Tag Archives: FortiGate Firewall

FortiGate Next Generation Firewall leverages dedicated security processors and threat intelligence security services from FortiGuard.

Credential or ssl vpn configuration is wrong

FortiClient Error: Credential or ssl vpn configuration is wrong (-7200)

When trying to start an SSL VPN connection with the FortiClient on Windows 10, Windows Server 2016 or 2019, the error message “Credential or ssl vpn configuration is wrong (-7200)” may appear. The connection to the endpoint is dropped during initialization because of the encryption settings, which are found in the Internet options.

Another symptom: the SSL-VPN connection and authentication are established successfully, but remote devices cannot be reached, and ICMP replies are missing and result in a timeout.

How to solve ssl vpn failure

According to Fortinet support, the settings are taken from the Internet options. The Internet Options of the Control Panel can be opened via Internet Explorer (IE), or by calling inetcpl.cpl directly.

Windows Logo + R

Press the Win+R keys, enter inetcpl.cpl and click OK.

Run inetcpl.cpl
FortiClient Credential or ssl vpn configuration is wrong. Internet Options Delete personal settings

Select the Advanced tab

Click the Reset… button. If the Reset Internet Explorer settings button does not appear, go to the next step.

Click the Delete personal settings option

Click Reset

Open Internet Options again.

Go back to Advanced tab

Disable use TLS 1.0 (no longer supported)

Add website to Trusted sites

Add the SSL-VPN gateway URL to the Trusted sites. Usually, the SSL VPN gateway is the FortiGate on the endpoint side.

Internet Options Add SSL-VPN gateway URL to Trusted Sites

Go to the Security tab in Internet Options, choose Trusted sites, then click the Sites button. Enter the SSL-VPN gateway URL into Add this website to the zone and click Add; https://sslvpn_gateway:10443 is used here as a placeholder.

Note: The default Fortinet certificate for SSL VPN was used here, but using a validated certificate won’t make a difference.

Furthermore, the SSL state must be reset: go to the Content tab and, under Certificates, click the Clear SSL state button.

Internet Options Clear SSL state

The SSL VPN connection should now be possible with the FortiClient version 6 or later, on Windows Server 2016 or later, also on Windows 10.
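
To check the result of the steps above, the following added example (not part of the original post) decodes the SecureProtocols value behind the Advanced tab checkboxes and then tests which TLS versions complete a handshake with the gateway. The gateway host name is a placeholder; port 10443 is taken from the placeholder URL above.

```powershell
# Added example, not from the original post. $GatewayHost is a placeholder.
param([string]$GatewayHost = '<sslvpn-gateway>', [int]$GatewayPort = 10443)

# Bit values of the SecureProtocols DWORD behind the Advanced tab checkboxes.
$bits = [ordered]@{ 'SSL 2.0' = 0x08;  'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80
                    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000 }
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$raw  = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols

if ($null -eq $raw) {
    Write-Output 'SecureProtocols is not set for this user; Windows defaults apply.'
} else {
    foreach ($name in $bits.Keys) {
        $state = if ($raw -band $bits[$name]) { 'enabled' } else { 'disabled' }
        Write-Output ('{0,-8} {1}' -f $name, $state)
    }
    if ($raw -band 0x80)         { Write-Warning 'TLS 1.0 is still enabled in Internet Options.' }
    if (-not ($raw -band 0x800)) { Write-Warning 'TLS 1.2 is disabled in Internet Options.' }
}

# Handshake probe: which of these versions does the gateway complete with this client?
# Certificate errors are ignored for the probe only (the post uses the default
# Fortinet certificate); nothing is sent after the handshake.
foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($GatewayHost, $GatewayPort)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($GatewayHost, $null,
                   [System.Security.Authentication.SslProtocols]$proto, $false)
        Write-Output "$proto handshake: ok ($($ssl.SslProtocol))"
    } catch {
        Write-Output "$proto handshake: failed ($($_.Exception.Message))"
    } finally {
        $tcp.Close()
    }
}
```

A failed handshake can also mean that Windows itself has that protocol version disabled, so read it together with the registry output. A Group Policy setting can override the per-user value shown here.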

No success yet?

If you haven’t had any success up to this point, don’t despair; there is more help available, and the following may apply to your case!

Credentials or SSLVPN configuration is wrong

If you use FortiClient 7 on Windows 10 or Windows 11, create a new local user on the FortiGate and add it to the SSL-VPN group.

create a new local user on the FortiGate

Add the user to the SSLVPN group assigned in the SSL VPN settings.

Try to verify the credentials using web mode; for this, Web Mode must be enabled in SSL-VPN Portals.

FortiGate SSL-VPN Portals

Note that the group with the affected user is assigned under SSL-VPN Settings at Authentication/Portal Mapping.

FortiGate SSL-VPN Settings Authentication/Portal Mapping

Try to authenticate the vpn connection with this user.

VPN Connected

It worked here with this attempt, but I haven’t yet been able to successfully carry out the authentication via LDAP server.

If your attempt was more successful and you know more, please let us know and post your comment!

How to use FortiClient VPN Post Login Script

Run FortiClient SSL VPN Scripts from CLI

This post shows how to use the FortiClient SSL VPN from the Windows command line and from batch scripts. The FortiClient is available for FortiGate for all known operating systems and can be downloaded from the Fortinet Support section. In addition to the FortiClient for Windows used here, the FortiClientTools are also needed.

FortiClient VPN Windows  Installation
FortiClient VPN

After the FortiClient is installed, we leave the VPN configuration blank. Now the FortiClientTools are unpacked into a directory. Of interest is the content of the SSLVPNcmdline folder: here the file FortiSSLVPNclient.exe is found, along with the Microsoft Visual C++ Redistributable runtime components mfc140.dll, msvcp140.dll and vcruntime140.dll.

Contents of SSLVPNcmdline FortiClientTools_6.0.9.0277.zip.

Running FortiSSLVPNclient.exe opens the GUI.

FortiClient SSLVPN Tool Installation on Windows
FortiClient SSLVPN

We decide not to use the VPN connection profile stored in Settings, and instead connect from the CLI with appended parameters.

FortiSSLVPNclient connect -h -u homer:password123 -i -q -m

A good way to start the VPN connection with login and network drive mapping is from a script; the following batch file should enable this.

@echo off
START "" /I FortiSSLVPNclient connect -h -u homer:password123 -i -q -m
timeout 10
net use * /delete /yes
net use R: \\\data /user:homer password123 /persistent:no
REM further instructions!

With the option connect -h, the client connects to the VPN gateway, given as the IP address and the port number separated by a colon. The option -u names the user who should log in to the gateway, followed by the password after the colon. The timeout waits 10 seconds for the VPN connection to be established before the network drive mapping is executed. The value may be reduced, or it may have to be increased.

The FortiSSLVPNclient icon appears in the taskbar; a right-click on it opens the context menu.
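
The batch file above keeps the password in clear text inside the script and relies on a fixed 10-second wait. The following added example (not part of the original post) is a PowerShell variant that asks for the login at run time and polls the file server instead of sleeping. It reuses only the switches shown above; the client path, gateway and file server are placeholders, and it assumes the same account is used for the VPN and the share, as in the batch file.

```powershell
# Added example, not from the original post. $Client, $Gateway and $FileServer are placeholders.
param(
    [string]$Client     = 'C:\Tools\SSLVPNcmdline\FortiSSLVPNclient.exe',  # assumed unpack folder
    [string]$Gateway    = '<gateway-ip>:<port>',   # IP:port, the form -h expects
    [string]$FileServer = '<file-server>',
    [int]$MaxWaitSec    = 60
)

# Ask for the login at run time so no password is stored in the script file.
$cred = Get-Credential -Message 'SSL VPN and file share login'
$net  = $cred.GetNetworkCredential()

# Same switches as the batch file. The tool takes user:password as an argument,
# so the password is still visible in the process command line while it runs.
$vpnArgs = 'connect', '-h', $Gateway, '-u', "$($net.UserName):$($net.Password)", '-i', '-q', '-m'
Start-Process -FilePath $Client -ArgumentList $vpnArgs

# Instead of "timeout 10": poll until SMB (TCP 445) on the file server answers.
$deadline = (Get-Date).AddSeconds($MaxWaitSec)
$up = $false
while (-not $up -and (Get-Date) -lt $deadline) {
    $up = Test-NetConnection -ComputerName $FileServer -Port 445 `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $up) { Start-Sleep -Seconds 2 }
}
if (-not $up) {
    Write-Error "File server not reachable after $MaxWaitSec s; the tunnel is probably not up."
    exit 1
}

# Map R: for this logon session only, as /persistent:no does in the batch file.
& net.exe use R: "\\$FileServer\data" $net.Password "/user:$($net.UserName)" /persistent:no
if ($LASTEXITCODE -ne 0) { Write-Error 'Drive mapping failed.'; exit 1 }
```

A password containing spaces or quotes needs extra quoting before it is passed to either program.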

The VPN connection can be disconnected with the following script.

@echo off
START "" /I FortiSSLVPNclient disconnect

FortiSSLVPNclient Command Line Usage
Usage: FortiSSLVPNclient.exe [options] [args]

FortiSSLVPNClient Tool Help Site

Source link: Fortinet Knowledge Base