FortiGate
alif
Staff

Description

This article describes the default SSL-VPN timeout settings on FortiGate and the consequences of changing the SSL-VPN configuration in a production environment.


Solution


By default, an SSL-VPN session is logged out after 8 hours:

# config vpn ssl settings
    set auth-timeout 28800

auth-timeout is the time in seconds that the SSL-VPN waits before re-authentication is enforced.
Default value is 28800 seconds (8 hours). Range: <0> to <259200>.

A value of 0 disables the timeout: a connected client is never forced to re-authenticate, so the session persists until the user disconnects or the tunnel is torn down by some other event (such as the configuration change described below). Avoid a value of 0 in production.
 
You can also adjust idle-timeout, the time in seconds that the SSL-VPN waits before logging out a user who has been inactive:

# config vpn ssl settings
    set idle-timeout 300

Default value is 300 seconds (5 minutes). Range: <0> to <259200>. As with auth-timeout, a value of 0 disables the idle timeout.
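To check these two settings across many devices without logging in to each one, the following added example (not Fortinet's code, and not part of the original article) parses the `config vpn ssl settings` block from a configuration dump such as the output of `show vpn ssl settings`, applies the defaults and range documented above, flags a disabled (0) or out-of-range timeout, and emits the CLI that restores the default. The sample configuration embedded below is constructed for the example; the object names in it are placeholders.

```python
"""Audit SSL-VPN auth-timeout and idle-timeout in a FortiOS config dump.

Added example, not Fortinet's code. The sample config is constructed.
"""
import re

# Documented defaults and range; a value of 0 means "no timeout".
DEFAULTS = {"auth-timeout": 28800, "idle-timeout": 300}
MAX_SECONDS = 259200

# Constructed sample: both timeouts have been disabled (set to 0).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set auth-timeout 0
    set idle-timeout 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
end
"""


def parse_ssl_settings(config_text):
    """Return {setting: raw value} for the top-level `config vpn ssl settings` block.

    Only unindented `end` closes the block, so nested sub-tables (which are
    indented) do not terminate the match early.
    """
    m = re.search(r"^config vpn ssl settings\n(.*?)^end\s*$",
                  config_text, re.S | re.M)
    if not m:
        return {}
    settings = {}
    for line in m.group(1).splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2]
    return settings


def audit_timeouts(settings):
    """Return [(setting, effective value, finding)] for each timeout worth reporting."""
    findings = []
    for name, default in DEFAULTS.items():
        raw = settings.get(name)
        # `show` omits settings left at their default, so a missing key means default.
        value = default if raw is None else int(raw)
        if value == 0:
            findings.append((name, value, "disabled: session never times out"))
        elif not 0 <= value <= MAX_SECONDS:
            findings.append((name, value, "out of documented range"))
        elif value > default:
            findings.append((name, value, "longer than default"))
    return findings


def hardened_settings(settings):
    """Return CLI that resets any disabled or out-of-range timeout to its default.

    A timeout that is merely longer than the default is reported but not changed;
    that is a policy decision, not a broken setting. Returns "" if nothing to fix.
    """
    fixes = [
        f"    set {name} {DEFAULTS[name]}"
        for name, _value, finding in audit_timeouts(settings)
        if not finding.startswith("longer")
    ]
    if not fixes:
        return ""
    return "\n".join(["config vpn ssl settings", *fixes, "end"])


if __name__ == "__main__":
    parsed = parse_ssl_settings(SAMPLE_CONFIG)
    for name, value, finding in audit_timeouts(parsed):
        print(f"{name}={value}: {finding}")
    print(hardened_settings(parsed))
```

Feed it `show full-configuration` output instead of `show` output if you want every value, including defaults, to appear explicitly in the parsed dictionary; the audit logic treats a missing key as the default either way.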

Changing these timeouts, or switching between tunnel mode and web mode, does not disconnect existing SSL-VPN sessions.

However, be aware:
Once SSL-VPN clients are connected, changing the firewall address objects or IP pools referenced under SSL-VPN settings in a production environment tears down all active SSL-VPN connections, regardless of the timeouts above. Schedule such changes for a maintenance window.

This is expected behavior, and the following message is logged:
 
CLI DEBUG:

[260:root:0][257:root:0]Config change causes all session to be closed in vdom 'root'