config vpn ssl settings

Configure SSL VPN.

config vpn ssl settings
    Description: Configure SSL VPN.
    set reqclientcert [enable|disable]
    set sslv3 [enable|disable]
    set tlsv1-0 [enable|disable]
    set tlsv1-1 [enable|disable]
    set tlsv1-2 [enable|disable]
    set banned-cipher [RSA|DH|...]
    set ssl-big-buffer [enable|disable]
    set ssl-insert-empty-fragment [enable|disable]
    set https-redirect [enable|disable]
    set ssl-client-renegotiation [disable|enable]
    set force-two-factor-auth [enable|disable]
    set unsafe-legacy-renegotiation [enable|disable]
    set servercert {string}
    set algorithm [high|medium|...]
    set idle-timeout {integer}
    set auth-timeout {integer}
    set login-attempt-limit {integer}
    set login-block-time {integer}
    set login-timeout {integer}
    set dtls-hello-timeout {integer}
    config tunnel-ip-pools
        Description: Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
        edit <name>
        next
    end
    config tunnel-ipv6-pools
        Description: Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
        edit <name>
        next
    end
    set dns-suffix {var-string}
    set dns-server1 {ipv4-address}
    set dns-server2 {ipv4-address}
    set wins-server1 {ipv4-address}
    set wins-server2 {ipv4-address}
    set ipv6-dns-server1 {ipv6-address}
    set ipv6-dns-server2 {ipv6-address}
    set ipv6-wins-server1 {ipv6-address}
    set ipv6-wins-server2 {ipv6-address}
    set route-source-interface [enable|disable]
    set url-obscuration [enable|disable]
    set http-compression [enable|disable]
    set http-only-cookie [enable|disable]
    set deflate-compression-level {integer}
    set deflate-min-data-size {integer}
    set port {integer}
    set port-precedence [enable|disable]
    set auto-tunnel-static-route [enable|disable]
    set header-x-forwarded-for [pass|add|...]
    config source-interface
        Description: SSL VPN source interface of incoming traffic.
        edit <name>
        next
    end
    config source-address
        Description: Source address of incoming traffic.
        edit <name>
        next
    end
    set source-address-negate [enable|disable]
    config source-address6
        Description: IPv6 source address of incoming traffic.
        edit <name>
        next
    end
    set source-address6-negate [enable|disable]
    set default-portal {string}
    config authentication-rule
        Description: Authentication rule for SSL VPN.
        edit <id>
            config source-interface
                Description: SSL VPN source interface of incoming traffic.
                edit <name>
                next
            end
            config source-address
                Description: Source address of incoming traffic.
                edit <name>
                next
            end
            set source-address-negate [enable|disable]
            config source-address6
                Description: IPv6 source address of incoming traffic.
                edit <name>
                next
            end
            set source-address6-negate [enable|disable]
            config users
                Description: User name.
                edit <name>
                next
            end
            config groups
                Description: User groups.
                edit <name>
                next
            end
            set portal {string}
            set realm {string}
            set client-cert [enable|disable]
            set cipher [any|high|...]
            set auth [any|local|...]
        next
    end
    set dtls-tunnel [enable|disable]
    set check-referer [enable|disable]
    set http-request-header-timeout {integer}
    set http-request-body-timeout {integer}
end

config vpn ssl settings

Parameter	Description	Type	Size
reqclientcert	Enable to require client certificates for all SSL-VPN users.	option	-
	Option Description enable Enable setting. disable Disable setting.
sslv3	sslv3	option	-
	Option Description enable enable disable disable
tlsv1-0	Enable/disable TLSv1.0.	option	-
	Option Description enable Enable setting. disable Disable setting.
tlsv1-1	Enable/disable TLSv1.1.	option	-
	Option Description enable Enable setting. disable Disable setting.
tlsv1-2	Enable/disable TLSv1.2.	option	-
	Option Description enable Enable setting. disable Disable setting.
banned-cipher	Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.	option	-
	Option Description RSA Ban the use of cipher suites using RSA key. DH Ban the use of cipher suites using DH. DHE Ban the use of cipher suites using authenticated ephemeral DH key agreement. ECDH Ban the use of cipher suites using ECDH key exchange. ECDHE Ban the use of cipher suites using authenticated ephemeral ECDH key agreement. DSS Ban the use of cipher suites using DSS authentication. ECDSA Ban the use of cipher suites using ECDSA authentication. AES Ban the use of cipher suites using either 128 or 256 bit AES. AESGCM Ban the use of cipher suites AES in Galois Counter Mode (GCM). CAMELLIA Ban the use of cipher suites using either 128 or 256 bit CAMELLIA. 3DES Ban the use of cipher suites using triple DES SHA1 Ban the use of cipher suites using SHA1. SHA256 Ban the use of cipher suites using SHA256. SHA384 Ban the use of cipher suites using SHA384. STATIC Ban the use of cipher suites using static keys.
ssl-big-buffer	Disable using the big SSLv3 buffer feature to save memory and force higher security.	option	-
	Option Description enable Enable setting. disable Disable setting.
ssl-insert-empty-fragment	Enable/disable insertion of empty fragment.	option	-
	Option Description enable Enable setting. disable Disable setting.
https-redirect	Enable/disable redirect of port 80 to SSL-VPN port.	option	-
	Option Description enable Enable setting. disable Disable setting.
ssl-client-renegotiation	Enable to allow client renegotiation by the server if the tunnel goes down.	option	-
	Option Description disable Abort any SSL connection that attempts to renegotiate. enable Allow a SSL client to renegotiate.
force-two-factor-auth	Enable to force two-factor authentication for all SSL-VPNs.	option	-
	Option Description enable Enable setting. disable Disable setting.
unsafe-legacy-renegotiation	Enable/disable unsafe legacy re-negotiation.	option	-
	Option Description enable Enable setting. disable Disable setting.
servercert	Name of the server certificate to be used for SSL-VPNs.	string	Maximum length: 35
algorithm	Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.	option	-
	Option Description high High algorithms. medium High and medium algorithms. default default low All algorithms.
idle-timeout	SSL VPN disconnects if idle for specified time in seconds.	integer	Minimum value: 0 Maximum value: 259200
auth-timeout	SSL-VPN authentication timeout.	integer	Minimum value: 0 Maximum value: 259200
login-attempt-limit	SSL VPN maximum login attempt times before block.	integer	Minimum value: 0 Maximum value: 4294967295
login-block-time	Time for which a user is blocked from logging in after too many failed login attempts.	integer	Minimum value: 0 Maximum value: 4294967295
login-timeout	SSLVPN maximum login timeout.	integer	Minimum value: 10 Maximum value: 180
dtls-hello-timeout	SSLVPN maximum DTLS hello timeout.	integer	Minimum value: 10 Maximum value: 60
dns-suffix	DNS suffix used for SSL-VPN clients.	var-string	Maximum length: 253
dns-server1	DNS server 1.	ipv4-address	Not Specified
dns-server2	DNS server 2.	ipv4-address	Not Specified
wins-server1	WINS server 1.	ipv4-address	Not Specified
wins-server2	WINS server 2.	ipv4-address	Not Specified
ipv6-dns-server1	IPv6 DNS server 1.	ipv6-address	Not Specified
ipv6-dns-server2	IPv6 DNS server 2.	ipv6-address	Not Specified
ipv6-wins-server1	IPv6 WINS server 1.	ipv6-address	Not Specified
ipv6-wins-server2	IPv6 WINS server 2.	ipv6-address	Not Specified
route-source-interface	Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.	option	-
	Option Description enable Enable setting. disable Disable setting.
url-obscuration	Enable to obscure the host name of the URL of the web browser display.	option	-
	Option Description enable Enable setting. disable Disable setting.
http-compression	Enable to allow HTTP compression over SSL-VPN tunnels.	option	-
	Option Description enable Enable setting. disable Disable setting.
http-only-cookie	Enable/disable SSL-VPN support for HttpOnly cookies.	option	-
	Option Description enable Enable setting. disable Disable setting.
deflate-compression-level	Compression level (0~9).	integer	Minimum value: 0 Maximum value: 9
deflate-min-data-size	Minimum amount of data that triggers compression.	integer	Minimum value: 200 Maximum value: 65535
port	SSL-VPN access port.	integer	Minimum value: 1 Maximum value: 65535
port-precedence	Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.	option	-
	Option Description enable Enable setting. disable Disable setting.
auto-tunnel-static-route	Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.	option	-
	Option Description enable Enable setting. disable Disable setting.
header-x-forwarded-for	Forward the same, add, or remove HTTP header.	option	-
	Option Description pass Forward the same HTTP header. add Add the HTTP header. remove Remove the HTTP header.
source-address-negate	Enable/disable negated source address match.	option	-
	Option Description enable Enable setting. disable Disable setting.
source-address6-negate	Enable/disable negated source IPv6 address match.	option	-
	Option Description enable Enable setting. disable Disable setting.
default-portal	Default SSL VPN portal.	string	Maximum length: 35
dtls-tunnel	Enable DTLS to prevent eavesdropping, tampering, or message forgery.	option	-
	Option Description enable Enable setting. disable Disable setting.
check-referer	Enable/disable verification of referer field in HTTP request header.	option	-
	Option Description enable Enable verification of referer field in HTTP request header. disable Disable verification of referer field in HTTP request header.
http-request-header-timeout	SSL-VPN session is disconnected if an HTTP request header is not received within this time.	integer	Minimum value: 0 Maximum value: 4294967295
http-request-body-timeout	SSL-VPN session is disconnected if an HTTP request body is not received within this time.	integer	Minimum value: 0 Maximum value: 4294967295

config tunnel-ip-pools

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config tunnel-ipv6-pools

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config source-interface

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 35

config source-interface

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 35

config source-address

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config source-address

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config source-address6

Parameter	Description	Type	Size
name	IPv6 address name.	string	Maximum length: 64

config source-address6

Parameter	Description	Type	Size
name	IPv6 address name.	string	Maximum length: 64

config authentication-rule

Parameter	Description	Type	Size
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295
source-address-negate	Enable/disable negated source address match.	option	-
	Option Description enable Enable setting. disable Disable setting.
source-address6-negate	Enable/disable negated source IPv6 address match.	option	-
	Option Description enable Enable setting. disable Disable setting.
portal	SSL VPN portal.	string	Maximum length: 35
realm	SSL VPN realm.	string	Maximum length: 35
client-cert	Enable/disable SSL VPN client certificate restrictive.	option	-
	Option Description enable Enable setting. disable Disable setting.
cipher	SSL VPN cipher strength.	option	-
	Option Description any Any cipher strength. high High cipher strength (>= 168 bits). medium Medium cipher strength (>= 128 bits).
auth	SSL VPN authentication method restriction.	option	-
	Option Description any Any local Local radius RADIUS tacacs+ TACACS+ ldap LDAP

config source-interface

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 35

config source-interface

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 35

config source-address

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config source-address

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config source-address6

Parameter	Description	Type	Size
name	IPv6 address name.	string	Maximum length: 64

config source-address6

Parameter	Description	Type	Size
name	IPv6 address name.	string	Maximum length: 64

config users

Parameter	Description	Type	Size
name	User name.	string	Maximum length: 64

config groups

Parameter	Description	Type	Size
name	Group name.	string	Maximum length: 64