emmanouilg
Staff
Article Id 203615
Description

This article describes SSL VPN timers.

Scope

FortiGate, FortiSASE.
Solution

The SSL VPN timers are configured through the CLI under 'config vpn ssl settings'.

 

config vpn ssl settings

    set idle-timeout 300 <----- The number of seconds an SSL VPN session may remain idle (no traffic) before the FortiGate disconnects it.

 

Set a value between 1 and 259200 seconds (1 second to 3 days), or 0 for no idle timeout.

The default is set to 300.

 

set auth-timeout 28800

 

The number of seconds after authentication before the SSL VPN forces the user to re-authenticate. Unlike idle-timeout, this timer is not reset by traffic: it counts from the moment the user authenticated, so it caps the total lifetime of a session.

Set a value between 1 and 259200 seconds (1 second to 3 days), or 0 for no re-authentication timeout.

The default is set to 28800.
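The difference between the two timers is easier to see in code. The following Python model is an added illustration and is not Fortinet code; it does not talk to a FortiGate. It takes traffic timestamps as seconds since authentication and assumes that any tunnel traffic resets the idle timer while nothing resets the authentication timer.

```python
from typing import Iterable, Optional, Tuple

# Added example, not part of the Fortinet article: a model of how the two
# session timers interact. Times are seconds since the user authenticated.
#   idle_timeout  -> 'set idle-timeout'  (0 = no idle timeout)
#   auth_timeout  -> 'set auth-timeout'  (0 = no re-authentication)
# Modelling assumption: any tunnel traffic resets the idle timer; nothing
# resets the auth timer, which runs from the moment of authentication.


def session_end(traffic_times: Iterable[float],
                idle_timeout: int = 300,
                auth_timeout: int = 28800) -> Tuple[Optional[float], str]:
    """Return (time_of_disconnect, reason) for a session with the given traffic.

    reason is 'idle-timeout', 'auth-timeout' or 'none' (both timers disabled).
    """
    last_activity = 0.0  # authentication itself is the first activity
    for t in sorted(traffic_times):
        if idle_timeout and t - last_activity > idle_timeout:
            break  # the session idled out before this packet arrived
        last_activity = t

    candidates = []
    if idle_timeout:
        candidates.append((last_activity + idle_timeout, "idle-timeout"))
    if auth_timeout:
        candidates.append((float(auth_timeout), "auth-timeout"))
    if not candidates:
        return None, "none"
    return min(candidates)  # whichever timer fires first ends the session


def demo() -> dict:
    """Constructed traffic patterns illustrating the difference between the timers."""
    return {
        # keepalive-style traffic every 60 s for 10 hours: idle never fires,
        # the 8-hour auth-timeout does
        "busy": session_end(range(60, 36_000, 60)),
        # three packets then silence: disconnect 300 s after the last one
        "quiet": session_end([60, 120, 180]),
        # a 440 s gap: the session is already gone when the late packet arrives
        "gap": session_end([60, 500]),
        # idle timeout disabled: only auth-timeout can end the session
        "no_idle": session_end([60], idle_timeout=0),
        # both disabled: the session never times out
        "none": session_end([60], idle_timeout=0, auth_timeout=0),
    }


if __name__ == "__main__":
    for name, (when, why) in demo().items():
        print(f"{name:8s} -> {why} at t={when}")
```

The "busy" case is the one to remember when tuning: steady traffic keeps idle-timeout from ever firing, so auth-timeout is the only thing bounding a long-lived tunnel.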

 

set login-timeout 30

 

The maximum number of seconds the SSL VPN allows a login to complete before the attempt is abandoned (10 - 180 seconds, default = 30). The same value is also the window used by the login attempt limit described below.

 

set dtls-hello-timeout 10

 

The maximum number of seconds to wait for the DTLS hello handshake with the client (10 - 60 seconds, default = 10). If the DTLS handshake does not complete within this time, the tunnel falls back to TLS.


Note:

DTLS is used only when it is enabled on both sides: on the FortiGate ('set dtls-tunnel enable' under 'config vpn ssl settings') and on FortiClient. If either side has it disabled, the tunnel uses TLS.

 

To enable DTLS on FortiClient, go to FortiClient Settings, expand the VPN Options section and enable the 'Preferred DTLS Tunnel' option.

 

SSL VPN Lockout: Separately, one of the four timers above (login-timeout) also feeds the SSL VPN Login Attempt Limit function (the 'lockout' feature).

 
This feature is intended to slow down brute-force login attempts against the SSL VPN. It counts how many times a given source (identified by its source IP address) fails to log in within a configurable window and temporarily blocks that source when the limit is reached.
 
The following are the configuration options that affect this feature:
 
config vpn ssl settings
    set login-attempt-limit <0 - 10, default = 2>
    set login-block-time <0 - 86400 seconds, default = 60>
    set login-timeout <10 - 180 seconds, default = 30>
end
 
  • login-attempt-limit sets the number of failed attempts a source is allowed before it is temporarily locked out. The value is inclusive (with the default of 2, the source is locked out when its second attempt fails), and 0 disables the limit.

  • login-block-time specifies how long (in seconds) the source is locked out after reaching login-attempt-limit. A value of 0 means no lockout period, which in effect disables the feature just as login-attempt-limit 0 does.

  • login-timeout specifies the window within which failed logins are considered consecutive and counted toward login-attempt-limit. For example, if a second login attempt is made 20 seconds after the first, the two are consecutive because they fall within the 30-second login-timeout window, and a lockout can be triggered.
    If the second attempt is made 31 seconds after the first, it is not considered consecutive and no lockout occurs.
 
In essence, with the default values the SSL VPN lockout behaves as follows: a source IP is blocked for 60 seconds (login-block-time) after two failed logins (login-attempt-limit) within 30 seconds (login-timeout).
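The interaction of the three parameters is easier to follow as code. The following Python model is an added illustration, not FortiOS code or its real implementation; it reproduces the rules stated above (failures counted per source IP, consecutive only inside the login-timeout window, the limit inclusive, 0 disabling the feature). Behaviour the article does not specify is marked as a modelling assumption, and the IP addresses are constructed documentation addresses.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not Fortinet code: a model of the SSL VPN login attempt limit
# ("lockout") as described in the article, keyed by source IP.
#   login_attempt_limit -> 'set login-attempt-limit' (0 = no limit)
#   login_block_time    -> 'set login-block-time'    (seconds, 0 = no lockout)
#   login_timeout       -> 'set login-timeout'       (seconds; window in which
#                          two failures count as consecutive)
# Modelling assumptions not stated in the article: a successful login clears
# the failure count, a gap of exactly login_timeout seconds still counts as
# consecutive, and attempts made while blocked are rejected without extending
# the block.


@dataclass
class LockoutConfig:
    login_attempt_limit: int = 2
    login_block_time: int = 60
    login_timeout: int = 30


@dataclass
class _SourceState:
    failures: int = 0
    last_failure: Optional[float] = None
    blocked_until: Optional[float] = None


class SslVpnLockout:
    """Tracks failed logins per source IP and applies the block time."""

    def __init__(self, cfg: Optional[LockoutConfig] = None):
        self.cfg = cfg or LockoutConfig()
        self._state: Dict[str, _SourceState] = {}

    def attempt(self, src_ip: str, now: float, success: bool) -> str:
        """Record a login attempt at time `now` (seconds) and return the outcome:
        'blocked'    - source is still inside its login-block-time, attempt rejected
        'ok'         - credentials accepted
        'failed'     - wrong credentials, below the attempt limit
        'locked-out' - this failure reached login-attempt-limit; block starts now
        """
        st = self._state.setdefault(src_ip, _SourceState())

        if st.blocked_until is not None:
            if now < st.blocked_until:
                return "blocked"
            self._state[src_ip] = st = _SourceState()  # block expired, start clean

        if success:
            self._state[src_ip] = _SourceState()  # assumption: success resets the count
            return "ok"

        # Failures are consecutive only when the gap to the previous failure is
        # inside the login-timeout window; otherwise the count restarts at 1.
        if st.last_failure is not None and now - st.last_failure > self.cfg.login_timeout:
            st.failures = 0
        st.failures += 1
        st.last_failure = now

        limit, block = self.cfg.login_attempt_limit, self.cfg.login_block_time
        if limit and block and st.failures >= limit:  # inclusive: the Nth failure locks
            st.blocked_until = now + block
            return "locked-out"
        return "failed"

    def blocklist(self, now: float) -> Dict[str, float]:
        """Sources still inside their block window (the model's analogue of the blocklist)."""
        return {ip: st.blocked_until for ip, st in self._state.items()
                if st.blocked_until is not None and now < st.blocked_until}


def demo() -> dict:
    """Constructed login sequences against the default settings (2 / 60 / 30)."""
    out = {}
    m = SslVpnLockout()
    # two failures 20 s apart: consecutive, the second failure triggers the lockout
    out["brute"] = [m.attempt("203.0.113.10", 0, False), m.attempt("203.0.113.10", 20, False)]
    out["during_block"] = m.attempt("203.0.113.10", 50, True)  # right password, still blocked
    out["after_block"] = m.attempt("203.0.113.10", 81, True)   # block ended at t=80
    # two failures 31 s apart: not consecutive, no lockout
    out["slow"] = [m.attempt("198.51.100.7", 0, False), m.attempt("198.51.100.7", 31, False)]
    # login-attempt-limit 0 disables the feature entirely
    off = SslVpnLockout(LockoutConfig(login_attempt_limit=0))
    out["disabled"] = [off.attempt("192.0.2.5", t, False) for t in range(0, 50, 5)]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

Note the "during_block" case: once a source is locked out, even a correct password is rejected until login-block-time expires, which is what a user behind a shared NAT address experiences when someone else on that address trips the limit.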
 
To review the list of source IPs currently blocked for failed SSL VPN login attempts, run the following CLI command (available from FortiOS 7.2.6 and 7.4.1 onwards):
 
diagnose vpn ssl blocklist list

Note:
This article also applies to FortiSASE. FortiSASE uses the same timers as the FortiGate SSL VPN, so a new FortiSASE deployment starts with the default timer values.

To change any of these settings on FortiSASE, open a TAC case describing the requirement; the development team will change it if required.