Hi Team,
We would like to use SSL VPN in tunnel mode only. We have disabled the web mode on the portal, but some users using FortiClient are connected in ssl-web mode. After numerous session resets the clients finally connect in tunnel mode. Any ideas or help finding the reason are appreciated.
Hello,
Thank you for your question. Can you share some screenshots of how FortiClient is connected in web mode? Or how are you checking this exactly?
After login there's an error on the Forticlient:
Here is what we see on the Fortigate:
And the event log:
Have you created the authentication rule, so that the users in question are mapped unequivocally to the specific portal where web mode is disabled? By your description it sounds like they fall through and finally reach the default rule, which has web mode enabled. It is also possible when you have the same users located in multiple AD groups, with each group having different portals.
Yes, you need to correctly map the user groups to the correct portal. And also, the Forticlient only uses tunnel-mode, so this is weird.
A problem here is that, even though web mode is disabled, if you try to access the VPN portal address through a browser, the page is still presented, although no one will be able to authenticate.
The users are authenticated and mapped to one portal. We use Azure as Identity Provider if that matters. This particular problem happens only to limited number of users, who have the very same group assignments as the rest, who never experience it and are able to connect normally.
Did you ever find the root cause for this? I'm seeing the same thing in my environment and am mystified as to why this is happening.
I am also seeing this. Using FortiClient 7.0.6.0290 to FortiGate 7.0.6 Build 0366. Just one user is failing to connect and the FG logs show it is trying to connect via web mode.
Hi, has anyone found a solution to this problem? In some cases users log in correctly when they change network to LTE...
Hello Team,
After hiding the SSL VPN login page (on v 7.4.1 and below) or disabling it globally (v7.4.2 and above), it is expected to see every failed authentication for SSL VPN flagged with 'tunnel Type ssl-web'. The log does not mean an authentication attempt is being pushed through the SSL VPN login page.
Every authentication failure on the FortiGate will be categorized as web for the tunnel type even if the attempt came from a FortiClient.
This is due to FortiClient identifying itself as accessing tunnel mode only after the authentication attempt; as a result, FortiGate cannot distinguish tunnel mode from web mode on an authentication failure.
Please check the link below for more information:
Thanks
Khushdeep
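To make the point above usable when triaging logs, here is an added example (not code from the thread or from Fortinet) that parses FortiGate-style key=value SSL VPN event lines and separates failed logins, which are always stamped ssl-web, from real web-mode logins. The sample lines are constructed, and the action values (ssl-login-fail, tunnel-up, ssl-login) are assumed to match the FortiGate event format.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in the FortiGate key=value event format (not logs from
# the thread; addresses and users are made up, action values are an assumption).
SAMPLE_LOGS = [
    'type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" '
    'tunneltype="ssl-web" remip="203.0.113.10" user="alice" reason="sslvpn_login_permission_denied"',
    'type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" '
    'tunneltype="ssl-tunnel" remip="203.0.113.10" user="alice"',
    'type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" '
    'tunneltype="ssl-web" remip="198.51.100.7" user="bob"',
]

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one FortiGate key=value event line into a dict."""
    return {k: (bare if bare else quoted) for k, quoted, bare in FIELD_RE.findall(line)}


def classify(rec: Dict[str, str]) -> str:
    """Label a record. A failed login is never evidence of web-mode use, because
    FortiGate stamps every SSL VPN authentication failure with tunneltype ssl-web."""
    if rec.get("subtype") != "vpn":
        return "ignore"
    if rec.get("action", "").endswith("fail"):
        return "auth-failure"
    if rec.get("tunneltype") == "ssl-web":
        return "web-mode"  # a real web-mode login: the only case worth chasing
    if rec.get("tunneltype") == "ssl-tunnel":
        return "tunnel-mode"
    return "other"


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Group user names by category so genuine web-mode users stand out."""
    out: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        label = classify(rec)
        if label != "ignore":
            out[label].append(rec.get("user", "?"))
    return dict(out)


if __name__ == "__main__":
    for label, users in summarize(SAMPLE_LOGS).items():
        print(f"{label}: {', '.join(users)}")
```

With the constructed input, alice shows up only as an authentication failure plus a tunnel-mode session, while bob is the one real web-mode login.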
Copyright 2024 Fortinet, Inc. All Rights Reserved.