Technical Tip: Automating SSL VPN user disconnection using automation stitch on FortiGate
Description
This article provides a step-by-step guide to configuring an Automation Stitch on FortiGate that automatically disconnects all active SSL VPN users at a specified time.
Scope
FortiGate Firewall.
Solution
The solution involves creating an Automation Stitch that triggers at a scheduled time to execute a CLI command, disconnecting all SSL VPN users. The process encompasses defining a trigger based on a schedule, creating an action to run the CLI script, and assembling these components into a stitch.
Step 1: Access the Automation Section.
Navigate to Security Fabric -> Automation tab.

Step 2: Create a New Stitch.
- Select Create New to initiate a new Automation Stitch.
- Enter a meaningful Name and Description.
- Set Status to Enabled.
- Choose Action Execution as Sequential to ensure orderly execution of steps.

Step 3: Define the Trigger.
- Select the Trigger tab within the stitch configuration.
- Select Create to define a new trigger.
- Choose Schedule as the trigger type.


Step 4: Configure Schedule Trigger.
- Provide a Name for the trigger.
- Specify the Frequency (e.g., daily, weekly) and set the exact Time (e.g., 06:00 AM) when the disconnection should occur.
- Select OK to save the trigger.

Note: For this example, the trigger is configured to activate daily at 6:00 AM.
Step 5: Associate Trigger with Stitch.
- Return to the main stitch configuration screen.
- Select the newly created trigger from the list to associate it with the stitch.

Step 6: Define the Action.
- Select the Action tab.
- Select Create, then select CLI Script as the action type.

Step 7: Input CLI Script.
- Enter a Name for the action.
- In the script field, input the following command:
execute vpn sslvpn del-all
This command disconnects all active SSL VPN users.
- Select OK to save the action.

Step 8: Finalize and Enable.
Confirm all settings and select OK to create the Automation Stitch.
CLI Reference:
config system automation-action
    edit "command-SSLVPN"
        set action-type cli-script
        set script "execute vpn sslvpn del-all"
        set accprofile "super_admin"
    next
end
config system automation-trigger
    edit "Timer-SSLVPN"
        set trigger-type scheduled
        set trigger-hour 6
    next
end
config system automation-stitch
    edit "SSLVPN-DisconnectAll"
        set trigger "Timer-SSLVPN"
        config actions
            edit 1
                set action "command-SSLVPN"
                set required enable
            next
        end
    next
end
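For reviewing a configuration backup offline, the following added example (not part of the original article or any Fortinet tooling) parses the config/edit/set/next/end syntax shown in the CLI reference and lists every CLI-script action a stitch can fire, together with its trigger and the access profile it runs with. The function names parse and audit are hypothetical, the parser assumes only those five keywords matter, and the input is this article's CLI reference embedded as constructed sample data.

```python
import shlex

# Constructed input: this article's CLI reference, one config line per list item.
SAMPLE = "\n".join([
    'config system automation-action', 'edit "command-SSLVPN"',
    'set action-type cli-script', 'set script "execute vpn sslvpn del-all"',
    'set accprofile "super_admin"', 'next', 'end',
    'config system automation-trigger', 'edit "Timer-SSLVPN"',
    'set trigger-type scheduled', 'set trigger-hour 6', 'next', 'end',
    'config system automation-stitch', 'edit "SSLVPN-DisconnectAll"',
    'set trigger "Timer-SSLVPN"', 'config actions', 'edit 1',
    'set action "command-SSLVPN"', 'set required enable', 'next', 'end', 'next', 'end',
])

def parse(text):
    """Parse config/edit/set/next/end lines into nested dicts (hypothetical helper)."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line)  # honours the double-quoted values used in the config
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def audit(cfg):
    """Return (stitch, trigger type, hour, script, accprofile) per CLI-script action."""
    actions = cfg.get("system automation-action", {})
    triggers = cfg.get("system automation-trigger", {})
    found = []
    for name, stitch in cfg.get("system automation-stitch", {}).items():
        trig = triggers.get(stitch.get("trigger"), {})
        for step in stitch.get("actions", {}).values():
            act = actions.get(step.get("action"), {})
            if act.get("action-type") == "cli-script":
                found.append((name, trig.get("trigger-type"), trig.get("trigger-hour"),
                              act.get("script"), act.get("accprofile")))
    return found

for row in audit(parse(SAMPLE)):
    print(row)
```

Each returned row shows which command runs unattended, when, and with which access profile, so the accprofile column can be compared against the privileges the script needs.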
Verification:
To verify the configuration, run the following CLI commands:
get vpn ssl monitor
diagnose test application autod 3
Troubleshooting:
To troubleshoot the automation stitch, it is necessary to stop all running scripts, reset any debugging that may be running, and then enable debugging for the automation stitch.
FortiGate # diagnose debug reset
FortiGate # diagnose debug application autod -1
Debug messages will be on for 30 minutes.
FortiGate # diagnose debug enable
For further diagnostics commands, refer to: Technical Tip: How to check why automation stitch is not working as expected.
