CLI Reference

config vpn ssl settings

Configure SSL-VPN.

config vpn ssl settings
    Description: Configure SSL-VPN.
    set status [enable|disable]
    set reqclientcert [enable|disable]
    set user-peer {string}
    set ssl-max-proto-ver [tls1-0|tls1-1|...]
    set ssl-min-proto-ver [tls1-0|tls1-1|...]
    set banned-cipher {option1}, {option2}, ...
    set ciphersuite {option1}, {option2}, ...
    set ssl-insert-empty-fragment [enable|disable]
    set https-redirect [enable|disable]
    set x-content-type-options [enable|disable]
    set ssl-client-renegotiation [disable|enable]
    set force-two-factor-auth [enable|disable]
    set unsafe-legacy-renegotiation [enable|disable]
    set servercert {string}
    set algorithm [high|medium|...]
    set idle-timeout {integer}
    set auth-timeout {integer}
    set login-attempt-limit {integer}
    set login-block-time {integer}
    set login-timeout {integer}
    set dtls-hello-timeout {integer}
    set tunnel-ip-pools <name1>, <name2>, ...
    set tunnel-ipv6-pools <name1>, <name2>, ...
    set dns-suffix {var-string}
    set dns-server1 {ipv4-address}
    set dns-server2 {ipv4-address}
    set wins-server1 {ipv4-address}
    set wins-server2 {ipv4-address}
    set ipv6-dns-server1 {ipv6-address}
    set ipv6-dns-server2 {ipv6-address}
    set ipv6-wins-server1 {ipv6-address}
    set ipv6-wins-server2 {ipv6-address}
    set url-obscuration [enable|disable]
    set http-compression [enable|disable]
    set http-only-cookie [enable|disable]
    set deflate-compression-level {integer}
    set deflate-min-data-size {integer}
    set port {integer}
    set port-precedence [enable|disable]
    set auto-tunnel-static-route [enable|disable]
    set header-x-forwarded-for [pass|add|...]
    set source-interface <name1>, <name2>, ...
    set source-address <name1>, <name2>, ...
    set source-address-negate [enable|disable]
    set source-address6 <name1>, <name2>, ...
    set source-address6-negate [enable|disable]
    set default-portal {string}
    config authentication-rule
        Description: Authentication rule for SSL-VPN.
        edit <id>
            set source-interface <name1>, <name2>, ...
            set source-address <name1>, <name2>, ...
            set source-address-negate [enable|disable]
            set source-address6 <name1>, <name2>, ...
            set source-address6-negate [enable|disable]
            set users <name1>, <name2>, ...
            set groups <name1>, <name2>, ...
            set portal {string}
            set realm {string}
            set client-cert [enable|disable]
            set user-peer {string}
            set cipher [any|high|...]
            set auth [any|local|...]
        next
    end
    set browser-language-detection [enable|disable]
    set dtls-tunnel [enable|disable]
    set dtls-max-proto-ver [dtls1-0|dtls1-2]
    set dtls-min-proto-ver [dtls1-0|dtls1-2]
    set check-referer [enable|disable]
    set http-request-header-timeout {integer}
    set http-request-body-timeout {integer}
    set auth-session-check-source-ip [enable|disable]
    set tunnel-connect-without-reauth [enable|disable]
    set tunnel-user-session-timeout {integer}
    set hsts-include-subdomains [enable|disable]
    set transform-backward-slashes [enable|disable]
    set encode-2f-sequence [enable|disable]
    set encrypt-and-store-password [enable|disable]
    set client-sigalgs [no-rsa-pss|all]
    set dual-stack-mode [enable|disable]
    set tunnel-addr-assigned-method [first-available|round-robin]
    set saml-redirect-port {integer}
    set web-mode-snat [enable|disable]
    set ztna-trusted-client [enable|disable]
    set server-hostname {string}
end

config vpn ssl settings

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| status | Enable/disable SSL-VPN. Options: enable = Enable SSL-VPN; disable = Disable SSL-VPN. | option | - | enable |
| reqclientcert | Enable/disable to require client certificates for all SSL-VPN users. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| user-peer | Name of user peer. | string | Maximum length: 35 | |
| ssl-max-proto-ver | SSL maximum protocol version. Options: tls1-0 = TLS version 1.0; tls1-1 = TLS version 1.1; tls1-2 = TLS version 1.2; tls1-3 = TLS version 1.3. | option | - | tls1-3 |
| ssl-min-proto-ver | SSL minimum protocol version. Options: tls1-0 = TLS version 1.0; tls1-1 = TLS version 1.1; tls1-2 = TLS version 1.2; tls1-3 = TLS version 1.3. | option | - | tls1-2 |
| banned-cipher | Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Only applies to TLS 1.2 and below. Options: RSA = Ban the use of cipher suites using RSA key; DHE = Ban the use of cipher suites using authenticated ephemeral DH key agreement; ECDHE = Ban the use of cipher suites using authenticated ephemeral ECDH key agreement; DSS = Ban the use of cipher suites using DSS authentication; ECDSA = Ban the use of cipher suites using ECDSA authentication; AES = Ban the use of cipher suites using either 128 or 256 bit AES; AESGCM = Ban the use of cipher suites AES in Galois Counter Mode (GCM); CAMELLIA = Ban the use of cipher suites using either 128 or 256 bit CAMELLIA; 3DES = Ban the use of cipher suites using triple DES; SHA1 = Ban the use of cipher suites using HMAC-SHA1; SHA256 = Ban the use of cipher suites using HMAC-SHA256; SHA384 = Ban the use of cipher suites using HMAC-SHA384; STATIC = Ban the use of cipher suites using static keys; CHACHA20 = Ban the use of cipher suites using ChaCha20; ARIA = Ban the use of cipher suites using ARIA; AESCCM = Ban the use of cipher suites using AESCCM. | option | - | |
| ciphersuite | Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Options: TLS-AES-128-GCM-SHA256 = Enable TLS-AES-128-GCM-SHA256 in TLS 1.3; TLS-AES-256-GCM-SHA384 = Enable TLS-AES-256-GCM-SHA384 in TLS 1.3; TLS-CHACHA20-POLY1305-SHA256 = Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3; TLS-AES-128-CCM-SHA256 = Enable TLS-AES-128-CCM-SHA256 in TLS 1.3; TLS-AES-128-CCM-8-SHA256 = Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3. | option | - | TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 |
| ssl-insert-empty-fragment | Enable/disable insertion of empty fragment. Options: enable = Enable setting; disable = Disable setting. | option | - | enable |
| https-redirect | Enable/disable redirect of port 80 to SSL-VPN port. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| x-content-type-options | Add HTTP X-Content-Type-Options header. Options: enable = Enable setting; disable = Disable setting. | option | - | enable |
| ssl-client-renegotiation | Enable/disable to allow client renegotiation by the server if the tunnel goes down. Options: disable = Abort any SSL connection that attempts to renegotiate; enable = Allow a SSL client to renegotiate. | option | - | disable |
| force-two-factor-auth | Enable/disable only PKI users with two-factor authentication for SSL-VPNs. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| unsafe-legacy-renegotiation | Enable/disable unsafe legacy re-negotiation. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| servercert | Name of the server certificate to be used for SSL-VPNs. | string | Maximum length: 35 | self-sign |
| algorithm | Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Options: high = High algorithms; medium = High and medium algorithms; default = default; low = All algorithms. | option | - | high |
| idle-timeout | SSL-VPN disconnects if idle for specified time in seconds. | integer | Minimum value: 0 Maximum value: 259200 | 300 |
| auth-timeout | SSL-VPN authentication timeout. | integer | Minimum value: 0 Maximum value: 259200 | 28800 |
| login-attempt-limit | SSL-VPN maximum login attempt times before block. | integer | Minimum value: 0 Maximum value: 4294967295 | 2 |
| login-block-time | Time for which a user is blocked from logging in after too many failed login attempts. | integer | Minimum value: 0 Maximum value: 4294967295 | 60 |
| login-timeout | SSLVPN maximum login timeout. | integer | Minimum value: 10 Maximum value: 180 | 30 |
| dtls-hello-timeout | SSLVPN maximum DTLS hello timeout. | integer | Minimum value: 10 Maximum value: 60 | 10 |
| tunnel-ip-pools <name> | Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name. | string | Maximum length: 79 | |
| tunnel-ipv6-pools <name> | Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name. | string | Maximum length: 79 | |
| dns-suffix | DNS suffix used for SSL-VPN clients. | var-string | Maximum length: 253 | |
| dns-server1 | DNS server 1. | ipv4-address | Not Specified | 0.0.0.0 |
| dns-server2 | DNS server 2. | ipv4-address | Not Specified | 0.0.0.0 |
| wins-server1 | WINS server 1. | ipv4-address | Not Specified | 0.0.0.0 |
| wins-server2 | WINS server 2. | ipv4-address | Not Specified | 0.0.0.0 |
| ipv6-dns-server1 | IPv6 DNS server 1. | ipv6-address | Not Specified | :: |
| ipv6-dns-server2 | IPv6 DNS server 2. | ipv6-address | Not Specified | :: |
| ipv6-wins-server1 | IPv6 WINS server 1. | ipv6-address | Not Specified | :: |
| ipv6-wins-server2 | IPv6 WINS server 2. | ipv6-address | Not Specified | :: |
| url-obscuration | Enable/disable to obscure the host name of the URL of the web browser display. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| http-compression | Enable/disable to allow HTTP compression over SSL-VPN tunnels. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| http-only-cookie | Enable/disable SSL-VPN support for HttpOnly cookies. Options: enable = Enable setting; disable = Disable setting. | option | - | enable |
| deflate-compression-level | Compression level (0~9). | integer | Minimum value: 0 Maximum value: 9 | 6 |
| deflate-min-data-size | Minimum amount of data that triggers compression. | integer | Minimum value: 200 Maximum value: 65535 | 300 |
| port | SSL-VPN access port. | integer | Minimum value: 1 Maximum value: 65535 | 10443 |
| port-precedence | Enable/disable, Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. Options: enable = Enable setting; disable = Disable setting. | option | - | enable |
| auto-tunnel-static-route | Enable/disable to auto-create static routes for the SSL-VPN tunnel IP addresses. Options: enable = Enable setting; disable = Disable setting. | option | - | enable |
| header-x-forwarded-for | Forward the same, add, or remove HTTP header. Options: pass = Forward the same HTTP header; add = Add the HTTP header; remove = Remove the HTTP header. | option | - | add |
| source-interface <name> | SSL-VPN source interface of incoming traffic. Interface name. | string | Maximum length: 35 | |
| source-address <name> | Source address of incoming traffic. Address name. | string | Maximum length: 79 | |
| source-address-negate | Enable/disable negated source address match. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| source-address6 <name> | IPv6 source address of incoming traffic. IPv6 address name. | string | Maximum length: 79 | |
| source-address6-negate | Enable/disable negated source IPv6 address match. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| default-portal | Default SSL-VPN portal. | string | Maximum length: 35 | |
| browser-language-detection | Enable/disable overriding the configured system language based on the preferred language of the browser. Options: enable = Enable setting; disable = Disable setting. | option | - | enable |
| dtls-tunnel | Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. Options: enable = Enable setting; disable = Disable setting. | option | - | enable |
| dtls-max-proto-ver | DTLS maximum protocol version. Options: dtls1-0 = DTLS version 1.0; dtls1-2 = DTLS version 1.2. | option | - | dtls1-2 |
| dtls-min-proto-ver | DTLS minimum protocol version. Options: dtls1-0 = DTLS version 1.0; dtls1-2 = DTLS version 1.2. | option | - | dtls1-0 |
| check-referer | Enable/disable verification of referer field in HTTP request header. Options: enable = Enable verification of referer field in HTTP request header; disable = Disable verification of referer field in HTTP request header. | option | - | disable |
| http-request-header-timeout | SSL-VPN session is disconnected if an HTTP request header is not received within this time. | integer | Minimum value: 0 Maximum value: 4294967295 | 20 |
| http-request-body-timeout | SSL-VPN session is disconnected if an HTTP request body is not received within this time. | integer | Minimum value: 0 Maximum value: 4294967295 | 30 |
| auth-session-check-source-ip | Enable/disable checking of source IP for authentication session. Options: enable = Enable checking of source IP for authentication session; disable = Disable checking of source IP for authentication session. | option | - | enable |
| tunnel-connect-without-reauth | Enable/disable tunnel connection without re-authorization if previous connection dropped. Options: enable = Enable tunnel connection without re-authorization; disable = Disable tunnel connection without re-authorization. | option | - | disable |
| tunnel-user-session-timeout | Time out value to clean up user session after tunnel connection is dropped. | integer | Minimum value: 1 Maximum value: 255 | 30 |
| hsts-include-subdomains | Add HSTS includeSubDomains response header. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| transform-backward-slashes | Transform backward slashes to forward slashes in URLs. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| encode-2f-sequence | Encode \2F sequence to forward slash in URLs. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| encrypt-and-store-password | Encrypt and store user passwords for SSL-VPN web sessions. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| client-sigalgs | Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Options: no-rsa-pss = Disable RSA-PSS signature algorithms for client authentication; all = Enable all supported signature algorithms for client authentication. | option | - | all |
| dual-stack-mode | Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| tunnel-addr-assigned-method | Method used for assigning address for tunnel. Options: first-available = Assign the first available address from the pools; round-robin = Assign the available address from the pool with a round robin fashion. | option | - | first-available |
| saml-redirect-port | SAML local redirect port in the machine running FortiClient. 0 is to disable redirection on FGT side. | integer | Minimum value: 0 Maximum value: 65535 | 8020 |
| web-mode-snat | Enable/disable use of IP pools defined in firewall policy while using web-mode. Options: enable = Enable use of IP pools defined in firewall policy while using web-mode; disable = Disable use of IP pools defined in firewall policy while using web-mode. | option | - | disable |
| ztna-trusted-client | Enable/disable verification of device certificate for SSLVPN ZTNA session. Options: enable = Enable verification of device certificate for SSLVPN ZTNA session; disable = Disable verification of device certificate for SSLVPN ZTNA session. | option | - | disable |
| server-hostname | Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection. | string | Maximum length: 255 | |

config authentication-rule

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| id | ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| source-interface <name> | SSL-VPN source interface of incoming traffic. Interface name. | string | Maximum length: 35 | |
| source-address <name> | Source address of incoming traffic. Address name. | string | Maximum length: 79 | |
| source-address-negate | Enable/disable negated source address match. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| source-address6 <name> | IPv6 source address of incoming traffic. IPv6 address name. | string | Maximum length: 79 | |
| source-address6-negate | Enable/disable negated source IPv6 address match. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| users <name> | User name. User name. | string | Maximum length: 79 | |
| groups <name> | User groups. Group name. | string | Maximum length: 79 | |
| portal | SSL-VPN portal. | string | Maximum length: 35 | |
| realm | SSL-VPN realm. | string | Maximum length: 35 | |
| client-cert | Enable/disable SSL-VPN client certificate restrictive. Options: enable = Enable setting; disable = Disable setting. | option | - | disable |
| user-peer | Name of user peer. | string | Maximum length: 35 | |
| cipher | SSL-VPN cipher strength. Options: any = Any cipher strength; high = High cipher strength (>= 168 bits); medium = Medium cipher strength (>= 128 bits). | option | - | high |
| auth | SSL-VPN authentication method restriction. Options: any = Any; local = Local; radius = RADIUS; tacacs+ = TACACS+; ldap = LDAP; peer = PEER. | option | - | any |
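
The following Python audit is an added example, not part of Fortinet's reference: it parses a saved `config vpn ssl settings` block and reports values that weaken the TLS, DTLS, session and per-rule cipher settings documented above. The sample configuration is constructed, settings missing from the input are assumed to hold the defaults listed in the tables, and the choice of which values to report is this example's own policy.

```python
import shlex

# Documented defaults from the parameter tables on this page. A setting that
# is absent from the input is audited at its default.
DEFAULTS = {
    "ssl-min-proto-ver": "tls1-2", "ssl-max-proto-ver": "tls1-3",
    "algorithm": "high", "servercert": "self-sign",
    "dtls-tunnel": "enable", "dtls-min-proto-ver": "dtls1-0",
}
# On/off settings as (documented default, value this audit reports). Which
# values are reported is this example's policy, not vendor guidance.
ON_OFF = {
    "ssl-client-renegotiation": ("disable", "enable"),
    "unsafe-legacy-renegotiation": ("disable", "enable"),
    "http-only-cookie": ("enable", "disable"),
    "auth-session-check-source-ip": ("enable", "disable"),
    "tunnel-connect-without-reauth": ("disable", "enable"),
}
RULE_CIPHER_DEFAULT = "high"  # default of 'cipher' in authentication-rule
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set banned-cipher SHA1 3DES STATIC
    set servercert "vpn-example-cert"
    set unsafe-legacy-renegotiation enable
    set tunnel-connect-without-reauth enable
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set cipher medium
        next
        edit 2
            set groups "vpn-admins"
            set client-cert enable
        next
    end
end
"""


def parse_ssl_settings(text):
    """Parse a 'config vpn ssl settings' block into (settings, rules)."""
    settings, rules = {}, {}
    in_block = in_rules = False
    target = settings
    for raw in text.splitlines():
        tok = shlex.split(raw)  # keeps quoted names such as "my cert" whole
        if not tok:
            continue
        if not in_block:
            in_block = tok == ["config", "vpn", "ssl", "settings"]
        elif tok[:2] == ["config", "authentication-rule"]:
            in_rules = True
        elif in_rules and tok[0] == "edit" and len(tok) > 1:
            target = rules.setdefault(tok[1], {})  # values go to this rule
        elif in_rules and tok[0] == "next":
            target = settings
        elif tok[0] == "end":
            if not in_rules:
                break  # end of the ssl settings block
            in_rules = False
        elif tok[0] == "set" and len(tok) > 2:
            target[tok[1]] = tok[2:]  # multi-value settings stay a list
    return settings, rules


def audit(text):
    """Return (setting, value, reason) findings for one configuration."""
    settings, rules = parse_ssl_settings(text)
    defaults = {**DEFAULTS, **{k: d for k, (d, _) in ON_OFF.items()}}

    def val(key):
        return settings.get(key, [defaults[key]])[0]

    out = []
    if TLS_ORDER.index(val("ssl-min-proto-ver")) < TLS_ORDER.index("tls1-2"):
        out.append(("ssl-min-proto-ver", val("ssl-min-proto-ver"),
                    "accepts TLS below 1.2"))
    if val("algorithm") != "high":
        out.append(("algorithm", val("algorithm"), "admits non-high algorithms"))
    if val("servercert") == "self-sign":
        out.append(("servercert", "self-sign", "default self-signed certificate"))
    for key, (_, weak) in ON_OFF.items():
        if val(key) == weak:
            out.append((key, weak, "changed from the documented default"))
    if val("dtls-tunnel") == "enable" and val("dtls-min-proto-ver") == "dtls1-0":
        out.append(("dtls-min-proto-ver", "dtls1-0", "DTLS 1.0 accepted"))
    if "banned-cipher" in settings and val("ssl-max-proto-ver") == "tls1-3":
        out.append(("banned-cipher", " ".join(settings["banned-cipher"]),
                    "covers TLS 1.2 and below only; TLS 1.3 uses ciphersuite"))
    for rule_id, rule in rules.items():
        cipher = rule.get("cipher", [RULE_CIPHER_DEFAULT])[0]
        if cipher != "high":
            out.append((f"authentication-rule {rule_id}", cipher,
                        "rule accepts ciphers below high strength"))
    return out


if __name__ == "__main__":
    for setting, value, reason in audit(SAMPLE_CONFIG):
        print(f"{setting} = {value}: {reason}")
```

An input with no `set` lines still yields two findings, `servercert` and `dtls-min-proto-ver`, because the documented defaults for both (`self-sign` and `dtls1-0`) match this example's policy.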
