Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.2.3 EMS Administration Guide
    7.2.3
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Per-machine prelogon VPN connection without user interaction

    Per-machine prelogon VPN connection without user interaction

    You can configure per-machine SSL and IPsec VPN tunnels that connect before user logon without user interaction using XML configuration. The following describes the XML tags required:

    XML tag

    Description

    Default value

    <show_vpn_before_logon>

    Show VPN before logon tile when logging in to Windows. Per-machine autoconnect depends on this tag being enabled to work.

    Boolean: [1|0]

    1

    <on_os_start_connect>

    Enter the tunnel name for VPN to connect to when the OS starts. For per machine autoconnect to work, you must define a tunnel as the tunnel for per-machine autoconnect. See the <machine> tag.

    <on_os_start_connect_has_priority>

    When per-user and per-machine autoconnect configurations both exist, the following occurs:

    • If this tag is set to 1, the per-machine autoconnect configuration remains connected.
    • If this tag is set to 0, after logging into Windows, the per-machine autoconnect configuration drops, and the per-user autoconnect configuration connects.

    1

    <machine>

    Enabling this tag indicates that FortiClient should use this tunnel for per-machine autoconnect. This tag must be enabled for per-machine autoconnect to start to connect.

    Boolean: [1|0]

    0

    <username>

    Enter the remote gateway authentication username if xAuth is enabled. If using public key infrastructure (PKI) authentication, do not configure this tag.

    <password>

    Enter the password for the remote gateway authentication username if xAuth is enabled. If using PKI authentication, do not configure this tag.

    <keep_running>

    When this tag is enabled and the network status changes from up to down to up again, the tunnel autoconnects when the network status is up again. This tag applies whether before or after logging in to Windows.

    Boolean: [1|0]

    0

    The following show example XML configurations for SSL and IPsec VPN for per-machine autoconnect. Elements of note have been bolded for emphasis. Both examples are balanced but incomplete XML configuration fragments. The fragments include all closing tags, but omits some important elements to complete the configuration.

    SSL VPN example

    <vpn>

    <options>

    <on_os_start_connect>myfgt-ssl</on_os_start_connect>

    <show_vpn_before_logon>1</show_vpn_before_logon>

    <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>

    </options>

    <sslvpn>

    <options>

    <enabled>1</enabled>

    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>

    </options>

    <connections>

    <connection>

    <name>myfgt-ssl</name>

    <description />

    <server>172.17.61.39:10439</server>

    <ui>

    <show_alwaysup>1</show_alwaysup>

    <show_autoconnect>1</show_autoconnect>

    <save_username>0</save_username>

    <show_remember_password>1</show_remember_password>

    </ui>

    <machine>1</machine>

    <password>11111111</password>

    <username>t1</username>

    <keep_running>0</keep_running >

    <certificate>

    <common_name>

    <match_type>simple</match_type>

    <pattern>

    <![CDATA[ems.loc]]>

    </pattern>

    </common_name>

    <issuer>

    <match_type>simple</match_type>

    <pattern>

    <![CDATA[L4RTP-AD4-EMS-LAB-CA]]>

    </pattern>

    </issuer>

    </certificate>

    <warn_invalid_server_certificate>0</warn_invalid_server_certificate>

    <prompt_certificate>1</prompt_certificate>

    <prompt_username>1</prompt_username>

    </connection>

    </connections>

    </sslvpn>

    </vpn>

    IPsec VPN example

    <ipsecvpn>

    <connections>

    <connection>

    <name>myfgt-ipsec</name>

    <type>manual</type>

    <ui>

    <show_remember_password>1</show_remember_password>

    <show_alwaysup>1</show_alwaysup>

    <show_autoconnect>1</show_autoconnect>

    <show_passcode>0</show_passcode>

    <save_username>0</save_username>

    </ui>

    <ike_settings>

    <server>fgt28.com</server>

    <authentication_method>System Store X509 Certificate</authentication_method>

    <fgt>1</fgt>

    <prompt_certificate>1</prompt_certificate>

    <xauth_timeout>120</xauth_timeout>

    <xauth>

    <use_otp>0</use_otp>

    <enabled>1</enabled>

    <prompt_username>1</prompt_username>

    <username>t1</username>

    <password>1</password>

    </xauth>

    <run_fcauth_system>1</run_fcauth_system>

    <auth_data>

    <certificate>

    <common_name>

    <match_type>wildcard</match_type>

    <pattern>*</pattern>

    </common_name>

    <issuer>

    <match_type>simple</match_type>

    <pattern>L4RTP-AD4-EMS-LABCA</pattern>

    </issuer>

    </certificate>

    </auth_data>

    </ike_settings>

    <ipsec_settings>

    </ipsec_settings>

    <host_check_fail_warning></host_check_fail_warning>

    <keep_running>0</keep_running>

    <machine>1</machine>

    </connection>

    </connections>

    </ipsecvpn>

    Use cases

    In addition to per-machine autoconnect VPN tunnels, you can also configure per-user autoconnect VPN tunnels. The following describes the expected behavior for different scenarios involving these VPN tunnels:

    Scenario

    Behavior

    Only a per-user autoconnect tunnel with <keep_running> disabled is configured.
    • The per-user tunnel only connects after the user logs in to the device.
    • The per-user tunnel does not disconnect unless the user manually disconnects it.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    Only a per-user autoconnect tunnel with <keep_running> enabled is configured.
    • The per-user tunnel only connects after the user logs in to the device.
    • The per-user tunnel does not disconnect.
    • When the device disconnects from the network, the per-user tunnel disconnects.
    • When the device reconnects to the network, the per-user tunnel reconnects.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    Only a per-machine autoconnect tunnel with <keep_running> disabled is configured.
    • The per-machine tunnel connects before the user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
    • When the device disconnects from the network, the per-machine tunnel disconnects.
    • When the device reconnects to the network, the per-machine tunnel reconnects.
    • When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.

    Only a per-machine autoconnect tunnel with <keep_running> enabled is configured.
    • The per-machine tunnel connects before the user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
    • When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.

    The following tunnels are configured:

    • A per-machine autoconnect tunnel with <keep_running> disabled
    • A per-user autoconnect tunnel with:
      • <keep_running> disabled
      • <show_remember_password> enabled
      • <show_autoconnect> enabled
    • The per-machine tunnel connects before the user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    The following tunnels are configured:

    • A per-machine autoconnect tunnel with <keep_running> enabled
    • A per-user autoconnect tunnel with <keep_running> enabled
    • The per-machine tunnel connects beforethe user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
    • When the device disconnects from the network, the per-user tunnel disconnects.
    • When the device reconnects to the network, the per-user tunnel reconnects.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    This document is not intended to cover all possible VPN tunnel configuration combinations.

    Previous
    Next

    Per-machine prelogon VPN connection without user interaction

    Per-machine prelogon VPN connection without user interaction

    You can configure per-machine SSL and IPsec VPN tunnels that connect before user logon without user interaction using XML configuration. The following describes the XML tags required:

    XML tag

    Description

    Default value

    <show_vpn_before_logon>

    Show VPN before logon tile when logging in to Windows. Per-machine autoconnect depends on this tag being enabled to work.

    Boolean: [1|0]

    1

    <on_os_start_connect>

    Enter the tunnel name for VPN to connect to when the OS starts. For per machine autoconnect to work, you must define a tunnel as the tunnel for per-machine autoconnect. See the <machine> tag.

    <on_os_start_connect_has_priority>

    When per-user and per-machine autoconnect configurations both exist, the following occurs:

    • If this tag is set to 1, the per-machine autoconnect configuration remains connected.
    • If this tag is set to 0, after logging into Windows, the per-machine autoconnect configuration drops, and the per-user autoconnect configuration connects.

    1

    <machine>

    Enabling this tag indicates that FortiClient should use this tunnel for per-machine autoconnect. This tag must be enabled for per-machine autoconnect to start to connect.

    Boolean: [1|0]

    0

    <username>

    Enter the remote gateway authentication username if xAuth is enabled. If using public key infrastructure (PKI) authentication, do not configure this tag.

    <password>

    Enter the password for the remote gateway authentication username if xAuth is enabled. If using PKI authentication, do not configure this tag.

    <keep_running>

    When this tag is enabled and the network status changes from up to down to up again, the tunnel autoconnects when the network status is up again. This tag applies whether before or after logging in to Windows.

    Boolean: [1|0]

    0

    The following show example XML configurations for SSL and IPsec VPN for per-machine autoconnect. Elements of note have been bolded for emphasis. Both examples are balanced but incomplete XML configuration fragments. The fragments include all closing tags, but omits some important elements to complete the configuration.

    SSL VPN example

    <vpn>

    <options>

    <on_os_start_connect>myfgt-ssl</on_os_start_connect>

    <show_vpn_before_logon>1</show_vpn_before_logon>

    <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>

    </options>

    <sslvpn>

    <options>

    <enabled>1</enabled>

    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>

    </options>

    <connections>

    <connection>

    <name>myfgt-ssl</name>

    <description />

    <server>172.17.61.39:10439</server>

    <ui>

    <show_alwaysup>1</show_alwaysup>

    <show_autoconnect>1</show_autoconnect>

    <save_username>0</save_username>

    <show_remember_password>1</show_remember_password>

    </ui>

    <machine>1</machine>

    <password>11111111</password>

    <username>t1</username>

    <keep_running>0</keep_running >

    <certificate>

    <common_name>

    <match_type>simple</match_type>

    <pattern>

    <![CDATA[ems.loc]]>

    </pattern>

    </common_name>

    <issuer>

    <match_type>simple</match_type>

    <pattern>

    <![CDATA[L4RTP-AD4-EMS-LAB-CA]]>

    </pattern>

    </issuer>

    </certificate>

    <warn_invalid_server_certificate>0</warn_invalid_server_certificate>

    <prompt_certificate>1</prompt_certificate>

    <prompt_username>1</prompt_username>

    </connection>

    </connections>

    </sslvpn>

    </vpn>

    IPsec VPN example

    <ipsecvpn>

    <connections>

    <connection>

    <name>myfgt-ipsec</name>

    <type>manual</type>

    <ui>

    <show_remember_password>1</show_remember_password>

    <show_alwaysup>1</show_alwaysup>

    <show_autoconnect>1</show_autoconnect>

    <show_passcode>0</show_passcode>

    <save_username>0</save_username>

    </ui>

    <ike_settings>

    <server>fgt28.com</server>

    <authentication_method>System Store X509 Certificate</authentication_method>

    <fgt>1</fgt>

    <prompt_certificate>1</prompt_certificate>

    <xauth_timeout>120</xauth_timeout>

    <xauth>

    <use_otp>0</use_otp>

    <enabled>1</enabled>

    <prompt_username>1</prompt_username>

    <username>t1</username>

    <password>1</password>

    </xauth>

    <run_fcauth_system>1</run_fcauth_system>

    <auth_data>

    <certificate>

    <common_name>

    <match_type>wildcard</match_type>

    <pattern>*</pattern>

    </common_name>

    <issuer>

    <match_type>simple</match_type>

    <pattern>L4RTP-AD4-EMS-LABCA</pattern>

    </issuer>

    </certificate>

    </auth_data>

    </ike_settings>

    <ipsec_settings>

    </ipsec_settings>

    <host_check_fail_warning></host_check_fail_warning>

    <keep_running>0</keep_running>

    <machine>1</machine>

    </connection>

    </connections>

    </ipsecvpn>

    Use cases

    In addition to per-machine autoconnect VPN tunnels, you can also configure per-user autoconnect VPN tunnels. The following describes the expected behavior for different scenarios involving these VPN tunnels:

    Scenario

    Behavior

    Only a per-user autoconnect tunnel with <keep_running> disabled is configured.
    • The per-user tunnel only connects after the user logs in to the device.
    • The per-user tunnel does not disconnect unless the user manually disconnects it.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    Only a per-user autoconnect tunnel with <keep_running> enabled is configured.
    • The per-user tunnel only connects after the user logs in to the device.
    • The per-user tunnel does not disconnect.
    • When the device disconnects from the network, the per-user tunnel disconnects.
    • When the device reconnects to the network, the per-user tunnel reconnects.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    Only a per-machine autoconnect tunnel with <keep_running> disabled is configured.
    • The per-machine tunnel connects before the user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
    • When the device disconnects from the network, the per-machine tunnel disconnects.
    • When the device reconnects to the network, the per-machine tunnel reconnects.
    • When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.

    Only a per-machine autoconnect tunnel with <keep_running> enabled is configured.
    • The per-machine tunnel connects before the user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
    • When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.

    The following tunnels are configured:

    • A per-machine autoconnect tunnel with <keep_running> disabled
    • A per-user autoconnect tunnel with:
      • <keep_running> disabled
      • <show_remember_password> enabled
      • <show_autoconnect> enabled
    • The per-machine tunnel connects before the user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    The following tunnels are configured:

    • A per-machine autoconnect tunnel with <keep_running> enabled
    • A per-user autoconnect tunnel with <keep_running> enabled
    • The per-machine tunnel connects beforethe user logs in to the device.
    • After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
    • When the device disconnects from the network, the per-user tunnel disconnects.
    • When the device reconnects to the network, the per-user tunnel reconnects.
    • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

    This document is not intended to cover all possible VPN tunnel configuration combinations.

    Previous
    Next