Created on 01-25-2022 02:19 AM
Edited on 01-22-2023 08:29 AM
By Anthony_E
Description: This article describes the SSL VPN timers and the login lockout (login attempt limit) function that one of them controls.
Scope: FortiGate.
Solution:
The SSL VPN timers are configured through the CLI under 'config vpn ssl settings':

config vpn ssl settings
    set idle-timeout 300          <----- Seconds of inactivity the SSL VPN tolerates before it disconnects the session. Range 1-259200 (1 second to 3 days); 0 disables the idle timeout. Default: 300.
    set auth-timeout 28800        <----- Seconds an authenticated session may live before re-authentication is enforced. Range 1-259200 (1 second to 3 days); 0 disables forced re-authentication. Default: 28800.
    set login-timeout 30          <----- Maximum time in seconds allowed to complete an SSL VPN login. Range 10-180. Default: 30.
    set dtls-hello-timeout 10     <----- Maximum time in seconds to wait for the DTLS hello. Range 10-60. Default: 10.
end

A value of 0 for idle-timeout or auth-timeout means that timer never tears a session down, so an abandoned or compromised client keeps its tunnel until it disconnects on its own; if one of the two is set to 0, keep the other non-zero.
Note: DTLS is used only when it is enabled on both the FortiGate and FortiClient; otherwise the tunnel uses TLS, and dtls-hello-timeout has no effect.
To enable DTLS on FortiClient:
SSL-VPN Lockout:
Separately, one of the four timers above (login-timeout) also drives the SSL VPN Login Attempt Limit function, also known as 'Lockout'.
This feature is intended to slow brute-force login attempts against the SSL VPN. It counts how many times a given user, identified by source IP address, fails to log in within a configurable window and temporarily blocks that source once the limit is reached.
The following configuration options affect this feature:
config vpn ssl settings
    set login-attempt-limit <0 - 10, default = 2>
    set login-block-time <0 - 86400 seconds, default = 60>
    set login-timeout <10 - 180 seconds, default = 30>
end
- login-attempt-limit sets the number of failed attempts a user is allowed before being temporarily locked out. The value is inclusive: with the default of 2, a user is locked out upon completing and failing the second attempt. A value of 0 imposes no login limit.
- login-block-time specifies how long (in seconds) a user stays locked out after reaching login-attempt-limit. A value of 0 results in no lockout period, which is similar in effect to setting login-attempt-limit to 0.
- login-timeout specifies the window within which login attempts are considered consecutive and therefore count towards login-attempt-limit. For example, if a second attempt follows the first after 20 seconds, the two are consecutive because less than 30 seconds (the default login-timeout) passed between them, and a lockout can be triggered. If the second attempt instead comes 31 seconds later, it is not consecutive and no lockout occurs.
In essence, with the default values a source IP that fails two logins (login-attempt-limit) within 30 seconds (login-timeout) of each other is blocked from logging in for 60 seconds (login-block-time).
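To make the interaction of the three settings concrete, the following Python model replays the scenarios described above. It is an added illustration, not FortiOS code, and three details the article does not spell out are assumptions: a successful login resets the failure counter, a login attempt made while blocked does not extend the block, and a gap of exactly login-timeout seconds is treated as not consecutive (following the "less than" wording above). The source IPs are constructed from the documentation range.

```python
"""Model of the FortiGate SSL VPN login lockout described in the article.

Added example, not FortiOS code. Rules taken from the article: failures from
one source IP are 'consecutive' when less than login-timeout seconds separate
them, login-attempt-limit is inclusive, and 0 for the limit or the block time
disables lockout. Assumptions (not stated in the article): a successful login
resets the counter, attempts while blocked do not extend the block.
"""
from dataclasses import dataclass, field
from typing import Dict

OK = "ok"                   # credentials accepted
FAILED = "failed"           # credentials rejected, failure counted
LOCKED_OUT = "locked_out"   # this failure reached the limit and started the block
BLOCKED = "blocked"         # source IP is inside login-block-time, attempt refused


@dataclass
class _SourceState:
    failures: int = 0
    last_failure: float = float("-inf")
    blocked_until: float = float("-inf")


@dataclass
class LoginLockout:
    login_attempt_limit: int = 2    # FortiOS default; 0 = no limit
    login_block_time: int = 60      # seconds; 0 = no lockout period
    login_timeout: int = 30         # seconds; window for consecutive failures
    _state: Dict[str, _SourceState] = field(default_factory=dict)

    def attempt(self, src_ip: str, credentials_ok: bool, now: float) -> str:
        st = self._state.setdefault(src_ip, _SourceState())
        if now < st.blocked_until:
            return BLOCKED                      # refused regardless of credentials
        if credentials_ok:
            st.failures = 0                     # assumption: success resets the run
            return OK
        # A failure that is not within login_timeout of the previous one starts
        # a new run; exactly login_timeout seconds counts as "not within".
        if now - st.last_failure >= self.login_timeout:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        lockout_enabled = self.login_attempt_limit > 0 and self.login_block_time > 0
        if lockout_enabled and st.failures >= self.login_attempt_limit:
            st.blocked_until = now + self.login_block_time
            st.failures = 0
            return LOCKED_OUT
        return FAILED


def replay_article_scenarios() -> Dict[str, str]:
    """Runs the article's examples against the model and returns each verdict."""
    out: Dict[str, str] = {}
    lk = LoginLockout()                         # defaults: 2 attempts / 60 s / 30 s

    # Two failures 20 s apart are consecutive; the second one (inclusive limit) locks out.
    lk.attempt("198.51.100.10", False, now=0)
    out["second_failure_within_window"] = lk.attempt("198.51.100.10", False, now=20)
    # During the 60 s block even a correct password is refused ...
    out["good_password_while_blocked"] = lk.attempt("198.51.100.10", True, now=30)
    # ... and accepted again once login_block_time has elapsed (block ends at t=80).
    out["good_password_after_block"] = lk.attempt("198.51.100.10", True, now=81)

    # Two failures 31 s apart are not consecutive: the counter restarts, no lockout.
    lk.attempt("198.51.100.20", False, now=0)
    out["second_failure_outside_window"] = lk.attempt("198.51.100.20", False, now=31)

    # login-attempt-limit 0 disables the feature: repeated failures never block.
    relaxed = LoginLockout(login_attempt_limit=0)
    for t in range(5):
        out["limit_zero"] = relaxed.attempt("198.51.100.30", False, now=t)

    # login-block-time 0 has the same effect.
    no_block = LoginLockout(login_block_time=0)
    for t in range(5):
        out["block_time_zero"] = no_block.attempt("198.51.100.40", False, now=t)
    return out


if __name__ == "__main__":
    for name, verdict in replay_article_scenarios().items():
        print(f"{name:32s} -> {verdict}")
```

Because the counter is keyed by source IP, the model also shows the limitation a practitioner should keep in mind: an attacker rotating source addresses is never blocked by this mechanism, and many legitimate users behind one NAT address share a single counter.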
Copyright 2023 Fortinet, Inc. All Rights Reserved.