SSL VPN conserve mode
FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, Kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.

SSL VPN also has its own conserve mode. The FortiGate enters SSL VPN conserve mode before Kernel conserve mode in an attempt to prevent Kernel conserve mode from triggering. During SSL VPN conserve mode, no new SSL VPN connections are allowed. It starts when free memory is less than 25% of total memory (on FortiGate units with less than 512 MB of memory) or less than 10% of total memory (on FortiGate units with more than 512 MB of memory).

To determine if the FortiGate has entered SSL VPN conserve mode - CLI
Run the following command in the CLI Console:
diagnose vpn ssl statistics
Result (the SSLVPN state line shows whether the unit is in conserve mode):
FGVM080000120082 # diagnose vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit: 1
System total memory: 2118737920
System free memory: 218537984
SSLVPN memory margin: 314572800
SSLVPN state: conserve
Max number of users: 1
Max number of tunnels: 0
Max number of connections: 6
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
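The statistics output above is something a monitoring job should parse rather than read by eye. The following Python script is an added example for this page, not Fortinet code or part of the FortiOS documentation: it parses the text of `diagnose vpn ssl statistics` (as captured over an SSH or console session), compares the reported free memory against the reported SSLVPN memory margin, and classifies the result for an alerting pipeline. The field names are taken from the output above, which is embedded as the sample input; the treatment of "Memory unit" as a byte multiplier, the "normal" state string and memory figures in the healthy and warning variants, and the 25% headroom factor for the warning level are assumptions made for this example.

```python
"""Parse `diagnose vpn ssl statistics` output and flag SSL VPN conserve mode.

Added example, not Fortinet code. Field names come from the sample output
reproduced on the page; everything marked "constructed" is an assumption.
"""
import re
from dataclasses import dataclass

# Output copied from the page (real FortiGate output shown there).
SAMPLE_OUTPUT = """\
FGVM080000120082 # diagnose vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit: 1
System total memory: 2118737920
System free memory: 218537984
SSLVPN memory margin: 314572800
SSLVPN state: conserve
Max number of users: 1
Max number of tunnels: 0
Max number of connections: 6
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
"""

# Constructed variants (not captured from a device) for the non-conserve cases.
# The "normal" state string and the free-memory figures are assumptions.
HEALTHY_OUTPUT = (SAMPLE_OUTPUT
                  .replace("System free memory: 218537984", "System free memory: 900000000")
                  .replace("SSLVPN state: conserve", "SSLVPN state: normal"))
WARNING_OUTPUT = (SAMPLE_OUTPUT
                  .replace("System free memory: 218537984", "System free memory: 350000000")
                  .replace("SSLVPN state: conserve", "SSLVPN state: normal"))

MIB = 1024 ** 2
HEADROOM = 1.25  # constructed: warn when free memory is within 25% above the margin

# "key: value" lines; the banner, prompt and separator lines do not match.
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(\S+)\s*$")


@dataclass
class SslVpnStats:
    total_memory: int       # bytes
    free_memory: int        # bytes
    memory_margin: int      # bytes; the unit's own SSL VPN conserve threshold
    state: str
    current_connections: int

    @property
    def free_percent(self) -> float:
        return 100.0 * self.free_memory / self.total_memory

    @property
    def in_conserve_mode(self) -> bool:
        # The unit's own verdict, as printed on the "SSLVPN state" line.
        return self.state.lower() == "conserve"

    @property
    def below_margin(self) -> bool:
        # Independent check: free memory has fallen under the reported margin.
        return self.free_memory < self.memory_margin


def parse_ssl_stats(text: str) -> SslVpnStats:
    """Extract the memory and state fields; raise if a required field is absent."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    required = ("System total memory", "System free memory",
                "SSLVPN memory margin", "SSLVPN state")
    missing = [k for k in required if k not in fields]
    if missing:
        raise ValueError(f"statistics output lacks fields: {missing}")
    # Assumption: "Memory unit" is the multiplier (bytes per unit) for the counters.
    unit = int(fields.get("Memory unit", "1"))
    return SslVpnStats(
        total_memory=int(fields["System total memory"]) * unit,
        free_memory=int(fields["System free memory"]) * unit,
        memory_margin=int(fields["SSLVPN memory margin"]) * unit,
        state=fields["SSLVPN state"],
        current_connections=int(fields.get("Current number of connections", "0")),
    )


def documented_threshold_percent(total_memory: int) -> int:
    """Free-memory percentage at which the page says SSL VPN conserve mode starts."""
    return 25 if total_memory < 512 * MIB else 10


def assess(stats: SslVpnStats, headroom: float = HEADROOM) -> tuple[str, str]:
    """Return (severity, message): critical, warning or ok."""
    pct = f"{stats.free_percent:.1f}% free"
    if stats.in_conserve_mode or stats.below_margin:
        return ("critical",
                f"SSL VPN conserve mode: new SSL VPN connections are refused "
                f"({stats.free_memory} B free < margin {stats.memory_margin} B, {pct})")
    if stats.free_memory < stats.memory_margin * headroom:
        return ("warning", f"free memory is approaching the SSLVPN margin ({pct})")
    return ("ok", f"SSLVPN state {stats.state} ({pct})")


if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_OUTPUT), ("constructed healthy", HEALTHY_OUTPUT)):
        severity, message = assess(parse_ssl_stats(text))
        print(f"{label}: {severity} - {message}")
```

The script trusts the margin the unit reports rather than recomputing the percentage rule, because the margin is the value the firmware actually compares against; `documented_threshold_percent` is kept only to show the rule stated on this page.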
Allow one-time login per user
You can configure an SSL VPN portal so that each user can have only one concurrent login. That is, once logged into the portal, a user cannot go to another system and log in with the same credentials again.

To allow one-time login per user - web-based manager:
Go to VPN > SSL-VPN Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time. It is disabled by default.
To allow one-time login per user - CLI:
config vpn ssl web portal
edit <portal_name>
set limit-user-logins enable
end
WAN link load balancing
You can set virtual-wan-link as the destination interface in a firewall policy (when the SSL VPN interface is the source interface) for WAN link load balancing. This allows users to log into a FortiGate via SSL VPN for traffic inspection and then have their outbound traffic load balanced across the WAN links.
CLI syntax
config firewall policy
edit <policy_id>
set dstintf virtual-wan-link
end