Fortigate – how a special character (+) could break VPN with Firmware 6.0.5
I received an email alert from the Fortigate Switzerland distributor saying that a new firmware, 6.0.5, had been released to fix a critical hole in the VPN portal. This hole could be exploited to steal passwords, so applying the fix urgently was highly recommended.
My colleague from Trenka Informatik has a few clients with Fortigate firewalls. We upgraded a few firewalls in the data center over VPN tunnels and did not encounter any issues.
Trenka Informatik also has a client whose users are required to VPN into the office using FortiToken (two-factor authentication).
I upgraded the firewall on a Friday night, using my VPN login with FortiToken. The login worked fine even after installation of Firmware 6.0.5, both with FortiClient for Windows and with the FortiClient iOS app.
However, on Monday we received word that users were not able to log in using FortiToken. They had to disable FortiToken first, and then it worked. I was puzzled and started to investigate. The first thing I did was look at the logs. These clearly showed that some users had not been able to log in; the reported error was "unknown user". I then called the Fortigate distributor to ask whether he was aware of any issues with Firmware 6.0.5. The answer was no, and there was no hint in the knowledge base either. The recommended test was to log in directly via the VPN web portal to see whether FortiToken works there.
Perhaps it should be mentioned that this particular client uses FortiClient for Windows as the only access method for VPN.
I usually log in as a member of the “VPN Admin” group. For the testing purposes though, I created a test user in the group “VPN-office+server” which all regular users belong to and assigned myself a FortiToken.
To my surprise, I wasn't able to log in as the test user using the FortiToken. The log showed "unknown user". When I changed the group membership to "VPN Admin", the login worked. Next up: change my regular login's group from "VPN Admin" to "VPN-office+server" and try to log in. No luck. Fail.
It was pretty clear that the group membership was the problem. But why? The same firewall policy applied to both groups, so that could not be the reason. Time for another call to the Fortigate support number. I shared my investigation with them. Their response: using special characters in the name of a group could be the problem.
Bingo, and easily rectified! I changed the group name to "VPN-office-server". Result? All regular users were able to resume logging in using FortiToken.
Worth mentioning here that we had previously upgraded this firewall many times, including major upgrades, and the group name had never been a problem. But apparently Firmware 6.0.5 doesn't like special characters.
Moral of the story: avoid special characters when naming groups, as they might lead to issues. Use the old-fashioned and boring _ (underscore) instead. 🙂
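As an added example (not code from this post or from Fortinet), a small pre-upgrade check in Python that scans `config user group` output for group names containing characters outside a conservative set and proposes an underscore rename, following the recommendation above. The sample configuration is constructed, and the "safe" character set is an assumption, not a documented FortiOS rule.

```python
import re

# Constructed sample in the shape of FortiOS "show user group" output;
# not taken from any real firewall.
SAMPLE_CONFIG = """\
config user group
    edit "VPN-Admin"
        set member "admin1" "admin2"
    next
    edit "VPN-office+server"
        set member "user1" "user2" "user3"
    next
    edit "VPN_office_server"
        set member "user4"
    next
end
"""

# Assumed conservative character set: letters, digits, underscore, hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
UNSAFE_CHAR = re.compile(r"[^A-Za-z0-9_-]")
EDIT_LINE = re.compile(r'^\s*edit\s+"([^"]*)"\s*$')


def group_names(config: str) -> list[str]:
    """Return the group names defined inside the 'config user group' block."""
    names = []
    in_block = False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "config user group":
            in_block = True
            continue
        if in_block and stripped == "end":
            break  # only the user-group block is of interest
        if in_block:
            match = EDIT_LINE.match(line)
            if match:
                names.append(match.group(1))
    return names


def suspicious_chars(name: str) -> str:
    """Characters in the name outside the safe set, de-duplicated, in order."""
    return "".join(dict.fromkeys(UNSAFE_CHAR.findall(name)))


def suggest_rename(name: str) -> str:
    """Replace each character outside the safe set with an underscore."""
    return UNSAFE_CHAR.sub("_", name)


def audit(config: str) -> dict[str, str]:
    """Map each risky group name to a proposed safe rename."""
    return {n: suggest_rename(n) for n in group_names(config) if not SAFE_NAME.match(n)}
```

Run `audit()` over the output of `show user group` before an upgrade; any entry it returns is a group to rename and re-test with FortiToken users afterwards.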