On an IPSec-enabled instance, it is expected to see an SSL VPN login attempt under Operations -> Logs -> Events.

date=2025-09-28 time=5:03:06 AM id=7555001173363650000 itime="2025-09-28 5:03:06 AM" euid=19593 epid=104 dsteuid=3 dstepid=3 logver=702086657 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="test.local" group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1759035786155850000 tz="+0000" devid="FGVMPGTM25002960" vd="root" csf="u9whtfdv" dtime="2025-09-28 5:03:06 AM" itime_t=1759035786 devname="Bangalore_India"

In a few instances, navigate to Analytics -> Events -> VPN Events to view the logs.

Note: For the 'SSLVPN' event logs with 'N/A', these are requests received by the backend FortiGate. Since the service SSLVPN is running on port 443 and the service is listening to the Internet, such types of logs are expected.

If the number of attempts looks high, it is always recommended to have a geography host and/or geofencing configured. Geofencing is indeed a tool that can be used to block 'undesired' connection attempts.

Under Security -> Hosts, configure geography hosts before adding regional access to FortiSASE.

Under Network -> Geofencing, specify the countries/regions that endpoints may connect to. This can be used to block connections from countries/regions with no known authenticated users.

Refer to the mature admin guide for more information on Geofencing.

There is currently no option to disable SSL VPN in FortiSASE. It will be removed in the future release as per the current development roadmap once all endpoint profiles are migrated from SSL VPN to IPSec.