Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
naveenk
Staff
Staff

Created on ‎04-20-2020 10:07 AM Edited on ‎10-27-2024 11:56 PM By Community Manager

Article Id 192027

Technical Tip: Multiple sessions of SSL VPN users

Description

 

This article describes how to limit users to one active SSL VPN connection at a time.

 

Scope

 

FortiGate v6.2.6 and above.


Solution

 

From the FortiGate GUI: VPN > SSL VPN Portals, edit SSL-VPN Portal and enable: 'Limit Users to One SSL-VPN Connection at a Time'.


 
The following commands can be used in the CLI:
 
config vpn ssl web portal
    edit <portal name>
        set limit-user-logins enable
    end
 
If a user tries to establish another connection on top of the existing SSL VPN session, either from the SSL VPN Web portal or with FortiClient, it will prompt the following message:
 
Screenshot 2022-01-07 084521.png
 
You already have an open SSL VPN connection. Opening multiple connections are not permitted.
Do you want to proceed and disconnect your other connection?


Select '[Yes]' and the existing session will be terminated.

 

Make sure that the policy has the exact group or user as a source matching with authentication rule under SSL VPN settings.

 

For example :

 

User 'test1' should be matched with the 'tunnel-access' VPN portal and it has 'Limit Users to One SSL-VPN Connection at a Time' enabled under it. All other users/groups should be matched with the 'full-access' VPN portal.

 

VPN1.png

 

The policy sequence order also matters, so make sure to put user-specified policy on top of user group policy as shown in the below screenshot.

 

VPN2.png

 

If a top policy is not configured and only the second policy is configured, then the SSL VPN limit per connection would not be considered because the connection would be allowed with the second authentication rule from SSL VPN settings and will get matched with the 'full-access' VPN portal instead of 'tunnel-access' VPN portal. Even if user 'test1' is a part of VPN_Group, the SSL VPN user limit will not be considered.

 

Note:

Notice that if this feature is enabled but FortiGate is still exhausting the IP address pool, this can be due to an existing defect: '663532' (It is fixed in v6.2.6): 663532:  Get no more IP address available error when users connect to SSL VPN after upgrading to 6.2...

 
Confirm the situation with the following commands:

  •  If it is hitting this defect, some indexes may be lost and not continuous:

 

get vpn ssl monitor

 

  • Compare the sessions, with which the command line only shows 1 session while GUI shows the numbers of session:

 

diagnose vpn ssl list

 

If it is hitting the defect, please consider the following actions:

  • Consider upgrading to the fixed-release.
  • Reload the FortiGate to release the IP addresses.
  • Manually clear the sessions with the following commands.

 

To list all SSL VPN sessions and their index numbers:

 

execute vpn sslvpn list

 

To disconnect a tunnel mode user:

 

execute vpn sslvpn del-tunnel <index>

 

To disconnect a web mode user:

 

execute vpn sslvpn del-web <index>

Labels:
53610
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.