
Administration Guide

Connection

To configure the Connection tab:
  1. Create a new profile or edit an existing one:
    1. Go to Configuration > Profiles. By default, the Profiles tab is selected.
    2. Click Create or edit an existing profile.
    3. In the Name field, enter the desired name of the endpoint profile.
  2. On the Connection tab, to enable VPN autoconnect, for Endpoint connects to FortiSASE VPN, select Automatically. Disable the toggle for Show button to disconnect from FortiSASE VPN to prevent endpoints from being able to disconnect from FortiSASE’s secure internet access (SIA) VPN.

    To let endpoint users manually connect to FortiSASE’s SIA VPN, select Manually under Endpoint connects to FortiSASE VPN. This disables the autoconnect feature to connect to FortiSASE’s SIA VPN.

  3. Under FortiSASE bandwidth optimization, enable Bypass FortiSASE when endpoint is on-net.

    On-net rule sets determine if FortiSASE considers endpoints trusted or on-net, meaning they are in a corporate network which should have some level of on-premise security and do not need to automatically connect to FortiSASE VPN for security inspection. This also helps to optimize FortiSASE bandwidth usage.

    For example, when you add an on-net rule set using your corporate network's public IP address, the endpoints on this network do not automatically connect to FortiSASE VPN when they are on-net. Therefore, endpoints only autoconnect to FortiSASE VPN when they have public IP addresses that do not match the configured trusted public IP addresses, meaning when they are considered untrusted or off-fabric and require FortiSASE security inspection.

    FortiSASE supports on-net rule sets with the following detection types to determine if an endpoint is connecting from a trusted location. Each detection type is listed with its description:

    Receives a successful HTTP(S) 200 OK response from a known server

    This is a Beta feature, and requires enabling FortiClient 7.2 support. See FortiClient 7.2 support.

    To use an internal HTTP server:
    1. In the HTTP(S) server IP addresses field, specify the IPv4 or IPv6 address of the HTTP server. FortiSASE considers the endpoint as satisfying the rule if the FortiClient user manually sends an HTTP GET request to the specified internal IP address and receives a 200 OK in response.

    To use an internal HTTPS server:
    1. In the HTTP(S) server IP addresses field, specify the IPv4 or IPv6 IP address of the HTTPS server.

    2. Enable Use HTTPS and specify CN/SNI of the HTTPS server certificate.

    3. FortiSASE considers the endpoint to satisfy the rule if the FortiClient user manually sends an HTTPS GET request to the specified internal IP address and receives a server certificate with the specified Server Name Indication (SNI) or Common Name (CN).

    If multiple HTTP(S) servers are configured, FortiSASE considers the rule satisfied if a query to any one of the servers completes successfully.

    Connects with a known public IP

    In the Known public (WAN) IP addresses field, enter the desired IP address. You can configure multiple addresses using the + button. FortiSASE supports configuration of single IP addresses and IP subnets.

    FortiSASE considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified.

    Is connected to a known DNS server

    In the Known server IP addresses field, configure at least one IP address for the desired DNS server. You can configure multiple IP addresses using the + button.

    FortiSASE considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration.

    Make a successful query to a known DNS server

    This is a Beta feature and requires enabling FortiClient 7.2 support. See FortiClient 7.2 support.

    In the DNS query field, enter the IP address of the DNS server and the hostname to query.

    FortiSASE considers the endpoint to satisfy the rule if it sends a DNS query to the specified DNS server and successfully resolves the hostname to an IP address.

    To ensure DNS queries are sent, configure the endpoint's DNS server to match the IP address of the DNS server specified in the DNS query field.

    If multiple DNS servers are configured, FortiSASE considers the rule satisfied if any of the configured DNS servers successfully respond to a query.

    Is connected to a known DHCP server

    When Identify servers by IP/MAC addresses is enabled, configure the IP and/or MAC address for the desired DHCP server in the Known server IP addresses and Known MAC addresses fields, respectively. If configuring Identify servers by IP/MAC addresses, the MAC Address field is optional.

    When you enable Identify servers by DHCP option 224, configure the DHCP code for the desired DHCP server. If the DHCP server is a FortiGate, you can use the FortiGate serial number as the DHCP code, if desired. Otherwise, the DHCP code can be any string configured in the DHCP server as option 224.

    You can configure just Identify servers by IP/MAC addresses, just Identify servers by DHCP option 224, or both options. You can configure multiple IP addresses, MAC addresses, and DHCP codes using the + button on each tab.

    FortiSASE considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration.

    Connects from a known local subnet

    In the Known subnets field, enter a range of IP addresses. In the Known gateway MAC addresses field, optionally enter the default gateway MAC address. You can configure multiple addresses using the + button.

    FortiSASE considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the specified range and, if a gateway MAC address is configured, its default gateway MAC address matches the one specified.

    Can ping a known server

    In the Known server IP addresses field, enter the server IP address. You can configure multiple addresses using the + button.

    FortiSASE considers the endpoint as satisfying the rule if it can access the server at the specified IP address.

    Note

    Starting in 24.2.c, FortiSASE supports configuring a known IP subnet for the public IP detection type used with on-net rule sets. This feature requires FortiClient 7.0.13 and above. Administrators can no longer configure IP ranges for the public IP on-net detection type. A previously configured public IP range will be displayed as the underlying multiple single public IP addresses within the IP range.

    Configure an on-net rule set to prevent auto connect to FortiSASE VPN when endpoints are on-net:

    1. Next to Bypass FortiSASE when endpoint is on-net, click the dropdown and click + to create a new on-net rule set.
    2. In the Create new rule set slide-in, select one or more detection types by toggling them.
    3. Configure the required fields as described for each detection type.
    4. Click OK to save the on-net rule set.
    5. Click OK to select the newly created on-net rule set.
    6. Click OK to save the profile configuration.

    Note

    On-net rule sets can also be created, edited, and deleted in Configuration > Profiles from the On-net rule sets tab. From this tab, you can also view which profiles each rule set is used in.

  4. Under FortiSASE bandwidth optimization, configure Split tunneling destinations. Traffic to a split tunneling destination is considered trusted: it is excluded from the FortiSASE VPN tunnel and sent out the endpoint's physical interface, bypassing FortiSASE. This also helps optimize FortiSASE bandwidth usage. For example, you may want to add a high bandwidth-consuming application, such as Microsoft Teams or Zoom, as a split tunneling destination. Configure a split tunneling destination:
    1. Click Create.
    2. Configure the following fields:

      Type: Select Infrastructure, FQDN, Local Application, or Subnet.

      Match:

      • If you selected Infrastructure, select the desired application from the dropdown list.
      • If you selected FQDN, enter or select the desired fully qualified domain name (FQDN). The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection. For example, if you want to exclude YouTube from the VPN tunnel, you can enter youtube.com. When endpoint users use any popular browser such as Chrome, Edge, or Firefox to access youtube.com or *.youtube.com, this traffic does not go through the VPN tunnel.
      • If you selected Local Application, specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.

        For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

        • Application Name: teams.exe;firefox.exe

        • Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe

        • Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

        To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

      • If you selected Subnet, enter the desired subnet. The subnet is dynamically added to the route table when in use, and is removed after disconnection.

        You can select host groups when using the Subnet match type. You must create host groups in Configuration > Hosts before they become visible in the Create Destination dialog.

      Note

      You cannot create subnet destinations in a custom endpoint profile. Therefore, subnet destinations defined in the Default profile also apply to all custom profiles.

      Note

      FortiSASE does not support wildcard FQDNs when configuring an FQDN split tunneling destination.

    3. Click OK.
  5. Under VPNs available to users, you can configure a custom IPsec or SSL VPN configuration or edit the default SSL VPN configuration for Secure Internet Access. These configurations are typically useful for use cases that require endpoints to connect to an on-premise FortiGate via VPN.

    Note

    In FortiSASE 24.1.c and older versions, Authenticate with SSO was located in the Settings tab.

    In FortiSASE 24.2.a and later, Authenticate with SSO is in the Connection tab, under VPNs available to users > Advanced Settings. Also, in FortiSASE 24.2.a and later, you can edit the default SSL VPN Secure Internet Access configuration.

    To create an alternative custom VPN, do the following:

    1. Click Create, and select SSL VPN or IPsec VPN as per your requirement.
    2. Enter the Name of the VPN tunnel.
    3. Do one of the following:
      • For an IPsec VPN tunnel, configure the following settings:

        Remote gateway: Remote gateway FQDN or IP address.

        Authentication method: Select preshared key, smart card certificate, or system store certificate to connect to the IPsec VPN gateway.

        Prompt for username: Display a prompt for the end user to enter their username and password for user authentication.

        Advanced settings: Enable the toggle for each option that should be visible on FortiClient. When you enable Authenticate with SSO, FortiClient offers SSO as an authentication option and uses its built-in browser agent.

      • For an SSL VPN tunnel, configure the following settings:

        Remote gateway: Remote gateway FQDN or IP address.

        Port: SSL VPN port number.

        Require certificate: Enable to use certificate-based user authentication.

        Prompt for username: Display a prompt for the end user to enter their username and password for user authentication.

        Advanced settings: Enable the toggle for each option that should be visible on FortiClient. When you enable Authenticate with SSO, FortiClient offers SSO as an authentication option and uses its built-in browser agent. To use an external browser, enable Use external browser as user-agent for SAML login.

        Note

        FortiSASE supports authentication using multiple SSO providers through FortiTrust Identity. See Configuring FortiSASE with FortiTrust ID as SAML IdP proxy for Entra ID SSO.

  6. The SSL VPN settings apply to alternative SSL VPN tunnels. Enable the respective options to prevent connection errors on FortiClient due to invalid SSL certificates installed on the on-premise VPN gateway.

    Note

    To enable VPN autoconnect on FortiClient for alternative or custom VPN tunnels, set Endpoint connects to FortiSASE VPN to Manually and, for each required alternative or custom VPN, enable Show Auto Connect under Advanced Settings in that VPN tunnel's configuration. If the VPN connection fails, the VPN does not automatically connect to the backup FortiSASE SIA VPN. Endpoint users must then manually connect to the FortiSASE SIA VPN.

    Note

    When Endpoint connects to FortiSASE VPN is set to Manually, you can configure FortiSASE to offer end users the option to save their VPN login password, with or without SAML configured, under VPNs available to users > <VPN tunnel> > Advanced settings. When using SAML authentication, saving the password relies on persistent sessions being enabled in the identity provider (IdP):

    If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.

  7. Additional important FortiClient settings must be configured on the Settings tab. See Settings.
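The following is an added illustration, not FortiSASE or FortiClient code, of how the on-net detection types from step 3 (known public IP or subnet, known DNS server, known DHCP server, known local subnet with optional gateway MAC) can be evaluated against an endpoint's posture, including the legacy public IP range expansion described in the note. All postures, addresses and the DHCP code are constructed sample values; how multiple enabled detection types combine within one rule set is not stated on the page, so it is a parameter rather than a fixed rule.

```python
"""On-net rule set evaluation modelled on the FortiSASE detection types above.
Added illustration, not FortiSASE/FortiClient code. Probe-based types (HTTP 200 OK,
DNS query, ping) are omitted because they need live network probes."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def norm_mac(mac: str | None) -> str:
    """Compare MACs case- and separator-insensitively (00-11-... == 00:11:...)."""
    return (mac or "").lower().replace("-", ":")


def ip_in_any(ip: str, specs: list[str]) -> bool:
    """Match one address against entries that are single IPs or CIDR subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in specs)


def expand_legacy_range(spec: str) -> list[str]:
    """A legacy 'first-last' public IP range is shown as the single IPs it covers."""
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]


@dataclass
class Posture:
    """Facts gathered on the endpoint (constructed sample data)."""
    public_ip: str
    local_ip: str
    gateway_mac: str | None = None
    dns_servers: list[str] = field(default_factory=list)
    dhcp_server_ip: str | None = None
    dhcp_option_224: str | None = None


@dataclass
class RuleSet:
    """One on-net rule set; a non-empty list enables that detection type."""
    public_ips: list[str] = field(default_factory=list)    # single IPs or subnets
    dns_servers: list[str] = field(default_factory=list)
    dhcp_server_ips: list[str] = field(default_factory=list)
    dhcp_codes: list[str] = field(default_factory=list)    # DHCP option 224 strings
    subnets: list[str] = field(default_factory=list)
    gateway_macs: list[str] = field(default_factory=list)  # optional, tightens subnets


def evaluate(rs: RuleSet, p: Posture) -> dict[str, bool]:
    """Result per enabled detection type; within a type any matching entry suffices."""
    checks: dict[str, bool] = {}
    if rs.public_ips:
        checks["public_ip"] = ip_in_any(p.public_ip, rs.public_ips)
    if rs.dns_servers:
        checks["dns_server"] = any(d in rs.dns_servers for d in p.dns_servers)
    if rs.dhcp_server_ips or rs.dhcp_codes:
        # Assumption: when both identification methods are configured, both must match.
        by_ip = not rs.dhcp_server_ips or p.dhcp_server_ip in rs.dhcp_server_ips
        by_code = not rs.dhcp_codes or p.dhcp_option_224 in rs.dhcp_codes
        checks["dhcp_server"] = by_ip and by_code
    if rs.subnets:
        known = {norm_mac(m) for m in rs.gateway_macs}
        mac_ok = not known or norm_mac(p.gateway_mac) in known  # enforced only if set
        checks["local_subnet"] = ip_in_any(p.local_ip, rs.subnets) and mac_ok
    return checks


def is_on_net(rs: RuleSet, p: Posture, require_all: bool = True) -> bool:
    """Empty rule set never trusts an endpoint. How enabled types combine is not
    stated on the page, so it is a parameter (assumed: all must match)."""
    checks = evaluate(rs, p)
    if not checks:
        return False
    return all(checks.values()) if require_all else any(checks.values())


# Constructed example: one corporate rule set and three endpoint postures.
CORP = RuleSet(public_ips=["203.0.113.0/24"], subnets=["10.20.0.0/16"],
               gateway_macs=["00:11:22:33:44:55"], dns_servers=["10.20.0.53"])
OFFICE = Posture("203.0.113.17", "10.20.5.9", "00-11-22-33-44-55", ["10.20.0.53"])
CAFE = Posture("198.51.100.7", "192.168.1.4", "aa:bb:cc:dd:ee:ff", ["192.168.1.1"])
# Matching public IP and private subnet but a different gateway: only the optional
# gateway MAC check keeps this endpoint from being treated as on-net.
LOOKALIKE = Posture("203.0.113.40", "10.20.7.3", "de:ad:be:ef:00:01", ["10.20.0.53"])

if __name__ == "__main__":
    for name, posture in [("office", OFFICE), ("cafe", CAFE), ("lookalike", LOOKALIKE)]:
        print(f"{name:9} on-net={is_on_net(CORP, posture)} {evaluate(CORP, posture)}")
```

The LOOKALIKE posture shows why configuring the optional gateway MAC address is worth the effort: without it, a private subnet and public IP that happen to match would be enough to skip FortiSASE inspection.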
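As an added example (not FortiSASE code), the validator below checks a Local Application split tunneling Match value against the entry rules in step 4: process name, full path, or a directory that must end with a backslash; environment variables such as %LOCALAPPDATA% allowed; no leading or trailing spaces and no double quotes; multiple entries separated by semicolons. The sample values are constructed (two are the page's own Teams and Firefox examples), and the check that flags a probable directory missing its trailing backslash is our heuristic, not a documented rule.

```python
"""Validator for Local Application split tunneling entries. Added illustration, not
FortiSASE code; the missing-trailing-backslash check is a heuristic of ours."""
import re

ENV_VAR = re.compile(r"^%[A-Za-z_][A-Za-z0-9_()]*%")  # e.g. %LOCALAPPDATA%, %programfiles%


def classify_entry(entry: str) -> tuple[str, str]:
    """Return (kind, problem) for one entry; kind is process_name, full_path,
    directory or invalid, and problem is an empty string when the entry is acceptable."""
    if entry != entry.strip():
        return "invalid", "leading or trailing whitespace"
    if not entry:
        return "invalid", "empty entry (stray ';')"
    if '"' in entry:
        return "invalid", "double quotes are not allowed, even around paths with spaces"
    if entry.endswith("\\"):
        return "directory", ""
    is_path = "\\" in entry or bool(ENV_VAR.match(entry))
    if not is_path:
        return "process_name", ""
    # Heuristic (ours): a last path component without an extension is probably a
    # directory that is missing its required trailing backslash.
    last = entry.rsplit("\\", 1)[-1]
    if "." not in last:
        return "full_path", "last component has no extension; a directory must end with '\\'"
    return "full_path", ""


def parse_local_application(value: str) -> list[dict[str, str]]:
    """Split a Match value on ';' and classify every entry."""
    out = []
    for entry in value.split(";"):
        kind, problem = classify_entry(entry)
        out.append({"entry": entry, "kind": kind, "problem": problem})
    return out


def problems(value: str) -> list[str]:
    """Problems an administrator should fix before saving the destination."""
    return [f"{e['entry']!r}: {e['problem']}"
            for e in parse_local_application(value) if e["problem"]]


# Constructed sample values, including the page's own Teams and Firefox examples.
GOOD_NAMES = "teams.exe;firefox.exe"
GOOD_DIRS = "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\;C:\\Program Files\\Mozilla Firefox\\"
BAD = ' teams.exe;"C:\\Program Files\\Mozilla Firefox\\firefox.exe";C:\\Program Files\\Mozilla Firefox'

if __name__ == "__main__":
    for value in (GOOD_NAMES, GOOD_DIRS, BAD):
        print(value, "->", problems(value) or "OK")
```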
