Selecting closest gateway for VPN connection

FortiClient (Linux) and (macOS) add the ability to sort VPN gateways in a list based on ping speed and TCP round trip time. FortiClient then selects and connects to the closest gateway in the list accordingly. Prior to this implementation, FortiClient (Linux) and (macOS) could only sort and select a VPN gateway from a list in the given order.

FortiClient (Linux) and (macOS) use one of the following bases to select the closest remote gateway:

  • Ping response time duration
  • TCP round trip time (TCP three-way handshake (SYN, SYN-ACK, ACK))

In the following examples, FortiClient can connect to the following VPN gateways:

| Name          | IP address    |
|---------------|---------------|
| VPN gateway A | 172.17.61.220 |
| VPN gateway B | 172.17.162.20 |

To configure FortiClient to select the gateway based on ping speed:
  1. In EMS, go to Endpoint Profiles > Remote Access.
  2. Create a new profile, and add a VPN tunnel with multiple gateways.
  3. Go to Advanced Settings.
  4. Under Redundant Sort Method, select Ping Speed.
  5. Assign the profile to the desired endpoint.
  6. After the endpoint receives the updated profile from EMS, connect to the configured VPN tunnel.
  7. In Terminal, ping the remote gateways. When VPN gateway A has a lower ping response time than VPN gateway B, FortiClient connects to VPN gateway A. When VPN gateway B has a lower ping response time than VPN gateway A, FortiClient connects to VPN gateway B.

    You can observe these results in Wireshark. When FortiClient sends an echo request to both gateways and the echo reply from VPN gateway B returns before the reply from VPN gateway A, FortiClient initiates a VPN connection with VPN gateway B.

To configure FortiClient to select the gateway based on TCP round trip time:
  1. In EMS, go to Endpoint Profiles > Remote Access.
  2. Create a new profile, and add a VPN tunnel with multiple gateways.
  3. Go to Advanced Settings.
  4. Under Redundant Sort Method, select TCP Round Trip Time.
  5. Assign the profile to the desired endpoint.
  6. After the endpoint receives the updated profile from EMS, connect to the configured VPN tunnel.

    You can observe these results in Wireshark. FortiClient initiates a TCP handshake with both gateways and connects to the faster (closer) gateway. In the example, since VPN gateway B is faster, FortiClient connects to that gateway.
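To cross-check from the endpoint which gateway the TCP Round Trip Time method should pick, the following added example (not Fortinet code and not part of the original page) times the three-way handshake to each gateway in the table and ranks them, placing unreachable gateways last. Port 443 and all function names are assumptions; the page does not state which port FortiClient probes.

```python
import socket
import statistics
import time

# Gateways from the page's example table. Port 443 is an assumption:
# the page does not state which port the handshake targets.
GATEWAYS = {"VPN gateway A": "172.17.61.220", "VPN gateway B": "172.17.162.20"}
VPN_PORT = 443


def tcp_rtt(host, port=VPN_PORT, samples=3, timeout=2.0):
    """Median time in seconds to complete a TCP three-way handshake, or None.

    connect() returns once the SYN-ACK has arrived and the ACK is queued,
    so its duration approximates one network round trip.
    """
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                times.append(time.perf_counter() - start)
        except OSError:
            continue  # refused, filtered or timed out: no sample recorded
    return statistics.median(times) if times else None


def rank_gateways(gateways, probe=tcp_rtt):
    """Return [(name, rtt)] sorted fastest first; unreachable gateways last."""
    measured = [(name, probe(addr)) for name, addr in gateways.items()]
    return sorted(measured, key=lambda item: (item[1] is None, item[1] or 0.0))


def closest_gateway(gateways, probe=tcp_rtt):
    """Name of the lowest-RTT reachable gateway, or None if none answered."""
    name, rtt = rank_gateways(gateways, probe)[0] if gateways else (None, None)
    return name if rtt is not None else None


if __name__ == "__main__":
    for name, rtt in rank_gateways(GATEWAYS):
        shown = "unreachable" if rtt is None else f"{rtt * 1000:.1f} ms"
        print(f"{name:15} {GATEWAYS[name]:15} {shown}")
    print("expected selection:", closest_gateway(GATEWAYS))
```

If the script's ranking disagrees with the gateway FortiClient actually connected to, compare the SYN and SYN-ACK timestamps in the Wireshark capture before assuming a profile problem, since single measurements on a jittery path can differ.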
