CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
cifs
- cifs domain-controller
- cifs profile
credential-store
- credential-store domain-controller
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
extender-controller
- extender-controller extender
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall city
- firewall consolidated policy
- firewall country
- firewall decrypted-traffic-mirror
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-botnet
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-name
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy6
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall region
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vendor-mac
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller global
- switch-controller initial-config template
- switch-controller initial-config vlans
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-policy
- switch-controller managed-switch
- switch-controller nac-device
- switch-controller nac-settings
- switch-controller poe
- switch-controller port-policy
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller traffic-policy
- switch-controller virtual-port-pool
- switch-controller vlan-policy
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg device-detection-portal
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg nntp
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system standalone-cluster
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wan-link
- system virtual-wire-pair
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user nac-policy
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller access-control-list
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller apcfg-profile
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.4.0 CLI Reference

6.4.0

vpn ssl web portal

Portal.

  config vpn ssl web portal
      Description: Portal.
      edit <name>
          set tunnel-mode [enable|disable]
          set ip-mode [range|user-group]
          set auto-connect [enable|disable]
          set keep-alive [enable|disable]
          set save-password [enable|disable]
          set ip-pools <name1>, <name2>, ...
          set exclusive-routing [enable|disable]
          set service-restriction [enable|disable]
          set split-tunneling [enable|disable]
          set split-tunneling-routing-negate [enable|disable]
          set split-tunneling-routing-address <name1>, <name2>, ...
          set dns-server1 {ipv4-address}
          set dns-server2 {ipv4-address}
          set dns-suffix {var-string}
          set wins-server1 {ipv4-address}
          set wins-server2 {ipv4-address}
          set ipv6-tunnel-mode [enable|disable]
          set ipv6-pools <name1>, <name2>, ...
          set ipv6-exclusive-routing [enable|disable]
          set ipv6-service-restriction [enable|disable]
          set ipv6-split-tunneling [enable|disable]
          set ipv6-split-tunneling-routing-negate [enable|disable]
          set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
          set ipv6-dns-server1 {ipv6-address}
          set ipv6-dns-server2 {ipv6-address}
          set ipv6-wins-server1 {ipv6-address}
          set ipv6-wins-server2 {ipv6-address}
          set web-mode [enable|disable]
          set display-bookmark [enable|disable]
          set user-bookmark [enable|disable]
          set allow-user-access {option1}, {option2}, ...
          set user-group-bookmark [enable|disable]
          config bookmark-group
              Description: Portal bookmark group.
              edit <name>
                  config bookmarks
                      Description: Bookmark table.
                      edit <name>
                          set apptype [ftp|rdp|...]
                          set url {var-string}
                          set host {var-string}
                          set folder {var-string}
                          set additional-params {var-string}
                          set listening-port {integer}
                          set remote-port {integer}
                          set show-status-window [enable|disable]
                          set description {var-string}
                          set server-layout [de-de-qwertz|en-gb-qwerty|...]
                          set security [rdp|nla|...]
                          set preconnection-id {integer}
                          set preconnection-blob {var-string}
                          set load-balancing-info {var-string}
                          set port {integer}
                          set logon-user {var-string}
                          set logon-password {password}
                          set sso [disable|static|...]
                          config form-data
                              Description: Form data.
                              edit <name>
                                  set value {var-string}
                              next
                          end
                          set sso-credential [sslvpn-login|alternative]
                          set sso-username {var-string}
                          set sso-password {password}
                          set sso-credential-sent-once [enable|disable]
                      next
                  end
              next
          end
          set display-connection-tools [enable|disable]
          set display-history [enable|disable]
          set display-status [enable|disable]
          set heading {string}
          set redir-url {var-string}
          set theme [blue|green|...]
          set custom-lang {string}
          set smb-ntlmv1-auth [enable|disable]
          set smbv1 [enable|disable]
          set smb-min-version [smbv1|smbv2|...]
          set smb-max-version [smbv1|smbv2|...]
          set host-check [none|av|...]
          set host-check-interval {integer}
          set host-check-policy <name1>, <name2>, ...
          set limit-user-logins [enable|disable]
          set mac-addr-check [enable|disable]
          set mac-addr-action [allow|deny]
          config mac-addr-check-rule
              Description: Client MAC address check rule.
              edit <name>
                  set mac-addr-mask {integer}
                  set mac-addr-list <addr1>, <addr2>, ...
              next
          end
          set os-check [enable|disable]
          config os-check-list
              Description: SSL VPN OS checks.
              edit <name>
                  set action [deny|allow|...]
                  set tolerance {integer}
                  set latest-patch-level {user}
              next
          end
          set forticlient-download [enable|disable]
          set forticlient-download-method [direct|ssl-vpn]
          set customize-forticlient-download-url [enable|disable]
          set windows-forticlient-download-url {var-string}
          set macos-forticlient-download-url {var-string}
          set skip-check-for-unsupported-os [enable|disable]
          set skip-check-for-browser [enable|disable]
          set hide-sso-credential [enable|disable]
          config split-dns
              Description: Split DNS for SSL VPN.
              edit <id>
                  set domains {var-string}
                  set dns-server1 {ipv4-address}
                  set dns-server2 {ipv4-address}
                  set ipv6-dns-server1 {ipv6-address}
                  set ipv6-dns-server2 {ipv6-address}
              next
          end
      next
  end

config vpn ssl web portal

Parameter Name	Description	Type	Size
tunnel-mode	Enable/disable IPv4 SSL-VPN tunnel mode. enable: Enable setting. disable: Disable setting.	option	-
ip-mode	Method by which users of this SSL-VPN tunnel obtain IP addresses. range: Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command. user-group: Use IP the addresses associated with individual users or user groups (usually from external auth servers).	option	-
auto-connect	Enable/disable automatic connect by client when system is up. enable: Enable setting. disable: Disable setting.	option	-
keep-alive	Enable/disable automatic reconnect for FortiClient connections. enable: Enable setting. disable: Disable setting.	option	-
save-password	Enable/disable FortiClient saving the user's password. enable: Enable setting. disable: Disable setting.	option	-
ip-pools `<name>`	IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients. Address name.	string	Maximum length: 79
exclusive-routing	Enable/disable all traffic go through tunnel only. enable: Enable setting. disable: Disable setting.	option	-
service-restriction	Enable/disable tunnel service restriction. enable: Enable setting. disable: Disable setting.	option	-
split-tunneling	Enable/disable IPv4 split tunneling. enable: Enable setting. disable: Disable setting.	option	-
split-tunneling-routing-negate	Enable to negate split tunneling routing address. enable: Enable setting. disable: Disable setting.	option	-
split-tunneling-routing-address `<name>`	IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access. Address name.	string	Maximum length: 79
dns-server1	IPv4 DNS server 1.	ipv4-address	Not Specified
dns-server2	IPv4 DNS server 2.	ipv4-address	Not Specified
dns-suffix	DNS suffix.	var-string	Maximum length: 253
wins-server1	IPv4 WINS server 1.	ipv4-address	Not Specified
wins-server2	IPv4 WINS server 1.	ipv4-address	Not Specified
ipv6-tunnel-mode	Enable/disable IPv6 SSL-VPN tunnel mode. enable: Enable setting. disable: Disable setting.	option	-
ipv6-pools `<name>`	IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients. Address name.	string	Maximum length: 79
ipv6-exclusive-routing	Enable/disable all IPv6 traffic go through tunnel only. enable: Enable setting. disable: Disable setting.	option	-
ipv6-service-restriction	Enable/disable IPv6 tunnel service restriction. enable: Enable setting. disable: Disable setting.	option	-
ipv6-split-tunneling	Enable/disable IPv6 split tunneling. enable: Enable setting. disable: Disable setting.	option	-
ipv6-split-tunneling-routing-negate	Enable to negate IPv6 split tunneling routing address. enable: Enable setting. disable: Disable setting.	option	-
ipv6-split-tunneling-routing-address `<name>`	IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access. Address name.	string	Maximum length: 79
ipv6-dns-server1	IPv6 DNS server 1.	ipv6-address	Not Specified
ipv6-dns-server2	IPv6 DNS server 2.	ipv6-address	Not Specified
ipv6-wins-server1	IPv6 WINS server 1.	ipv6-address	Not Specified
ipv6-wins-server2	IPv6 WINS server 2.	ipv6-address	Not Specified
web-mode	Enable/disable SSL VPN web mode. enable: Enable setting. disable: Disable setting.	option	-
display-bookmark	Enable to display the web portal bookmark widget. enable: Enable setting. disable: Disable setting.	option	-
user-bookmark	Enable to allow web portal users to create their own bookmarks. enable: Enable setting. disable: Disable setting.	option	-
allow-user-access	Allow user access to SSL-VPN applications. web: HTTP/HTTPS access. ftp: FTP access. smb: SMB/CIFS access. sftp: SFTP access. telnet: TELNET access. ssh: SSH access. vnc: VNC access. rdp: RDP access. ping: PING access. citrix: CITRIX access. portforward: Port Forward access.	option	-
user-group-bookmark	Enable to allow web portal users to create bookmarks for all users in the same user group. enable: Enable setting. disable: Disable setting.	option	-
display-connection-tools	Enable to display the web portal connection tools widget. enable: Enable setting. disable: Disable setting.	option	-
display-history	Enable to display the web portal user login history widget. enable: Enable setting. disable: Disable setting.	option	-
display-status	Enable to display the web portal status widget. enable: Enable setting. disable: Disable setting.	option	-
heading	Web portal heading message.	string	Maximum length: 31
redir-url	Client login redirect URL.	var-string	Maximum length: 255
theme	Web portal color scheme. blue: Light blue theme. green: Green theme. neutrino: Neutrino theme. melongene: Melongene theme (eggplant color). mariner: Mariner theme (dark blue color).	option	-
custom-lang	Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files.	string	Maximum length: 35
smb-ntlmv1-auth	Enable support of NTLMv1 for Samba authentication. enable: Enable setting. disable: Disable setting.	option	-
smbv1	smbv1 enable: enable disable: disable	option	-
smb-min-version	SMB minimum client protocol version. smbv1: SMB version 1. smbv2: SMB version 2. smbv3: SMB version 3.	option	-
smb-max-version	SMB maximum client protocol version. smbv1: SMB version 1. smbv2: SMB version 2. smbv3: SMB version 3.	option	-
host-check	Type of host checking performed on endpoints. none: No host checking. av: AntiVirus software recognized by the Windows Security Center. fw: Firewall software recognized by the Windows Security Center. av-fw: AntiVirus and firewall software recognized by the Windows Security Center. custom: Custom.	option	-
host-check-interval	Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.	integer	Minimum value: 120 Maximum value: 259200
host-check-policy `<name>`	One or more policies to require the endpoint to have specific security software. Host check software list name.	string	Maximum length: 79
limit-user-logins	Enable to limit each user to one SSL-VPN session at a time. enable: Enable setting. disable: Disable setting.	option	-
mac-addr-check	Enable/disable MAC address host checking. enable: Enable setting. disable: Disable setting.	option	-
mac-addr-action	Client MAC address action. allow: Allow connection when client MAC address is matched. deny: Deny connection when client MAC address is matched.	option	-
os-check	Enable to let the FortiGate decide action based on client OS. enable: Enable setting. disable: Disable setting.	option	-
forticlient-download	Enable/disable download option for FortiClient. enable: Enable setting. disable: Disable setting.	option	-
forticlient-download-method	FortiClient download method. direct: Download via direct link. ssl-vpn: Download via SSL-VPN.	option	-
customize-forticlient-download-url	Enable support of customized download URL for FortiClient. enable: Enable setting. disable: Disable setting.	option	-
windows-forticlient-download-url	Download URL for Windows FortiClient.	var-string	Maximum length: 1023
macos-forticlient-download-url	Download URL for Mac FortiClient.	var-string	Maximum length: 1023
skip-check-for-unsupported-os	Enable to skip host check if client OS does not support it. enable: Enable setting. disable: Disable setting.	option	-
skip-check-for-browser	Enable to skip host check for browser support. enable: Enable setting. disable: Disable setting.	option	-
hide-sso-credential	Enable to prevent SSO credential being sent to client. enable: Enable setting. disable: Disable setting.	option	-

config bookmarks

Parameter Name	Description	Type	Size
apptype	Application type. ftp: FTP. rdp: RDP. sftp: SFTP. smb: SMB/CIFS. ssh: SSH. telnet: Telnet. vnc: VNC. web: HTTP/HTTPS.	option	-
url	URL parameter.	var-string	Maximum length: 128
host	Host name/IP parameter.	var-string	Maximum length: 128
folder	Network shared file folder parameter.	var-string	Maximum length: 128
additional-params	Additional parameters.	var-string	Maximum length: 128
listening-port	Listening port (0 - 65535).	integer	Minimum value: 0 Maximum value: 65535
remote-port	Remote port (0 - 65535).	integer	Minimum value: 0 Maximum value: 65535
show-status-window	Enable/disable showing of status window. enable: Enable setting. disable: Disable setting.	option	-
description	Description.	var-string	Maximum length: 128
server-layout	Server side keyboard layout. de-de-qwertz: German (qwertz). en-gb-qwerty: Engligh (UK). en-us-qwerty: English (US). es-es-qwerty: Spanish. fr-ca-qwerty: Canadian French (qwerty). fr-fr-azerty: French (azerty). fr-ch-qwertz: Swiss French (qwertz). it-it-qwerty: Italian. ja-jp-qwerty: Japanese. pt-br-qwerty: Portuguese/Brazilian. sv-se-qwerty: Swedish. tr-tr-qwerty: Turkish. failsafe: Unknown keyboard.	option	-
security	Security mode for RDP connection. rdp: Standard RDP encryption. nla: Network Level Authentication. tls: TLS encryption. any: Allow the server to choose the type of security.	option	-
preconnection-id	The numeric ID of the RDP source (0-2147483648).	integer	Minimum value: 0 Maximum value: 2147483648
preconnection-blob	An arbitrary string which identifies the RDP source.	var-string	Maximum length: 511
load-balancing-info	The load balancing information or cookie which should be provided to the connection broker.	var-string	Maximum length: 511
port	Remote port.	integer	Minimum value: 0 Maximum value: 65535
logon-user	Logon user.	var-string	Maximum length: 35
logon-password	Logon password.	password	Not Specified
sso	Single Sign-On. disable: Disable SSO. static: Static SSO. auto: Auto SSO.	option	-
sso-credential	Single sign-on credentials. sslvpn-login: SSL-VPN login. alternative: Alternative.	option	-
sso-username	SSO user name.	var-string	Maximum length: 35
sso-password	SSO password.	password	Not Specified
sso-credential-sent-once	Single sign-on credentials are only sent once to remote server. enable: Single sign-on credentials are only sent once to remote server. disable: Single sign-on credentials are sent to remote server for every HTTP request.	option	-

config form-data

Parameter Name	Description	Type	Size
value	Value.	var-string	Maximum length: 63

config mac-addr-check-rule

Parameter Name	Description	Type	Size
mac-addr-mask	Client MAC address mask.	integer	Minimum value: 1 Maximum value: 48
mac-addr-list `<addr>`	Client MAC address list. Client MAC address.	mac-address	Not Specified

config os-check-list

Parameter Name	Description	Type	Size
action	OS check options. deny: Deny all OS versions. allow: Allow any OS version. check-up-to-date: Verify OS is up-to-date.	option	-
tolerance	OS patch level tolerance.	integer	Minimum value: 0 Maximum value: 65535
latest-patch-level	Latest OS patch level.	user	Not Specified

config split-dns

Parameter Name	Description	Type	Size
domains	Split DNS domains used for SSL-VPN clients separated by comma(,).	var-string	Maximum length: 1024
dns-server1	DNS server 1.	ipv4-address	Not Specified
dns-server2	DNS server 2.	ipv4-address	Not Specified
ipv6-dns-server1	IPv6 DNS server 1.	ipv6-address	Not Specified
ipv6-dns-server2	IPv6 DNS server 2.	ipv6-address	Not Specified

Portal.

config vpn ssl web portal Description: Portal. edit <name> set tunnel-mode [enable|disable] set ip-mode [range|user-group] set auto-connect [enable|disable] set keep-alive [enable|disable] set save-password [enable|disable] set ip-pools <name1>, <name2>, ... set exclusive-routing [enable|disable] set service-restriction [enable|disable] set split-tunneling [enable|disable] set split-tunneling-routing-negate [enable|disable] set split-tunneling-routing-address <name1>, <name2>, ... set dns-server1 {ipv4-address} set dns-server2 {ipv4-address} set dns-suffix {var-string} set wins-server1 {ipv4-address} set wins-server2 {ipv4-address} set ipv6-tunnel-mode [enable|disable] set ipv6-pools <name1>, <name2>, ... set ipv6-exclusive-routing [enable|disable] set ipv6-service-restriction [enable|disable] set ipv6-split-tunneling [enable|disable] set ipv6-split-tunneling-routing-negate [enable|disable] set ipv6-split-tunneling-routing-address <name1>, <name2>, ... set ipv6-dns-server1 {ipv6-address} set ipv6-dns-server2 {ipv6-address} set ipv6-wins-server1 {ipv6-address} set ipv6-wins-server2 {ipv6-address} set web-mode [enable|disable] set display-bookmark [enable|disable] set user-bookmark [enable|disable] set allow-user-access {option1}, {option2}, ... set user-group-bookmark [enable|disable] config bookmark-group Description: Portal bookmark group. edit <name> config bookmarks Description: Bookmark table. edit <name> set apptype [ftp|rdp|...] set url {var-string} set host {var-string} set folder {var-string} set additional-params {var-string} set listening-port {integer} set remote-port {integer} set show-status-window [enable|disable] set description {var-string} set server-layout [de-de-qwertz|en-gb-qwerty|...] set security [rdp|nla|...] set preconnection-id {integer} set preconnection-blob {var-string} set load-balancing-info {var-string} set port {integer} set logon-user {var-string} set logon-password {password} set sso [disable|static|...] config form-data Description: Form data. edit <name> set value {var-string} next end set sso-credential [sslvpn-login|alternative] set sso-username {var-string} set sso-password {password} set sso-credential-sent-once [enable|disable] next end next end set display-connection-tools [enable|disable] set display-history [enable|disable] set display-status [enable|disable] set heading {string} set redir-url {var-string} set theme [blue|green|...] set custom-lang {string} set smb-ntlmv1-auth [enable|disable] set smbv1 [enable|disable] set smb-min-version [smbv1|smbv2|...] set smb-max-version [smbv1|smbv2|...] set host-check [none|av|...] set host-check-interval {integer} set host-check-policy <name1>, <name2>, ... set limit-user-logins [enable|disable] set mac-addr-check [enable|disable] set mac-addr-action [allow|deny] config mac-addr-check-rule Description: Client MAC address check rule. edit <name> set mac-addr-mask {integer} set mac-addr-list <addr1>, <addr2>, ... next end set os-check [enable|disable] config os-check-list Description: SSL VPN OS checks. edit <name> set action [deny|allow|...] set tolerance {integer} set latest-patch-level {user} next end set forticlient-download [enable|disable] set forticlient-download-method [direct|ssl-vpn] set customize-forticlient-download-url [enable|disable] set windows-forticlient-download-url {var-string} set macos-forticlient-download-url {var-string} set skip-check-for-unsupported-os [enable|disable] set skip-check-for-browser [enable|disable] set hide-sso-credential [enable|disable] config split-dns Description: Split DNS for SSL VPN. edit <id> set domains {var-string} set dns-server1 {ipv4-address} set dns-server2 {ipv4-address} set ipv6-dns-server1 {ipv6-address} set ipv6-dns-server2 {ipv6-address} next end next end

config vpn ssl web portal

Parameter Name

Description

Type

Size

tunnel-mode

Enable/disable IPv4 SSL-VPN tunnel mode.
enable: Enable setting.
disable: Disable setting.

option

ip-mode

Method by which users of this SSL-VPN tunnel obtain IP addresses.
range: Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.
user-group: Use IP the addresses associated with individual users or user groups (usually from external auth servers).

option

auto-connect

Enable/disable automatic connect by client when system is up.
enable: Enable setting.
disable: Disable setting.

option

keep-alive

Enable/disable automatic reconnect for FortiClient connections.
enable: Enable setting.
disable: Disable setting.

option

save-password

Enable/disable FortiClient saving the user's password.
enable: Enable setting.
disable: Disable setting.

option

ip-pools <name>

IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
Address name.

string

Maximum length: 79

exclusive-routing

Enable/disable all traffic go through tunnel only.
enable: Enable setting.
disable: Disable setting.

option

service-restriction

Enable/disable tunnel service restriction.
enable: Enable setting.
disable: Disable setting.

option

split-tunneling

Enable/disable IPv4 split tunneling.
enable: Enable setting.
disable: Disable setting.

option

split-tunneling-routing-negate

Enable to negate split tunneling routing address.
enable: Enable setting.
disable: Disable setting.

option

split-tunneling-routing-address <name>

IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
Address name.

string

Maximum length: 79

dns-server1

IPv4 DNS server 1.

ipv4-address

Not Specified

dns-server2

IPv4 DNS server 2.

ipv4-address

Not Specified

dns-suffix

DNS suffix.

var-string

Maximum length: 253

wins-server1

IPv4 WINS server 1.

ipv4-address

Not Specified

wins-server2

IPv4 WINS server 1.

ipv4-address

Not Specified

ipv6-tunnel-mode

Enable/disable IPv6 SSL-VPN tunnel mode.
enable: Enable setting.
disable: Disable setting.

option

ipv6-pools <name>

IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
Address name.

string

Maximum length: 79

ipv6-exclusive-routing

Enable/disable all IPv6 traffic go through tunnel only.
enable: Enable setting.
disable: Disable setting.

option

ipv6-service-restriction

Enable/disable IPv6 tunnel service restriction.
enable: Enable setting.
disable: Disable setting.

option

ipv6-split-tunneling

Enable/disable IPv6 split tunneling.
enable: Enable setting.
disable: Disable setting.

option

ipv6-split-tunneling-routing-negate

Enable to negate IPv6 split tunneling routing address.
enable: Enable setting.
disable: Disable setting.

option

ipv6-split-tunneling-routing-address <name>

IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
Address name.

string

Maximum length: 79

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

web-mode

Enable/disable SSL VPN web mode.
enable: Enable setting.
disable: Disable setting.

option

display-bookmark

Enable to display the web portal bookmark widget.
enable: Enable setting.
disable: Disable setting.

option

user-bookmark

Enable to allow web portal users to create their own bookmarks.
enable: Enable setting.
disable: Disable setting.

option

allow-user-access

Allow user access to SSL-VPN applications.
web: HTTP/HTTPS access.
ftp: FTP access.
smb: SMB/CIFS access.
sftp: SFTP access.
telnet: TELNET access.
ssh: SSH access.
vnc: VNC access.
rdp: RDP access.
ping: PING access.
citrix: CITRIX access.
portforward: Port Forward access.

option

user-group-bookmark

Enable to allow web portal users to create bookmarks for all users in the same user group.
enable: Enable setting.
disable: Disable setting.

option

display-connection-tools

Enable to display the web portal connection tools widget.
enable: Enable setting.
disable: Disable setting.

option

display-history

Enable to display the web portal user login history widget.
enable: Enable setting.
disable: Disable setting.

option

display-status

Enable to display the web portal status widget.
enable: Enable setting.
disable: Disable setting.

option

heading

Web portal heading message.

string

Maximum length: 31

redir-url

Client login redirect URL.

var-string

Maximum length: 255

theme

Web portal color scheme.
blue: Light blue theme.
green: Green theme.
neutrino: Neutrino theme.
melongene: Melongene theme (eggplant color).
mariner: Mariner theme (dark blue color).

option

custom-lang

Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files.

string

Maximum length: 35

smb-ntlmv1-auth

Enable support of NTLMv1 for Samba authentication.
enable: Enable setting.
disable: Disable setting.

option

smbv1

smbv1
enable: enable
disable: disable

option

smb-min-version

SMB minimum client protocol version.
smbv1: SMB version 1.
smbv2: SMB version 2.
smbv3: SMB version 3.

option

smb-max-version

SMB maximum client protocol version.
smbv1: SMB version 1.
smbv2: SMB version 2.
smbv3: SMB version 3.

option

host-check

Type of host checking performed on endpoints.
none: No host checking.
av: AntiVirus software recognized by the Windows Security Center.
fw: Firewall software recognized by the Windows Security Center.
av-fw: AntiVirus and firewall software recognized by the Windows Security Center.
custom: Custom.

option

host-check-interval

Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.

integer

Minimum value: 120 Maximum value: 259200

host-check-policy <name>

One or more policies to require the endpoint to have specific security software.
Host check software list name.

string

Maximum length: 79

limit-user-logins

Enable to limit each user to one SSL-VPN session at a time.
enable: Enable setting.
disable: Disable setting.

option

mac-addr-check

Enable/disable MAC address host checking.
enable: Enable setting.
disable: Disable setting.

option

mac-addr-action

Client MAC address action.
allow: Allow connection when client MAC address is matched.
deny: Deny connection when client MAC address is matched.

option

os-check

Enable to let the FortiGate decide action based on client OS.
enable: Enable setting.
disable: Disable setting.

option

forticlient-download

Enable/disable download option for FortiClient.
enable: Enable setting.
disable: Disable setting.

option

forticlient-download-method

FortiClient download method.
direct: Download via direct link.
ssl-vpn: Download via SSL-VPN.

option

customize-forticlient-download-url

Enable support of customized download URL for FortiClient.
enable: Enable setting.
disable: Disable setting.

option

windows-forticlient-download-url

Download URL for Windows FortiClient.

var-string

Maximum length: 1023

macos-forticlient-download-url

Download URL for Mac FortiClient.

var-string

Maximum length: 1023

skip-check-for-unsupported-os

Enable to skip host check if client OS does not support it.
enable: Enable setting.
disable: Disable setting.

option

skip-check-for-browser

Enable to skip host check for browser support.
enable: Enable setting.
disable: Disable setting.

option

hide-sso-credential

Enable to prevent SSO credential being sent to client.
enable: Enable setting.
disable: Disable setting.

option

config bookmarks

Parameter Name

Description

Type

Size

apptype

Application type.
ftp: FTP.
rdp: RDP.
sftp: SFTP.
smb: SMB/CIFS.
ssh: SSH.
telnet: Telnet.
vnc: VNC.
web: HTTP/HTTPS.

option

url

URL parameter.

var-string

Maximum length: 128

host

Host name/IP parameter.

var-string

Maximum length: 128

folder

Network shared file folder parameter.

var-string

Maximum length: 128

additional-params

Additional parameters.

var-string

Maximum length: 128

listening-port

Listening port (0 - 65535).

integer

Minimum value: 0 Maximum value: 65535

remote-port

Remote port (0 - 65535).

integer

Minimum value: 0 Maximum value: 65535

show-status-window

Enable/disable showing of status window.
enable: Enable setting.
disable: Disable setting.

option

description

Description.

var-string

Maximum length: 128

server-layout

Server side keyboard layout.
de-de-qwertz: German (qwertz).
en-gb-qwerty: Engligh (UK).
en-us-qwerty: English (US).
es-es-qwerty: Spanish.
fr-ca-qwerty: Canadian French (qwerty).
fr-fr-azerty: French (azerty).
fr-ch-qwertz: Swiss French (qwertz).
it-it-qwerty: Italian.
ja-jp-qwerty: Japanese.
pt-br-qwerty: Portuguese/Brazilian.
sv-se-qwerty: Swedish.
tr-tr-qwerty: Turkish.
failsafe: Unknown keyboard.

option

security

Security mode for RDP connection.
rdp: Standard RDP encryption.
nla: Network Level Authentication.
tls: TLS encryption.
any: Allow the server to choose the type of security.

option

preconnection-id

The numeric ID of the RDP source (0-2147483648).

integer

Minimum value: 0 Maximum value: 2147483648

preconnection-blob

An arbitrary string which identifies the RDP source.

var-string

Maximum length: 511

load-balancing-info

The load balancing information or cookie which should be provided to the connection broker.

var-string

Maximum length: 511

port

Remote port.

integer

Minimum value: 0 Maximum value: 65535

logon-user

Logon user.

var-string

Maximum length: 35

logon-password

Logon password.

password

Not Specified

sso

Single Sign-On.
disable: Disable SSO.
static: Static SSO.
auto: Auto SSO.

option

sso-credential

Single sign-on credentials.
sslvpn-login: SSL-VPN login.
alternative: Alternative.

option

sso-username

SSO user name.

var-string

Maximum length: 35

sso-password

SSO password.

password

Not Specified

sso-credential-sent-once

Single sign-on credentials are only sent once to remote server.
enable: Single sign-on credentials are only sent once to remote server.
disable: Single sign-on credentials are sent to remote server for every HTTP request.

option

config form-data

Parameter Name

Description

Type

Size

value

Value.

var-string

Maximum length: 63

Parameter Name

Description

Type

Size

mac-addr-mask

Client MAC address mask.

integer

Minimum value: 1 Maximum value: 48

mac-addr-list <addr>

Client MAC address list.
Client MAC address.

mac-address

Not Specified

config os-check-list

Parameter Name

Description

Type

Size

action

OS check options.
deny: Deny all OS versions.
allow: Allow any OS version.
check-up-to-date: Verify OS is up-to-date.

option

tolerance

OS patch level tolerance.

integer

Minimum value: 0 Maximum value: 65535

latest-patch-level

Latest OS patch level.

user

Not Specified

config split-dns

Parameter Name

Description

Type

Size

domains

Split DNS domains used for SSL-VPN clients separated by comma(,).

var-string

Maximum length: 1024

dns-server1

DNS server 1.

ipv4-address

Not Specified

dns-server2

DNS server 2.

ipv4-address

Not Specified

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

vpn ssl web portal

Portal.

config vpn ssl web portal

config bookmarks

config form-data

config mac-addr-check-rule

config os-check-list

config split-dns

vpn ssl web portal

Portal.

config vpn ssl web portal

config bookmarks

config form-data