Article Id 191322



This article describes the default settings on SSL VPN and the consequences of configuration changes to SSL-VPN settings in a production environment.
Scope: any supported version of FortiGate.



By default, an SSL VPN connection logs out after 8 hours:
config vpn ssl settings
    set auth-timeout 28800
end
The auth-timeout is the period of time in seconds that the SSL-VPN will wait before re-authentication is enforced.
The default value is 28800 seconds (8 hours). The value can be between 0 and 259200.

A value of 0 indicates no timeout.
The idle-timeout is the period of time in seconds that the SSL-VPN will wait before timing out a user who is not active. Adjust it as follows:
config vpn ssl settings
    set idle-timeout 300
end
The default value is 300 seconds (5 minutes). The value can be between 0 and 259200.

The changes above, or a change between tunnel and web mode, will not impact the environment unless a user surpasses the newly configured value. If the user's connection time is still lower than the newly configured value, the user will not be disconnected. These settings are applied to currently active sessions.


Example:
  • User 1 is connected for 3 minutes.
  • User 2 is connected for 2 hours.
Result: Setting 'auth-timeout' to 3600 seconds will disconnect User 2 but not User 1.

However, be aware that once an SSL VPN client is connected, a change to firewall address objects or IP pools under SSL VPN settings in a production environment will tear down all of the active SSL VPN connections regardless of the configured timeout period described above.

This is expected behavior, and the following log is displayed in the CLI debug output:
[260:root:0][257:root:0]Config change causes all session to be closed in vdom 'root'
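
The following is an added example, not Fortinet code: a small Python model of the behavior described in this article, useful for estimating which active sessions a planned change would disconnect. The `Session` fields, the function names and the sample sessions are assumptions constructed for illustration.

```python
# Added example: models the behaviour described in this article, not Fortinet code.
from dataclasses import dataclass

MAX_TIMEOUT = 259200  # upper bound for auth-timeout and idle-timeout per the article


@dataclass
class Session:  # hypothetical record of one active SSL VPN user
    user: str
    connected_s: int  # seconds since the user authenticated
    idle_s: int       # seconds since the user was last active


def _expired(elapsed: int, timeout: int) -> bool:
    # 0 means "no timeout". Treating elapsed == timeout as expired is an assumption.
    return timeout != 0 and elapsed >= timeout


def impacted(sessions, auth_timeout=28800, idle_timeout=300,
             pool_or_address_change=False):
    """Return {user: reason} for sessions the planned change would disconnect."""
    for name, value in (("auth-timeout", auth_timeout),
                        ("idle-timeout", idle_timeout)):
        if not 0 <= value <= MAX_TIMEOUT:
            raise ValueError(f"{name} must be between 0 and {MAX_TIMEOUT}, got {value}")
    dropped = {}
    for s in sessions:
        if pool_or_address_change:
            # Address object / IP pool edits close every session,
            # regardless of the configured timers.
            dropped[s.user] = "config change"
        elif _expired(s.connected_s, auth_timeout):
            dropped[s.user] = "auth-timeout"
        elif _expired(s.idle_s, idle_timeout):
            dropped[s.user] = "idle-timeout"
    return dropped


# Constructed sample matching the article's example: 3 minutes and 2 hours connected.
SAMPLE = [Session("user1", 180, 20), Session("user2", 7200, 45)]

if __name__ == "__main__":
    print(impacted(SAMPLE, auth_timeout=3600))
    print(impacted(SAMPLE, pool_or_address_change=True))
```
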