FortiGate
emmanouilg
Staff
Article Id 203615
Description

This article describes some commonly used timers relevant to SSL-VPN.

Scope FortiGate, FortiSASE.
Solution

SSL VPN timers can be configured through the CLI:

config vpn ssl settings
    set idle-timeout <1-259200 seconds, default 300>
    set auth-timeout <1-259200 seconds, default 28800>
    set login-timeout <10-180 seconds, default 30>
    set dtls-hello-timeout <10-60 seconds, default 10>
end

 

  • idle-timeout: The period in seconds that the SSL VPN will wait with no traffic before it disconnects. Default is 300 (5 minutes).
  • auth-timeout: The period in seconds an SSL VPN tunnel will stay up before re-authentication is enforced by disconnecting the tunnel. Default is 28800 (8 hours).
  • login-timeout: The period FortiClient is allowed to establish an SSL VPN tunnel after successful authentication, with a default value of 30 seconds. If FortiClient is unable to confirm tunnel setup to FortiGate within this time, FortiGate will disconnect the tunnel.
  • dtls-hello-timeout: SSL VPN maximum DTLS hello timeout, default 10 seconds. If DTLS is enabled on both sides but FortiGate receives no DTLS hello within this time, FortiGate will disconnect the tunnel.
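The following Python model is added here as an illustration of how these four timers interact for a single session; it is not FortiGate or FortiClient code. It assumes auth-timeout is counted from tunnel establishment, that idle-timeout counts from tunnel establishment until the first packet is seen, and the class and function names (SslVpnTimers, Session, expired_timer) are hypothetical. Given the timestamps observed for a session, it reports which timer would disconnect it first, which is useful when working out why a client was dropped.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SslVpnTimers:
    """Values of the 'config vpn ssl settings' timers, in seconds (CLI defaults)."""
    idle_timeout: int = 300
    auth_timeout: int = 28800
    login_timeout: int = 30
    dtls_hello_timeout: int = 10

    def validate(self) -> None:
        """Reject values outside the ranges the CLI accepts."""
        ranges = {
            "idle-timeout": (self.idle_timeout, 1, 259200),
            "auth-timeout": (self.auth_timeout, 1, 259200),
            "login-timeout": (self.login_timeout, 10, 180),
            "dtls-hello-timeout": (self.dtls_hello_timeout, 10, 60),
        }
        for name, (value, lo, hi) in ranges.items():
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside the CLI range {lo}-{hi}")

    def to_cli(self) -> str:
        """Render the equivalent CLI block."""
        return "\n".join([
            "config vpn ssl settings",
            f"    set idle-timeout {self.idle_timeout}",
            f"    set auth-timeout {self.auth_timeout}",
            f"    set login-timeout {self.login_timeout}",
            f"    set dtls-hello-timeout {self.dtls_hello_timeout}",
            "end",
        ])


@dataclass
class Session:
    """Observed timestamps for one SSL VPN session (seconds, e.g. epoch time)."""
    auth_time: float                           # authentication succeeded
    tunnel_up_time: Optional[float] = None     # FortiClient confirmed tunnel setup
    last_traffic_time: Optional[float] = None  # most recent traffic through the tunnel
    dtls_both_sides: bool = False              # DTLS enabled on FortiGate and FortiClient
    dtls_hello_time: Optional[float] = None    # DTLS hello received from the client


def deadlines(t: SslVpnTimers, s: Session) -> Dict[str, float]:
    """Absolute time at which each applicable timer would disconnect this session."""
    if s.tunnel_up_time is None:
        # Only login-timeout applies until the tunnel is confirmed.
        return {"login-timeout": s.auth_time + t.login_timeout}
    # Assumption: idle-timeout counts from tunnel-up until the first packet is seen.
    idle_base = s.last_traffic_time if s.last_traffic_time is not None else s.tunnel_up_time
    d = {
        # Assumption: auth-timeout is counted from tunnel establishment.
        "auth-timeout": s.tunnel_up_time + t.auth_timeout,
        "idle-timeout": idle_base + t.idle_timeout,
    }
    if s.dtls_both_sides and s.dtls_hello_time is None:
        # DTLS hello timer only runs when DTLS is on both sides and no hello arrived yet.
        d["dtls-hello-timeout"] = s.tunnel_up_time + t.dtls_hello_timeout
    return d


def expired_timer(t: SslVpnTimers, s: Session, now: float) -> Optional[str]:
    """Name of the timer that disconnects the session first, or None if none has expired."""
    due = {name: when for name, when in deadlines(t, s).items() if now > when}
    return min(due, key=due.get) if due else None


if __name__ == "__main__":
    timers = SslVpnTimers()
    timers.validate()
    print(timers.to_cli())
    # Constructed scenario: authenticated at t=0, tunnel confirmed at t=10, DTLS on both
    # sides, no DTLS hello seen; at t=25 the dtls-hello-timeout (10 s) has already fired.
    print(expired_timer(timers, Session(0.0, 10.0, dtls_both_sides=True), 25.0))
```

Note that the idle timer is the only one that restarts on traffic; auth-timeout fires at the configured lifetime even on a busy tunnel, and login-timeout is the sole timer in force between authentication and tunnel confirmation.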

 

Notes for DTLS:

DTLS is only used when enabled on both the FortiGate and FortiClient, otherwise TCP TLS is used.

 

To enable the DTLS on FortiClient: Go to FortiClient Settings -> Expand the VPN Options section and enable the 'Preferred DTLS Tunnel' option. For more information on enabling DTLS on FortiClient, see the article Technical Tip: Using DTLS to improve SSL VPN performance.

 

If a particular FortiClient consistently connects to the VPN but is disconnected after the dtls-hello-timeout, verify that the client's DTLS traffic reaches FortiGate and test disabling DTLS on the FortiClient's remote connection profile.

 

SSL VPN Lockout:

 
This feature is intended to prevent brute-force login attempts to the SSL VPN by checking how many times a given user (identified by their Source IP Address) attempts to log in to the SSL VPN within a configurable period. 
 
The following are the configuration options that affect this feature:
 
config vpn ssl settings
    set login-attempt-limit <0 - 10, default = 2>
    set login-block-time <0 - 86400 seconds, default = 60>
    set login-timeout <10 - 180 seconds, default = 30>
end
 
  • login-attempt-limit sets the number of failed attempts that a user has before they are temporarily locked out. Note that this value is inclusive (i.e. with the default value of 2, a user will be locked out after completing and failing their second login attempt) and that a value of 0 specifies no login limit will be imposed.

  • login-block-time specifies the amount of time (in seconds) that a user will be locked out after reaching the login-attempt limit. A value of 0 results in no lockout period (similar in effect to setting login-attempt-limit to 0). This value is also used as the window within which attempts are considered consecutive.

  • login-timeout defines the allowed time between successful authentication and SSL-VPN tunnel establishment. In other words, the FortiClient must establish the tunnel within the login-timeout period after authentication or the login attempt will fail.
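To make the inclusive attempt count and the double role of login-block-time concrete, the following Python model is added here as an illustration; it is not FortiGate code and the names SslVpnLockout, LockoutPolicy and login are hypothetical. It tracks failed logins per source IP exactly as described above (the N-th failure itself triggers the lockout, a failure more than login-block-time after the previous one starts a new streak, and 0 in either setting disables the feature) and assumes that a successful login clears the failure streak. It also goes slightly beyond the text by exposing the list of currently blocked sources, analogous to what the CLI blocklist listing reports.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """The 'config vpn ssl settings' lockout values (CLI defaults)."""
    login_attempt_limit: int = 2   # failed attempts before lockout; 0 = no limit
    login_block_time: int = 60     # lockout length in seconds; 0 = no lockout; also the
                                   # window within which failures count as consecutive


@dataclass
class _SourceState:
    last_failure: Optional[float] = None   # timestamp of the most recent failure
    failures: int = 0                      # consecutive failures in the current streak
    blocked_until: Optional[float] = None  # end of the current lockout, if any


class SslVpnLockout:
    """Tracks failed SSL VPN logins per source IP and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._sources: Dict[str, _SourceState] = {}

    def _state(self, ip: str) -> _SourceState:
        return self._sources.setdefault(ip, _SourceState())

    def is_blocked(self, ip: str, now: float) -> bool:
        st = self._state(ip)
        return st.blocked_until is not None and now < st.blocked_until

    def login(self, ip: str, credentials_ok: bool, now: float) -> str:
        """Process one attempt; returns 'blocked', 'accepted' or 'rejected'."""
        p, st = self.policy, self._state(ip)
        if self.is_blocked(ip, now):
            return "blocked"            # attempts are not evaluated while locked out
        if credentials_ok:
            st.failures, st.last_failure = 0, None   # assumption: success clears the streak
            return "accepted"
        if p.login_attempt_limit == 0 or p.login_block_time == 0:
            return "rejected"           # feature disabled by either value being 0
        # A failure more than login-block-time after the previous one starts a new streak.
        if st.last_failure is not None and now - st.last_failure > p.login_block_time:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        # Inclusive limit: the N-th failed attempt itself triggers the lockout.
        if st.failures >= p.login_attempt_limit:
            st.blocked_until = now + p.login_block_time
            st.failures, st.last_failure = 0, None
        return "rejected"

    def blocklist(self, now: float) -> List[str]:
        """Source IPs currently locked out."""
        return sorted(ip for ip in self._sources if self.is_blocked(ip, now))


if __name__ == "__main__":
    # Constructed walk-through with the default policy and a documentation-range address.
    lockout = SslVpnLockout(LockoutPolicy())
    src = "198.51.100.7"
    for when, ok in [(0.0, False), (10.0, False), (30.0, True), (71.0, True)]:
        print(f"t={when:>5}: {lockout.login(src, ok, when)}  blocked={lockout.blocklist(when)}")
```

With the defaults, two failures 10 seconds apart lock the source out until 60 seconds after the second failure; a correct password presented during that window is still refused, and a second failure that arrives more than 60 seconds after the first does not count towards the limit.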
 
To review the blocked IP list for failed SSL VPN login attempts, run the following command in the CLI (v7.2.6, v7.4.1 and later):
 
diagnose vpn ssl blocklist list
 
If remote users are using Multi-Factor Authentication (MFA), the 'remoteauthtimeout' value under global settings should be modified to allow users sufficient time to complete the MFA process:

config system global
    set remoteauthtimeout <1 to 300>  <----- Default value is set to 5 seconds.
end

 
A 'remote user' in this context is one whose credential is checked by a remote service such as RADIUS, LDAP or SAML.
 
Note: 
FortiSASE timers are the same as the FortiGate SSL-VPN timers, so a newly deployed FortiSASE instance starts with the default timer values.
 
To request changes to these settings in FortiSASE, open a support case using the FCTEMSXXXX serial number associated with the FortiSASE instance.
 

Note:
Starting from v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN'.