FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192723



This article describes how to configure a password expiration day and a warning feature for the local user database of SSL VPN.



To configure SSL VPN users to change their password in the local user database before it expires

The password policy is used to configure the password renewal frequency (every 2 days for instance) and the warning that normally occurs the day before the expiration date. Password policy can be applied to any local user password.

The password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.


In FortiOS 7.0, users are warned as per warn-days set and they have to renew their password before it get expire, which is based on the expire-days mentioned in the password policy. The user cannot renew the password and need to contact the FortiGate administrator for assistance. 

In FortiOS 6.2, users are warned one day before the expiry date of the password and they have one day to renew it. When the password is expired, the user cannot renew the password and need to contact the FortiGate administrator for assistance.

In FortiOS 6.0/5.6, users are warned one day before the expiry date of the password. Users can still renew the password even after the password has expired.

Configure and assign the password policy using the CLI

The following commands are used to configure a password policy that includes an expiration date and a warning time. 


#config user password-policy
    edit "pwpolicy1"          <- password policy name.
        set expire-days 5     <- password expiry.
        set warn-days 3       <- warning notification for password going to be expire soon.
        set expired-password-renewal disable  <- if enable this option is, after the password expires, still end user can renew the password, with no need to depend upon FortiGate Administrator. 



Assign the password policy to the newly created user.


#config user local

    edit "sslvpnuser1"     <- local username.
        set type password
        set passwd-policy "pwpolicy1"    <- applying password policy.
        set passwd-time 2021-11-26 22:46:15    <- the default start time for the password, this is the time when the user was created.
        set passwd  xyz   <- password.


Once the user is reached warn-days, the user will get the below prompt, while connecting to SSL VPN by entering old username and password. It will redirect to enter a new password for the same.

KB-forticlient password change.PNG


Once a user changes his password,  'passwd-time' will get changed again. 


# config user local

    edit "sslvpnuser1"

     set type password
     set passwd-policy "pwpolicy1"
     set passwd-time 2021-11-30 23:34:30  <- passwd-time has been changed.
     set passwd ENC +sddai212=




Note that, currently, the Password renewal for local users when using the Dial IPSec VPN is not supported.