Article Id 294773

FortiGate can process the renewal of expired passwords for local SSL VPN users. 

This article describes how to resolve issues when password renewal with password complexity is not working in FortiClient SSL VPN.

Scope: FortiOS 7.4.1.

Password complexity is a new feature in FortiOS 7.4.1. Refer to the following document:

New features or enhancements


Refer to the following documentation on how to enable password renewal with password complexity for local users:

Enhance complexity options for local user password policy 7.4.1 | FortiGate / FortiOS 7.4.0 | Fortin...


This feature is supported for local SSL VPN users both with 2FA and without 2FA enabled.


In the configuration below, the SSL VPN local user 'pearlangelica' has FortiToken applied as 2FA.


Enable password renewal with complexity in FortiGate:


  1. Configure the password policy:

config user password-policy
    edit "pwpolicy1"
        set expire-days 5
        set warn-days 3
        set expired-password-renewal enable
        set min-lower-case-letter 1
        set min-upper-case-letter 1
        set min-non-alphanumeric 1
        set min-number 1
        set min-change-characters 2
        set expire-status enable
        set reuse-password disable
    next
end




  2. Apply the password policy to the SSL VPN user.

The password policy can be applied at the user level.


Local user with 2FA enabled:


config user local
    edit "pearlangelica"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB35D39832AD"
        set email-to "<email address>"
        set passwd-policy "pwpolicy1"   <----- Apply password policy.
        set passwd-time 2024-01-08 11:24:40   <----- Last password change.
        set passwd ENC QWp+uKQ7Mk1GOh+864tiS/zOVo/Wsx/4DcVRRMrfe3Ujre1lv0It45yD8S9mgl2BBPKl39hkZHSoto+akR9kIgpnIE9tU73yMdehp7Gq3KWUKeQoYnv8iWFUXQjmLTEp5gJ3Mb221tFtAYd9jumB/YS+v52QrGvWJdg3OQfxb3bdkgtpgGWMagTZojLj5gLv4kyM7A==
    next
end



The password policy can also be applied in the global user settings:

config user setting
    set default-user-password-policy 'pwpolicy1'
end



To change the expired password, log in to the VPN using the existing password.



The new password must meet the complexity requirements configured in the password policy.

If the new password does not meet the requirements, the error 'New password may not meet the policy' is shown.
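To reproduce offline why a candidate password is rejected, or when a user will be prompted for renewal, the following added example (not Fortinet code) mirrors the 'pwpolicy1' rules above in Python. The policy values and the passwd-time are taken from this article; the meaning of min-change-characters (distinct characters of the new password that do not occur in the old one) is an assumption based on the FortiOS CLI help text.

```python
from datetime import datetime, timedelta

# Values copied from the article's 'config user password-policy' block.
PWPOLICY1 = {
    "expire-days": 5,
    "warn-days": 3,
    "min-lower-case-letter": 1,
    "min-upper-case-letter": 1,
    "min-non-alphanumeric": 1,
    "min-number": 1,
    "min-change-characters": 2,
    "reuse-password": False,
}

def policy_violations(new_pw, old_pw, policy=PWPOLICY1):
    """Return the policy rules the candidate password fails (empty list = accepted)."""
    counts = {
        "min-lower-case-letter": sum(c.islower() for c in new_pw),
        "min-upper-case-letter": sum(c.isupper() for c in new_pw),
        "min-number": sum(c.isdigit() for c in new_pw),
        "min-non-alphanumeric": sum(not c.isalnum() for c in new_pw),
        # Assumed semantics: distinct characters absent from the old password.
        "min-change-characters": len(set(new_pw) - set(old_pw)),
    }
    failed = [rule for rule, have in counts.items() if have < policy[rule]]
    if not policy["reuse-password"] and new_pw == old_pw:
        failed.append("reuse-password")
    return failed

def expiry_state(passwd_time, now, policy=PWPOLICY1):
    """Classify a user's 'set passwd-time' against expire-days and warn-days."""
    expires_at = passwd_time + timedelta(days=policy["expire-days"])
    if now >= expires_at:
        return "expired"      # renewal is required at the next SSL VPN login
    if now >= expires_at - timedelta(days=policy["warn-days"]):
        return "warning"
    return "valid"

if __name__ == "__main__":
    # passwd-time of user 'pearlangelica' from the article; 'now' is constructed.
    changed = datetime(2024, 1, 8, 11, 24, 40)
    print(expiry_state(changed, datetime(2024, 1, 14, 9, 0, 0)))
    print(policy_violations("Summer2024", "Summer2023"))
```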


With FortiToken 2FA enabled:

For a local SSL VPN user with 2FA enabled, the user first needs to enter the password together with the token.

[Screenshot: password renewal 2fa-1.PNG]


Once the user has successfully authenticated with the password and FortiToken, a new password must be entered.

[Screenshot: password renewal 2fa-2.PNG]



The same process applies when using SSL VPN web mode. For a local SSL VPN user with 2FA enabled, the user first needs to enter the password together with the token.


With FortiToken 2FA enabled:


[Screenshot: ssl web 2fa-1.PNG]


The user will be asked to enter a new password.

[Screenshot: ssl web 2fa-2.PNG]



If the password change is successful, the user is connected to the VPN directly after the change. This is the expected behavior.

If instead the error 'Unable to establish the VPN connection. The VPN server may be unreachable (-8)' appears, this is a known issue (Bug 0958430) in FortiOS 7.4.1 where password renewal with password complexity does not work in FortiClient SSL VPN.

[Screenshot: unable to establish connection.PNG]



For a permanent fix, upgrade the firmware to FortiOS v7.4.2.

As a workaround, use SSL VPN web mode for the password renewal.