FORTICLIENT SSL VPN CONFIGURATION NOTES

DISABLE SIP ALG ON FORTIGATE FIREWALLS
November 19, 2018
Zultys Voice Mail
Zultys Voice Mail
November 19, 2018
DISABLE SIP ALG ON FORTIGATE FIREWALLS
November 19, 2018
Zultys Voice Mail
Zultys Voice Mail
November 19, 2018

FORTICLIENT SSL VPN CONFIGURATION NOTES

< Back
You are here:
Print
Created On
Last Updated On
byAnton Karpov

Overview

Fortigate Forticlient SSL VPN configuration is simple and described in details on YouTube and in Fortinet cookbook  .  Below is the list of problems we have found and configuration examples that will help you to solve them. These notes are for for software version 6.0.1 and 5.6, but might work for 5.4 and even 5.2

As usual: Backup configuration of your firewall before making any changes

Update 03/2020

Please update your Fortigate firewall to at least version 6.0.5 , there is a security vulnerability in older versions.

Also, update your Forticlient to 6.0 or 6.2 from Forticlient web site

Note: most problems with unstable Forticlient SSL VPN connection are related to Internet connection problems, like packet loss.

SETTING UP DNS SUFFIX .

If your users connect to a Forigate firewall using Forticlient SSL VPN and you are using internal DNS servers for DNS resolution, you might expect your users to be able to resolve names of devices on your network. However, this will not work unless you configure your local DNS suffix.

Example: DNS suffix for your local domain is “mycompany.local”

Run this command in Fortigate CLI to allow your Forticlient SSL VPN users to resolve names of devices on your local network

config vpn ssl settings
set dns-suffix mycompany.local
end

FORTICLIENT SSL VPN RANDOMLY DISCONNECTS

Your Forticlient SSL VPN users might experience frequent disconnects, even if “Always On” check box is checked in Forticlient’s login window.

Here is configuration that works

config vpn ssl settings
set auth-timeout 259200
set idle-timeout 259200
end

Note: timeout is in seconds , so 259200 seconds is 72 hours.  You might want to decrease it as you see fit. We normally set it up for 8 hours or 28800 seconds. This prevents users from just leaving VPN on overnight.

SD-WAN, or WAN Load Balancing

If you are using SD-WAN or WAN load balancing, following config changes will be needed

Make sure your balancing strategy is setup to “Sessioin” , not “Volume”.

For Fortigates with FortiOS 6.0.1 or later

Use the following CLI command:

config system interface
  edit <name>
    set preserve-session-route enable
  next
end

Where <name> is the name of your WAN interface. Repeat this command for all your WAN interfaces.

For Fortigates with FortiOS 6.0.0 or earlier,

use the following CLI command:

config vpn ssl settings
   set route-source-interface enable
end
Table of Contents
Anton Karpov
Anton Karpov

Leave a Reply

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply..