FortiClient VPN Integration
Overview
FortiClient provides VPN remote access, endpoint protection, and ZTNA. KYRA MDR collects FortiClient VPN events through FortiGate syslog. This integration supports FortiClient 7.x with FortiGate 7.x.
Prerequisites
- A KYRA MDR Collector installed and running
- FortiGate configured as FortiClient VPN gateway
- Syslog configured on the FortiGate
- FortiClient VPN operational on endpoints
Configuration
FortiClient VPN events are forwarded through FortiGate syslog:
- Ensure syslog is configured (see FortiGate integration)
- Enable VPN event logging:
    config log syslogd filter
        set severity information
        set forward-traffic enable
    end
    config vpn ssl settings
        set login-attempt-limit 3
        set login-block-time 60
    end
- Enable EMS logging if using FortiClient EMS:
    config endpoint-control settings
        set forticlient-reg-sync enable
    end
- Verify with:
    diagnose vpn ssl list
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| SSL VPN Login | VPN authentication events | Access monitoring |
| SSL VPN Logout | Session termination events | Session tracking |
| Tunnel Up/Down | Tunnel establishment events | VPN availability |
| Compliance Check | Endpoint compliance assessment | Security compliance |
| EMS Events | Endpoint management events | Endpoint inventory |
| Web Mode | Web-mode VPN access events | Application access monitoring |
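The SSL VPN Login events above can be checked for repeated failures from one source. The following is an added example, not KYRA MDR or Fortinet code. It assumes the events arrive as raw FortiGate key=value syslog lines. The sample lines, the field values in them, and the 60-second counting window are constructed for illustration; the threshold of 3 mirrors the login-attempt-limit set in the configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate key=value syslog style (not captured from a device).
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:00:01 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.10 msg="SSL user failed to log in"',
    'date=2024-05-01 time=09:00:20 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.10 msg="SSL user failed to log in"',
    'date=2024-05-01 time=09:00:41 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.10 msg="SSL user failed to log in"',
    'date=2024-05-01 time=09:02:00 devname="FGT-EDGE" type="event" subtype="vpn" action="tunnel-up" user="carol" remip=198.51.100.7 msg="SSL tunnel established"',
    'date=2024-05-01 time=09:05:00 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=198.51.100.20 msg="SSL user failed to log in"',
    'date=2024-05-01 time=09:10:00 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=198.51.100.20 msg="SSL user failed to log in"',
]

# key=value pairs; a value is either "quoted text" or a bare token.
FIELD_RE = re.compile(r'(\w[\w-]*)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return a dict of the line's fields; quoted values lose their quotes."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def failed_login_bursts(lines, limit=3, window=timedelta(seconds=60)):
    """Return {remip: [users]} for sources with >= limit login failures inside window."""
    failures = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "vpn" or f.get("action") != "ssl-login-fail":
            continue
        try:
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # skip lines without a usable timestamp
        failures[f.get("remip", "unknown")].append((ts, f.get("user", "")))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        # Slide over each run of `limit` consecutive failures from this source.
        for i in range(len(events) - limit + 1):
            if events[i + limit - 1][0] - events[i][0] <= window:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOGS))
```

A source that tries several usernames, as 203.0.113.10 does in the sample, is reported with every account it attempted.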
Troubleshooting
No VPN events: Set syslog filter severity to information.
Missing compliance data: Requires FortiClient EMS integration with FortiGate.
SSL VPN vs IPsec: Ensure logging covers both VPN types if both are in use.
Contact kyra@seekerslab.com for support.