| Description | This article describes SSL VPN connection attempts seen on an IPSec-enabled FortiSASE tenant. |
| Scope | FortiSASE. |
| Solution |
On an IPSec-enabled instance, SSL VPN login attempts are expected to appear under Operations -> Logs -> Events.
date=2025-09-28 time=5:03:06 AM id=7555001173363650000 itime="2025-09-28 5:03:06 AM" euid=19593 epid=104 dsteuid=3 dstepid=3 logver=702086657 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="test.local" group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1759035786155850000 tz="+0000" devid="FGVMPGTM25002960" vd="root" csf="u9whtfdv" dtime="2025-09-28 5:03:06 AM" itime_t=1759035786 devname="Bangalore_India"
If the number of attempts looks high, it is always recommended to have a geography host and/or geofencing configured. Geofencing is a tool that can be used to block “undesired” connection attempts.
Under Security -> Hosts, configure geography hosts before adding regional access to FortiSASE.
Under Network -> Geofencing, specify the countries/regions that endpoints may connect to. This can be used to block connections from countries/regions with no known authenticated users.
Refer to the Mature Administration Guide for more information on geofencing.
There is currently no option to disable SSL VPN in FortiSASE. According to the current development roadmap, it will be removed in a future release once all endpoint profiles are migrated from SSL VPN to IPSec. |
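To judge whether the number of SSL VPN login attempts is high, exported events can be counted per user and per hour. The script below is an added example, not Fortinet code: the sample lines are constructed in the layout of the log entry shown above, `itime_t` is assumed to be epoch seconds (it matches the `time` field in that entry), and the threshold of 3 failures per hour is a hypothetical value to tune.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events in the key=value layout of the log line above,
# trimmed to the fields read here; user names and times are made up.
SAMPLE_LOGS = """\
date=2025-09-28 time=5:03:06 AM type="event" subtype="vpn" action="ssl-login-fail" msg="SSL user failed to logged in" user="test.local" reason="sslvpn_login_unknown_user" itime_t=1759035786 devname="Bangalore_India"
date=2025-09-28 time=5:03:21 AM type="event" subtype="vpn" action="ssl-login-fail" user="admin" reason="sslvpn_login_unknown_user" itime_t=1759035801 devname="Bangalore_India"
date=2025-09-28 time=5:05:50 AM type="event" subtype="vpn" action="ssl-login-fail" user="test.local" reason="sslvpn_login_unknown_user" itime_t=1759035950 devname="Bangalore_India"
date=2025-09-28 time=5:15:00 AM type="event" subtype="vpn" action="ssl-login-fail" user="guest" reason="sslvpn_login_unknown_user" itime_t=1759036500 devname="Bangalore_India"
date=2025-09-28 time=5:20:00 AM type="event" subtype="vpn" action="tunnel-up" user="alice" itime_t=1759036800 devname="Bangalore_India"
date=2025-09-28 time=7:03:20 AM type="event" subtype="vpn" action="ssl-login-fail" user="test.local" reason="sslvpn_login_unknown_user" itime_t=1759043000 devname="Bangalore_India"
"""

# key=value pairs; a value is either double-quoted or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one event into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def summarize_failures(text, threshold=3):
    """Count SSL VPN login failures per (user, reason) and flag busy hours."""
    per_user, per_hour = Counter(), Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "ssl-login-fail":
            continue
        if "itime_t" not in ev:
            continue  # no usable timestamp on this line
        # Assumption: itime_t is epoch seconds; bucket by UTC hour per device.
        ts = datetime.fromtimestamp(int(ev["itime_t"]), tz=timezone.utc)
        per_hour[(ev.get("devname"), ts.strftime("%Y-%m-%d %H:00"))] += 1
        per_user[(ev.get("user"), ev.get("reason"))] += 1
    busy = {k: n for k, n in per_hour.items() if n >= threshold}
    return per_user, busy

if __name__ == "__main__":
    users, busy_hours = summarize_failures(SAMPLE_LOGS)
    for (user, reason), n in users.most_common():
        print(f"{n:3d}  {user}  {reason}")
    for (dev, hour), n in sorted(busy_hours.items()):
        print(f"{dev} {hour} UTC: {n} failed SSL VPN logins")
```

User names that recur with `sslvpn_login_unknown_user` and do not exist in the tenant indicate unauthenticated noise, the kind of attempts geofencing is meant to cut down.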
Copyright 2025 Fortinet, Inc. All Rights Reserved.