Article Id 263576
Description

This article describes how to use the dynamic tunnel link-monitor option, available from FortiOS v7.2.0, to investigate slowness reported by SSL VPN users.

Scope

FortiGate, v7.2.x, Link-monitor, Dynamic tunnel.
Solution

Example of the SSL VPN connection:

  1. Configure SSL VPN on FortiGate:

Refer to the guide below for the SSL VPN configuration:

SSL VPN

  2. Now configure the ssl.root interface for link-monitor:

config system link-monitor
    edit ssl_vpn
        set srcintf "ssl.root"
        set server-type dynamic
    next
end

Note:
In this case, the server-type is dynamic.

For a static server-type link monitor, refer to the link below:

Technical Tip: Link-Monitor Explained

  3. Connect to the SSL VPN client from the test PC:

Use the command below for the SSL VPN user monitor:


get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 test123 1(1) 295 27066 10.201.10.240 0/0 0/0 0

Note:
As of FortiOS v7.4.0 and above, user group information can be viewed directly in the SSL VPN monitor in the User Group column. This eliminates the need to navigate to User & Authentication -> User Groups to find group information.

SSL VPN sessions:

Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 test123 10.201.10.240 1734 215233/151316 10.212.134.200


  • 10.212.134.200 is the SSL VPN IP address assigned from the SSL VPN subnet pool.
  • 10.201.10.240 is the end machine's public IP.


It is also possible to see the connected user details from the dashboard SSL VPN monitor.


Verify the SSL VPN health status:


diagnose sys link-monitor tunnel all

10.212.134.200 (1): state=alive, peer=10.212.134.200, create_time=2023-07-12 12:01:41, srcintf=ssl.root, latency=2.152, jitter=0.535, pktloss=0.000%


The link monitor probes the IP address assigned to the SSL VPN client, 10.212.134.200 in this case.

From the above output, it is possible to validate the latency, jitter, and packet loss details.
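As an added example (not part of the original article or FortiOS itself), a small Python parser for the diagnose sys link-monitor tunnel all output shown above that flags tunnels which are not alive or exceed latency, jitter or packet-loss thresholds. The thresholds and the second and third sample lines are assumed values; only the first sample line comes from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of "diagnose sys link-monitor tunnel all" output (format as shown in the article).
TUNNEL_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<idx>\d+)\): state=(?P<state>[^,]+), "
    r"peer=(?P<peer>[^,]+), create_time=(?P<created>[^,]+), srcintf=(?P<srcintf>[^,]+), "
    r"latency=(?P<latency>[\d.]+), jitter=(?P<jitter>[\d.]+), pktloss=(?P<pktloss>[\d.]+)%$"
)

@dataclass
class TunnelHealth:
    ip: str
    state: str
    srcintf: str
    latency_ms: float
    jitter_ms: float
    pktloss_pct: float

def parse_tunnel_line(line: str) -> Optional[TunnelHealth]:
    """Parse one tunnel line; return None for lines that do not match the format."""
    m = TUNNEL_RE.match(line.strip())
    if not m:
        return None
    return TunnelHealth(m["ip"], m["state"], m["srcintf"],
                        float(m["latency"]), float(m["jitter"]), float(m["pktloss"]))

def degraded_tunnels(output: str, max_latency_ms: float = 150.0,
                     max_jitter_ms: float = 30.0, max_loss_pct: float = 2.0) -> List[TunnelHealth]:
    """Return tunnels that are not alive or exceed a threshold (thresholds are assumed values)."""
    bad = []
    for line in output.splitlines():
        t = parse_tunnel_line(line)
        if t and (t.state != "alive" or t.latency_ms > max_latency_ms
                  or t.jitter_ms > max_jitter_ms or t.pktloss_pct > max_loss_pct):
            bad.append(t)
    return bad

# Constructed sample: the first line is the article's output, the other two are made up.
SAMPLE_OUTPUT = """\
10.212.134.200 (1): state=alive, peer=10.212.134.200, create_time=2023-07-12 12:01:41, srcintf=ssl.root, latency=2.152, jitter=0.535, pktloss=0.000%
10.212.134.201 (2): state=alive, peer=10.212.134.201, create_time=2023-07-12 12:03:10, srcintf=ssl.root, latency=240.818, jitter=45.120, pktloss=6.500%
10.212.134.202 (3): state=dead, peer=10.212.134.202, create_time=2023-07-12 12:05:02, srcintf=ssl.root, latency=0.000, jitter=0.000, pktloss=100.000%
"""

if __name__ == "__main__":
    for t in degraded_tunnels(SAMPLE_OUTPUT):
        print(f"{t.ip}: state={t.state} latency={t.latency_ms}ms "
              f"jitter={t.jitter_ms}ms loss={t.pktloss_pct}%")
```

Feed the saved output of the diagnose command to degraded_tunnels to list only the SSL VPN users whose tunnels show the degradation the article describes.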

Note:
SSL VPN link monitor supports ICMP and IPv4 monitoring protocols.


Make sure that on the test PC, ping is not blocked by the endpoint firewall.


The command below can be useful while checking SSL VPN users:


diagnose vpn ssl list
