.

    Protocol support

    Select the protocols to challenge during firewall user authentication.

    HTTP redirect

    Redirect HTTP challenge to a secure channel (HTTPS). This option is only available if HTTP is selected in the Protocol Support options.

    Certificate

    Select the local certificate to use for authentication.

  3. Click OK.

Timeout

Authenticated users and user groups can have timeout values per user or group, in addition to FortiGate-wide timeouts. Three types of user timeouts can be configured:

Timeout type

Description

Idle

The idle timer starts when a user initiates a session. As long as data are transferred in this session, the timer continually resets. If the data flow stops, the timer is allowed to advance until it reaches its limit. When the user has been idle for too long, they must re‑authenticate before traffic is allowed to continue in that session.

This is the default setting. It can be configured in the GUI and CLI.

Hard

The hard timer starts when a user initiates a session. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any events.

This setting can be configured in the CLI.

Session

The session timer starts when a user initiates a session. When the timeout is reached, existing sessions may continue. New sessions are not allowed until the user re-authenticates. This timeout is not affected by any events.

This setting can be configured in the CLI.

The authentication timeout time is configured in minutes. The default is five minutes. If VDOMs are enabled, the global level auth-timeout user setting is the default that all VDOMs inherit. If the timeout time is set to zero,

To configure timeout for authenticated users:
config user setting
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set auth-timeout <integer>
end
To configure the authentication timeout for a user group:
config user group
    edit <name>
        set authtimeout <integer>
    next
end

If the group timeout time is zero (the default) or the user belongs to multiple RADIUS groups, then the user group timeout values are ignored and the global user timeout value is used.

Preserve authentication sessions after reboot

FortiGate models with a log disk can preserve authentication sessions a firewall reboot. This eliminates the need to reauthenticate after rebooting.

When session authentication backup is enabled, authenticated sessions are backed up at the configured interval. By default, session authentication backup is disabled.

config system global
    set auth-session-auto-backup {enable | disable}
    set auth-session-auto-backup-interval {1min | 5min | 15min | 30min | 1hr}
end
To configure authentication session backup:
  1. Enable authentication backup and specify a backup interval.

    In this example, authentication backup runs every minute.

    config system global
        set auth-session-auto-backup enable
        set auth-session-auto-backup-interval 1min
    end

Protocols

When you enable user authentication within a security policy, the authentication challenge is normally issued for any of four protocols, depending on the connection protocol:

  • HTTP (you can set this to redirect to HTTPS)
  • HTTPS
  • FTP
  • Telnet

The selected protocols control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a protocol support method, it allows the user to authenticate with a customized local certificate.

When you enable user authentication within a security policy, FortiOS challenges the security policy user to authenticate. For user ID and password authentication, the user must provide their username and password. For certificate authentication (HTTPS, or HTTP redirected to HTTPS only), you can install customized certificates on the unit and the user can also install customized certificates on their browser. Otherwise, users see a warning message and must accept a default Fortinet certificate. The network user's web browser may deem the default certificate invalid.

Enable auth-secure-http to redirect HTTP challenges to a secure channel. Enable auth-ssl-allow-renegotiation to allow SSL re-negotiation for HTTPS authentication.

Enable auth-http-basic to use HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of an authentication web page. Some basic web browsers, such as those on older mobile devices, may only support HTTP basic authentication.

FTP and Telnet authentication replacement messages cannot be customized.

To configure the protocols to challenge during firewall user authentication:
config user setting
    set auth-type {http https ftp telnet}
    set auth-secure-http {enable | disable}
    set auth-http-basic {enable | disable}
    set auth-ssl-allow-renegotiation  {enable | disable}
end

Certificates

Configure the HTTPS certificate and CA certificate to use for policy authentication.

To configure certificates for policy authentication:
config user setting
    set auth-cert <certificate>
    set auth-ca-cert <CA certificate>
end

Lockouts

Failed log in attempts can indicate malicious attempts to gain access to your network. To prevent this security risk, you can limit the number of failed log in attempts. After the configured maximum number of failed log in attempts is reached (1 - 10, default = 3), access to the account is blocked for the configured lockout duration (0 - 4294967295 seconds, default = 0)

To configure the maximum failed log in attempts and the lockout duration:
config user setting
    set auth-lockout-threshold <integer>
    set auth-lockout-duration <integer>
end

Authentication policy extensions

By default, unauthenticated traffic is permitted to fall to the next policy. This means that unauthenticated users are only forced to authenticate against a policy when there are no other matching policies. To avoid this, you can force authentication to always take place.

To set that authentication requirement:
config user setting
    set auth-on-demand {always | implicitly}
end

Where:

always

Always trigger firewall authentication on demand.

implicitly

Implicitly trigger firewall authentication on demand. This is the default setting (and the behavior in FortiOS 6.0 and earlier).

In the following example, authentication is required; traffic that would otherwise be allowed by the second policy is instead blocked by the first policy.

To use forced authentication:
config user setting
    set auth-on-demand always
end
config firewall policy
    edit 1
        set name "QA to Database"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "Database"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set groups "qa_group"
        set nat enable
    next
    edit 2
        set name "QA to Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end