Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 6.4.0 EMS Administration Guide
    6.4.0
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    VPN

    VPN

    Configuration

    Description

    VPN

    Enable or disable VPN.

    Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

    General

    Allow Personal VPN

    Allow users to create, modify, and use personal VPN configurations.

    Disable Connect/Disconnect

    Disable the Connect/Disconnect button when using Auto Connect with VPN.

    Show VPN before Logon

    Allow users to select a VPN connection before logging into the system.

    Use Windows Credentials

    If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password.

    Minimize FortiClient Console on Connect

    Minimize FortiClient after successfully establishing a VPN connection.

    Show Connection Progress

    Display information on FortiClient dashboard while establishing connections.

    Suppress VPN Notifications

    Block FortiClient from displaying any VPN connection or error notifications.

    Use Vendor ID

    Use vendor ID. Enter the vendor ID in the Vendor ID field.

    Current Connection

    Select the current VPN tunnel.

    Keep Running Max Tries

    Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, it retries indefinitely.

    SSL VPN

    Enable SSL VPN.

    DNS Cache Service Control

    FortiClient disables Windows DNS cache when an SSL VPN tunnel is established. The DNS cache is restored after the SSL VPN tunnel is disconnected. If it is observed that FSSO clients do not function correctly when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache.

    Prefer SSL VPN DNS

    When disabled, EMS does not add the custom DNS server from SSL VPN to the physical interface. When enabled, EMS prepends the custom DNS server from SSL VPN to the physical interface.

    IPsec VPN

    Enable IPsec VPN.

    Enable or disable the following:

    • Beep If Connection Fails
    • Use Windows Store Certificates
      • Current User Windows Store Certificates
      • Local Computer Windows Store Certificates
    • Use Smart Card Certificates
    • Show Auth Certificates Only
    • Block IPv6
    • Enable UDP Checksum
    • Disable Default Route
    • Check for Certificate Private Key
    • Enhanced Key Usage Mandatory

    The following options are available in the Creating VPN Tunnel window after clicking the Add Tunnel button in the VPN Tunnels section.

    Basic Settings

    Name

    Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

    Type

    Select SSL VPN or IPsec VPN.

    Remote Gateway

    Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.

    Port

    Enter the access port. Available if you selected SSL VPN. The default port is 443.

    Require Certificate

    Require a certificate. Available if you selected SSL VPN.

    Authentication Method

    Select the authentication method for the VPN. Available if you selected IPsec VPN.

    Pre-Shared Key

    Enter the preshared key required. Available if you selected Pre-Shared Key for Authentication Method.

    Prompt for Username

    Prompt for the username when accessing VPN.

    VPN Settings

    Available if you selected IPsec VPN for the VPN type.

    IKE

    Select Version 1 or Version 2.

    Mode

    Select Main or Aggressive.

    Options

    Select Mode Config, Manual Set, or DHCP over IPsec.

    Specify DNS Server (IPv4)

    Specify the DNS server for the VPN tunnel. Available if you selected Manual Set.

    Assign IP Address (IPv4)

    Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set.

    Split Table

    Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec.

    Phase 1

    Available if you selected IPsec VPN for the VPN type.

    Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

    You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

    Encryption

    Select the encryption standard.

    Authentication

    Select the authentication method.

    DH Groups

    Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations.

    Key Life

    Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.

    Local ID

    Enter the local ID.

    Enable Implied SPDO

    Enable implied SPDO. Enter the timeout in seconds.

    Dead Peer Detection

    Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

    NAT Traversal

    Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

    Enable Local LAN

    Enable local LAN.

    Enable IKE Fragmentation

    Enable IKE fragmentation.

    Allow non-administrators to use machine certificates

    Allow non-administrator users to use local machine certificates to connect IPsec VPN.

    Phase 2

    Available if you selected IPsec VPN for the VPN type.

    Select the encryption and authentication algorithms that to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

    Encryption

    Select the encryption standard.

    Authentication

    Select the authentication method.

    DH Group

    Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses.

    Key Life

    Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.

    Enable Replay Detection

    Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.

    Enable Perfect Forward Secrecy (PFS)

    Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.

    Advanced Settings

    Enable One-Time Password

    Enable one-time password. Available if you selected IPsec VPN for the VPN type.

    Enable XAuth

    Enable IKE Extended Authentication (xAuth). Available if you selected IPsec VPN for the VPN type.

    XAuth Timeout

    Only available if Enable XAuth is enabled. Configure the IKE Extended Authentication (xAuth) timeout in seconds. Default value is two minutes if not configured. Enter a value between 120 and 300 seconds.

    Prompt for Certificate

    Prompt the user for the certificate. Available if you selected IPsec VPN for the VPN type.

    Enable Single User Mode

    Enable single user mode.

    Show Passcode

    Display Passcode instead of Password in the VPN tab in FortiClient.

    Enable Invalid Server Certificate Warning

    Display a warning to the user that the certificate is invalid before attempting VPN connection. Available if you selected SSL VPN for the VPN type.

    Save Username

    Save your username.

    Allow Non-Administrators to Use Machine Certificates

    Allow non-administrator users to use local machine certificates. Available if you selected SSL VPN for the VPN type.

    Enforce Acceptance of Disclaimer Message

    Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

    Show "Remember Password" Option

    Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.

    Show "Always Up" Option

    Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate.

    Show "Auto Connect" Option

    Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.

    On Connect Script

    Enable the on connect script. Enter your script.

    On Disconnect Script

    Enable the disconnect script. Enter your script.
    Previous
    Next

    VPN

    VPN

    Configuration

    Description

    VPN

    Enable or disable VPN.

    Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

    General

    Allow Personal VPN

    Allow users to create, modify, and use personal VPN configurations.

    Disable Connect/Disconnect

    Disable the Connect/Disconnect button when using Auto Connect with VPN.

    Show VPN before Logon

    Allow users to select a VPN connection before logging into the system.

    Use Windows Credentials

    If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password.

    Minimize FortiClient Console on Connect

    Minimize FortiClient after successfully establishing a VPN connection.

    Show Connection Progress

    Display information on FortiClient dashboard while establishing connections.

    Suppress VPN Notifications

    Block FortiClient from displaying any VPN connection or error notifications.

    Use Vendor ID

    Use vendor ID. Enter the vendor ID in the Vendor ID field.

    Current Connection

    Select the current VPN tunnel.

    Keep Running Max Tries

    Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, it retries indefinitely.

    SSL VPN

    Enable SSL VPN.

    DNS Cache Service Control

    FortiClient disables Windows DNS cache when an SSL VPN tunnel is established. The DNS cache is restored after the SSL VPN tunnel is disconnected. If it is observed that FSSO clients do not function correctly when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache.

    Prefer SSL VPN DNS

    When disabled, EMS does not add the custom DNS server from SSL VPN to the physical interface. When enabled, EMS prepends the custom DNS server from SSL VPN to the physical interface.

    IPsec VPN

    Enable IPsec VPN.

    Enable or disable the following:

    • Beep If Connection Fails
    • Use Windows Store Certificates
      • Current User Windows Store Certificates
      • Local Computer Windows Store Certificates
    • Use Smart Card Certificates
    • Show Auth Certificates Only
    • Block IPv6
    • Enable UDP Checksum
    • Disable Default Route
    • Check for Certificate Private Key
    • Enhanced Key Usage Mandatory

    The following options are available in the Creating VPN Tunnel window after clicking the Add Tunnel button in the VPN Tunnels section.

    Basic Settings

    Name

    Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

    Type

    Select SSL VPN or IPsec VPN.

    Remote Gateway

    Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.

    Port

    Enter the access port. Available if you selected SSL VPN. The default port is 443.

    Require Certificate

    Require a certificate. Available if you selected SSL VPN.

    Authentication Method

    Select the authentication method for the VPN. Available if you selected IPsec VPN.

    Pre-Shared Key

    Enter the preshared key required. Available if you selected Pre-Shared Key for Authentication Method.

    Prompt for Username

    Prompt for the username when accessing VPN.

    VPN Settings

    Available if you selected IPsec VPN for the VPN type.

    IKE

    Select Version 1 or Version 2.

    Mode

    Select Main or Aggressive.

    Options

    Select Mode Config, Manual Set, or DHCP over IPsec.

    Specify DNS Server (IPv4)

    Specify the DNS server for the VPN tunnel. Available if you selected Manual Set.

    Assign IP Address (IPv4)

    Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set.

    Split Table

    Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec.

    Phase 1

    Available if you selected IPsec VPN for the VPN type.

    Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

    You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

    Encryption

    Select the encryption standard.

    Authentication

    Select the authentication method.

    DH Groups

    Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations.

    Key Life

    Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.

    Local ID

    Enter the local ID.

    Enable Implied SPDO

    Enable implied SPDO. Enter the timeout in seconds.

    Dead Peer Detection

    Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

    NAT Traversal

    Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

    Enable Local LAN

    Enable local LAN.

    Enable IKE Fragmentation

    Enable IKE fragmentation.

    Allow non-administrators to use machine certificates

    Allow non-administrator users to use local machine certificates to connect IPsec VPN.

    Phase 2

    Available if you selected IPsec VPN for the VPN type.

    Select the encryption and authentication algorithms that to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

    Encryption

    Select the encryption standard.

    Authentication

    Select the authentication method.

    DH Group

    Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses.

    Key Life

    Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.

    Enable Replay Detection

    Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.

    Enable Perfect Forward Secrecy (PFS)

    Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.

    Advanced Settings

    Enable One-Time Password

    Enable one-time password. Available if you selected IPsec VPN for the VPN type.

    Enable XAuth

    Enable IKE Extended Authentication (xAuth). Available if you selected IPsec VPN for the VPN type.

    XAuth Timeout

    Only available if Enable XAuth is enabled. Configure the IKE Extended Authentication (xAuth) timeout in seconds. Default value is two minutes if not configured. Enter a value between 120 and 300 seconds.

    Prompt for Certificate

    Prompt the user for the certificate. Available if you selected IPsec VPN for the VPN type.

    Enable Single User Mode

    Enable single user mode.

    Show Passcode

    Display Passcode instead of Password in the VPN tab in FortiClient.

    Enable Invalid Server Certificate Warning

    Display a warning to the user that the certificate is invalid before attempting VPN connection. Available if you selected SSL VPN for the VPN type.

    Save Username

    Save your username.

    Allow Non-Administrators to Use Machine Certificates

    Allow non-administrator users to use local machine certificates. Available if you selected SSL VPN for the VPN type.

    Enforce Acceptance of Disclaimer Message

    Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

    Show "Remember Password" Option

    Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.

    Show "Always Up" Option

    Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate.

    Show "Auto Connect" Option

    Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.

    On Connect Script

    Enable the on connect script. Enter your script.

    On Disconnect Script

    Enable the disconnect script. Enter your script.
    Previous
    Next