salmas
Staff
Article Id: 331206
Description: This article discusses SSL VPN logs upon successful connection from FortiClient.
Scope: FortiClient, FortiGate.
Solution
  1. When the initial connection is made from FortiClient to FortiGate SSL VPN, the log will be listed as Action 'ssl-new-con'.

 

date=2024-07-24 time=17:19:52 id=7395315174070026249 itime="2024-07-24 17:19:52" euid=2 epid=2 dsteuid=2 dstepid=2 logver=704042662 logid=0101039943 type="event" subtype="vpn" level="information" action="ssl-new-con" msg="SSL new connection" logdesc="SSL VPN new connection" user="N/A" remip=X.X.X.X group="N/A" tunnelid=0 tunneltype="ssl" dst_host="N/A" reason="N/A" eventtime=1721855992674651844 tz="-0400" devid="YYYY" vd="root" dtime="2024-07-24 17:19:52" itime_t=1721855992 devname="LAB"

 

These logs can be filtered under Log & Report -> System Events -> VPN Events -> Filter: Action == ssl-new-con

 

  2. When a user logs into FortiClient, two separate logs with the action 'tunnel-up' are created on a successful connection. The first log does not include the FortiClient UID or the tunnel IP, and its tunnel type is listed as 'ssl-web'.

 

date=2024-07-24 time=17:19:52 id=7395315174070026250 itime="2024-07-24 17:19:52" euid=1027 epid=104 dsteuid=3 dstepid=3 logver=704042662 logid=0101039424 type="event" subtype="vpn" level="information" action="tunnel-up" msg="SSL tunnel established" logdesc="SSL VPN tunnel up" user="test" remip= X.X.X.X group="AD_users" tunnelid=680321789 tunneltype="ssl-web" dst_host="N/A" reason="login successfully" eventtime=1721855992764858823 tz="-0400" devid="YYYY" vd="root" dtime="2024-07-24 17:19:52" itime_t=1721855992 devname="LAB"

 

The second log will give the FortiClient UID and tunnel IP information and the tunnel type will be 'ssl-tunnel'.

 

date=2024-07-24 time=17:19:53 id=7395315178364993552 itime="2024-07-24 17:19:53" euid=1027 epid=104 dsteuid=3 dstepid=3 logver=704042662 logid=0101039947 type="event" subtype="vpn" level="information" action="tunnel-up" msg="SSL tunnel established" logdesc="SSL VPN tunnel up" user="test" remip= X.X.X.X group="AD_users" tunnelip=10.212.134.200 tunnelid=680321789 tunneltype="ssl-tunnel" dst_host="N/A" reason="tunnel established" fctuid="51C62E634698447BA92F9D20E3D9B5DB" eventtime=1721855993235690102 tz="-0400" devid="YYYY" vd="root" dtime="2024-07-24 17:19:53" itime_t=1721855993 devname="LAB"

 

These logs can be filtered under Log & Report -> System Events -> VPN Events -> Filter: Action == tunnel-up

 

  3. The reason two logs are generated is described in the following article (Point 2): Technical Tip: SSL-VPN login fail with tunnel type=ssl-web when using FortiClient
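
For log review outside the GUI filter, the two 'tunnel-up' records of one login can be merged into a single session record. The following is an added example, not Fortinet code: it assumes both records share the same tunnelid (as the two sample logs above do), and the log lines in it are constructed, trimmed to the fields used, with documentation-range remip values and a hypothetical user "alice".

```python
import re
from collections import defaultdict

# Constructed sample lines (trimmed); the last login has no 'ssl-tunnel' record.
SAMPLE = '''\
date=2024-07-24 time=17:19:52 logid=0101039943 action="ssl-new-con" user="N/A" remip=198.51.100.7 tunnelid=0 tunneltype="ssl"
date=2024-07-24 time=17:19:52 logid=0101039424 action="tunnel-up" user="test" remip= 198.51.100.7 group="AD_users" tunnelid=680321789 tunneltype="ssl-web" reason="login successfully"
date=2024-07-24 time=17:19:53 logid=0101039947 action="tunnel-up" user="test" remip= 198.51.100.7 group="AD_users" tunnelip=10.212.134.200 tunnelid=680321789 tunneltype="ssl-tunnel" reason="tunnel established" fctuid="51C62E634698447BA92F9D20E3D9B5DB"
date=2024-07-24 time=17:25:10 logid=0101039424 action="tunnel-up" user="alice" remip=203.0.113.9 group="AD_users" tunnelid=680321790 tunneltype="ssl-web" reason="login successfully"
'''

# key=value or key="quoted value"; tolerates a space after '=' as in 'remip= X.X.X.X'.
KV = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one FortiGate key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def correlate(text):
    """Merge the tunnel-up records of each login, keyed on tunnelid (assumption)."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        ev = parse(line)
        if ev.get("action") != "tunnel-up":
            continue  # 'ssl-new-con' carries no user and tunnelid=0
        s = sessions[ev["tunnelid"]]
        s.setdefault("types", []).append(ev["tunneltype"])
        # tunnelip and fctuid only appear in the second ('ssl-tunnel') record
        for field in ("user", "group", "remip", "tunnelip", "fctuid"):
            if field in ev:
                s[field] = ev[field]
    return dict(sessions)

def incomplete(sessions):
    """tunnelids that logged 'ssl-web' but never the 'ssl-tunnel' record."""
    return sorted(t for t, s in sessions.items() if "ssl-tunnel" not in s["types"])

if __name__ == "__main__":
    sessions = correlate(SAMPLE)
    for tid, s in sessions.items():
        print(tid, s)
    print("no ssl-tunnel record:", incomplete(sessions))
```

A tunnelid listed by incomplete() has only the first record, so it lacks the FortiClient UID and tunnel IP and is the one to check against the article referenced in point 3.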

 

It is also possible to enable automation stitches for successful SSL VPN logins:

Technical Tip: How to receive an alert email when SSL VPN user login successfully