FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sprasanta
Staff
Article Id 196064

Description 

 

This article describes an issue encountered during the initial SSL VPN configuration from the GUI, where the warning 'Port conflicts with the administrative HTTPS port for this system' appears.

This occurs because FortiOS uses TCP port 443 by default for both SSL VPN and the web GUI, so the administrator is prompted to choose a different port for one of them to prevent the conflict.

By default, when the administrative HTTPS port and SSL VPN port are the same, admin GUI connections are blocked on the SSL VPN-enabled interface.

 

config vpn ssl settings
    set port-precedence {enable | disable}
end

 

Enable (default value) means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface.

 

Scope

 

FortiGate.

Solution

 

Administrators can either change the SSL VPN port to any custom port, for example: 10443, 4443, or change the administrative HTTPS port for GUI access to any custom port.

From the GUI:

Navigate to VPN -> 'SSL-VPN Settings'.

 

[Screenshot: VPN -> SSL-VPN Settings, 'Listen on Port' field]

 
To change the port from CLI:
 
config vpn ssl settings
    set port 4443
end

Note that changing the SSL VPN listening port to a custom port (e.g., 10443) that differs from the FortiGate administrative HTTPS port (443) does not resolve the GUI warning for 'Redirect HTTP to SSL-VPN', as shown in the following screenshot:

[Screenshot: 'Redirect HTTP to SSL-VPN' warning in SSL-VPN Settings]

 

To clear this warning as well, it is necessary to change the administrative HTTP port (default: 80) to another custom port (e.g., 8080), because the HTTP-to-SSL-VPN redirect also listens on TCP port 80 (see the screenshot below).

[Screenshot: System -> Settings, administrative HTTP port changed to 8080]
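The two port changes above, combined into one CLI sequence, as an added example that is not part of the original article. The port values 10443 and 8080 are the article's own suggestions; admin-port, admin-sport and https-redirect are the standard FortiOS attribute names for the administrative HTTP port, the administrative HTTPS port and the 'Redirect HTTP to SSL-VPN' option (confirm them on your firmware with `?` inside each config block). The final verification command assumes the `address:port->` layout of 'diagnose sys tcpsock' output.

```fortios
# Option A (the article's first choice): keep admin HTTPS on 443 and move
# SSL VPN to a custom port. 10443 is the article's example value.
config vpn ssl settings
    set port 10443
    set port-precedence enable
end

# Without this step the 'Redirect HTTP to SSL-VPN' warning remains, because
# the admin HTTP listener and the redirect both want TCP 80.
# 8080 is the article's example value for the admin HTTP port.
config system global
    set admin-port 8080
end

# With TCP 80 free, the redirect can be enabled without a port clash.
config vpn ssl settings
    set https-redirect enable
end

# Option B instead of A: move the administrative HTTPS port (here 4443, a
# value chosen for this example) and keep SSL VPN on 443.
# config system global
#     set admin-sport 4443
# end

# Verify which process now owns TCP 80; anchoring on ':80->' avoids matching
# the new admin port 8080 (assumes tcpsock prints 'address:port->peer').
diagnose sys tcpsock | grep ':80->'
```

After option A, only the HTTP redirect listener should appear on TCP 80; if an sslvpn process is still bound there, continue with the daemon restart described further down.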

 

In rare cases, even after changing the default HTTP port for administrative access and configuring the SSL VPN to use a port other than 80 with 'Redirect to HTTPS' disabled, some SSL VPN daemons may still listen on port 80. This behavior can interfere with ACME certificate generation and result in the following error:

 

Port 80 already in use by sslvpn
attribute set operator error, -23, discard the setting
Command fail. Return code -23

 

Identify which service is using TCP port 80:

 

diagnose sys tcpsock | grep 80

 

To resolve the issue, restart the SSL VPN daemon or reboot the FortiGate:

 

fnsysctl killall sslvpn

 

Related article:

To change the admin GUI port: Technical Tip: How to change the port for the admin access to avoid port conflict