dimitark
New Member
April 13, 2022
Question

SSL VPN - Web mode disabled, but Forticlient connects in web mode

  • April 13, 2022
  • 6 replies
  • 17183 views

Hi Team, 

We would like to use SSL VPN in tunnel mode only. We have disabled web mode on the portal, but some users using FortiClient are connected in ssl-web mode. After numerous session resets the clients finally connect in tunnel mode. Any ideas or help finding the reason are appreciated.

6 replies

akristof
Staff
April 13, 2022

Hello,

Thank you for your question. Can you share some screenshots of how FortiClient is connected in web mode? Or how exactly are you checking this?

dimitark (Author)
New Member
April 13, 2022

After login there's an error on the FortiClient (screenshot: Forticlient.png).

Here is what we see on the FortiGate (screenshot: fortigatedashboard.jpg).

And the event log (screenshot: Untitleddssdsd.png).

Yurisk
SuperUser
April 13, 2022

Have you created the authentication rule, so that the users in question are mapped unequivocally to the specific portal where web mode is disabled? By your description it sounds like they fall through and finally reach the default rule, which has web mode enabled. It is also possible when you have the same users located in multiple AD groups, with each group having a different portal.


tio3udes
Explorer III
April 13, 2022

Yes, you need to correctly map the user groups to the correct portal. And also, FortiClient only uses tunnel mode, so this is weird.

A problem here is that, even though web mode is disabled, if you try to access the VPN portal address through a browser, the page is still presented, although no one will be able to authenticate.

dimitark (Author)
New Member
April 14, 2022

The users are authenticated and mapped to one portal. We use Azure as the Identity Provider, if that matters. This particular problem happens only to a limited number of users, who have the very same group assignments as the rest, who never experience it and are able to connect normally.

Hoid
New Member
June 23, 2022

Did you ever find the root cause for this? I'm seeing the same thing in my environment and am mystified as to why this is happening.

jklee
New Member
August 22, 2022

I am also seeing this. Using FortiClient 7.0.6.0290 to FortiGate 7.0.6 Build 0366. Just one user is failing to connect, and the FG logs show it's trying to connect via web mode.

BB1
New Member
June 19, 2023

Hi, has anyone found a solution to this problem? In some cases users log in correctly when they change network to LTE...

kkhushdeep
Staff
July 30, 2024

Hello Team,

After hiding the SSL VPN login page (on v7.4.1 and below) or disabling it globally (v7.4.2 and above), it is expected to see every failed authentication for SSL VPN flagged with 'tunnel Type ssl-web'. The log does not mean an authentication attempt is being pushed through the SSL VPN login page.

Every authentication failure on the FortiGate will be categorized as web for the tunnel type, even if the attempt came from a FortiClient.

This is because FortiClient identifies itself as using tunnel mode after the authentication attempt; as a result, the FortiGate cannot distinguish tunnel mode from web mode on an authentication failure.

Please check the link below for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-authentication-failure-logs-are-still/ta-p/328096

Thanks

Khushdeep
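A small log-triage helper, added here as an example and not part of this thread or of Fortinet's tooling: it parses FortiGate-style key=value event lines and reports only the ssl-web entries that are genuine web-mode sessions, skipping login failures where, as the staff reply explains, the tunnel type is always recorded as ssl-web. The sample lines are constructed, and the field names and values (action, tunneltype, user, remip, reason) are assumed to follow FortiGate's event log format.

```python
import re
from typing import Dict, List

# Constructed sample lines in FortiGate-style key=value form (not real captures);
# field names/values are assumed to match the FortiGate vpn event log format.
SAMPLE_LOGS = [
    'date=2022-04-13 time=09:01:10 type="event" subtype="vpn" action="ssl-login-fail" '
    'tunneltype="ssl-web" user="alice" remip="198.51.100.10" reason="sslvpn_login_permission_denied"',
    'date=2022-04-13 time=09:01:25 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-tunnel" user="alice" remip="198.51.100.10" reason="login successfully"',
    'date=2022-04-13 time=09:05:00 type="event" subtype="vpn" action="ssl-login-fail" '
    'tunneltype="ssl-web" user="bob" remip="203.0.113.7" reason="sslvpn_login_unknown_user"',
    'date=2022-04-13 time=09:07:42 type="event" subtype="vpn" action="ssl-login" '
    'tunneltype="ssl-web" user="carol" remip="203.0.113.9" reason="login successfully"',
]

# key=value pairs; a value is either a quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    out: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        out[key] = val
    return out

def real_web_mode_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return events that genuinely indicate a web-mode session.

    On any authentication failure the FortiGate records tunneltype="ssl-web"
    even for FortiClient, so failures are skipped; only successful logins
    carry a trustworthy tunnel type."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") == "ssl-login-fail":
            continue  # tunnel type is not meaningful on a failure
        if ev.get("tunneltype") == "ssl-web":
            hits.append(ev)
    return hits

def failure_counts_by_user(lines: List[str]) -> Dict[str, int]:
    """Count login failures per user, ignoring the tunneltype field entirely."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") == "ssl-login-fail":
            user = ev.get("user", "?")
            counts[user] = counts.get(user, 0) + 1
    return counts
```

Run over real exports, the first function separates actual web-mode logins from the misleading ssl-web failure entries, while the second shows which accounts are failing regardless of how the tunnel type was labelled.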