FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 203615

This article describes SSL VPN timers.

Scope FortiGate.

The SSL VPN timers can be configured through CLI.


Config VPN SSL settings:


set idle-timeout 300 <----- The period of time in seconds that the SSL VPN will wait before it disconnects. 

Set the value between 1-259200 (or 1 second to 3 days), or 0 for no timeout.

The default is set to 300.


set auth-timeout 28800

The period of time in seconds that the SSL VPN will wait before re-authentication is enforced.

Set the value between 1-259200 (or 1 second 3 days), or 0 for no timeout.

The default is set to 28800.


set login-timeout 30

SSLVPN maximum login timeout (10 - 180 sec, default = 30). range[10-180]).


set dtls-hello-timeout 10

SSL-VPN maximum DTLS hello timeout (10 - 60 sec, default = 10). range[10-60]).



When DTLS is enabled on both the FortiGate and FortiClient then only FortiClient uses DTLS, else TLS is used.


To enable the DTLS on Forticlient:

Go to FortiClient Settings -> Expand the VPN Options section and enable the 'Preferred DTLS Tunnel' option.


SSL-VPN Lockout:


Separately, one of the above four timers (login-timeout) contributes to the SSL VPN Login Attempt Limit function (aka 'Lockout') function.
This feature is intended to prevent brute-force login attempts to the SSL VPN, and it does this by checking how many times a given user (identified by their Source IP Address) attempts to log in to the SSL VPN within a configurable period of time. 
The following are the configuration options that affect this feature:
#config vpn ssl settings
    set login-attempt-limit <0 - 10, default = 2>
    set login-block-time <0 - 86400 seconds, default = 60>
    set login-timeout <10 - 180 seconds, default = 30>
- login-attempt-limit sets the number of failed attempts that a user has before they are temporarily locked out. Note that this value is inclusive (i.e. with the default value of 2, a user will be locked out after completing and failing their second login attempt) and that a value of 0 specifies no login limit will be imposed.
- login-block-time specifies the amount of time (in seconds) that a user will be locked-out for after reaching the login-attempt-limit. A value of 0 results in no lockout period (similar in effect to setting login-attempt-limit to 0).
- login-timeout specifies the window of time for which logins are considered consecutive and applicable to the login-attempt-limit. For example, if one login attempt is made, then a second login attempt is made 20 seconds afterward, those two would be considered consecutive since they are within the login-timeout window (i.e. less than 30 seconds in-between attempts) and a lockout could be triggered. If the second attempt was made after 31 seconds, however, it would not be considered consecutive and a lockout would not occur.
In essence, the behavior of the SSL-VPN lockout functionality (using the default values) can be explained as follows: a user must fail at two logins (login-attempt-limit) within 30 seconds.