FortiGate
yangw (Staff)
Article Id 417491
Description

This article explains an issue where administrator accounts are unexpectedly logged out of a remote FortiGate device when accessing it through a local FortiGate using SD-WAN WAN links.
Scope

FortiGate.

Solution

Symptoms:

The logout is the result of a FortiGate login violation: the remote unit sees the same HTTPS administrative session arriving from more than one source IP.

This typically occurs when SD-WAN rules allow the traffic of one session to traverse multiple uplinks, which breaks session stickiness and forces the logout. The article provides a step-by-step guide for tracing the issue, configuring source-IP stickiness, and hardening management access by restricting admin logins to designated source IPs.


The administrator is logged out immediately or shortly after logging in to the remote FortiGate’s administrative interface. The admin login attempt is recorded in the logs, but a 'login violation' or 'session expired' event occurs.

 

Logs may indicate that the source IP for management traffic is changing or not persistent throughout the session.

 

Root Cause:

When SD-WAN is configured for load balancing or lacks session persistence, administrative traffic from a local FortiGate to a remote FortiGate may egress from different WAN interfaces, causing the source IP address to change. FortiGate’s admin sessions are tightly bound to the source IP. If the source IP changes during the session, the remote FortiGate considers it a violation and logs out the admin user for security reasons.

 

Solution:

To address this issue, follow the steps below:

 

  1. Verify WAN and SD-WAN Interfaces: Navigate to Network -> Interfaces to verify the WAN interface IP addresses. Navigate to Network -> SD-WAN to review SD-WAN rule configuration. Ensure there are no rules that would shift traffic between WAN links for the same session.
  2. Trace the Packet Flow: On both the local and remote FortiGates, run the following debug commands to trace the management session traffic (the trailing 'and' keyword on the address filter limits the trace to packets between the two addresses):

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow filter addr <source-IP> <destination-IP> and
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 9999

 

After reproducing the issue, disable debugging with:

diagnose debug disable
diagnose debug reset

 

  3. Configure SD-WAN for Source-IP Stickiness: Edit the SD-WAN rule associated with management traffic. Enable Session Persistence to ensure all session packets use the same egress interface and keep a consistent source IP.
  4. Restrict Administrative Access to Trusted Hosts: On the administrative account(s), configure 'Restrict login to trusted hosts' and specify the allowed source IP addresses or subnet ranges that should be permitted for administrative access. This further reduces risk and ensures security hardening.
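As an added example (not part of this article or of FortiOS), the following Python check confirms the symptom from exported event logs before changing the SD-WAN rule, and validates a proposed trusted-host list against the source IPs actually observed. The log lines are constructed in a simplified FortiGate key=value style; the field names, addresses and the 300-second window are assumptions for illustration.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real FortiGate output): the same admin logs in from one
# WAN address, then the session is seen from the second WAN address seconds later.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="event" subtype="system" user="admin" srcip=203.0.113.10 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.10)"
date=2024-05-01 time=10:00:07 type="event" subtype="system" user="admin" srcip=198.51.100.10 action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.10)"
date=2024-05-01 time=10:00:08 type="event" subtype="system" user="admin" srcip=203.0.113.10 action="logout" status="success" msg="Administrator admin logged out from https(203.0.113.10)"
date=2024-05-01 time=11:30:00 type="event" subtype="system" user="netops" srcip=203.0.113.10 action="login" status="success" msg="Administrator netops logged in successfully from https(203.0.113.10)"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_events(log_text):
    """Yield one dict per non-empty line, with a parsed 'ts' datetime added."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        yield ev

def find_source_flaps(log_text, window_seconds=300):
    """Return {user: [(old_ip, new_ip, seconds_apart), ...]} for successful admin
    logins whose source IP changed within the window, i.e. the SD-WAN path-change signature."""
    logins = defaultdict(list)
    for ev in parse_events(log_text):
        if ev.get("action") == "login" and ev.get("status") == "success":
            logins[ev["user"]].append((ev["ts"], ev["srcip"]))
    flaps = defaultdict(list)
    for user, events in logins.items():
        events.sort()
        for (t0, ip0), (t1, ip1) in zip(events, events[1:]):
            gap = (t1 - t0).total_seconds()
            if ip0 != ip1 and gap <= window_seconds:
                flaps[user].append((ip0, ip1, gap))
    return dict(flaps)

def check_trusted_hosts(log_text, trusted_hosts):
    """Return the observed admin source IPs that a proposed trusted-host list
    (CIDR strings) would reject, so the list can be fixed before it locks anyone out."""
    nets = [ipaddress.ip_network(n) for n in trusted_hosts]
    observed = {ev["srcip"] for ev in parse_events(log_text)}
    return {ip for ip in observed if not any(ipaddress.ip_address(ip) in n for n in nets)}

if __name__ == "__main__":
    print(find_source_flaps(SAMPLE_LOGS))
    print(check_trusted_hosts(SAMPLE_LOGS, ["203.0.113.0/24"]))
```

Once Session Persistence pins the session to one uplink, the flap list should be empty for the management rule, and the trusted-host check should return an empty set for the address ranges you intend to allow.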

 

Related documents:

System administrator best practices 

Technical Tip: Interface Stickiness for SD-WAN