Created on 01-25-2022 02:19 AM
Edited on 05-08-2025 05:38 AM by Stephen_G
Description: This article describes some commonly used timers relevant to SSL-VPN.
Scope: FortiGate, FortiSASE.
Solution:
SSL VPN timers are configured from the CLI:
config vpn ssl settings
    set idle-timeout <1-259200 seconds, default 300>
    set auth-timeout <1-259200 seconds, default 28800>
    set login-timeout <10-180 seconds, default 30>
    set dtls-hello-timeout <10-60 seconds, default 10>
end
idle-timeout: the tunnel is disconnected after this period with no traffic.
auth-timeout: the user must re-authenticate once this period has elapsed, even if the tunnel is still in use.
login-timeout: the time a client is given to complete the login (TLS handshake and authentication) before the attempt is dropped.
dtls-hello-timeout: how long the FortiGate waits for the client's DTLS hello once the TLS tunnel is established.
Notes for DTLS: DTLS is used only when it is enabled on both the FortiGate and the FortiClient; otherwise the tunnel runs over TCP (TLS).
To enable DTLS on FortiClient, go to FortiClient Settings -> expand the VPN Options section and enable the 'Preferred DTLS Tunnel' option. For more information on enabling DTLS on FortiClient, see the article Technical Tip: Using DTLS to improve SSL VPN performance.
If a particular FortiClient consistently connects to the VPN but is disconnected once the dtls-hello-timeout expires, verify that the client's DTLS (UDP) traffic actually reaches the FortiGate, for example with a packet capture on the SSL VPN port, and test with DTLS disabled in the FortiClient's remote connection profile.
SSL VPN Lockout: This feature is intended to prevent brute-force login attempts against the SSL VPN by counting how many times a given source IP address fails to log in within a configurable period and blocking that address once the limit is reached. Because the counter is keyed on the source IP address rather than the username, several users behind one NAT address share a single counter and can lock each other out.
The following configuration options affect this feature:
config vpn ssl settings
    set login-attempt-limit <0 - 10, default = 2>
    set login-block-time <0 - 86400 seconds, default = 60>
    set login-timeout <10 - 180 seconds, default = 30>
end
login-attempt-limit is the number of failed attempts a source IP address is allowed before it is blocked, and login-block-time is how long the block lasts.
To review the IP addresses currently blocked for failed SSL VPN login attempts, run the following CLI command (available from FortiOS 7.2.6 and 7.4.1):
diagnose vpn ssl blocklist list
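The lockout behaviour described above, as an added example that models it in Python (this is not FortiOS code): failed logins are counted per source IP address, and after login-attempt-limit failures the address is refused for login-block-time seconds, using the article's defaults of 2 and 60. Two details the article does not state are assumptions and are marked as such in the code: a successful login clears the failure counter, and an expired block is simply lifted. The '0 = no limit' meaning of login-attempt-limit follows the FortiOS CLI help rather than this article. The shared_nat_demo() scenario uses a constructed address to show the NAT caveat: one user's typos block a second user behind the same address.

```python
"""Model of the per-source-IP SSL VPN lockout (added example, not FortiOS code)."""
from collections import defaultdict


class SslVpnLockout:
    def __init__(self, attempt_limit=2, block_time=60):
        # Defaults match the article: login-attempt-limit 2, login-block-time 60 s
        self.attempt_limit = attempt_limit
        self.block_time = block_time
        self.failures = defaultdict(int)  # source IP -> failed attempts so far
        self.blocked_until = {}           # source IP -> time (seconds) the block expires

    def _expire(self, src_ip, now):
        until = self.blocked_until.get(src_ip)
        if until is not None and now >= until:
            del self.blocked_until[src_ip]
            self.failures.pop(src_ip, None)  # assumption: the counter starts fresh after a block

    def is_blocked(self, src_ip, now):
        self._expire(src_ip, now)
        return src_ip in self.blocked_until

    def attempt(self, src_ip, credentials_ok, now):
        """One login attempt at time 'now' (seconds). Returns 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(src_ip, now):
            return "blocked"  # even correct credentials are refused while the address is blocked
        if credentials_ok:
            self.failures.pop(src_ip, None)  # assumption: a successful login resets the counter
            return "ok"
        self.failures[src_ip] += 1
        # attempt_limit 0 means no limit (FortiOS CLI help semantics, not stated in the article)
        if self.attempt_limit > 0 and self.failures[src_ip] >= self.attempt_limit:
            self.blocked_until[src_ip] = now + self.block_time
        return "failed"

    def blocklist(self, now):
        """Analogue of 'diagnose vpn ssl blocklist list': blocked IPs with seconds remaining."""
        self_items = sorted(self.blocked_until.items())
        return [(ip, until - now) for ip, until in self_items if until > now]


def shared_nat_demo():
    """Two users behind one NAT address: Alice's two typos block Bob's correct login."""
    lockout = SslVpnLockout()
    nat_ip = "203.0.113.10"  # constructed sample address shared by both users
    lockout.attempt(nat_ip, False, now=0)   # Alice, wrong password
    lockout.attempt(nat_ip, False, now=5)   # Alice again: limit reached, blocked until t=65
    return lockout.attempt(nat_ip, True, now=6)  # Bob, right password, same source IP


if __name__ == "__main__":
    print(shared_nat_demo())
```

Raising login-attempt-limit or shortening login-block-time changes only the numbers in this model; the structural point is that the key is the source address, so sites whose users all egress through one NAT address should expect shared lockouts and size the limits accordingly.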
If remote users authenticate with Multi-Factor Authentication (MFA), raise the 'remoteauthtimeout' value under the global settings so that users have enough time to complete the MFA prompt before the FortiGate stops waiting for the authentication server's answer:
config system global
    set remoteauthtimeout <1-300>   <----- Default value is 5 seconds.
end
A 'remote user' in this context is one whose credentials are checked by a remote service such as RADIUS, LDAP or SAML.
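A practitioner reviewing a configuration backup usually wants to check all of the timers on this page at once. The following added example (not Fortinet tooling) parses the 'config ... / set ... / end' text of a FortiOS configuration and reports values outside the ranges documented in the SSL VPN timer, lockout and remoteauthtimeout sections above. SAMPLE_CONFIG is a constructed backup fragment, not a real device's configuration. Two checks go beyond the article's literal ranges and are labelled as such in the code: login-attempt-limit 0 is reported as lockout disabled (the FortiOS CLI help meaning of 0, not stated on this page), and with mfa_in_use=True a remoteauthtimeout left at the 5-second default is flagged.

```python
"""Range check for the SSL VPN timers listed above (added example, not Fortinet tooling)."""

# (config section, setting) -> (minimum, maximum, default), as documented in the article
RANGES = {
    ("vpn ssl settings", "idle-timeout"): (1, 259200, 300),
    ("vpn ssl settings", "auth-timeout"): (1, 259200, 28800),
    ("vpn ssl settings", "login-timeout"): (10, 180, 30),
    ("vpn ssl settings", "dtls-hello-timeout"): (10, 60, 10),
    ("vpn ssl settings", "login-attempt-limit"): (0, 10, 2),
    ("vpn ssl settings", "login-block-time"): (0, 86400, 60),
    ("system global", "remoteauthtimeout"): (1, 300, 5),
}

# Constructed sample backup fragment: one out-of-range timer, lockout off, MFA timeout at default
SAMPLE_CONFIG = """\
config system global
    set remoteauthtimeout 5
end
config vpn ssl settings
    set idle-timeout 400000
    set auth-timeout 28800
    set login-timeout 30
    set dtls-hello-timeout 10
    set login-attempt-limit 0
    set login-block-time 60
end
"""


def parse_fortios_config(text):
    """Return {(section, setting): value}; nested config/edit blocks are tracked with a stack."""
    settings = {}
    stack = []  # entries are ("config", name) or ("edit", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(("config", line[len("config "):].strip()))
        elif line.startswith("edit "):
            stack.append(("edit", line[len("edit "):].strip().strip('"')))
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif line.startswith("set ") and stack:
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            # a 'set' belongs to the nearest enclosing 'config' block, not the 'edit' entry
            section = next((name for kind, name in reversed(stack) if kind == "config"), None)
            if section is not None:
                settings[(section, parts[1])] = parts[2].strip().strip('"')
    return settings


def validate(settings, mfa_in_use=False):
    """Return a list of findings; an empty list means every documented timer is in range."""
    findings = []
    for (section, key), (lo, hi, _default) in RANGES.items():
        raw = settings.get((section, key))
        if raw is None:
            continue  # not set: FortiOS keeps the default, nothing to check
        if not raw.isdigit():
            findings.append(f"{section} {key}: non-numeric value {raw!r}")
            continue
        value = int(raw)
        if not lo <= value <= hi:
            findings.append(f"{section} {key}: {value} is outside the documented range {lo}-{hi}")
    # FortiOS CLI help semantics (not stated in the article): 0 attempts means no limit
    if settings.get(("vpn ssl settings", "login-attempt-limit")) == "0":
        findings.append("vpn ssl settings login-attempt-limit: 0 means no limit, so brute-force lockout is off")
    if mfa_in_use:
        default = RANGES[("system global", "remoteauthtimeout")][2]
        raw = settings.get(("system global", "remoteauthtimeout"), str(default))
        if raw.isdigit() and int(raw) <= default:
            findings.append("system global remoteauthtimeout: left at the 5 s default; raise it so MFA prompts can complete")
    return findings


def audit(text, mfa_in_use=False):
    """Parse a configuration text and return its findings."""
    return validate(parse_fortios_config(text), mfa_in_use)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, mfa_in_use=True):
        print(finding)
```

Settings that are absent from the backup are deliberately not reported, since FortiOS applies the documented default in that case; the one exception is remoteauthtimeout when MFA is in use, because the default there is exactly the value the article says to change.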
Note:
FortiSASE uses the same timers as the FortiGate SSL-VPN, so a newly deployed FortiSASE instance starts with the default values listed above.
To request changes to these settings in FortiSASE, open a support case using the FCTEMSXXXX serial number associated with the FortiSASE instance.
Copyright 2025 Fortinet, Inc. All Rights Reserved.