Administration Guide

Aging out host or user records

Host and User records remain in the database indefinitely unless you set expiration dates for those records. There are several methods for setting expiration dates.

As new hosts, users or administrators are added to the database, the Expiration Date and/or Inactivity Date are automatically populated based on settings elsewhere in FortiNAC. Aging settings are configured using the methods listed below. If no global settings have been established and hosts or users are added without Expiration or Inactivity dates, those dates can be added later by configuring the settings below.

If you set age times for existing users or hosts, you may inadvertently cause them to be deleted from the database. If the expiration date calculated for those hosts or users is before today's date, those records will be removed from the database.

Aging a large number of hosts or users at the same time can cause processing delays with FortiNAC if users attempt to re-register within a short period of time of each other. It is recommended that you stagger the aging times to reduce the number of possible re-registrations at any given time.

Host age times are evaluated every ten minutes. If you specify a date and time, the host may not be removed from the database for up to ten minutes after the time selected.

The user inactivity timer is started when all hosts registered to a user are seen as offline. When a host is seen as connected, the timer is cleared. The timer is also cleared when the user logs into FortiNAC.

Directory

If the Time To Live option is enabled in the Directory Attribute Mappings window, the value stored in the directory is used to calculate the expiration date and inactivity date. This is based on the user's record in the directory. For the user, only the expiration date is calculated. For the host, both the expiration date and the inactivity date are calculated. This may also apply to administrators. The host must be associated with a user to inherit these settings.

System Settings

Age times under System > Settings > User/Host Management > Aging are used to populate Expiration Date and Inactivity Date for hosts as they are added to the database, and Expiration Date for users. If these settings are configured after administrators, network users or hosts have been added to the database, those without age times or that are not set to Never Expire will be automatically updated. Records with age times are not modified. See Aging.

Group Aging

You can create a host group and use Group Aging to populate the Expiration Date and/or the Inactivity Date fields for hosts in that group. All hosts in the group are modified even if they already have an age time set, except those set to Never Expire. See Aging hosts in a group.
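The following dry run is an added example, not part of the FortiNAC documentation or product. It models the rules above for System Settings and Group Aging and lists which records would be rewritten and which would be removed at once because the calculated date is before today. The `Record` fields, the `preview_aging` helper, the sample inventory and the rule that the date is calculated as creation date plus a number of days are assumptions for illustration; for the "group" method the list is taken to be the members of the host group.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Record:
    name: str
    created: date                      # assumed basis for the calculated date
    expiration: Optional[date] = None  # None means no age time is set
    never_expire: bool = False

def preview_aging(records, days_valid, method, today):
    """Dry run of an aging change; method is "system" or "group".

    Returns (updated, removed): names whose Expiration Date would be
    written, and the subset whose new date falls before today.
    """
    if method not in ("system", "group"):
        raise ValueError("method must be 'system' or 'group'")
    updated, removed = [], []
    for r in records:
        if r.never_expire:
            continue  # both methods leave Never Expire records alone
        if method == "system" and r.expiration is not None:
            continue  # System Settings does not modify existing age times
        # Assumption: expiration = creation date + days_valid.
        new_exp = r.created + timedelta(days=days_valid)
        updated.append(r.name)
        if new_exp < today:
            removed.append(r.name)  # would be deleted at the next evaluation
    return updated, removed

# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Record("printer-01", date(2023, 1, 10)),
    Record("laptop-07", date(2024, 5, 20)),
    Record("kiosk-03", date(2023, 3, 1), expiration=date(2025, 3, 1)),
    Record("hvac-ctl", date(2022, 8, 15), never_expire=True),
]

if __name__ == "__main__":
    for method in ("system", "group"):
        updated, removed = preview_aging(SAMPLE, 90, method, TODAY)
        print(f"{method}: updated={updated} removed_immediately={removed}")
```

Running it against an export of real records before changing age times shows how many hosts would be removed together, which is the input needed to stagger the change.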

Host Aging

You can enter or override aging values for individual hosts by clicking Set on the Host Properties window or using the Set Host Expiration Date option on the Host View. See Set host expiration date.

User Aging

You can enter or override those values for individual users, including administrators, by clicking Set on the User Properties window or using the Set User Expiration Date option on the user view. See Set user expiration date.

Administrator User Aging

Administrators never age out of the database under any circumstances. These users must be removed from the database manually from the administrators View.

Administrative User Aging

Administrators are treated like regular network users when aging settings are applied, depending on how they are added to the database. Below are ways to set the expiration date for an administrator:

  • When adding an administrator from the administrator users view, the new user will receive an expiration date based on the information in the global aging settings, the Time To Live setting in the directory or based on a group setting if they are placed in a group. See Aging.
  • Manually give any administrator an expiration date by selecting the user on the administrators View and using the Set Expiration option. See Set user expiration date.
  • When an administrator is added by converting an existing network user to an administrator, the new administrator can have aging set through any of the possible aging options.
  • If you assign administrator profiles based on directory groups, there are circumstances in which an administrator would be assigned an expiration date. See Set privileges based on directory groups.
  • If a non-administrator registered a host through the captive portal and a directory synchronization is run, the user would then be converted to an administrator. However, it would have an expiration date based on the global aging settings. This also occurs when a host is registered to a user manually by an administrator.

Guest Aging

A Guest user's expiration date is set based on the Account Duration entered in the guest template used to create the Guest. The host registered to the Guest inherits its expiration date from the Global Aging settings. When the Guest user's account expires, both the Guest user's account and the guest's registered host are automatically removed from the database. If the host's expiration date is earlier than the Guest user's expiration date, the host is removed from the database, but the Guest user account remains.
