Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
btan
Staff & Editor
Staff & Editor

Created on ‎07-20-2025 10:29 PM

Article Id 402382

Technical Tip: Stop FortiClient from attempting AutoConnect when there is Always-Up + auth-timeout setup from FortiGate

Description

This article describes how to stop FortiClient from attempting AutoConnect after the 'auth-timeout' timer from FortiGate.
Scope FortiClient v7.2 and v7.4.
Solution

VPN setup summary:

  • Configure 'auth-timeout' on FortiGate (VPN tunnel will be dropped after the configured duration).
  • Configure [Auto Connect Only When Off-Fabric] + [Always-Up VPN] + [Always Up Max Tries = 3] + <keep_running>1 in FortiClient EMS endpoint profile.


In this example, auth-timeout on FortiGate is set to 43200 (12 hours), meaning the user can only be connected up to 12 hours per VPN session, regardless of whether or not the user is actively using the VPN tunnel.

 

This configuration is useful when an organization has below requirements:

  • End users must always connect to VPN when in off-fabric (eg, out-of-office, not physically located in the company).
  • End users must reauthenticate every 12 hours to continue using VPN for security reasons.

 

Issue description:

  • After the VPN is connected for 12 hours, the VPN tunnel will be dropped from the FortiGate side. However, FortiClient keeps on attempting AutoConnect (as it is configured as such).
  • FortiClient did not respect the [Always Up Max Tries = 3] configuration; it keeps on attempting AutoConnect until it succeeds.
  • This can be an issue when the VPN tunnel is a SAML VPN with MFA authentication.
  • If the user is away or not in front of the computer after the VPN disconnection, it causes the MFA token to be sent to the end user's mobile phone.


july-kb4-1.png

 

  • It may also result in Entra ID blocking the user account if there are such security policies applied on the Entra ID side.

 

july-kb4-2.png

 

This behavior is due to the [Always Up Max Tries = 3] configuration is not applicable in the [Auto Connect Only When Off-Fabric] scenario.

Solution:

  1. In FortiClient EMS, enable on/off-fabric profile.

 

july-kb4-3-policy.png

 

  1. In the on-fabric profile, do not configure any Auto Connect.

 

july-kb4-4.png

 

  1. In the off-fabric profile:
  • Set [Disable Internet Check] to OFF.
  • Configure the desired [Auto Connect] tunnel.
  • Set [Auto Connect Only When Off-Fabric] to ON.
  • Set [Always Up Max Tries] to a desired value (eg, 3).

 

july-kb4-5.png

 

With this configuration, the expected results:

  1. After VPN is connected for the auth-timeout duration (eg, 12 hours), the VPN tunnel will be dropped from the FortiGate side.
  2. FortiClient determines the endpoint fabric status.
  • If it is on-fabric, FortiClient will not autoconnect.
  • If it is off-fabric, FortiClient will attempt to AutoConnect. It will stop the AutoConnect attempt after 3 tries.
  1. As such, when user is away or not in front of the computer, the MFA token will not be sent to the end user's mobile phone.
  2. FortiClient will still attempt AutoConnect when there is a brief VPN disconnection due to network hiccups on the end user side.
339
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.