When configuring an Authentication policy rule, you
can specify a timeout period during which a user authenticates only
for initial access to services and applications, not for subsequent
access. Your goal is to specify a timeout that strikes a balance
between the need to secure services and applications and the need
to minimize interruptions to the user workflow. When a user authenticates,
the firewall records a timestamp for the first authentication challenge
(factor) and a timestamp for any additional Multi-Factor Authentication (MFA)
factors. When the user subsequently
requests services and applications that match an Authentication
rule, the firewall evaluates the timeout specified in the rule relative
to each timestamp. This means the firewall reissues authentication
challenges on a per-factor basis when timeouts expire. If you Redistribute
User Mappings and Authentication Timestamps, all your firewalls
will enforce Authentication policy timeouts consistently for all
users.
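
The per-factor evaluation described above can be modelled in a few lines. This is an added illustration, not firewall code or vendor logic: the factor names, the timeouts in minutes, the timestamps, and the treatment of a missing timestamp as "challenge this factor" are all assumptions made for the example.

```python
from datetime import datetime, timedelta


def factors_to_challenge(timeout_min, rule_factors, timestamps, now):
    """Return the factors of a matching rule that must be challenged again.

    timestamps maps a factor name to the time the user last passed it, as
    recorded locally or learned through redistribution. A factor with no
    recorded timestamp is always challenged (assumption of this model).
    """
    timeout = timedelta(minutes=timeout_min)
    due = []
    for factor in rule_factors:
        stamp = timestamps.get(factor)
        # Each factor is judged against its own timestamp, so one factor can
        # expire while another is still valid under the same rule.
        if stamp is None or now - stamp > timeout:
            due.append(factor)
    return due


# Constructed sample data: first factor passed at 09:00, MFA factor at 09:40.
NOW = datetime(2024, 1, 1, 9, 50)
FACTORS = ["login", "mfa-push"]  # hypothetical factor names
STAMPS = {
    "login": datetime(2024, 1, 1, 9, 0),
    "mfa-push": datetime(2024, 1, 1, 9, 40),
}


def demo():
    return {
        # 60-minute rule: both timestamps are younger than the timeout.
        "fw1_rule_60min": factors_to_challenge(60, FACTORS, STAMPS, NOW),
        # 30-minute rule: only the 50-minute-old first factor has expired.
        "fw1_rule_30min": factors_to_challenge(30, FACTORS, STAMPS, NOW),
        # A second firewall that never received the timestamps has nothing
        # to evaluate against, so it challenges every factor.
        "fw2_no_timestamps": factors_to_challenge(60, FACTORS, {}, NOW),
    }


if __name__ == "__main__":
    for name, due in demo().items():
        print(f"{name}: {due or 'no challenge'}")
```

The third case is the inconsistency that redistributing authentication timestamps avoids: without them, the same user is treated as unauthenticated on one firewall and authenticated on another.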