SSL VPN - Web mode disabled, but Forticlient connects in web mode
Hi Team,
We would like to use SSL VPN in tunnel mode only. We have disabled web mode on the portal, but some users using FortiClient are connected in ssl-web mode. After numerous session resets, clients finally connect in tunnel mode. Any ideas and help finding the reason are appreciated.
Hello,
Thank you for your question. Can you share some screenshots of how FortiClient is connected in web mode? Or how are you checking this exactly?
After login there's an error on the Forticlient:
Here is what we see on the Fortigate:
And the event log:
Have you created the Authentication rule, so that the users in question will be mapped unequivocally to the specific portal where Web mode is disabled? By your description, it sounds like they fall through and finally reach the default rule, which has Web mode enabled. It is also possible when you have the same users located in multiple AD groups, with each group having different portals.
Yes, you need to correctly map the user groups to the correct portal. And also, FortiClient only uses tunnel mode, so this is weird.
A problem here is that, even though web mode is disabled, if you try to access the VPN portal address through a browser, the page is still presented, although no one will be able to authenticate.
The users are authenticated and mapped to one portal. We use Azure as the Identity Provider, if that matters. This particular problem happens only to a limited number of users, who have the very same group assignments as the rest, who never experience it and are able to connect normally.
Did you ever find the root cause for this? I'm seeing the same thing in my environment and am mystified as to why this is happening.
I am also seeing this. Using FortiClient 7.0.6.0290 to Fortigate 7.0.6Build0366. Just one user is failing to connect and FG logs show it's trying to connect via web mode.
Hi, has anyone found a solution to this problem? In some cases users log in correctly when they change network to LTE...
Hello Team,
After hiding the SSL VPN login page (on v 7.4.1 and below) or disabling it globally (v7.4.2 and above), it is expected to see every failed authentication for SSL VPN flagged with 'tunnel Type ssl-web'. The log does not mean an authentication attempt is being pushed through the SSL VPN login page.
Every authentication failure on the FortiGate will be categorized as web for the tunnel type even if the attempt came from a FortiClient.
This is due to FortiClient identifying itself to be accessing the tunnel mode after the authentication attempt and, as a result, FortiGate cannot detect tunnel mode versus web mode on authentication failure.
Please check the link below for more information:
Thanks
Khushdeep
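The point made in the reply above, as an added log-triage example that is not part of the original thread and not Fortinet's code: an `ssl-web` tunnel type on a failed login says nothing about the client's mode, so it is counted separately from `ssl-web` on an established session. The field names and action values (`subtype`, `action`, `tunneltype`, `ssl-login-fail`, `tunnel-up`) are assumed from the usual FortiGate key=value event-log format and may need adjusting to your export; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample entries in FortiGate-style key=value form (not from the thread).
SAMPLE_LOG = """\
date=2024-01-10 time=09:01:12 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" user="alice" remip=198.51.100.7
date=2024-01-10 time=09:01:40 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" user="alice" remip=198.51.100.7
date=2024-01-10 time=09:02:05 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=198.51.100.7
date=2024-01-10 time=09:05:31 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="bob" remip=198.51.100.9
date=2024-01-10 time=09:06:00 type="event" subtype="system" action="login" user="admin"
"""

AUTH_FAIL = "auth failure, client mode unknown"
WEB_SESSION = "web-mode session, review portal mapping"
TUNNEL_SESSION = "tunnel-mode session"

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict, handling quoted values."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def classify(entry):
    """Return a triage label for an SSL VPN event, or None for unrelated events."""
    tunneltype = entry.get("tunneltype", "")
    if entry.get("subtype") != "vpn" or not tunneltype.startswith("ssl-"):
        return None
    # Failed logins are always tagged ssl-web, so the tag carries no mode information.
    if entry.get("action") == "ssl-login-fail":
        return AUTH_FAIL
    # Assumption: ssl-web on a non-failure event reflects a real web-mode session.
    return WEB_SESSION if tunneltype == "ssl-web" else TUNNEL_SESSION

def triage(log_text):
    """Count (user, label) pairs across all SSL VPN events in the text."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        label = classify(entry)
        if label:
            counts[(entry.get("user", "unknown"), label)] += 1
    return counts

if __name__ == "__main__":
    for (user, label), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user:8} {n:3}  {label}")
```

A user who shows only the first label followed by a tunnel-mode session is hitting authentication failures, not connecting through the web portal.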