Description | This article describes why there is a web connection for an SSL VPN user even though only tunnel mode is allowed. |
Scope | FortiGate. |
Solution |
The SSL VPN monitor shows users with active web connections even though the SSL VPN portal only allows tunnel mode (aka FortiClient) connections:
The above screenshot shows that the user belongs to the 'SAML' user group, and the below screenshot shows that the user group 'SAML' has been mapped to the 'tunnel-access' portal.
The SSL VPN monitor shows an active web connection because the user is able to access and authenticate against the web portal. However, after a successful authentication, the portal displays the below warning: 'The SSL-VPN portal has been enabled for tunnel mode use only. FortiClient is required to connect.'
Even with web mode disabled in the SSL VPN portal settings, the above landing page is still available after a user authenticates successfully. This is expected behavior, though it is possible to disable SSL VPN web mode entirely in the global settings.
From v7.4.1, the complete functionality of SSL VPN web mode can be disabled in global mode with the following command:
config system global
    set sslvpn-web-mode disable
end
For more information on disabling web mode globally, see Technical Tip: How to disable SSL VPN web-mode globally.
Note: Starting from v7.6.3, SSL VPN web mode will be called 'Agentless VPN'. |
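To confirm the state described above from a configuration backup, the following added example (not Fortinet's code) reports whether sslvpn-web-mode is explicitly disabled in the global settings and which portals still have web mode enabled. The function name, the sample configuration, and the 'full-access' portal are constructed for illustration; the script assumes the portal-level web-mode setting under config vpn ssl web portal and treats a missing global setting as not disabled.

```python
# Constructed sample of a FortiGate configuration backup (not from the article).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
    set sslvpn-web-mode disable
end
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set web-mode disable
    next
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
    next
end
"""

PORTAL_PATH = ["vpn ssl web portal"]

def audit_sslvpn_web_mode(config_text):
    """Return (global_disabled, portals_with_web_mode) for a config backup."""
    path = []                # stack of open "config ..." blocks
    portal = None            # name of the portal entry being read, if any
    global_disabled = False  # assumption: a missing setting means not disabled
    web_portals = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
        elif line == "end" and path:
            path.pop()
        elif line.startswith("edit ") and path == PORTAL_PATH:
            portal = line[len("edit "):].strip('"')
        elif line == "next" and path == PORTAL_PATH:
            portal = None
        elif line.startswith("set "):
            _, key, *rest = line.split(None, 2)
            value = rest[0] if rest else ""
            if path == ["system global"] and key == "sslvpn-web-mode":
                global_disabled = value == "disable"
            elif path == PORTAL_PATH and portal and key == "web-mode":
                if value == "enable":
                    web_portals.append(portal)
    return global_disabled, web_portals

if __name__ == "__main__":
    disabled, portals = audit_sslvpn_web_mode(SAMPLE_CONFIG)
    print("global sslvpn-web-mode disabled:", disabled)
    print("portals with web-mode enabled:", portals)
```

A portal that does not appear in the second result can still show the tunnel-mode-only landing page after authentication unless the first result is True.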
Copyright 2025 Fortinet, Inc. All Rights Reserved.