FortiClient certificates and off-net behaviour
Hi guys, I am new to the forums. During the last weeks we have installed a FortiGate cluster (for the first time, I admit in the beginning).
I wish to find some exchange on some ideas we expect to implement with FortiClient, and some "yes" or "no" answers from the experienced users.
Certificate Authentication (+other credentials)
Is there any experience in authenticating via IPSec with a computer certificate, issued from the Windows Domain (via GPO)?
(It is working for us with User Certificates, no success for the computer certificate)
Forticlient Off-Net behaviour
What is the intended behaviour for Forticlient: "Auto-connect when Off-Net: This option allows the FortiClient to autoconnect to a VPN even when it has an off-net status." (from the product description)
Would this block traffic other than to the VPN Site? This is what I would like to achieve, any experience in a similar setup?
Thanks for sharing your thoughts.
Regards,
Darius
Environment: FortiOS 5.24 + FortiClient 5.24, Windows 2012 domain, Windows clients.
Certificate Authentication (+other credentials)
Two questions:
1. Is that certificate accessible to FortiClient IPsec, including the private key, etc.?
2. Does it have the proper key usage for IPsec?
When you connect, what does FortiGate debug say?
Forticlient Off-Net behaviour
Yes. It can block traffic.
Make that IPsec off-net autoconnect, disable disconnect, and use the IPsec settings:
<ike_settings> <implied_SPDO>1</implied_SPDO> </ike_settings>
Then, even before IPsec is connected, other traffic will be blocked.
But there are many corner cases: e.g., you may need to acknowledge a login web page before you have Internet access, or the PC wakes up from sleep, and it actually takes time to determine on-net/off-net. So this feature is not very reliable.
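Because a forgotten or mis-set implied_SPDO flag silently leaves an off-net client with unblocked traffic, it is worth auditing exported client configurations for it. The script below is an added example, not Fortinet's code or anything from the posts above: it walks a FortiClient-style XML export and reports, per VPN connection, whether the <ike_settings>/<implied_SPDO> value from the answer is set to 1. The element names around it (forticlient_configuration, vpn, ipsecvpn, connections, connection, name) and the sample export itself are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only <ike_settings>/<implied_SPDO> comes from the
# forum answer; the surrounding element names are assumed for this example.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>CorpVPN</name>
          <ike_settings>
            <implied_SPDO>1</implied_SPDO>
          </ike_settings>
        </connection>
        <connection>
          <name>LabVPN</name>
          <ike_settings>
            <implied_SPDO>0</implied_SPDO>
          </ike_settings>
        </connection>
        <connection>
          <name>GuestVPN</name>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


def implied_spdo_status(xml_text):
    """Map each VPN connection name to True if implied_SPDO is set to 1.

    A missing <ike_settings> or <implied_SPDO> element counts as not enabled,
    since the client would then fall back to the default (no blocking).
    """
    root = ET.fromstring(xml_text)
    status = {}
    for conn in root.iter("connection"):
        name = conn.findtext("name", default="<unnamed>")
        value = conn.findtext("ike_settings/implied_SPDO")
        status[name] = value is not None and value.strip() == "1"
    return status


def connections_missing_blocking(xml_text):
    """Return the sorted names of connections that would not block off-net traffic."""
    return sorted(n for n, ok in implied_spdo_status(xml_text).items() if not ok)
```

Run it against a real export (`implied_spdo_status(open("config.xml").read())`) to list the connections that need the flag before relying on the off-net lockdown.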
