Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: FortiEMS and AutoConnect/AlwaysUP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiEMS and AutoConnect/AlwaysUP
Hi Team,
So I have a case with TAC that is hitting the wall in the last 2 weeks. I have a client with 800 users , Fortigate and FortiEMS.
The main reason that he purchased FortiEMS is to have the users always connected and to be able to control which user can disconnect or not).
The problem is that even everything looks just fine, has the proper configuration from all the possible documentations, the auto-connect is not working! Not to speak about "user
EMS:
<options>
<allow_personal_vpns>0</allow_personal_vpns>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<keep_running_max_tries>0</keep_running_max_tries>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<disable_connect_disconnect>1</disable_connect_disconnect>
<secure_remote_access>1</secure_remote_access>
<show_vpn_before_logon>0</show_vpn_before_logon>
<show_negotiation_wnd>1</show_negotiation_wnd>
<on_os_start_connect/>
<autoconnect_on_install>1</autoconnect_on_install>
<suppress_vpn_notification>0</suppress_vpn_notification>
<use_windows_credentials>1</use_windows_credentials>
<minimize_window_on_connect>0</minimize_window_on_connect>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<after_logon_saml_auth>0</after_logon_saml_auth>
<current_connection_name>vpn.gw</current_connection_name>
<current_connection_type>ipsec</current_connection_type>
<autoconnect_tunnel>vpn.gw</autoconnect_tunnel>
Fortigate:
config vpn ipsec phase1-interface
edit "VPN"
set xauthtype auto
set save-password enable
set client-auto-negotiate enable
set dpd-retryinterval 60
next
Nothing works!
Client is pushed with SCCM, after installation it connects to EMS , policy is fetched, Remote Access tab appears but user has to enter username and password :) After that, if the network card is disconnected and EMS goes down, upon restoration EMS connects back, fetches the policy but again Remote Access requires password to connect.
To be honest I'm out of any ideas. Any help will be really appreciated.
Labels:
- Labels:
-
FortiClient EMS
-
FortiGate
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @melkool ,
Can you please make the following change,
under the XML config for the SSL VPN tunnel, try to find a tag called <keep_running> and change the value from 0 to 1.
Let us know if that fixes the issue for you.
Thank you.
Maulish Shah
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Maulish
Client is using IPSec VPN as you can see in config vpn ipsec phase1-interface :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The feature you need is "Always up" or "Keep alive". As per documentation:
If you are using SAML for authentication, this is achieved by "Persistent cookies" from idP.
FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the IdP, discussed as follows:
If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.
The FortiClient save password feature is commonly used along with autoconnect and always-up features as well.
Please refer to the following docs for configuration guidance.
- Save password, auto connect, and always up | FortiClient 7.4.1 | Fortinet Document Library
- Configuring autoconnect with username and password authentication | FortiClient 7.4.1 | Fortinet Doc...
- Enabling VPN always up | FortiClient 7.4.1 | Fortinet Document Library
M. B.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, after many tests I used this configuration to start an IPSEC VPN at PC startup without user interaction. See if it is your case:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FortiMax_it.
As the "XML" is not documented I have no idea if <machine> and <keep running> are usable in 7.4.0. Also <on_os_start> this syntax is completely missing from my 7.4.0 XML. Not sure if this was used in early versions but to be honest I am kind of afraid to test it and FUBAR ~540 users if something goes wrong.
I'll clone the profile and have a try on my VM.
Thank for info, it's the most good information until know :) even after 3h with TAC
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient EMS XML reference guide is available at https://docs.fortinet.com/document/forticlient/7.4.1/xml-reference-guide/387580/introduction
M. B.
Created on
11-18-2024
10:57 PM
Edited on
11-18-2024
10:59 PM
By
Jean-Philippe_P
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info. I've managed to make it work (somehow).
Right now I have another issue. I was instructed by TAC to disable "on/off fabric" profiles in order to , quote "not to disturb EMS client".
So before I was using OnFabric with profile X and Off-Fabric with a default profile just for the "Remote Access" tab to be inactive.
Right now I have the same profile for both On and Off-Fabric, I have set <connect_only_when_offnet>1 . Detection works! But client connects to the VPN as it has the "always on", connect on start, etc etc
Am I asking to much from this platform ? I mean it's something very simple that worked in the past with another vendor:
- 800 users
- 2 policies (no permission to disable VPN; permission to disable VPN)
- always on / permanent VPN when not in network (100% full route back to gateway)
- When "On-Fabric" detection by the public IP (which works great) do not connect. Or if "connected" terminate the connection.
I mean I can block it from the firewall but since this a EMS there should be something there that I couldn't find.
So to be honest my idea is to switch back to On-Fabric Profile but then I will have issues when Off-Fabric as the client will try 3 times to connect and then it will stop (at least this is what TAC told me)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can have multiple tunnels in a Remote Access profile.
- Each tunnel has a separate "<keep_running>" tag.
- The Remote Access profile has just one "<autoconnect_tunnel>" tag.
- The Remote Access profile has just one "<autoconnect_only_when_offnet>" tag.
Autoconnect does NOT mean and does NOT do "auto reconnecting if disconnected". Resuming a broken/disconnected connection is done by <keep_running> (a.k.a Always Up): Enabling VPN always up | FortiClient 7.4.1 | Fortinet Document Library
M. B.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks but it does not answer my question / problem.
Right now I have almost all users in their office, so "Online - On-net" and connected to VPN. Unnecessary load for the gateway. If they go Off-Net everything is fine but why the f word they are connecting from inside when the "autoconnect only when offnet" is there and the condition is met. Confirmed by FortiEMS GUI. IT met condition by WAN IP detection.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,769 -
FortiClient
1,782 -
5.2
801 -
FortiManager
739 -
5.4
639 -
FortiAnalyzer
565 -
FortiSwitch
478 -
Fortiap
475 -
FortiClient EMS
437 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
192 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
107 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
57 -
High Availability
57 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
Radius
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiGate-VM
21 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1740 | |
| 1109 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.