What are the user authentication timeout options on a FortiGate firewall?

Explaining the various user auth timeout choices that are available on FortiGate.

💡 This is part of an ongoing series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

Depending on environment needs and use cases, it can be fairly common for a firewall to have different restrictions for different users/objects. For example, maybe Bob in the finance department needs access to an accounting web application but Sally in Engineering doesn't. Firewalls can have users/groups listed as a condition of the firewall policy.

Nifty, right? There's an important point to keep in mind though: some firewalls will, by default, fall back to less specific policies when the user is unknown. FortiGate, for example, gives admins the choice with the set auth-on-demand <always|implicitly> CLI command. If the option is set to always, every firewall policy requires user authentication. If it is set to implicitly (the default), policies that leave off authentication could still match the traffic, without the firewall ever verifying who the user is.

Once a user IS authenticated in some shape or form (meaning the firewall knows who is sending traffic through it), auth timeouts become very important. In our example above, how long should the firewall assume that it's still Bob generating the outbound traffic to the web app? What if Bob stepped away for lunch and someone else is using the computer?

FortiGates have three user authentication timeout options (as defined in the set auth-timeout-type [idle-timeout|hard-timeout|new-session] command):

  • Idle - This is the default timeout mode. The clock starts when the user's device goes completely quiet (no traffic at all) and resets on any new traffic. Once the quiet span exceeds the configured threshold (5 minutes by default), the FortiGate no longer trusts the user state and will need fresh authentication details if/when enforcing the firewall policy.
  • Hard - This timeout option is more restrictive. It sets a flat span of time measured from the moment of authentication, regardless of how active the user/source object is. So even if Bob stayed at his desk continually generating traffic, the FortiGate would still distrust the identity after X minutes had passed.
  • New Session - This mode is a compromise between the two. It assumes that some transactions (like large file uploads/downloads) may take longer to complete than the timeout, so it lets existing sessions keep going but considers the authentication state invalid if it sees no new sessions from the user object within the timeout period.
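To make the difference between the three modes concrete, here is a small model of how each timeout type judges whether an identity is still trusted. This is an added example written for this article, not FortiOS code; the event timelines are constructed, and the only thing it borrows from the device is the three auth-timeout-type values and the 5 minute default.

```python
from dataclasses import dataclass
from enum import Enum


class TimeoutType(Enum):
    """The three values accepted by `set auth-timeout-type` on a FortiGate."""
    IDLE = "idle-timeout"
    HARD = "hard-timeout"
    NEW_SESSION = "new-session"


@dataclass(frozen=True)
class Event:
    """One packet seen from the authenticated source, in seconds after auth."""
    t: float
    new_session: bool  # True when this packet opened a new session


def last_activity(events, now, new_sessions_only):
    """Most recent relevant event at or before `now`.

    The authentication itself (t=0) always counts as activity, so a user who
    has sent nothing since logging in is measured from the login.
    """
    times = [e.t for e in events
             if e.t <= now and (e.new_session or not new_sessions_only)]
    return max(times, default=0.0)


def auth_valid(mode, events, now, timeout_s):
    """Return True if the firewall would still trust the identity at `now`."""
    if mode is TimeoutType.HARD:
        elapsed = now  # clock started at authentication and never resets
    elif mode is TimeoutType.IDLE:
        elapsed = now - last_activity(events, now, new_sessions_only=False)
    else:  # NEW_SESSION: only the start of a new session resets the clock
        elapsed = now - last_activity(events, now, new_sessions_only=True)
    return elapsed < timeout_s


def timeout_matrix(events, now, timeout_s=300):
    """Evaluate all three modes at once; 300 s is the FortiGate default of 5 min."""
    return {m.value: auth_valid(m, events, now, timeout_s) for m in TimeoutType}


# Constructed timelines (not captured from a real device).
# Bob authenticates at t=0 (opening one session) and then downloads a large
# file over that same session for 20 minutes: a packet every 60 s, no new sessions.
LONG_DOWNLOAD = [Event(0, True)] + [Event(t, False) for t in range(60, 1201, 60)]
# Bob authenticates and then steps away for lunch: nothing at all until t=2000.
LUNCH_BREAK = [Event(0, True), Event(2000, True)]

if __name__ == "__main__":
    for name, timeline in (("long download", LONG_DOWNLOAD), ("lunch break", LUNCH_BREAK)):
        for now in (120, 400, 900):
            print(f"{name:14s} t={now:4d}s  {timeout_matrix(timeline, now)}")
```

At t=900 s into the long download only idle-timeout still trusts Bob: the packets keep resetting its clock, while hard-timeout expired at 300 s and new-session expired because the only session was opened at t=0. During the lunch break all three modes give up at 300 s, which is the behaviour you want when someone else might sit down at Bob's desk. On the device itself these modes live under `config user setting` alongside `set auth-timeout <minutes>` (commands I am stating from FortiOS knowledge, not from this article).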

Which mode is best for environments? "It depends". 😃 Some of these decisions will be driven by compliance and regulatory requirements. For more information, check out the following resources:

  • Explanation of auth-timeout types for Firewall authentication users (Fortinet knowledge base): "This article discusses the different types of authentication timeout types available in FortiOS. Authentication timeout is applicable only for firewall authenticated users, not for SSO users. Scope FortiGate. Solution By default the authentication timeout is set to 5 minutes. FGT# show full-…"
  • After auth-timeout reaches to the setting value, 'Time Left' value becomes 47721 day(s) (Fortinet knowledge base): "some situations where it is necessary to configure auth-timeout with auth-timeout-type hard-timeout. But after auth-timeout value reaches to the setting value. "Time Left" at GUI of the user has been reduced until 0 second. Then "Time Left" value becomes 47721 day(s). The user can not access to Inte…"
  • FortiGate Authentication timeout (Fortinet documentation): "Authentication timeout An important feature of the security provided by authentication is that it is temporary—a user must reauthenticate after logging out. Also if a user is logged on and authenti…"