FortiGate
naveenk
Staff
Article Id 192027

Description

This article describes how to limit users to one active SSL VPN connection at a time.

Scope

FortiGate v6.2.6 and above.


Solution

From the FortiGate GUI, go to VPN -> SSL VPN Portals, edit the SSL-VPN portal and enable 'Limit Users to One SSL-VPN Connection at a Time'.

[screenshot]

The same setting can be configured from the CLI:

config vpn ssl web portal
    edit <portal name>
        set limit-user-logins enable
    next
end

If a user tries to establish another connection on top of an existing SSL VPN session, either from the SSL VPN web portal or from FortiClient, the following prompt is displayed:

[screenshot]

Select 'Yes' and the existing session will be terminated.

Make sure that the firewall policy uses exactly the same group or user as its source as the matching authentication rule under SSL VPN settings.

For example:

User 'test1' should be matched with the 'tunnel-access' VPN portal, which has 'Limit Users to One SSL-VPN Connection at a Time' enabled. All other users/groups should be matched with the 'full-access' VPN portal.

[screenshot]

The policy sequence order also matters, so make sure to place the user-specific policy above the user group policy, as shown in the screenshot below.

[screenshot]

If only the second policy is configured and the top policy is missing, the SSL VPN connection limit is not applied: the connection is allowed by the second authentication rule in the SSL VPN settings and is matched with the 'full-access' VPN portal instead of the 'tunnel-access' VPN portal. Even if user 'test1' is a member of VPN_Group, the SSL VPN user limit will not be applied.
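The scenario above written out as FortiOS CLI configuration, added here as an illustration and not taken from the original article. The portal names 'tunnel-access' and 'full-access', the user 'test1' and the group 'VPN_Group' come from the article; the address object 'SSLVPN_TUNNEL_ADDR1', the interfaces 'ssl.root' and 'port1', the policy IDs and the policy names are assumed.

```fortios
# Added example, not from the article. Every quoted name other than
# 'tunnel-access', 'full-access', 'test1' and 'VPN_Group' is assumed.

# 1. The portal with the per-user connection limit, and the unrestricted one.
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set limit-user-logins enable
    next
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 2. Authentication rules: rule 1 maps 'test1' to the limited portal,
#    rule 2 maps the rest of VPN_Group to 'full-access'.
config vpn ssl settings
    config authentication-rule
        edit 1
            set users "test1"
            set portal "tunnel-access"
        next
        edit 2
            set groups "VPN_Group"
            set portal "full-access"
        next
    end
end

# 3. Firewall policies whose source user/group mirrors the authentication
#    rules exactly, with the user-specific policy evaluated first.
config firewall policy
    edit 10
        set name "sslvpn-test1"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "test1"
    next
    edit 11
        set name "sslvpn-vpn-group"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN_Group"
    next
    # Policy IDs do not define evaluation order; make sure policy 10 sits
    # above policy 11 in the sequence (a no-op if it already does).
    move 10 before 11
end
```

The 'move' at the end is the CLI equivalent of dragging the user-specific policy above the group policy in the GUI: without it, 'test1' can match the group policy first, land on 'full-access' and bypass the connection limit.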


Note:

If this feature is enabled but the FortiGate still exhausts the IP address pool, this can be due to a known defect, 663532 (fixed in v6.2.6): 'Get no more IP address available error when users connect to SSL VPN after upgrading to 6.2...'

Confirm the situation with the following commands:

  • If the defect is being hit, some indexes may be lost, so the index numbers are not continuous:

get vpn ssl monitor

  • Compare the sessions: the command line shows only 1 session, while the GUI shows the full number of sessions:

diagnose vpn ssl list

If the defect is being hit, consider the following actions:

  • Upgrade to the fixed release.
  • Reboot the FortiGate to release the IP addresses.
  • Manually clear the sessions with the following commands.

To list all SSL VPN sessions and their index numbers:

execute vpn sslvpn list

[screenshot]

To disconnect a tunnel mode user:

execute vpn sslvpn del-tunnel <index>

To disconnect a web mode user:

execute vpn sslvpn del-web <index>

[screenshot]

Note:

Starting with v7.6.3, SSL VPN tunnel mode is no longer supported, and SSL VPN web mode is called 'Agentless VPN', as explained in Technical Tip: Upcoming changes on SSL VPN modes starting from v7.6.3.