chrisn
New Contributor

Authentication timeout setting

I recently upgraded my two FortiGate appliances from 5.4 to 5.6.6, and I'm trying to make the authentication timeout longer (User & Device -> Authentication Settings - Authentication Timeout). According to everything I can find, I should be able to set the timeout up to 4320 minutes (link to manual). However, whenever I try to change it to more than 1440 minutes, I get the error "Please enter a value less than or equal to 1440". This happens through both GUI and CLI. Is there something I am missing in the upgrade process?

 

Here is the output from the CLI interface:

HorstDenver50E # config user setting
 
HorstDenver50E (setting) # set auth-timeout 4320
The auth-timeout value 4320 must be in the range of 1-1440.
 
value parse error before '4320'
Command fail. Return code -61

xsilver_FTNT
Staff

Hi,

That looks like a documentation bug. Thank you, I'll report it, as I haven't found it reported yet.

Because the CLI still shows the boundary up to 1440.

 

c2fgvm (setting) # set auth-timeout ?
auth-timeout    Enter an integer value from <1> to <1440> (default = <5>).

 

EDIT:

The limit actually exists, but in a slightly different part:

c2fgvm # con user group
c2fgvm (group) #
c2fgvm (group) # edit Alfa-Mans
c2fgvm (Alfa-Mans) # set authtimeout
authtimeout    Enter an integer value from <0> to <43200>.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Dave_Hall
Honored Contributor

Looks like in a different section of the 5.6 CLI Reference manual for the user settings, the max authentication timeout value is 1440.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

chrisn

So what about the following feature in this document listing new authentication features in FortiOS 5.6?

 

User authentication max timeout setting change (378085)

 

To accommodate wireless hotspot users authenticated on the FortiGate, the user authentication max timeout setting has been extended to three days (from one day, previously).

 

It's listed under "New authentication features added to FortiOS 5.6." Was it removed in later versions of 5.6? Or is it only supported on certain models? I have a FortiGate 50E & 60E.

 

Edit: Ok, I changed the timeout in the user group, and that appears to work. Fortunately I don't have many user groups so this is a viable option. However, there is no visibility through the GUI that there is a custom timeout specified for a certain group. It would be nice to have some indication in the GUI just to minimize possible future headaches if you forget exactly how things are configured.
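Added example, not part of the thread and not Fortinet code: since the GUI does not show per-group overrides, a configuration backup can be audited offline for groups whose `authtimeout` differs from the global `auth-timeout`. The sample config is constructed, the function name is hypothetical, and treating a group value of 0 as "inherit the global setting" is an assumption.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the thread).
SAMPLE_CONFIG = '''\
config user setting
    set auth-timeout 1440
end
config user group
    edit "Alfa-Mans"
        set member "alice" "bob"
        set authtimeout 4320
    next
    edit "Staff"
        set member "carol"
    next
end
'''

GLOBAL_DEFAULT = 5  # default shown by "set auth-timeout ?" in the thread

def audit_auth_timeouts(config_text):
    """Return (global_timeout, {group: (effective_minutes, is_override)})."""
    global_timeout = GLOBAL_DEFAULT
    groups = {}
    section = None   # current top-level "config ..." path
    depth = 0        # nesting depth of config blocks
    group = None     # group currently being edited
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line[len("config "):]
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif depth == 1 and section == "user group" and line.startswith("edit "):
            group = line[len("edit "):].strip('"')
            groups[group] = 0   # assumption: 0 means "inherit global"
        elif depth == 1 and line == "next":
            group = None
        elif depth == 1 and (m := re.fullmatch(r"set (auth-?timeout) (\d+)", line)):
            if section == "user setting" and m[1] == "auth-timeout":
                global_timeout = int(m[2])
            elif section == "user group" and group and m[1] == "authtimeout":
                groups[group] = int(m[2])
    return global_timeout, {g: (v or global_timeout, v != 0) for g, v in groups.items()}
```

Groups flagged with `is_override` set to `True` are the ones whose session lifetime will not match what the Authentication Settings page displays.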
