Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.2.3 EMS Administration Guide
    7.2.3
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    SSL VPN

    SSL VPN

    This topic contains descriptions of SSL VPN settings.

    Note

    To view and configure SSL VPN settings, you must enable SSL VPN visibility in System Settings > Feature Select. See Feature Select.

    Configuration

    Description

    SSL VPN

    Enable SSL VPN.

    DNS Cache Service Control

    FortiClient disables Windows DNS cache when it establishes an SSL VPN tunnel. The DNS cache is restored after FortiClient disconnects from the SSL VPN tunnel. If you observe that Fortinet Single Sign On clients do not function correctly when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache.

    Prefer SSL VPN DNS

    When disabled, EMS does not add the custom DNS server from SSL VPN to the physical interface. When enabled, EMS prepends the custom DNS server from SSL VPN to the physical interface.

    Do Not Accept Invalid Server Certificate

    FortiClient does not complete the requested VPN connection when an invalid SSL VPN server certificate is used.

    Enable Invalid Server Certificate Warning

    FortiClient displays a warning to the user when an invalid SSL VPN certificate is used.

    Split Tunnel Route Metric

    Set route metric for certain subnet as needed.

    For example, you may want to set negative split routes with a higher metric, so these routes can be deactivated when another VPN product is being used and sets the same routes as FortiClient negatives split routes but with a lower metric.

    This configuration is not recommended for most use cases. This element only takes effect when you enable negative split tunnel.

    When you click the Add Tunnel button in the VPN Tunnels section, you can create an SSL VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual SSL VPN tunnel creation:

    Basic Settings

    Name

    Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

    Type

    Select SSL VPN.

    Remote Gateway

    Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.

    Port

    Enter the access port. The default port is 443.

    Require Certificate

    Require a certificate.

    Android Certificate Location

    Configure a certificate location for FortiClient (Android) to automatically go to when doing the following:

    • When selecting a certificate
    • When the user clicks Connect to connect to this tunnel

    See Certificate path configuration for automated certificate selection.

    Prompt for Username

    Prompt for the username when accessing VPN.

    Split Tunnel

    Application Based

    Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:

    • Microsoft Office 365
    • Microsoft Teams
    • Skype
    • GoToMeeting
    • Zoom
    • WebEx
    • YouTube

    Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.

    Type

    Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel.

    Local Applications

    You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.

    For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

    • Application Name: teams.exe;firefox.exe
    • Full Path: C:\Users\<username>appData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
    • Directory: C:\Users\<username>appData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

    To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

    Select the application checkbox, then click Remove to remove it from the list.

    Cloud Applications

    You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.

    Select the application checkbox, then click Remove to remove it from the list.

    Domain

    You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.

    For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.

    Select the application checkbox, then click Remove to remove it from the list.

    Advanced Settings

    Enable Single User Mode

    Enable single user mode.

    Save Username

    Save your username.

    Allow Non-Administrators to Use Machine Certificates

    Allow non-administrator users to use local machine certificates.

    Enforce Acceptance of Disclaimer Message

    Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

    Enable SAML Login

    Enable SAML SSO login for this VPN tunnel. See SAML SSO with FortiGate as IdP.

    FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows:

    If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.

    The FortiClient save password feature is commonly used along with autoconnect and always-up features as well.

    FQDN Resolution Persistence

    Enable FortiClient to remember the IP address with which it contacts the FortiGate and reuse it throughout the connection phase. This feature helps support load balancing SSL VPN gateways with one FQDN. This feature is only available for FortiClient (Windows). See Load balancing SSL VPN gateways with one FQDN.

    Use External Browser as User-agent for SAML Login

    Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection.

    Enable Azure Auto Login

    Configure FortiClient to automatically connect to a specified VPN tunnel immediately after it installs and receives its configuration from EMS, authenticating the connection using Microsoft Entra ID (formerly known as Azure Active Directory) credentials. See Autoconnect on logging in as an Entra ID user.

    Redundant Sort Method

    How FortiClient determines the order in which to try connection to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.

    When Server is selected, FortiClient tries the order explicitly defined in the server settings.

    When Ping Speed is selected, FortiClient determines the order by the ping response speed.

    When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.

    Tag

    Select Allow or Prohibit, then select the desired Zero Trust tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Zero Trust Tags.

    You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:

    1. Configure a Zero Trust tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a Zero Trust tagging rule set.
    2. For the VPN tunnel settings, select Prohibit, then select the configured tag from the Select a Tag dropdown list.

    Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel.

    Customize Host Check Fail Warning

    Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied Zero Trust tag.

    For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signature, so that they can connect to the VPN tunnel afterward.

    Show "Remember Password" Option

    Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.

    Show "Always Up" Option

    Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate.

    Show "Auto Connect" Option

    Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.

    On Connect Script

    Enable the on connect script. Enter your script.

    On Disconnect Script

    Enable the disconnect script. Enter your script.
    Previous
    Next

    More Links

    SSL VPN with Okta as SAML IdP

    SSL VPN

    SSL VPN

    This topic contains descriptions of SSL VPN settings.

    Note

    To view and configure SSL VPN settings, you must enable SSL VPN visibility in System Settings > Feature Select. See Feature Select.

    Configuration

    Description

    SSL VPN

    Enable SSL VPN.

    DNS Cache Service Control

    FortiClient disables Windows DNS cache when it establishes an SSL VPN tunnel. The DNS cache is restored after FortiClient disconnects from the SSL VPN tunnel. If you observe that Fortinet Single Sign On clients do not function correctly when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache.

    Prefer SSL VPN DNS

    When disabled, EMS does not add the custom DNS server from SSL VPN to the physical interface. When enabled, EMS prepends the custom DNS server from SSL VPN to the physical interface.

    Do Not Accept Invalid Server Certificate

    FortiClient does not complete the requested VPN connection when an invalid SSL VPN server certificate is used.

    Enable Invalid Server Certificate Warning

    FortiClient displays a warning to the user when an invalid SSL VPN certificate is used.

    Split Tunnel Route Metric

    Set route metric for certain subnet as needed.

    For example, you may want to set negative split routes with a higher metric, so these routes can be deactivated when another VPN product is being used and sets the same routes as FortiClient negatives split routes but with a lower metric.

    This configuration is not recommended for most use cases. This element only takes effect when you enable negative split tunnel.

    When you click the Add Tunnel button in the VPN Tunnels section, you can create an SSL VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual SSL VPN tunnel creation:

    Basic Settings

    Name

    Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

    Type

    Select SSL VPN.

    Remote Gateway

    Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.

    Port

    Enter the access port. The default port is 443.

    Require Certificate

    Require a certificate.

    Android Certificate Location

    Configure a certificate location for FortiClient (Android) to automatically go to when doing the following:

    • When selecting a certificate
    • When the user clicks Connect to connect to this tunnel

    See Certificate path configuration for automated certificate selection.

    Prompt for Username

    Prompt for the username when accessing VPN.

    Split Tunnel

    Application Based

    Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:

    • Microsoft Office 365
    • Microsoft Teams
    • Skype
    • GoToMeeting
    • Zoom
    • WebEx
    • YouTube

    Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.

    Type

    Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel.

    Local Applications

    You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.

    For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

    • Application Name: teams.exe;firefox.exe
    • Full Path: C:\Users\<username>appData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
    • Directory: C:\Users\<username>appData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

    To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

    Select the application checkbox, then click Remove to remove it from the list.

    Cloud Applications

    You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.

    Select the application checkbox, then click Remove to remove it from the list.

    Domain

    You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.

    For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.

    Select the application checkbox, then click Remove to remove it from the list.

    Advanced Settings

    Enable Single User Mode

    Enable single user mode.

    Save Username

    Save your username.

    Allow Non-Administrators to Use Machine Certificates

    Allow non-administrator users to use local machine certificates.

    Enforce Acceptance of Disclaimer Message

    Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

    Enable SAML Login

    Enable SAML SSO login for this VPN tunnel. See SAML SSO with FortiGate as IdP.

    FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows:

    If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.

    The FortiClient save password feature is commonly used along with autoconnect and always-up features as well.

    FQDN Resolution Persistence

    Enable FortiClient to remember the IP address with which it contacts the FortiGate and reuse it throughout the connection phase. This feature helps support load balancing SSL VPN gateways with one FQDN. This feature is only available for FortiClient (Windows). See Load balancing SSL VPN gateways with one FQDN.

    Use External Browser as User-agent for SAML Login

    Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection.

    Enable Azure Auto Login

    Configure FortiClient to automatically connect to a specified VPN tunnel immediately after it installs and receives its configuration from EMS, authenticating the connection using Microsoft Entra ID (formerly known as Azure Active Directory) credentials. See Autoconnect on logging in as an Entra ID user.

    Redundant Sort Method

    How FortiClient determines the order in which to try connection to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.

    When Server is selected, FortiClient tries the order explicitly defined in the server settings.

    When Ping Speed is selected, FortiClient determines the order by the ping response speed.

    When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.

    Tag

    Select Allow or Prohibit, then select the desired Zero Trust tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Zero Trust Tags.

    You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:

    1. Configure a Zero Trust tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a Zero Trust tagging rule set.
    2. For the VPN tunnel settings, select Prohibit, then select the configured tag from the Select a Tag dropdown list.

    Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel.

    Customize Host Check Fail Warning

    Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied Zero Trust tag.

    For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signature, so that they can connect to the VPN tunnel afterward.

    Show "Remember Password" Option

    Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.

    Show "Always Up" Option

    Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate.

    Show "Auto Connect" Option

    Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.

    On Connect Script

    Enable the on connect script. Enter your script.

    On Disconnect Script

    Enable the disconnect script. Enter your script.
    Previous
    Next