anoushiravan
Staff
Article Id 276817
Description This article describes how to avoid re-authentication when a connected SSL VPN user changes networks, for instance, by moving to a different SSID or network.
FortiGate and FortiClient hand out an authentication cookie that is used to reconnect the tunnel if the connection drops.
Scope FortiGate, FortiClient.
Solution

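The following settings should be applied under the SSL VPN settings and the SSL VPN portal. The source IP check is disabled because the client's source IP changes when it moves to a different network: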

 

config vpn ssl settings
    set auth-session-check-source-ip disable <----- Enabled by default.
    set tunnel-connect-without-reauth enable <----- Disabled by default.
    set tunnel-user-session-timeout x <----- 1~86400 seconds. This value has a limit of 255 seconds on old FortiOS versions. The default is 30.
end


config vpn ssl web portal
    edit <portal name>
        set auto-connect enable
        set keep-alive enable
    next
end

 

When the features are enabled, FortiClient will try to reconnect without re-authentication.

Note:

auto-connect/keep-alive needs to be enabled on the FortiClient side.
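
To review which devices and portals run with these settings, the following is an added example (not part of the original article and not Fortinet code): a Python check that reads a FortiOS configuration backup and reports whether reconnection without re-authentication is on, whether the source IP check still applies, how long the reconnect window is, and which portals have both auto-connect and keep-alive enabled. The sample configuration, the function names `section` and `audit`, and the assumption that a backup omits settings left at their default are illustrative.

```python
import re

# Constructed sample of a FortiOS config backup (not from a real device).
SAMPLE = """config vpn ssl settings
    set auth-session-check-source-ip disable
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 3600
end
config vpn ssl web portal
    edit "full-access"
        set auto-connect enable
        set keep-alive enable
    next
    edit "web-only"
        set keep-alive enable
    next
end
"""
DEFAULTS = {"auth-session-check-source-ip": "enable",
            "tunnel-connect-without-reauth": "disable", "tunnel-user-session-timeout": "30"}

def section(config, header):
    """Yield the depth-1 lines of top-level 'config <header>', skipping nested blocks."""
    depth = 0
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            depth = int(line == "config " + header)
        elif line == "end":
            depth -= 1
        elif line.startswith("config "):
            depth += 1
        elif depth == 1:
            yield line

def audit(config):
    """Reconnect posture of a backup; absent settings take the article's stated defaults (assumption)."""
    found = dict(re.findall(r"^set (\S+) (\S+)", "\n".join(section(config, "vpn ssl settings")), re.M))
    s = {key: found.get(key, default) for key, default in DEFAULTS.items()}
    portals, name = {}, None
    for line in section(config, "vpn ssl web portal"):
        if line.startswith("edit "):
            name = line[5:].strip('"')
        elif re.fullmatch(r"set (auto-connect|keep-alive) enable", line):
            portals.setdefault(name, set()).add(line)
    return {"reconnect_without_reauth": s["tunnel-connect-without-reauth"] == "enable",
            "source_ip_checked": s["auth-session-check-source-ip"] == "enable",
            "window_seconds": int(s["tunnel-user-session-timeout"]),
            "reconnect_portals": sorted(p for p, f in portals.items() if len(f) == 2)}

print(audit(SAMPLE))
```

A result with `reconnect_without_reauth` true and `source_ip_checked` false means the authentication cookie is accepted from a new source address for `window_seconds` after a drop, so that value is the one to keep as short as roaming users can tolerate.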

 

Related article:

Technical Tip: Configuring SSL-VPN to allow tunnel reconnection without requiring reauthentication