naveenk
Staff
Article Id 192027

Description

This article describes how to limit users to one active SSL VPN connection at a time.

 

Scope

FortiOS 6.2.6 and above.


Solution

In the FortiGate GUI, go to VPN > SSL-VPN Portals, edit the SSL-VPN portal and enable "Limit Users to One SSL-VPN Connection at a Time".



 
The same setting can be enabled from the CLI with the following commands:
 
# config vpn ssl web portal
    edit <portal name>
        set limit-user-logins enable
    end
 
If a user tries to establish another connection on top of an existing SSL VPN session, either from the SSL VPN web portal or with FortiClient, the following prompt is displayed:
 
 
You already have an open SSL VPN connection. Opening multiple connections are not permitted.
Do you want to proceed and disconnect your other connection?


Select "[Yes]" and the existing session will be terminated.

 

Note

If this feature is enabled but the FortiGate is still exhausting the IP address pool, this can be due to known defect 663532 (fixed in FortiOS 6.2.6).

 
 
Confirm whether the defect is being hit with the following commands:
 
  • If the defect is being hit, some session indexes may be missing and not continuous:

# get vpn ssl monitor

  • Compare the session counts: with the defect, the command line shows only 1 session while the GUI shows a number of sessions:

# diagnose vpn ssl list
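
The index check above can also be run offline against saved "get vpn ssl monitor" output. The following is an added example, not part of the original article and not Fortinet tooling. The table layout it parses and the sample data are constructed assumptions, so adjust the parser to the output of the FortiOS build in use.

```python
import re
from collections import defaultdict

# Constructed sample, not captured from a real device. The layout (a section
# title ending in ':', a header row, then rows starting with a numeric index
# followed by the user name) is an assumption about 'get vpn ssl monitor' output.
SAMPLE = """\
SSL VPN Login Users:
 Index   User    Group   Auth Type   Timeout   From
 0       alice   vpn     1(1)        229       198.51.100.10
 3       bob     vpn     1(1)        250       198.51.100.22

SSL VPN sessions:
 Index   User    Group   Source IP       Duration   Tunnel/Dest IP
 0       alice   vpn     198.51.100.10   120        10.212.134.200
 1       alice   vpn     198.51.100.10   95         10.212.134.201
 4       bob     vpn     198.51.100.22   40         10.212.134.202
"""

def parse_monitor(text):
    """Return {section title: [(index, user), ...]} from the monitor output."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):                      # section title line
            current = line[:-1]
        elif current and re.match(r"\d+\s+\S+", line):  # data row, not header
            idx, user = line.split()[:2]
            sections[current].append((int(idx), user))
    return dict(sections)

def index_gaps(rows):
    """Indexes missing between the lowest and highest index in use."""
    used = {i for i, _ in rows}
    return sorted(set(range(min(used), max(used) + 1)) - used) if used else []

def multi_session_users(rows):
    """Users that appear on more than one row of a section."""
    counts = defaultdict(int)
    for _, user in rows:
        counts[user] += 1
    return {u: n for u, n in counts.items() if n > 1}

if __name__ == "__main__":
    for title, rows in parse_monitor(SAMPLE).items():
        print(title, "gaps:", index_gaps(rows), "multi:", multi_session_users(rows))
```

Non-empty gaps match the "not continuous" symptom described above. A user listed on more than one row while limit-user-logins is enabled is worth comparing against the GUI session count.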

 

If it is hitting the defect, please consider the following actions:

  • Consider upgrading to the fixed release
  • Reload the FortiGate to release the IP addresses
  • Manually clear the sessions with the following commands:

To list all SSL VPN sessions and their index numbers:

# execute vpn sslvpn list

 

To disconnect a tunnel mode user:

# execute vpn sslvpn del-tunnel <index>

 

To disconnect a web mode user:

# execute vpn sslvpn del-web <index>

 
