Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    Home FortiClient 7.2.0 New Features
    7.2.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.3
    6.2.2
    6.2.1
    6.2.0

    SSL VPN DTLS support for FortiClient (macOS) and (Linux) 7.2.2

    SSL VPN DTLS support for FortiClient (macOS) and (Linux) 7.2.2

    7.2.2 adds the capability for FortiClient on macOS and Linux to use DTLS to connect to an SSL VPN tunnel. Using TLS for SSL VPN causes performance issues and packet loss. DTLS improves SSL VPN tunnel performance and has less overheard, which improves overall customer experience.

    To configure FortiOS for SSL VPN DTLS support for FortiClient:
    1. Ensure that UDP traffic is allowed on the FortiGate for ingress and egress ports.
    2. Enable DTLS for the SSL VPN tunnel:

      config vpn ssl settings

      set dtls-tunnel enable

      end

    To configure EMS for SSL VPN DTLS support for FortiClient:
    1. In EMS, go to Endpoint Profiles > Remote Access > SSL VPN.
    2. Enable Preferred DTLS Tunnel.

    To verify that FortiClient uses DTLS for the SSL VPN connection:
    1. After FortiClient receives the updated profile from EMS, connect to the SSL VPN tunnel.
    2. Verify that FortiClient uses DTLS for the SSL VPN connection using one of the following methods:
      • In Command Prompt, run ip addr and look at the tunnel details. The MTU value for the DTLS tunnel setup should be 1 200:
         fctvpnf50ba67b: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc fq_codel state UP group default qlen 500
    link/none
    inet 10.20.20.1/32 scope global noprefixroute fctvpnf50ba67b
       valid_lft forever preferred_lft forever
      • Verify the DTLS handshakes in the /var/log/forticlient/sslvpn.log file:
        20230809 19:40:24.838 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
20230809 19:40:24.838 TZ=-0700 [sslvpn:DEBG] dtls_handshake:44 pK=0xf57984, pV=0xf57989, K=|type|,V=|heartbeat|
20230809 19:40:30.846 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
20230809 19:40:30.847 TZ=-0700 [sslvpn:DEBG] dtls_handshake:44 pK=0xf57984, pV=0xf57989, K=|type|,V=|heartbeat|
20230809 19:40:36.897 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
20230809 19:40:36.898 TZ=-0700 [sslvpn:DEBG] dtls_handshake:44 pK=0xf57984, pV=0xf57989, K=|type|,V=|heartbeat|
20230809 19:40:42.905 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
    Previous
    Next

    SSL VPN DTLS support for FortiClient (macOS) and (Linux) 7.2.2

    SSL VPN DTLS support for FortiClient (macOS) and (Linux) 7.2.2

    7.2.2 adds the capability for FortiClient on macOS and Linux to use DTLS to connect to an SSL VPN tunnel. Using TLS for SSL VPN causes performance issues and packet loss. DTLS improves SSL VPN tunnel performance and has less overheard, which improves overall customer experience.

    To configure FortiOS for SSL VPN DTLS support for FortiClient:
    1. Ensure that UDP traffic is allowed on the FortiGate for ingress and egress ports.
    2. Enable DTLS for the SSL VPN tunnel:

      config vpn ssl settings

      set dtls-tunnel enable

      end

    To configure EMS for SSL VPN DTLS support for FortiClient:
    1. In EMS, go to Endpoint Profiles > Remote Access > SSL VPN.
    2. Enable Preferred DTLS Tunnel.

    To verify that FortiClient uses DTLS for the SSL VPN connection:
    1. After FortiClient receives the updated profile from EMS, connect to the SSL VPN tunnel.
    2. Verify that FortiClient uses DTLS for the SSL VPN connection using one of the following methods:
      • In Command Prompt, run ip addr and look at the tunnel details. The MTU value for the DTLS tunnel setup should be 1 200:
         fctvpnf50ba67b: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc fq_codel state UP group default qlen 500
    link/none
    inet 10.20.20.1/32 scope global noprefixroute fctvpnf50ba67b
       valid_lft forever preferred_lft forever
      • Verify the DTLS handshakes in the /var/log/forticlient/sslvpn.log file:
        20230809 19:40:24.838 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
20230809 19:40:24.838 TZ=-0700 [sslvpn:DEBG] dtls_handshake:44 pK=0xf57984, pV=0xf57989, K=|type|,V=|heartbeat|
20230809 19:40:30.846 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
20230809 19:40:30.847 TZ=-0700 [sslvpn:DEBG] dtls_handshake:44 pK=0xf57984, pV=0xf57989, K=|type|,V=|heartbeat|
20230809 19:40:36.897 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
20230809 19:40:36.898 TZ=-0700 [sslvpn:DEBG] dtls_handshake:44 pK=0xf57984, pV=0xf57989, K=|type|,V=|heartbeat|
20230809 19:40:42.905 TZ=-0700 [sslvpn:DEBG] dtls_handshake:14 DtlsShowKeyValuePair-->
    Previous
    Next