FortiGate
alif (Staff)
Article Id 191322

Description

This article describes the default settings on SSL VPN and the consequences of configuration changes to SSL-VPN settings in a production environment.

Scope

Any supported version of FortiGate.


Solution

By default, an SSL VPN connection logs out after 8 hours:
 
config vpn ssl settings
    set auth-timeout 28800
end

The auth-timeout is the period of time, in seconds, that the SSL-VPN waits before re-authentication is enforced.
The default value is 28800 seconds (8 hours). The valid range is 0 to 259200.

A value of 0 indicates no timeout.

The idle-timeout is the period of time, in seconds, that the SSL-VPN waits before timing out a user who has had no activity.

config vpn ssl settings
    set idle-timeout 300
end

The default value is 300 seconds (5 minutes). The valid range is 0 to 259200.

Changing these timeouts, or switching between tunnel mode and web mode, does not affect the environment unless a user's session has already surpassed the newly configured value. If the user's connection time is still lower than the newly configured value, the user is not disconnected. These settings are applied to currently active sessions.

Example:

  • User 1 is connected for 3 minutes.
  • User 2 is connected for 2 hours.
Result: Setting the 'auth-timeout' to 3600 sec will disconnect user 2 but not user 1.
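As an added illustration (not Fortinet's code or tooling), the following Python script generalizes the example above: it validates candidate auth-timeout and idle-timeout values against the documented 0 to 259200 range, renders the corresponding CLI block, and reports which currently connected sessions would be dropped as soon as the new values apply. The session data, and all function and variable names, are constructed for this example.

```python
"""Plan a FortiGate SSL-VPN timeout change against active sessions.

Added example, not Fortinet code. It models the behaviour the article
describes: both timeouts apply to sessions that are already connected,
a session is dropped once its elapsed time is no longer lower than the
new value, and a value of 0 disables the timeout. The session list below
is constructed sample data; names are this example's own.
"""
from dataclasses import dataclass

# Documented range for both settings, in seconds (0 = no timeout).
TIMEOUT_MIN = 0
TIMEOUT_MAX = 259200
DEFAULT_AUTH_TIMEOUT = 28800   # 8 hours
DEFAULT_IDLE_TIMEOUT = 300     # 5 minutes


@dataclass
class Session:
    user: str
    connected_secs: int   # seconds since the SSL-VPN session was authenticated
    idle_secs: int        # seconds since the user's last activity


def validate_timeout(name: str, value: int) -> int:
    """Reject values outside the range FortiOS accepts for the setting."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer number of seconds, got {value!r}")
    if not TIMEOUT_MIN <= value <= TIMEOUT_MAX:
        raise ValueError(
            f"{name} must be between {TIMEOUT_MIN} and {TIMEOUT_MAX} seconds, got {value}"
        )
    return value


def render_cli(auth_timeout: int, idle_timeout: int) -> str:
    """Produce the 'config vpn ssl settings' block for the chosen values."""
    validate_timeout("auth-timeout", auth_timeout)
    validate_timeout("idle-timeout", idle_timeout)
    return (
        "config vpn ssl settings\n"
        f"    set auth-timeout {auth_timeout}\n"
        f"    set idle-timeout {idle_timeout}\n"
        "end"
    )


def exceeds(elapsed_secs: int, timeout_secs: int) -> bool:
    """0 means 'never time out'; otherwise the session is past the limit
    as soon as its elapsed time is no longer lower than the new value."""
    return timeout_secs != 0 and elapsed_secs >= timeout_secs


def plan_change(sessions, auth_timeout: int, idle_timeout: int) -> dict:
    """Map each user the new values would drop immediately to the reason.

    Sessions whose connection time and idle time are both still below
    the new limits stay up, as the article states.
    """
    validate_timeout("auth-timeout", auth_timeout)
    validate_timeout("idle-timeout", idle_timeout)
    dropped = {}
    for s in sessions:
        if exceeds(s.connected_secs, auth_timeout):
            dropped[s.user] = "auth-timeout"
        elif exceeds(s.idle_secs, idle_timeout):
            dropped[s.user] = "idle-timeout"
    return dropped


# Constructed sample: mirrors the article's example (3 minutes vs 2 hours)
# plus a third user who has been idle for 20 minutes.
SAMPLE_SESSIONS = [
    Session("user1", connected_secs=3 * 60, idle_secs=10),
    Session("user2", connected_secs=2 * 3600, idle_secs=10),
    Session("user3", connected_secs=20 * 60, idle_secs=20 * 60),
]

if __name__ == "__main__":
    print(render_cli(3600, DEFAULT_IDLE_TIMEOUT))
    # Lowering auth-timeout to 3600 s drops user2 (2 h connected) but keeps user1 (3 min).
    print(plan_change(SAMPLE_SESSIONS, 3600, DEFAULT_IDLE_TIMEOUT))
```

Running the script with an auth-timeout of 3600 seconds reproduces the article's result: user2 is disconnected, user1 stays connected, and the extra idle user is reported as an idle-timeout drop. Passing 0 for both values reports no drops, since 0 disables the timeout.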

However, be aware that once SSL VPN clients are connected, a change to the firewall address objects or IP pools used under SSL VPN settings in a production environment tears down all active SSL VPN connections, regardless of the timeout values described above.

This is expected behavior, and the following message is displayed in the CLI debug output:

[260:root:0][257:root:0]Config change causes all session to be closed in vdom 'root'