Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pgautam
Staff
Staff

Created on ‎07-12-2023 12:27 AM

Article Id 263576

Technical Tip: How to monitor the link health for SSL VPN connections

Description

This article describes that sometimes, there are some issues where some SSL VPNs users report slowness issues. In such cases, there is a dynamic tunnel link monitoring option available from 7.2.0 FortiOS.
Scope FortiGate, v7.2.x, Link-monitor, Dynamic tunnel.
Solution

Example of the SSL VPN connection:

 

  1. Configure SSL VPN on FortiGate:

Refer to the below guide for the SSL VPN configuration:-

https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/371626/ssl-vpn

 

     2. Now configure the ssl.root interface for link-monitor:

 

config system link-monitor

  edit ssl_vpn

      set srcintf "ssl.root"

      set server-type dynamic

  next

end

 

Note:

In this case, server-type is dynamic

 

For a static server-type link monitor refer to the below link:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Link-monitor/ta-p/197504 

 

     3. Connect to the SSL VPN client from the test PC:

 

Use the below command for the SSL VPN user monitor 

 

get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 test123 1(1) 295 27066 10.201.10.240 0/0 0/0 0

 

SSL-VPN sessions:


Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 test123 10.201.10.240 1734 215233/151316 10.212.134.200

 

10.212.134.200 is the SSL VPN IP address assigned from the SSL_VPN subnet pool. 

10.201.10.240 is the end machine's public IP.

 

It is also possible to see the connected user detail from the dashboard SSL-VPN monitor.

 

Verify the SSL VPN health status:

 

diagnose sys link-monitor tunnel al

10.212.134.200 (1): state=alive, peer=10.212.134.200, create_time=2023-07-12 12:01:41, srcintf=ssl.root, latency=2.152, jitter=0.535, pktloss=0.000%

 

In link-monitor SSL VPN assigned IP address 10.212.134.200 will get monitored.

From the above output, it is possible to validate the latency, jitter, and packet loss detail.

 

Note:

SSL VPN link monitor supports ICMP and IPv4 monitoring protocol.

 

Make sure that on the test PC ping is not blocked by the endpoint firewall.

 

Related documents:

https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/371626/ssl-vpn

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Link-monitor/ta-p/197504

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/50631/sla-link-monitoring-for-dynami...

https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/28104/ssl-vpn-monitor
1283
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.