EMS Administration Guide

VPN

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Configuration

Description

VPN

Enable or disable VPN use.

General

Allow Personal VPN

Allow users to create, modify, and use personal VPN configurations.

Disable Connect/Disconnect

Enable or disable the Connect/Disconnect button when using Auto Connect with VPN.

Show VPN before Logon

Allow user to select a VPN connection before logging into the system.

Minimize FortiClient Console on Connect

Minimize FortiClient after successfully establishing a connection.

Show Connection Progress

Display information on the FortiClient GUI while establishing connections.

Suppress VPN Notifications

Block FortiClient from displaying any VPN connection or error notifications.

Use Vendor ID

Use vendor ID. Enter the vendor ID in the Vendor ID field.

Current Connection

Select the current VPN tunnel.

Keep Running Max Tries

The maximum number of attempts to retry a VPN connection that was lost due to network issues. If set to 0, it retries indefinitely.

SSL VPN

Enable SSL VPN.

DNS Cache Service Control

FortiClient disables the Windows DNS cache when an SSL VPN tunnel is established and restores it after the SSL VPN tunnel is disconnected. If FSSO clients do not function correctly while an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache.

Prefer SSL VPN DNS

When disabled, the custom DNS server from SSL VPN is not added to the physical interface. When enabled, the custom DNS server from SSL VPN is prepended to the physical interface.

IPsec VPN

Enable IPsec VPN.

Enable or disable the following:

  • Beep If Connection Fails
  • Use Windows Store Certificates
    • Current User Windows Store Certificates (IPsec only)
    • Local Computer Windows Store Certificates (IPsec only)
  • Use Smart Card Certificates
  • Show Auth Certificates Only
  • Block IPv6
  • Enable UDP Checksum
  • Disable Default Route
  • Check for Certificate Private Key
  • Enhanced Key Usage Mandatory

The following options are available in the Creating VPN Tunnel window after clicking the Add Tunnel button in the VPN Tunnels section.

Basic Settings

Name

Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

Type

Select SSL VPN or IPsec VPN.

Remote Gateway

Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN connects to the next configured gateway.

Port

Enter the access port. Available if SSL VPN is selected. The default port is 443.

Require Certificate

Require a certificate. Available if SSL VPN is selected.

Authentication Method

Select the authentication method for the VPN. Available if IPsec VPN is selected.

Pre-Shared Key

Enter the preshared key required. Available if Pre-Shared Key is selected for Authentication Method.

Prompt for Username

Prompt for the username when accessing VPN.
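The Basic Settings above are a set of rules a tunnel definition must satisfy (an alphanumeric name, one or more semicolon-separated remote gateways tried in order, a port that applies to SSL VPN only and defaults to 443, and a pre-shared key that is only required when that authentication method is chosen). The following Python is an added example of encoding those rules as a validator and a gateway failover walk; it is not FortiClient or EMS code. The dataclass field names, the `reachable` callback, and the sample gateways (`vpn1.example.com`, `203.0.113.10`) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Name rule from the guide: standard alphanumeric characters only,
# no symbols or accented characters.
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")
SSL_VPN_DEFAULT_PORT = 443
VPN_TYPES = ("SSL VPN", "IPsec VPN")


@dataclass
class TunnelBasicSettings:
    # Field names are this example's own, not EMS configuration keys.
    name: str
    vpn_type: str                                # "SSL VPN" or "IPsec VPN"
    remote_gateway: str                          # one entry, or several separated by ';'
    port: Optional[int] = None                   # SSL VPN only; None means the default 443
    require_certificate: bool = False            # SSL VPN only
    authentication_method: Optional[str] = None  # IPsec only, e.g. "Pre-Shared Key"
    pre_shared_key: Optional[str] = None
    prompt_for_username: bool = True


def parse_remote_gateways(value: str) -> List[str]:
    """Split the Remote Gateway field on ';'. Order is preserved because it is
    the failover order: the client moves to the next entry when one is unavailable."""
    return [g.strip() for g in value.split(";") if g.strip()]


def effective_port(cfg: TunnelBasicSettings) -> Optional[int]:
    """Port applies to SSL VPN only and defaults to 443 when left empty."""
    if cfg.vpn_type != "SSL VPN":
        return None
    return SSL_VPN_DEFAULT_PORT if cfg.port is None else cfg.port


def validate_basic_settings(cfg: TunnelBasicSettings) -> List[str]:
    """Return the violations of the Basic Settings rules; an empty list means valid."""
    problems = []
    if not NAME_RE.match(cfg.name):
        problems.append("Name: use only standard alphanumeric characters")
    if cfg.vpn_type not in VPN_TYPES:
        problems.append("Type: select SSL VPN or IPsec VPN")
    if not parse_remote_gateways(cfg.remote_gateway):
        problems.append("Remote Gateway: at least one IP address or hostname is required")
    if cfg.vpn_type == "SSL VPN":
        if not 1 <= effective_port(cfg) <= 65535:
            problems.append("Port: must be a valid TCP port")
    if cfg.vpn_type == "IPsec VPN":
        if cfg.authentication_method is None:
            problems.append("Authentication Method: required for IPsec VPN")
        elif cfg.authentication_method == "Pre-Shared Key" and not cfg.pre_shared_key:
            problems.append("Pre-Shared Key: required when Authentication Method is Pre-Shared Key")
    return problems


def select_gateway(gateways: List[str], reachable: Callable[[str], bool]) -> Optional[str]:
    """Walk the configured gateways in order and return the first one that answers,
    mirroring the failover behaviour the guide describes. None means all failed."""
    for gw in gateways:
        if reachable(gw):
            return gw
    return None


if __name__ == "__main__":
    # Constructed sample: two gateways, the first one currently unreachable.
    cfg = TunnelBasicSettings(name="CorpSSL", vpn_type="SSL VPN",
                              remote_gateway="vpn1.example.com; 203.0.113.10")
    print(validate_basic_settings(cfg), effective_port(cfg))
    down = {"vpn1.example.com"}
    print(select_gateway(parse_remote_gateways(cfg.remote_gateway), lambda g: g not in down))
```

The `reachable` callback stands in for whatever probe a deployment uses; the point of the walk is only that the list order from the Remote Gateway field is the order in which fallback happens.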

VPN Settings

Available if IPsec VPN is selected for the VPN type.

Mode

Select Main or Aggressive.

Options

Select Mode Config, Manual Set, or DHCP over IPsec.

Specify DNS Server (IPv4)

Specify the DNS server for the VPN tunnel. Available if Manual Set is selected.

Assign IP Address (IPv4)

Enter the IP address to assign for the VPN tunnel. Available if Manual Set is selected.

Split Table

Enter the IP address and subnet mask for the VPN tunnel. Available if Manual Set or DHCP over IPsec is selected.

Phase 1

Available if IPsec VPN is selected for the VPN type.

Select the encryption and authentication algorithms used to generate the keys that protect the negotiation, and add further encryption and authentication combinations as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Encryption

Select the encryption standard.

Authentication

Select the authentication method.

DH Groups

Select one or more Diffie-Hellman groups from DH group 1, 2, 5, 14, 15, 16, 17, 18, 19 and 20. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate. Failure to match at least one DH group results in failed negotiations.

Key Life

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.

Local ID

Enter the local ID.

Enable Implied SPDO

Enable implied SPDO. Enter the timeout in seconds.

Dead Peer Detection

Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

NAT Traversal

Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Enable Local LAN

Enable local LAN.

Enable IKE Fragmentation

Enable IKE fragmentation.

Phase 2

Available if IPsec VPN is selected for the VPN type.

Select the encryption and authentication algorithms that are proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.

Encryption

Select the encryption standard.

Authentication

Select the authentication method.

DH Group

Select one Diffie-Hellman (DH) group (1, 2, 5, 14, 15, 16, 17, 18, 19 or 20). This must match the DH Group that the remote peer or dialup client uses.

Key Life

The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB has been processed. When the phase 2 key expires, a new key is generated without interrupting service.

Enable Replay Detection

Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.

Enable Perfect Forward Secrecy (PFS)

Select the checkbox to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, so that a new key is generated each time.
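The Phase 1 and Phase 2 descriptions above state a small set of matching rules: one or two proposals per phase, at least one proposal and at least one DH group in common with the remote peer, the same NAT traversal setting on both sides, a Phase 1 key life of 120 to 172,800 seconds, a PFS DH group that must match the peer, and a Phase 2 key that expires when either the time or the KB limit is reached. The following Python is an added example that walks through those rules for a client/gateway pair; it is not FortiClient, EMS or FortiGate code and does not speak IKE. The `Proposal` labels such as `AES256`/`SHA256` are constructed, and which of several common DH groups is used is left to the caller because the guide does not state a preference order.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Values stated in the Phase 1 / Phase 2 descriptions.
ALLOWED_DH_GROUPS = frozenset({1, 2, 5, 14, 15, 16, 17, 18, 19, 20})
PHASE1_KEY_LIFE_MIN, PHASE1_KEY_LIFE_MAX = 120, 172_800  # seconds
MAX_PROPOSALS = 2


@dataclass(frozen=True)
class Proposal:
    encryption: str      # e.g. "AES256" (constructed label, not a product enum)
    authentication: str  # e.g. "SHA256"


@dataclass
class Phase1:
    proposals: List[Proposal]
    dh_groups: FrozenSet[int]
    key_life: int        # seconds
    nat_traversal: bool


@dataclass
class Phase2:
    proposals: List[Proposal]
    pfs: bool
    dh_group: Optional[int] = None         # only meaningful when PFS is enabled
    key_life_seconds: Optional[int] = None
    key_life_kb: Optional[int] = None


def validate_phase1(p: Phase1) -> List[str]:
    """Check one side's Phase 1 settings against the limits the guide states."""
    problems = []
    if not 1 <= len(p.proposals) <= MAX_PROPOSALS:
        problems.append("Phase 1 needs between one and two encryption/authentication combinations")
    if not p.dh_groups:
        problems.append("Select at least one DH group")
    unsupported = p.dh_groups - ALLOWED_DH_GROUPS
    if unsupported:
        problems.append(f"DH groups not in the selectable set: {sorted(unsupported)}")
    if not PHASE1_KEY_LIFE_MIN <= p.key_life <= PHASE1_KEY_LIFE_MAX:
        problems.append("Phase 1 Key Life must be between 120 and 172,800 seconds")
    return problems


def validate_phase2(p: Phase2) -> List[str]:
    problems = []
    if not 1 <= len(p.proposals) <= MAX_PROPOSALS:
        problems.append("Phase 2 needs between one and two proposals")
    if p.pfs and p.dh_group not in ALLOWED_DH_GROUPS:
        problems.append("PFS is enabled, so one supported DH group is required")
    if p.key_life_seconds is None and p.key_life_kb is None:
        problems.append("Key Life needs a time limit, a KB limit, or both")
    return problems


def negotiate_phase1(client: Phase1, gateway: Phase1) -> Tuple[Optional[Proposal], List[int], List[str]]:
    """Apply the Phase 1 matching rules: a proposal in common, a DH group in common,
    and identical NAT traversal settings. Returns (first matching proposal in the
    client's order, all common DH groups, reasons the negotiation would fail)."""
    reasons = []
    common = [c for c in client.proposals if c in gateway.proposals]
    if not common:
        reasons.append("no Phase 1 proposal in common")
    dh = sorted(client.dh_groups & gateway.dh_groups)
    if not dh:
        reasons.append("no DH group in common")
    if client.nat_traversal != gateway.nat_traversal:
        reasons.append("NAT traversal must be set the same on both sides")
    if reasons:
        return None, [], reasons
    return common[0], dh, []


def negotiate_phase2(client: Phase2, gateway: Phase2) -> Tuple[Optional[Proposal], List[str]]:
    """Phase 2: a proposal in common, and with PFS the single DH group must match the peer."""
    reasons = []
    common = [c for c in client.proposals if c in gateway.proposals]
    if not common:
        reasons.append("no Phase 2 proposal in common")
    if client.pfs and client.dh_group != gateway.dh_group:
        reasons.append("PFS DH group must match the remote peer")
    return (None if reasons else common[0]), reasons


def phase2_key_expired(p: Phase2, elapsed_seconds: int, processed_kb: int) -> bool:
    """With both limits set, the key expires when EITHER limit is reached;
    PFS then forces a fresh DH exchange for the replacement key."""
    by_time = p.key_life_seconds is not None and elapsed_seconds >= p.key_life_seconds
    by_volume = p.key_life_kb is not None and processed_kb >= p.key_life_kb
    return by_time or by_volume
```

Running `negotiate_phase1` against the gateway's intended settings before pushing a profile catches the two silent failure modes the guide warns about (no DH group overlap, mismatched NAT traversal) without waiting for a failed IKE negotiation in the field.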

Auto Keep Alive

Enable auto keep alive.

Allow non-administrators to use machine certificates

Allow non-administrator users to use local machine certificates.

Advanced Settings

Enable One-Time Password

Enable one-time password. Available if IPsec VPN is selected for the VPN type.

Enable XAuth

Enable IKE Extended Authentication (xAuth). Available if IPsec VPN is selected for the VPN type.

XAuth Timeout

Only available if Enable XAuth is enabled. Configure the IKE Extended Authentication (xAuth) timeout in seconds. The default value is two minutes if not configured. Enter a value between 120 and 300 seconds.

Prompt for Certificate

Prompt the user for the certificate. Available if IPsec VPN is selected for the VPN type.

Enable Single User Mode

Enable Single User Mode.

Show Passcode

Display Passcode instead of Password in the VPN tab on the FortiClient console.

Enable Invalid Server Certificate Warning

Display a warning to the user that the certificate is invalid before attempting VPN connection. Available if SSL VPN is selected for the VPN type.

Save Username

Save your username.

Allow Non-Administrators to Use Machine Certificates

Allow non-administrator users to use local machine certificates. Available if SSL VPN is selected for the VPN type.

Show "Remember Password" Option

Have the VPN tunnel remember the password.

Show "Always Up" Option

Have the VPN tunnel always up. This also needs to be enabled on the FortiGate.

Show "Auto Connect" Option

Automatically connect the VPN tunnel. This also needs to be enabled on the FortiGate.

On Connect Script

Enable the on connect script. Enter your script. This also needs to be enabled on the FortiGate.

On Disconnect Script

Enable the on disconnect script. Enter your script. This also needs to be enabled on the FortiGate.
