Support Forum

SSL VPN Vulnerabilities and Best Practices Discussion

I'm currently experimenting with SSL VPN on my FortiGate 40F at home. I've taken some precautions by implementing a self-generated CA/cert PKI. How do you approach SSL VPN security?


Hi @SusanEmelia ,

Here are some best practices to secure the SSL VPN:

- Integrate with authentication servers

- Use a non-factory certificate (you already generated a certificate)

- Use multi-factor authentication

- Deploy user certificates for remote SSL VPN users

- Define the minimum supported TLS version

- If you have multiple groups and portals, it is wise to configure SSL VPN multi-realm

If you have found a solution, please like and accept it to make it easily accessible for others.
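As an added example (not configuration from this thread or from Fortinet's documentation), here is the FortiOS CLI equivalent of several of the points above on one FortiGate: a non-factory server certificate, a TLS floor, a required client certificate, session timeouts, and a realm with its own authentication rule. The certificate name "myca-vpn-cert", the user group "vpn-users" and the realm "staff" are placeholders; the certificate and the group are assumed to exist already.

```fortios
# Added example, not configuration from this thread. Placeholder names:
# "myca-vpn-cert" (certificate imported from your own CA), "vpn-users"
# (an existing user group) and "staff" (the realm created below).

# A realm gives each group its own login URL, e.g. https://<fortigate>:10443/staff
config vpn ssl web realm
    edit "staff"
        set url-path "staff"
    next
end

config vpn ssl settings
    set servercert "myca-vpn-cert"        # non-factory certificate signed by your own CA
    set ssl-min-proto-ver tls1-2          # refuse TLS 1.0 and 1.1 clients
    set reqclientcert enable              # require a user certificate as well as credentials
    set idle-timeout 300                  # drop sessions idle for 5 minutes
    set auth-timeout 28800                # force re-authentication after 8 hours
    config authentication-rule
        edit 1
            set groups "vpn-users"        # only members of this group may log in
            set portal "tunnel-access"    # built-in tunnel-mode portal
            set realm "staff"             # rule applies only to the /staff login URL
        next
    end
end
```

One caveat: `set reqclientcert enable` on its own only requires that the client presents a certificate chaining to a CA the FortiGate trusts. Binding a certificate to a specific user additionally needs a PKI (peer) user, which this snippet does not set up.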


Hello @SusanEmelia 


- You can implement multi-factor authentication for user logins.

- Regularly update the FortiGate firmware and FortiClient to patch known vulnerabilities and ensure you're using the latest security features.

- Set session timeout limits and idle logout policies to automatically disconnect inactive sessions, reducing the window for unauthorized access.

- Enable logging and monitoring features to track user activities, detect anomalies, and respond to security incidents promptly.

- Educate users about best practices for VPN usage, including safeguarding credentials, recognizing phishing attempts, and reporting suspicious activities.

Let us know if you have any queries.






As @dbu wrote, use two-factor authentication...

Good to know: you do not need to buy any FortiTokens if you use the method via mail.

But you can only set this via CLI:

    config user local
        edit <username>
            set two-factor email
            set email-to <email address>
        next
    end


Of course you need an SMTP server for your firewall.

But I have only done that with local users (you can ask if you have any problems...).


Additionally, I would use security profiles like SSL inspection and IPS (especially if the users use their own hardware...).


Non- or less-security aspect

And nobody has mentioned split tunneling yet. I suggest you make use of split tunneling.

So traffic which is destined for the internet gets routed through the router, e.g. in the home office, instead of through your firewall.
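As an added example (not configuration from the post above), here are the pieces that post leaves implicit: the SMTP server the FortiGate uses to send the one-time code, the email two-factor user with the password and closing statements the CLI needs, and a tunnel portal whose split tunnel is limited to one internal address object. The values smtp.example.com, vpn-smtp, alice, alice@example.com and lan-10.0.0.0 are placeholders; the address object is assumed to exist already.

```fortios
# Added example, not configuration from the thread. Placeholders:
# smtp.example.com / vpn-smtp (mail relay and its account), alice (the VPN user)
# and lan-10.0.0.0 (an existing firewall address object for the internal subnet).

# SMTP relay used to deliver the one-time code; without it, email two-factor cannot work.
# Whoever controls this mailbox controls the second factor, so protect the mail account too.
config system email-server
    set server "smtp.example.com"
    set port 587
    set security starttls
    set authenticate enable
    set username "vpn-smtp"
    set password "<smtp-password>"
end

# Local user with an email-delivered second factor
config user local
    edit "alice"
        set type password
        set passwd "<user-password>"
        set two-factor email
        set email-to "alice@example.com"
    next
end

# Split tunnel: only the internal subnet is routed into the VPN. Internet traffic
# leaves through the user's home router and is therefore NOT inspected by the FortiGate.
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "lan-10.0.0.0"
    next
end
```

If you would rather use one of the free FortiToken Mobile tokens, `set two-factor fortitoken` together with `set fortitoken <serial>` replaces the two email lines in the user entry, and the email server is then not needed for the second factor.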


Adding further, it is worth mentioning that you also have two free FortiToken Mobile tokens.
