VPN authentication

Configuring authenticated access

To configure authentication for an SSL VPN - CLI

config vpn ssl settings
    set algorithm
    set auth-timeout
    set dns-server1
    set dns-server2
    set idle-timeout
    set portal-heading
    set reqclientcert
    set route-source-interface
    set servercert
    set sslv2
    set sslv3
    set sslvpn-enable
    set tunnel-endip
    set tunnel-startip
    set url-obscuration
    set wins-server1
    set wins-server2
end

The tunnel-endip and tunnel-startip keywords are required for tunnel-mode access only. All other keywords are optional.

When you configure the timeout settings, setting the authentication timeout (auth-timeout) to 0 means the remote client does not have to re-authenticate unless they log out of the system. To fully take advantage of this setting, idle-timeout has to be set to 0 as well, so that the client is not logged out when the maximum idle time is reached. If idle-timeout is not set to 0 (the infinite value), the system logs the client out when the idle limit is reached, regardless of the auth-timeout setting.
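The interaction between auth-timeout, idle-timeout and the tunnel-mode keywords is easy to get wrong when reviewing a configuration by eye. The following Python checker is an added example (not from the guide or from Fortinet): it parses a `config vpn ssl settings` block from saved CLI text and reports the two conditions the guide describes (tunnel-startip/tunnel-endip missing in tunnel mode, and auth-timeout 0 paired with a non-zero idle-timeout). It also flags SSLv2/SSLv3 left enabled, which is this editor's own check rather than something the guide states; the `enable`/`disable` value syntax and the sample addresses are assumptions.

```python
import re

# Keywords the guide says are required for tunnel-mode access.
TUNNEL_MODE_REQUIRED = ("tunnel-startip", "tunnel-endip")

# Constructed sample: a block with the problems the checker is meant to catch.
WEAK_CONFIG = """\
config vpn ssl settings
    set auth-timeout 0
    set idle-timeout 300
    set sslv2 enable
    set tunnel-startip 10.0.0.1
end
"""

# Constructed sample: the same block with every finding addressed.
FIXED_CONFIG = """\
config vpn ssl settings
    set auth-timeout 0
    set idle-timeout 0
    set sslv2 disable
    set sslv3 disable
    set tunnel-startip 10.0.0.1
    set tunnel-endip 10.0.0.254
end
"""


def parse_ssl_settings(config_text):
    """Collect 'set <keyword> <value>' lines from a 'config vpn ssl settings' block.

    Returns a dict mapping keyword to its value string. Lines outside the block,
    and anything after the closing 'end', are ignored.
    """
    settings = {}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ssl settings":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            match = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if match:
                settings[match.group(1)] = match.group(2).strip()
    return settings


def audit_ssl_settings(settings, tunnel_mode=True):
    """Return a list of human-readable findings for the parsed settings."""
    findings = []

    # Tunnel mode needs the client address range, so both keywords must be present.
    if tunnel_mode:
        for keyword in TUNNEL_MODE_REQUIRED:
            if keyword not in settings:
                findings.append(f"missing '{keyword}', required for tunnel-mode access")

    # auth-timeout 0 only means "never re-authenticate" when idle-timeout is 0 too;
    # otherwise the idle limit still ends the session.
    auth_timeout = settings.get("auth-timeout")
    idle_timeout = settings.get("idle-timeout")
    if auth_timeout == "0" and idle_timeout != "0":
        shown = "not set" if idle_timeout is None else idle_timeout
        findings.append(
            f"auth-timeout is 0 but idle-timeout is {shown}: "
            "clients are still logged out when the idle limit is reached"
        )

    # Added check, not from the guide: SSLv2 and SSLv3 are obsolete and should stay
    # disabled. 'enable'/'disable' is assumed to be the value syntax.
    for proto in ("sslv2", "sslv3"):
        if settings.get(proto) == "enable":
            findings.append(f"{proto} is enabled; this obsolete protocol version should be disabled")

    return findings


def audit_config_text(config_text, tunnel_mode=True):
    """Parse and audit a CLI text dump in one call."""
    return audit_ssl_settings(parse_ssl_settings(config_text), tunnel_mode)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit_config_text(text) or ['no findings']}")
```

Run it against a saved `show vpn ssl settings` dump; for web-mode-only deployments pass `tunnel_mode=False` so the tunnel address checks are skipped.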

Strong authentication is a form of computer security in which the identities of networked users, clients, and servers are verified without transmitting passwords over the internet. To verify a user’s identity, strong authentication combines something the user knows (a user name and password) with something the user has (a client-side certificate). Strong authentication can be configured for SSL VPN user groups using X.509 (version 1 or 3) digital certificates.

Configuring strong authentication of SSL VPN users/user groups

You can use strong authentication to verify the identities of SSL VPN user group members. The accounts for individual users and the user groups containing those users have to be created before configuring strong authentication, and a firewall encryption policy has to be created to permit access by that user group. To enable strong authentication for an SSL VPN user group:

1. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.

2. Install the root certificate and the CRL from the issuing CA on the FortiGate unit.

3. Configure strong authentication for the group of users having a copy of the group certificate.


FortiOS v3.0 MR7 User Authentication User Guide

54

01-30007-0347-20080828
