FortiGate
pgautam, Staff
Article Id 263576
Description

This article describes how to monitor SSL VPN tunnels when SSL VPN users report slowness. For such cases, a dynamic tunnel link-monitor option is available from FortiOS 7.2.0.

Scope

FortiGate, v7.2.x, Link-monitor, Dynamic tunnel.
Solution

Example of the SSL VPN connection:

1. Configure SSL VPN on FortiGate:

Refer to the following guide for the SSL VPN configuration:

https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/371626/ssl-vpn

2. Now configure the ssl.root interface for link-monitor:

config system link-monitor
    edit ssl_vpn
        set srcintf "ssl.root"
        set server-type dynamic
    next
end

Note:

In this case, the server-type is dynamic.

For a static server-type link monitor, refer to the following article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Link-monitor/ta-p/197504

3. Connect to the SSL VPN client from the test PC:

Use the following command to monitor the SSL VPN users:

get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 test123 1(1) 295 27066 10.201.10.240 0/0 0/0 0

Note:
As of FortiOS v7.4.0 and above, user group information can be viewed directly in the SSL VPN monitor in the User Group column. This eliminates the need to navigate to User & Authentication -> User Groups to find group information.

[Screenshot: ssl-vpn monitor.PNG]


SSL-VPN sessions:


Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 test123 10.201.10.240 1734 215233/151316 10.212.134.200

  • 10.212.134.200 is the SSL VPN IP address assigned from the SSL_VPN subnet pool.
  • 10.201.10.240 is the end machine's public IP.

It is also possible to see the connected user details in the dashboard SSL-VPN monitor.

Verify the SSL VPN health status:

diagnose sys link-monitor tunnel all

10.212.134.200 (1): state=alive, peer=10.212.134.200, create_time=2023-07-12 12:01:41, srcintf=ssl.root, latency=2.152, jitter=0.535, pktloss=0.000%

The link monitor probes the SSL VPN assigned IP address, 10.212.134.200, as the dynamic tunnel peer.

From the above output, it is possible to validate the latency, jitter, and packet loss for each tunnel.
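The two outputs above are easier to act on when they are joined: the sessions table maps a user to the tunnel IP, and the link-monitor output carries the health of that tunnel IP. The following Python script is an added example, not part of the original article and not a FortiOS or Fortinet tool: it parses constructed copies of the `get vpn ssl monitor` sessions table and the `diagnose sys link-monitor tunnel all` output (the first entry is the article's own, the second user `jdoe` and its tunnel 10.212.134.201 are invented), joins them on the assigned tunnel IP, and reports users whose tunnel breaches latency, jitter or packet-loss thresholds. The thresholds are assumptions for illustration, not FortiOS defaults.

```python
"""Correlate FortiGate SSL VPN sessions with dynamic link-monitor health.

Added example (not Fortinet code). Input is the text captured from the
CLI; the samples below are constructed from the article's output format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `get vpn ssl monitor` (sessions section only).
# The Group column is blank for both rows, as in the article's output.
SESSIONS_OUTPUT = """\
SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 test123 10.201.10.240 1734 215233/151316 10.212.134.200
1 jdoe 198.51.100.7 402 10023/8841 10.212.134.201
"""

# Constructed sample of `diagnose sys link-monitor tunnel all`.
# The second line is an invented degraded tunnel for the demonstration.
LINK_MONITOR_OUTPUT = """\
10.212.134.200 (1): state=alive, peer=10.212.134.200, create_time=2023-07-12 12:01:41, srcintf=ssl.root, latency=2.152, jitter=0.535, pktloss=0.000%
10.212.134.201 (2): state=alive, peer=10.212.134.201, create_time=2023-07-12 12:05:03, srcintf=ssl.root, latency=312.400, jitter=41.200, pktloss=12.500%
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# Session row: index, user, optional group, source IP, duration, in/out bytes, tunnel IP.
SESSION_RE = re.compile(
    rf"^(?P<index>\d+)\s+(?P<user>\S+)\s+(?:(?P<group>\S+)\s+)?"
    rf"(?P<src>{IPV4})\s+(?P<duration>\d+)\s+(?P<io>\d+/\d+)\s+(?P<tunnel>{IPV4})$"
)

# Link-monitor row: "<tunnel ip> (<id>): key=value, key=value, ..."
TUNNEL_RE = re.compile(rf"^(?P<tunnel>{IPV4})\s+\((?P<id>\d+)\):\s+(?P<fields>.*)$")


@dataclass
class TunnelHealth:
    tunnel_ip: str
    state: str
    latency_ms: float
    jitter_ms: float
    pktloss_pct: float


def parse_sessions(text: str) -> Dict[str, str]:
    """Map assigned tunnel IP -> username from the SSL-VPN sessions table."""
    sessions: Dict[str, str] = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions[m["tunnel"]] = m["user"]
    return sessions


def parse_link_monitor(text: str) -> Dict[str, TunnelHealth]:
    """Map tunnel IP -> TunnelHealth from the dynamic link-monitor output."""
    tunnels: Dict[str, TunnelHealth] = {}
    for line in text.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if not m:
            continue
        # Fields are comma separated; create_time contains a space but no comma.
        kv = dict(field.split("=", 1) for field in m["fields"].split(", "))
        tunnels[m["tunnel"]] = TunnelHealth(
            tunnel_ip=m["tunnel"],
            state=kv.get("state", "unknown"),
            latency_ms=float(kv.get("latency", "nan")),
            jitter_ms=float(kv.get("jitter", "nan")),
            pktloss_pct=float(kv.get("pktloss", "nan%").rstrip("%")),
        )
    return tunnels


def find_degraded(
    sessions: Dict[str, str],
    tunnels: Dict[str, TunnelHealth],
    max_latency_ms: float = 150.0,   # assumed threshold, not a FortiOS default
    max_jitter_ms: float = 30.0,     # assumed threshold
    max_loss_pct: float = 5.0,       # assumed threshold
) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for every session whose tunnel is unhealthy."""
    degraded: Dict[str, List[str]] = {}
    for tunnel_ip, user in sessions.items():
        health: Optional[TunnelHealth] = tunnels.get(tunnel_ip)
        reasons: List[str] = []
        if health is None:
            reasons.append("no link-monitor entry for tunnel")
        else:
            if health.state != "alive":
                reasons.append(f"state={health.state}")
            if health.latency_ms > max_latency_ms:
                reasons.append(f"latency {health.latency_ms:.1f} ms")
            if health.jitter_ms > max_jitter_ms:
                reasons.append(f"jitter {health.jitter_ms:.1f} ms")
            if health.pktloss_pct > max_loss_pct:
                reasons.append(f"packet loss {health.pktloss_pct:.1f}%")
        if reasons:
            degraded[user] = reasons
    return degraded


if __name__ == "__main__":
    report = find_degraded(parse_sessions(SESSIONS_OUTPUT), parse_link_monitor(LINK_MONITOR_OUTPUT))
    for user, reasons in report.items():
        print(f"{user}: {', '.join(reasons)}")
```

In practice the two strings would be replaced by the text captured from the FortiGate CLI (for example over SSH); users with no matching link-monitor entry are reported as well, since a session without a monitored tunnel is itself worth a look.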

Note:

The SSL VPN link monitor supports ICMP as the monitoring protocol, over IPv4.

Make sure that ping (ICMP) is not blocked by the endpoint firewall on the test PC.

The following command is also useful when checking SSL VPN users:

diagnose vpn ssl list
