SSL VPN

SSL VPN

SSL VPN configurations consist of one <options> section, followed by one or more VPN <connection> section.

<forticlient_configuration>

<vpn>

<dnscache_service_control>0</dnscache_service_control>

<prefer_sslvpn_dns>1</prefer_sslvpn_dns>

<use_legacy_ssl_adapter>1</use_legacy_ssl_adapter>

<preferred_dtls_tunnel>1</preferred_dtls_tunnel>

<no_dhcp_server_route>0</no_dhcp_server_route>

<no_dns_registration>0</no_dns_registration>

<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>

<keep_connection_alive>1</keep_connection_alive>

</options>

<name>SSLVPN_Name</name>

<description>Optional_Description</description>

<server>ssldemo.fortinet.com:10443</server>

<username>Encrypted/NonEncrypted_UsernameString</username>

<single_user_mode>0</single_user_mode>

<ui>

<show_remember_password>1</show_remember_password>

<show_alwaysup>1</show_alwaysup>

<show_autoconnect>1</show_autoconnect>

<save_username>0</save_username>

</ui>

<password>Encrypted/NonEncrypted_PasswordString</password>

<warn_invalid_server_certificate>1</warn_invalid_server_certificate>

<allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>

<prompt_certificate>0</prompt_certificate>

<prompt_username>0</prompt_username>

<on_connect>

<os>windows</os>

<![CDATA[test]]>

</script>

</on_connect>

<on_disconnect>

<os>windows</os>

<![CDATA]]>

</script>

</on_disconnect>

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

The following table provides the XML tags for SSL VPN, as well as the descriptions and default values where applicable.

XML Tag	Description	Default Value
`<sslvpn><options>` elements
<enabled>	Enable or disable SSL VPN. Boolean value: `[0 \| 1]`	1
<dnscache_service_control>	FortiClient disables Windows OS DNS cache when an SSL VPN tunnel is established. The DNS cache is restored after SSL VPN tunnel is disconnected. If it is observed that FSSO clients do not function correctly when an SSL VPN tunnel is up, use the following XML configuration to control DNS cache	0
<prefer_sslvpn_dns>	When this setting is `0`, the custom DNS server from SSL VPN is not added to the physical interface. When this setting is `1`, the custom DNS server from SSL VPN is prepended to the physical interface. Boolean value: `[0 \| 1]`	0
<use_legacy_ssl_adapter>	When this setting is `0`, the new SSL driver is used. When this setting is `1`, the legacy SSL driver is used. Boolean value: `[0 \| 1]`	1
<preferred_dtls_tunnel>	When this setting is `0`, FortiClient uses TLS, even if `dtls-tunnel` is enabled on FortiGate. When this setting is `1`, FortiClient uses DTLS, if it is enabled on the FortiGate, and tunnel establishment is successful. If `dtls-tunnel` is disabled on FortiGate, or tunnel establishment is not successful, TLS is used. DTLS tunnel uses UDP instead of TCP and can increase throughput over VPN. Boolean value: `[0 \| 1]`
<no_dhcp_server_route>	When this setting is `0`, FortiClient creates the DHCP public server route upon tunnel establishment. When this setting is `1`, FortiClient does not create the DHCP public server route upon tunnel establishment. Boolean value: `[0 \| 1]`	0
<no_dns_registration>	When this setting is `0`, FortiClient registers the SSL VPN adapter's address in the AD domain DNS. When this setting is `1`, FortiClient does not register the SSL VPN adapter's address in the AD domain DNS. Boolean value: `[0 \| 1]`	0
<disallow_invalid_server_certificate>	When this setting is `0` and an invalid server certificate is used, FortiClient displays a popup that allows the user to continue with the invalid certificate. When this setting is `1` and an invalid server certificate is used, FortiClient does not display a popup and stops the connection. Boolean value: `[0 \| 1]`	0
<keep_connection_alive>	Retry restoring connection of an active VPN session. Boolean value: `[0 \| 1]`

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

Information used to establish an SSL VPN connection
on_connect: a script to run right after a successful connection
on_disconnect: a script to run just after a disconnection

The following table provides VPN connection XML tags, the description, and the default value (where applicable).

XML Tag	Description	Default Value
<name>	VPN connection name.
<description>	Optional description to identify the VPN connection.
<server>	SSL server IP address or FQDN, along with the port number as applicable.	Default port number: `443`
<username>	Either encrypted or non-encrypted username on SSL server.
<single_user_mode>	Enable or disable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged on the computer. Boolean value: `[0 \| 1]`	0
<password>	Either encrypted or non-encrypted password of the given user.
<certificate>	Encrypted certificate name to connect with.
<warn_invalid_server_certificate>	Enable or disable displaying of a warning message if the server certificate is invalid. Boolean value: `[0 \| 1]`	0
<allow_standard_user_use_system_cert>	When this setting is `1`, non-administrator users can use local machine certificates to connect SSL VPN. When this setting is `0`, non-administrator users cannot use machine certificates to connect SSL VPN. Boolean value: `[0 \| 1]`	0
<prompt_certificate>	Request for a certificate during a connection establishment. Boolean value: `[0 \| 1]`	0
<prompt_username>	Request for a username. Boolean value: `[0 \| 1]`	1
<fgt>	Indicates whether FortiClient received a VPN configuration from FortiGate or EMS. When this setting is `1`, FortiClient received a VPN configuration from FortiGate or EMS, and the user can view the VPN configuration when connected to FortiGate or EMS. If FortiClient is disconnected from FortiGate or EMS after connecting and receiving the VPN configuration, the user can view and delete the VPN configuration, but not edit it. When this setting is `0`, FortiClient did not receive a VPN configuration from FortiGate or EMS, and the user can view or delete VPN configurations. It is not recommended to manually change the `<fgt>` setting. Boolean value: `[0 \| 1]`
`<ui>` elements The elements of the `<ui>` XML tag are set by the FortiGate following an SSL VPN connection.
<show_remember_password>	Display or hide the Save Password checkbox in the console. Boolean value: `[0 \| 1]`
<show_alwaysup>	Display or hide the Always Up checkbox in the console. Boolean value: `[0 \| 1]`
<show_autoconnect>	Display or hide the Auto Connect checkbox in the console. Boolean value: `[0 \| 1]`
<save_username>	Save and display the last username used for VPN connection. Boolean value: `[0 \| 1]`

The VPN connection name is mandatory. If a connection of this type and this name exists, its values are overwritten with the new ones.

The <on_connect> and <on_disconnect> tags both have very similar tag structure:

<on_connect>

<os>windows</os>

<![CDATA[

]]>

</script>

</on_connect>

<on_disconnect>

<os>windows</os>

<![CDATA[

]]>

</script>

</on_disconnect>

The following table provides CDATA XML tags, the description, and the default value (where applicable).

XML Tag	Description	Default Value
<os>	The OS for which the script is written. Select either: `[windows \| MacOSX]`
<script>	The MS DOS batch or macOS shell script to run.
<![CDATA[ ]]>	Wraps the scripts in CDATA elements.
Write the MS DOS batch or macOS shell script inside the CDATA tag. Write one line per command like a regular batch script file. The script is executed in the context of the user that connected the tunnel. Wherever you write `#username#` in your script, it is automatically substituted with the XAuth username of the user that connected the tunnel. Wherever you write `#password#` in your script, it is automatically substituted with the XAuth password of the user that connected the tunnel. Remember to check your XML file before deploying to ensure that carriage returns/line feeds are present.

The example scripts above show a script that mounts several network drives after an SSL connection is established. The drives are unmounted with the corresponding scripts in the <on_disconnect> XML tag.

The <on_connect> and <on_disconnect> scripts are optional.

SSL VPN

SSL VPN configurations consist of one <options> section, followed by one or more VPN <connection> section.

<forticlient_configuration>

<vpn>

<dnscache_service_control>0</dnscache_service_control>

<prefer_sslvpn_dns>1</prefer_sslvpn_dns>

<use_legacy_ssl_adapter>1</use_legacy_ssl_adapter>

<preferred_dtls_tunnel>1</preferred_dtls_tunnel>

<no_dhcp_server_route>0</no_dhcp_server_route>

<no_dns_registration>0</no_dns_registration>

<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>

<keep_connection_alive>1</keep_connection_alive>

</options>

<name>SSLVPN_Name</name>

<description>Optional_Description</description>

<server>ssldemo.fortinet.com:10443</server>

<username>Encrypted/NonEncrypted_UsernameString</username>

<single_user_mode>0</single_user_mode>

<ui>

<show_remember_password>1</show_remember_password>

<show_alwaysup>1</show_alwaysup>

<show_autoconnect>1</show_autoconnect>

<save_username>0</save_username>

</ui>

<password>Encrypted/NonEncrypted_PasswordString</password>

<warn_invalid_server_certificate>1</warn_invalid_server_certificate>

<allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>

<prompt_certificate>0</prompt_certificate>

<prompt_username>0</prompt_username>

<on_connect>

<os>windows</os>

<![CDATA[test]]>

</script>

</on_connect>

<on_disconnect>

<os>windows</os>

<![CDATA]]>

</script>

</on_disconnect>

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

The following table provides the XML tags for SSL VPN, as well as the descriptions and default values where applicable.

XML Tag	Description	Default Value
`<sslvpn><options>` elements
<enabled>	Enable or disable SSL VPN. Boolean value: `[0 \| 1]`	1
<dnscache_service_control>	FortiClient disables Windows OS DNS cache when an SSL VPN tunnel is established. The DNS cache is restored after SSL VPN tunnel is disconnected. If it is observed that FSSO clients do not function correctly when an SSL VPN tunnel is up, use the following XML configuration to control DNS cache	0
<prefer_sslvpn_dns>	When this setting is `0`, the custom DNS server from SSL VPN is not added to the physical interface. When this setting is `1`, the custom DNS server from SSL VPN is prepended to the physical interface. Boolean value: `[0 \| 1]`	0
<use_legacy_ssl_adapter>	When this setting is `0`, the new SSL driver is used. When this setting is `1`, the legacy SSL driver is used. Boolean value: `[0 \| 1]`	1
<preferred_dtls_tunnel>	When this setting is `0`, FortiClient uses TLS, even if `dtls-tunnel` is enabled on FortiGate. When this setting is `1`, FortiClient uses DTLS, if it is enabled on the FortiGate, and tunnel establishment is successful. If `dtls-tunnel` is disabled on FortiGate, or tunnel establishment is not successful, TLS is used. DTLS tunnel uses UDP instead of TCP and can increase throughput over VPN. Boolean value: `[0 \| 1]`
<no_dhcp_server_route>	When this setting is `0`, FortiClient creates the DHCP public server route upon tunnel establishment. When this setting is `1`, FortiClient does not create the DHCP public server route upon tunnel establishment. Boolean value: `[0 \| 1]`	0
<no_dns_registration>	When this setting is `0`, FortiClient registers the SSL VPN adapter's address in the AD domain DNS. When this setting is `1`, FortiClient does not register the SSL VPN adapter's address in the AD domain DNS. Boolean value: `[0 \| 1]`	0
<disallow_invalid_server_certificate>	When this setting is `0` and an invalid server certificate is used, FortiClient displays a popup that allows the user to continue with the invalid certificate. When this setting is `1` and an invalid server certificate is used, FortiClient does not display a popup and stops the connection. Boolean value: `[0 \| 1]`	0
<keep_connection_alive>	Retry restoring connection of an active VPN session. Boolean value: `[0 \| 1]`

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

Information used to establish an SSL VPN connection
on_connect: a script to run right after a successful connection
on_disconnect: a script to run just after a disconnection

The following table provides VPN connection XML tags, the description, and the default value (where applicable).

XML Tag	Description	Default Value
<name>	VPN connection name.
<description>	Optional description to identify the VPN connection.
<server>	SSL server IP address or FQDN, along with the port number as applicable.	Default port number: `443`
<username>	Either encrypted or non-encrypted username on SSL server.
<single_user_mode>	Enable or disable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged on the computer. Boolean value: `[0 \| 1]`	0
<password>	Either encrypted or non-encrypted password of the given user.
<certificate>	Encrypted certificate name to connect with.
<warn_invalid_server_certificate>	Enable or disable displaying of a warning message if the server certificate is invalid. Boolean value: `[0 \| 1]`	0
<allow_standard_user_use_system_cert>	When this setting is `1`, non-administrator users can use local machine certificates to connect SSL VPN. When this setting is `0`, non-administrator users cannot use machine certificates to connect SSL VPN. Boolean value: `[0 \| 1]`	0
<prompt_certificate>	Request for a certificate during a connection establishment. Boolean value: `[0 \| 1]`	0
<prompt_username>	Request for a username. Boolean value: `[0 \| 1]`	1
<fgt>	Indicates whether FortiClient received a VPN configuration from FortiGate or EMS. When this setting is `1`, FortiClient received a VPN configuration from FortiGate or EMS, and the user can view the VPN configuration when connected to FortiGate or EMS. If FortiClient is disconnected from FortiGate or EMS after connecting and receiving the VPN configuration, the user can view and delete the VPN configuration, but not edit it. When this setting is `0`, FortiClient did not receive a VPN configuration from FortiGate or EMS, and the user can view or delete VPN configurations. It is not recommended to manually change the `<fgt>` setting. Boolean value: `[0 \| 1]`
`<ui>` elements The elements of the `<ui>` XML tag are set by the FortiGate following an SSL VPN connection.
<show_remember_password>	Display or hide the Save Password checkbox in the console. Boolean value: `[0 \| 1]`
<show_alwaysup>	Display or hide the Always Up checkbox in the console. Boolean value: `[0 \| 1]`
<show_autoconnect>	Display or hide the Auto Connect checkbox in the console. Boolean value: `[0 \| 1]`
<save_username>	Save and display the last username used for VPN connection. Boolean value: `[0 \| 1]`

The VPN connection name is mandatory. If a connection of this type and this name exists, its values are overwritten with the new ones.

The <on_connect> and <on_disconnect> tags both have very similar tag structure:

<on_connect>

<os>windows</os>

<![CDATA[

]]>

</script>

</on_connect>

<on_disconnect>

<os>windows</os>

<![CDATA[

]]>

</script>

</on_disconnect>

The following table provides CDATA XML tags, the description, and the default value (where applicable).

XML Tag	Description	Default Value
<os>	The OS for which the script is written. Select either: `[windows \| MacOSX]`
<script>	The MS DOS batch or macOS shell script to run.
<![CDATA[ ]]>	Wraps the scripts in CDATA elements.
Write the MS DOS batch or macOS shell script inside the CDATA tag. Write one line per command like a regular batch script file. The script is executed in the context of the user that connected the tunnel. Wherever you write `#username#` in your script, it is automatically substituted with the XAuth username of the user that connected the tunnel. Wherever you write `#password#` in your script, it is automatically substituted with the XAuth password of the user that connected the tunnel. Remember to check your XML file before deploying to ensure that carriage returns/line feeds are present.

The <on_connect> and <on_disconnect> scripts are optional.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

XML Reference Guide

SSL VPN

SSL VPN

SSL VPN