FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pjang
Staff
Staff
Description

This article describes a feature on the FortiGate that will allow FortiClient SSL-VPN users to automatically reconnect to the VPN in the event of a temporary drop in network connectivity.

 

This feature is particularly useful when administrators are combining Multi-Factor Authentication (MFA) with username/password authentication, as it allows users to reconnect to the SSL-VPN without requiring them to re-authenticate (i.e. no need for end-users to accept MFA token pushes or input token codes).

 

Note that this feature is independent of the 'Save Password' or 'Always Up (Keep Alive)' SSL-VPN features (meaning 'Allow client to save password' and 'allow client to keep connections alive'), and so the feature are not required to be enabled on the FortiGate or FortiClient.

Scope

FortiGate Tunnel-Mode SSL-VPN (available with FortiOS 6.2 and later)

FortiClient SSL-VPN.

Solution

In the CLI for the FortiGate SSL-VPN Settings (config vpn ssl settings), enable tunnel-connect-without-reauth:

 

# config vpn ssl setting
  set tunnel-connect-without-reauth enable

end

 

The above option is CLI-only on the FortiGate. If the FortiClient version supports the feature, then it will automatically utilize the functionality advertised by the FortiGate (that is no corresponding configuration needed on FortiClient or EMS).

 

Suggested Testing Procedure:

 

The following can be used to test/demonstrate the SSL-VPN functionality once tunnel-connect-without-reauth has been enabled:

1) Prepare a client device that has FortiClient installed, as well as two network interfaces (e.g. a wired interface and a WiFi interface).

2) Disable one of the interfaces, then connect to the SSL-VPN.

3) Once connected to the VPN, disable the currently-active interface and enable the secondary/inactive interface.

The expected behavior is for the VPN to disconnect, then after a few seconds it should automatically reconnect without prompting the user to authenticate themselves.

 

Note:

 

After enabling tunnel-connect-without-reauth, a new associated config option will appear that allows admins to adjust the amount of time FortiClient has to perform the re-connection:

 

tunnel-user-session-timeout - Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30).

 

Contributors