This article describes SSL VPN timers.
The SSL VPN timers can be configured through CLI.
config vpn ssl settings
    set idle-timeout 300
        The period of time in seconds that the SSL VPN will wait before it disconnects an idle session.
        Set the value between 1-259200 (1 second to 3 days), or 0 for no timeout. The default is 300.
    set auth-timeout 28800
        The period of time in seconds that the SSL VPN will wait before re-authentication is enforced.
        Set the value between 1-259200 (1 second to 3 days), or 0 for no timeout. The default is 28800.
    set login-timeout 30
        SSL VPN maximum login timeout in seconds (range 10-180, default = 30).
    set dtls-hello-timeout 10
        SSL VPN maximum DTLS hello timeout in seconds (range 10-60, default = 10).
DTLS is used only when it is enabled on both the FortiGate and FortiClient; otherwise TLS is used.
To enable DTLS on FortiClient:
Separately, one of the four timers above (login-timeout) also feeds the SSL VPN Login Attempt Limit (aka 'Lockout') feature.
This feature is intended to prevent brute-force login attempts against the SSL VPN. It does this by counting how many times a given user (identified by source IP address) attempts to log in to the SSL VPN within a configurable period of time.
The following are the configuration options that affect this feature:
#config vpn ssl settings
set login-attempt-limit <0 - 10, default = 2>
set login-block-time <0 - 86400 seconds, default = 60>
set login-timeout <10 - 180 seconds, default = 30>
- login-attempt-limit sets the number of failed attempts that a user has before they are temporarily locked out. Note that this value is inclusive (i.e. with the default value of 2, a user will be locked out after completing and failing their second login attempt) and that a value of 0 specifies no login limit will be imposed.
- login-block-time specifies the amount of time (in seconds) that a user will be locked-out for after reaching the login-attempt-limit. A value of 0 results in no lockout period (similar in effect to setting login-attempt-limit to 0).
- login-timeout specifies the window of time for which logins are considered consecutive and applicable to the login-attempt-limit. For example, if one login attempt is made, then a second login attempt is made 20 seconds afterward, those two would be considered consecutive since they are within the login-timeout window (i.e. less than 30 seconds in-between attempts) and a lockout could be triggered. If the second attempt was made after 31 seconds, however, it would not be considered consecutive and a lockout would not occur.
In essence, the behavior of the SSL VPN lockout functionality (using the default values) can be summarized as follows: a user who fails two login attempts (login-attempt-limit) within 30 seconds (login-timeout) is locked out for 60 seconds (login-block-time).
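As an added illustration that is not part of this article or of FortiOS itself, the following Python model replays failed-login events against the three settings above using the semantics the article states (inclusive attempt limit, strict "less than login-timeout" spacing for consecutive attempts, 0 disabling the limit or the block time). The sample source IP and timestamps are constructed, and the rule that attempts made during an active lockout are not counted is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    # Mirrors the three 'config vpn ssl settings' values on this page (defaults shown).
    login_attempt_limit: int = 2  # failures before lockout (inclusive); 0 = no limit
    login_block_time: int = 60    # lockout length in seconds; 0 = no lockout period
    login_timeout: int = 30       # window (seconds) in which failures count as consecutive

@dataclass
class LockoutTracker:
    """Per-source-IP failed-login counter applying the lockout rule described above."""
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    # src_ip -> [consecutive failures, time of last failure, lockout expiry]
    _sources: dict = field(default_factory=dict)

    def is_blocked(self, src_ip: str, now: float) -> bool:
        return now < self._sources.get(src_ip, [0, 0.0, 0.0])[2]

    def record_failure(self, src_ip: str, now: float) -> str:
        """Register a failed login from src_ip at time 'now' (seconds). Returns
        'blocked' (already locked out; assumed not to count), 'locked' (this
        failure triggered the lockout) or 'failed' (counted, no lockout yet)."""
        p = self.policy
        st = self._sources.setdefault(src_ip, [0, 0.0, 0.0])
        if now < st[2]:
            return "blocked"
        # Consecutive means strictly less than login-timeout seconds since the previous
        # failure (the page's "less than 30 seconds in-between"); otherwise restart the count.
        st[0] = st[0] + 1 if st[0] and now - st[1] < p.login_timeout else 1
        st[1] = now
        # Inclusive limit: the Nth consecutive failure itself triggers the lockout.
        # A limit of 0 or a block time of 0 disables lockout, as the page states.
        if p.login_attempt_limit and p.login_block_time and st[0] >= p.login_attempt_limit:
            st[2] = now + p.login_block_time
            st[0] = 0  # counting starts over after the lockout expires (assumption)
            return "locked"
        return "failed"

def simulate(policy: LockoutPolicy, events: list) -> list:
    """Replay (src_ip, seconds) failed-login events in order and return each outcome."""
    tracker = LockoutTracker(policy)
    return [tracker.record_failure(ip, t) for ip, t in events]

if __name__ == "__main__":
    # Constructed sample: the page's worked example, attempts 20 s apart vs 31 s apart.
    print(simulate(LockoutPolicy(), [("198.51.100.7", 0), ("198.51.100.7", 20)]))  # ['failed', 'locked']
    print(simulate(LockoutPolicy(), [("198.51.100.7", 0), ("198.51.100.7", 31)]))  # ['failed', 'failed']
```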