Fortinet white logo
Fortinet white logo

SSL VPN

SSL VPN

SSL VPN configurations consist of one <options> section, followed by one or more VPN <connection> sections:

<forticlient_configuration>

<vpn>

<sslvpn>

<options>

<enabled>1</enabled>

<dnscache_service_control>0</dnscache_service_control>

<!-- 0=disable dnscache, 1=do not tounch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange -->

<prefer_sslvpn_dns>1</prefer_sslvpn_dns>

<use_legacy_ssl_adapter>1</use_legacy_ssl_adapter>

<preferred_dtls_tunnel>1</preferred_dtls_tunnel>

<block_ipv6>0</block_ipv6>

<no_dhcp_server_route>0</no_dhcp_server_route>

<no_dns_registration>0</no_dns_registration>

<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>

<keep_connection_alive>1</keep_connection_alive>

<show_auth_cert_only>1</show_auth_cert_only>

</options>

<connections>

<connection>

<name>SSLVPN_Name</name>

<description>Optional_Description</description>

<server>ssldemo.fortinet.com:10443</server>

<username>Encrypted/NonEncrypted_UsernameString</username>

<single_user_mode>0</single_user_mode>

<disclaimer_msg></disclaimer_msg>

<redundant_sort_method>0</redundant_sort_method>

<sso_enabled>1</sso_enabled>

<use_external_browser>1</use_external_browser>

<warn_invalid_server_certificate>1</warn_invalid_server_certificate>

<machine>1</machine>

<dual_stack>0</dual_stack>

<keep_running>0</keep_running>

<ui>

<show_remember_password>1</show_remember_password>

<show_alwaysup>1</show_alwaysup>

<show_autoconnect>1</show_autoconnect>

<save_username>0</save_username>

</ui>

<password>Encrypted/NonEncrypted_PasswordString</password>

<certificate/>

<allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>

<prompt_certificate>0</prompt_certificate>

<prompt_username>0</prompt_username>

<fgt>1</fgt>

<on_connect>

<script>

<os>windows</os>

<script>

<![CDATA[test]]>

</script>

</script>

</on_connect>

<on_disconnect>

<script>

<os>windows</os>

<script>

<![CDATA]]>

</script>

</script>

</on_disconnect>

<traffic_control>

<enabled>1</enabled>

<mode>2</mode>

<enable_local_lan>1</enable_local_lan>

<apps>

<app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>

<app>%appdata%\Zoom\bin\Zoom.exe</app>

<app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>

<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>

<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>

<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>

</apps>

<fqdns>

<fqdn>webex.com</fqdn>

<fqdn>gotomeeting.com</fqdn>

<fqdn>youtube.com</fqdn>

</fqdns>

</traffic_control>

<tags>

<allowed>NoVuln</allowed>

<prohibited>CriticalVuln</prohibited>

</tags>

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

The following table provides the SSL VPN XML tags, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<sslvpn><options> elements

<enabled>

Enable SSL VPN.

Boolean value: [0 | 1]

1

<dnscache_service_control>

FortiClient disables Windows OS DNS cache when an SSL VPN tunnel is established.

The DNS cache is restored after SSL VPN tunnel is disconnected. If you observe that FSSO clients do not function correctly when an SSL VPN tunnel is up, use <prefer_sslvpn_dns> to control the DNS cache.

0

<prefer_sslvpn_dns>

When this setting is 0, the custom DNS server from SSL VPN is not added to the physical interface. When this setting is 1, the custom DNS server from SSL VPN is prepended to the physical interface.

Boolean value: [0 | 1]

0

<use_legacy_ssl_adapter>

When this setting is 0, FortiClient uses the new SSL driver. When this setting is 1, FortiClient uses the legacy SSL driver.

Boolean value: [0 | 1]

1

<preferred_dtls_tunnel>

DTLS supported only by FortiClient (Windows).

When this setting is 0, FortiClient uses TLS, even if dtls-tunnel is enabled on the FortiGate.

When this setting is 1, FortiClient uses DTLS, if it is enabled on the FortiGate, and tunnel establishment is successful. If dtls-tunnel is disabled on the FortiGate, or tunnel establishment is not successful, FortiClient uses TLS. DTLS tunnel uses UDP instead of TCP and can increase throughput over VPN.

Boolean value: [0 | 1]

<block_ipv6>

When this setting is 0, FortiClient allows IPv6 connection.

When this setting is 1, FortiClient blocks IPv6 connection. FortiClient uses only IPv4 connectivity when the SSL VPN tunnel is up.

Boolean value: [0 | 1]

0

<no_dhcp_server_route>

When this setting is 0, FortiClient creates the DHCP public server route upon tunnel establishment.

When this setting is 1, FortiClient does not create the DHCP public server route upon tunnel establishment.

Boolean value: [0 | 1]

0

<no_dns_registration>

When this setting is 0, FortiClient registers the SSL VPN adapter's address in the Active Directory (AD) DNS server.

When this setting is 1, FortiClient does not register the SSL VPN adapter's address in the AD DNS server.

When this setting is 2, FortiClient registers only its own tunnel interface IP address in the AD DNS server.

0

<disallow_invalid_server_certificate>

When this setting is 0 and an invalid server certificate is used, FortiClient displays a popup that allows the user to continue with the invalid certificate.

When this setting is 1 and an invalid server certificate is used, FortiClient does not display a popup and stops the connection.

Boolean value: [0 | 1]

0

<keep_connection_alive>

Retry restoring an active VPN session connection.

Boolean value: [0 | 1]

<show_auth_cert_only>

Supress dialog boxes from displaying in FortiClient when using SmartCard certificates.

Boolean value: [0 | 1]

0

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

  • Information used to establish an SSL VPN connection
  • on_connect: a script to run right after a successful connection
  • on_disconnect: a script to run just after a disconnection

The following table provides VPN connection XML tags, the description, and the default value (where applicable).

XML tag

Description

Default value

<name>

VPN connection name.

<description>

Optional description to identify the VPN connection.

<server>

SSL server IP address or FQDN, along with the port number as applicable.

Default port number: 443

<username>

Encrypted or non-encrypted username on SSL server.

<single_user_mode>

Enable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged on the computer.

Boolean value: [0 | 1]

0

<disclaimer_msg>

Enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

<redundant_sort_method>

How FortiClient determines the order in which to try connection to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.

  • When the value is 0, FortiClient tries the order explicitly defined in the <server> tag.
  • When the value is 1, FortiClient determines the order by the ping response speed.
  • When the value is 2, FortiClient determines the order by the TCP round trip time.

0

<sso_enabled>

Enable SAML SSO for the VPN tunnel. For this feature to function, the administrator must have configured the necessary options on the Service Provider and Identity Provider. See SAML support for SSL VPN.

<use_external_browser>

Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection.

<warn_invalid_server_certificate>

Display a warning message if the server certificate is invalid. EMS automatically copies this setting to each SSL VPN tunnel.

Boolean value: [0 | 1]

0

<machine>

When this setting is 1, FortiClient can connect to the tunnel without user interaction. See <on_os_start_connect> in VPN options.

Boolean value: [0 | 1]

<dual_stack>

Enable or disable FortiClient to establish a dual stack SSL VPN tunnel to allow both IPv4 and IPv6 traffic to pass through. See Dual stack IPv4 and IPv6 support for SSL VPN.

The following summarizes what occurs when dual stack settings differ between FortiClient and FortiOS:

  • If FortiClient XML is set to <dual_stack>1</dual_stack> and FortiOS CLI has set dual-stack-mode enable, the tunnel allows IPv4 and IPv6 traffic.
  • If FortiClient XML is set to <dual_stack>1</dual_stack> and FortiOS CLI has set dual-stack-mode disable, FortiClient cannot connect to the SSL VPN tunnel.
  • If FortiClient XML is set to <dual_stack>0</dual_stack> and FortiOS CLI has set dual-stack-mode enable or disable, FortiClient can connect to the SSL VPN tunnel, but IPv4 traffic can only go through the IPv4 tunnel, and IPv6 traffic can only go through the IPv6 tunnel.

Boolean value: [0 | 1]

<keep_running>

Ensures that the VPN tunnel remains connected if it is already connected. This is useful when there is a temporary network disconnection that causes the tunnel to drop the connection.

0

<password>

Given user's encrypted or non-encrypted password.

<certificate> elements

The XML sample provided above only shows XML configuration when using a username and password. See Sample XML using certificate authentication for example of XML configuration for certificate authentication.

<certificate><common_name> elements

Elements for common name of the certificate for VPN logon.

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard
  • regex: regular expressions

<pattern>

Enter the pattern to use for the type of matching.

<certificate><issuer> elements

Elements about the issuer of the certificate for VPN logon.

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard

<pattern>

Enter the pattern to use for the type of matching.

<allow_standard_user_use_system_cert>

When this setting is 1, non-administrator users can use local machine certificates to connect SSL VPN. When this setting is 0, non-administrator users cannot use machine certificates to connect SSL VPN.

Boolean value: [0 | 1]

0

<prompt_certificate>

Request a certificate during connection establishment.

Boolean value: [0 | 1]

0

<prompt_username>

Request a username.

Boolean value: [0 | 1]

1

<fgt>

Indicates whether FortiClient received a VPN configuration from FortiGate or EMS. When this setting is 1, FortiClient received a VPN configuration from FortiGate or EMS, and the user can view the VPN configuration when connected to FortiGate or EMS. If FortiClient is disconnected from FortiGate or EMS after connecting and receiving the VPN configuration, the user can view and delete the VPN configuration but cannot edit it.

When this setting is 0, FortiClient did not receive a VPN configuration from FortiGate or EMS, and the user can view or delete VPN configurations. It is not recommended to manually change the <fgt> setting.

Boolean value: [0 | 1]

<ui> elements

The FortiGate sets the elements of the <ui> XML tag by following an SSL VPN connection.

<show_remember_password>

Display the Save Password checkbox in the console.

Boolean value: [0 | 1]

<show_alwaysup>

Display the Always Up checkbox in the console.

Boolean value: [0 | 1]

<show_autoconnect>

Display the Auto Connect checkbox in the console.

Boolean value: [0 | 1]

<save_username>

Save and display the last username used for VPN connection.

Boolean value: [0 | 1]

<traffic_control> elements

<enabled>

To enable the feature, enter 1. To disable the feature, enter 0.

Boolean value: [0 | 1]

<mode>

Enter 2 so that network traffic for all defined applications and FQDNs do not go through the VPN tunnel. You must configure this value as 2 for the feature to function.

<app>

Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%,%programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces.

To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface.

In the example, for the GoToMeeting path, 18068 refers to the current installed version of the GoToMeeting application.

<enable_local_lan>

Enable access to local resources while an application-based split tunnel with an exclusion rule configured is up. If this option is disabled, access to local resources may be denied when an application-based split tunnel with an exclusion rule configured is up.

Boolean value: [0 | 1]

1

<fqdn>

Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection.

In the example, youtube.com equals youtube.com and *.youtube.com.

After defining an FQDN, such as youtube.com in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel.

<tags> elements

<allowed>

Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel.

<prohibited>

Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel.

The VPN connection name is mandatory. If a connection of this type and this name exists, FortiClient overwrites its values with the new ones.

Sample XML using certificate authentication

<sslvpn>

...

<connections>

<connection>

...

<certificate>

<common_name>

<match_type>

<![CDATA[wildcard]]>

</match_type>

<pattern>

<![CDATA[*]]>

</pattern>

</common_name>

<issuer>

<match_type>

<![CDATA[simple]]>

</match_type>

<pattern>

<![CDATA[Certificate Authority]]>

</pattern>

</issuer>

</certificate>

...

</connection>

</connections>

...

<sslvpn>

This is a balanced but incomplete XML configuration fragment. It includes all closing tags, but omits some important elements to complete the configuration.

See the first XML sample in this topic for a more complete XML configuration example using a username and password for authentication.

The <on_connect> and <on_disconnect> tags both have very similar tag structure:

<on_connect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[

]]>

</script>

</script>

</script>

</on_connect>

<on_disconnect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[

]]>

</script>

</script>

</script>

</on_disconnect>

The following table provides CDATA XML tags, the description, and the default value (where applicable):

XML tag

Description

Default value

<os>

The OS for which the script is written. Enter one of the following: [windows | MacOSX]

<script>

The MS DOS batch or macOS shell script to run.

<![CDATA[

]]>

Wraps the scripts in CDATA elements.

Write the MS DOS batch or macOS shell script inside the CDATA tag. Write one line per command like a regular batch script file. The script is executed in the context of the user that connected the tunnel.

Wherever you write #username# in your script, it is automatically substituted with the XAuth username of the user that connected the tunnel.

Wherever you write #password# in your script, it is automatically substituted with the XAuth password of the user that connected the tunnel.

Remember to check your XML file before deploying to ensure that carriage returns/line feeds are present.

The example scripts above show a script that mounts several network drives after an SSL connection is established. The drives are unmounted with the corresponding scripts in the <on_disconnect> XML tag.

The <on_connect> and <on_disconnect> scripts are optional.

SSL VPN

SSL VPN

SSL VPN configurations consist of one <options> section, followed by one or more VPN <connection> sections:

<forticlient_configuration>

<vpn>

<sslvpn>

<options>

<enabled>1</enabled>

<dnscache_service_control>0</dnscache_service_control>

<!-- 0=disable dnscache, 1=do not tounch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange -->

<prefer_sslvpn_dns>1</prefer_sslvpn_dns>

<use_legacy_ssl_adapter>1</use_legacy_ssl_adapter>

<preferred_dtls_tunnel>1</preferred_dtls_tunnel>

<block_ipv6>0</block_ipv6>

<no_dhcp_server_route>0</no_dhcp_server_route>

<no_dns_registration>0</no_dns_registration>

<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>

<keep_connection_alive>1</keep_connection_alive>

<show_auth_cert_only>1</show_auth_cert_only>

</options>

<connections>

<connection>

<name>SSLVPN_Name</name>

<description>Optional_Description</description>

<server>ssldemo.fortinet.com:10443</server>

<username>Encrypted/NonEncrypted_UsernameString</username>

<single_user_mode>0</single_user_mode>

<disclaimer_msg></disclaimer_msg>

<redundant_sort_method>0</redundant_sort_method>

<sso_enabled>1</sso_enabled>

<use_external_browser>1</use_external_browser>

<warn_invalid_server_certificate>1</warn_invalid_server_certificate>

<machine>1</machine>

<dual_stack>0</dual_stack>

<keep_running>0</keep_running>

<ui>

<show_remember_password>1</show_remember_password>

<show_alwaysup>1</show_alwaysup>

<show_autoconnect>1</show_autoconnect>

<save_username>0</save_username>

</ui>

<password>Encrypted/NonEncrypted_PasswordString</password>

<certificate/>

<allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>

<prompt_certificate>0</prompt_certificate>

<prompt_username>0</prompt_username>

<fgt>1</fgt>

<on_connect>

<script>

<os>windows</os>

<script>

<![CDATA[test]]>

</script>

</script>

</on_connect>

<on_disconnect>

<script>

<os>windows</os>

<script>

<![CDATA]]>

</script>

</script>

</on_disconnect>

<traffic_control>

<enabled>1</enabled>

<mode>2</mode>

<enable_local_lan>1</enable_local_lan>

<apps>

<app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>

<app>%appdata%\Zoom\bin\Zoom.exe</app>

<app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>

<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>

<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>

<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>

</apps>

<fqdns>

<fqdn>webex.com</fqdn>

<fqdn>gotomeeting.com</fqdn>

<fqdn>youtube.com</fqdn>

</fqdns>

</traffic_control>

<tags>

<allowed>NoVuln</allowed>

<prohibited>CriticalVuln</prohibited>

</tags>

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

The following table provides the SSL VPN XML tags, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<sslvpn><options> elements

<enabled>

Enable SSL VPN.

Boolean value: [0 | 1]

1

<dnscache_service_control>

FortiClient disables Windows OS DNS cache when an SSL VPN tunnel is established.

The DNS cache is restored after SSL VPN tunnel is disconnected. If you observe that FSSO clients do not function correctly when an SSL VPN tunnel is up, use <prefer_sslvpn_dns> to control the DNS cache.

0

<prefer_sslvpn_dns>

When this setting is 0, the custom DNS server from SSL VPN is not added to the physical interface. When this setting is 1, the custom DNS server from SSL VPN is prepended to the physical interface.

Boolean value: [0 | 1]

0

<use_legacy_ssl_adapter>

When this setting is 0, FortiClient uses the new SSL driver. When this setting is 1, FortiClient uses the legacy SSL driver.

Boolean value: [0 | 1]

1

<preferred_dtls_tunnel>

DTLS supported only by FortiClient (Windows).

When this setting is 0, FortiClient uses TLS, even if dtls-tunnel is enabled on the FortiGate.

When this setting is 1, FortiClient uses DTLS, if it is enabled on the FortiGate, and tunnel establishment is successful. If dtls-tunnel is disabled on the FortiGate, or tunnel establishment is not successful, FortiClient uses TLS. DTLS tunnel uses UDP instead of TCP and can increase throughput over VPN.

Boolean value: [0 | 1]

<block_ipv6>

When this setting is 0, FortiClient allows IPv6 connection.

When this setting is 1, FortiClient blocks IPv6 connection. FortiClient uses only IPv4 connectivity when the SSL VPN tunnel is up.

Boolean value: [0 | 1]

0

<no_dhcp_server_route>

When this setting is 0, FortiClient creates the DHCP public server route upon tunnel establishment.

When this setting is 1, FortiClient does not create the DHCP public server route upon tunnel establishment.

Boolean value: [0 | 1]

0

<no_dns_registration>

When this setting is 0, FortiClient registers the SSL VPN adapter's address in the Active Directory (AD) DNS server.

When this setting is 1, FortiClient does not register the SSL VPN adapter's address in the AD DNS server.

When this setting is 2, FortiClient registers only its own tunnel interface IP address in the AD DNS server.

0

<disallow_invalid_server_certificate>

When this setting is 0 and an invalid server certificate is used, FortiClient displays a popup that allows the user to continue with the invalid certificate.

When this setting is 1 and an invalid server certificate is used, FortiClient does not display a popup and stops the connection.

Boolean value: [0 | 1]

0

<keep_connection_alive>

Retry restoring an active VPN session connection.

Boolean value: [0 | 1]

<show_auth_cert_only>

Supress dialog boxes from displaying in FortiClient when using SmartCard certificates.

Boolean value: [0 | 1]

0

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

  • Information used to establish an SSL VPN connection
  • on_connect: a script to run right after a successful connection
  • on_disconnect: a script to run just after a disconnection

The following table provides VPN connection XML tags, the description, and the default value (where applicable).

XML tag

Description

Default value

<name>

VPN connection name.

<description>

Optional description to identify the VPN connection.

<server>

SSL server IP address or FQDN, along with the port number as applicable.

Default port number: 443

<username>

Encrypted or non-encrypted username on SSL server.

<single_user_mode>

Enable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged on the computer.

Boolean value: [0 | 1]

0

<disclaimer_msg>

Enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

<redundant_sort_method>

How FortiClient determines the order in which to try connection to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.

  • When the value is 0, FortiClient tries the order explicitly defined in the <server> tag.
  • When the value is 1, FortiClient determines the order by the ping response speed.
  • When the value is 2, FortiClient determines the order by the TCP round trip time.

0

<sso_enabled>

Enable SAML SSO for the VPN tunnel. For this feature to function, the administrator must have configured the necessary options on the Service Provider and Identity Provider. See SAML support for SSL VPN.

<use_external_browser>

Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection.

<warn_invalid_server_certificate>

Display a warning message if the server certificate is invalid. EMS automatically copies this setting to each SSL VPN tunnel.

Boolean value: [0 | 1]

0

<machine>

When this setting is 1, FortiClient can connect to the tunnel without user interaction. See <on_os_start_connect> in VPN options.

Boolean value: [0 | 1]

<dual_stack>

Enable or disable FortiClient to establish a dual stack SSL VPN tunnel to allow both IPv4 and IPv6 traffic to pass through. See Dual stack IPv4 and IPv6 support for SSL VPN.

The following summarizes what occurs when dual stack settings differ between FortiClient and FortiOS:

  • If FortiClient XML is set to <dual_stack>1</dual_stack> and FortiOS CLI has set dual-stack-mode enable, the tunnel allows IPv4 and IPv6 traffic.
  • If FortiClient XML is set to <dual_stack>1</dual_stack> and FortiOS CLI has set dual-stack-mode disable, FortiClient cannot connect to the SSL VPN tunnel.
  • If FortiClient XML is set to <dual_stack>0</dual_stack> and FortiOS CLI has set dual-stack-mode enable or disable, FortiClient can connect to the SSL VPN tunnel, but IPv4 traffic can only go through the IPv4 tunnel, and IPv6 traffic can only go through the IPv6 tunnel.

Boolean value: [0 | 1]

<keep_running>

Ensures that the VPN tunnel remains connected if it is already connected. This is useful when there is a temporary network disconnection that causes the tunnel to drop the connection.

0

<password>

Given user's encrypted or non-encrypted password.

<certificate> elements

The XML sample provided above only shows XML configuration when using a username and password. See Sample XML using certificate authentication for example of XML configuration for certificate authentication.

<certificate><common_name> elements

Elements for common name of the certificate for VPN logon.

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard
  • regex: regular expressions

<pattern>

Enter the pattern to use for the type of matching.

<certificate><issuer> elements

Elements about the issuer of the certificate for VPN logon.

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard

<pattern>

Enter the pattern to use for the type of matching.

<allow_standard_user_use_system_cert>

When this setting is 1, non-administrator users can use local machine certificates to connect SSL VPN. When this setting is 0, non-administrator users cannot use machine certificates to connect SSL VPN.

Boolean value: [0 | 1]

0

<prompt_certificate>

Request a certificate during connection establishment.

Boolean value: [0 | 1]

0

<prompt_username>

Request a username.

Boolean value: [0 | 1]

1

<fgt>

Indicates whether FortiClient received a VPN configuration from FortiGate or EMS. When this setting is 1, FortiClient received a VPN configuration from FortiGate or EMS, and the user can view the VPN configuration when connected to FortiGate or EMS. If FortiClient is disconnected from FortiGate or EMS after connecting and receiving the VPN configuration, the user can view and delete the VPN configuration but cannot edit it.

When this setting is 0, FortiClient did not receive a VPN configuration from FortiGate or EMS, and the user can view or delete VPN configurations. It is not recommended to manually change the <fgt> setting.

Boolean value: [0 | 1]

<ui> elements

The FortiGate sets the elements of the <ui> XML tag by following an SSL VPN connection.

<show_remember_password>

Display the Save Password checkbox in the console.

Boolean value: [0 | 1]

<show_alwaysup>

Display the Always Up checkbox in the console.

Boolean value: [0 | 1]

<show_autoconnect>

Display the Auto Connect checkbox in the console.

Boolean value: [0 | 1]

<save_username>

Save and display the last username used for VPN connection.

Boolean value: [0 | 1]

<traffic_control> elements

<enabled>

To enable the feature, enter 1. To disable the feature, enter 0.

Boolean value: [0 | 1]

<mode>

Enter 2 so that network traffic for all defined applications and FQDNs do not go through the VPN tunnel. You must configure this value as 2 for the feature to function.

<app>

Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%,%programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces.

To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface.

In the example, for the GoToMeeting path, 18068 refers to the current installed version of the GoToMeeting application.

<enable_local_lan>

Enable access to local resources while an application-based split tunnel with an exclusion rule configured is up. If this option is disabled, access to local resources may be denied when an application-based split tunnel with an exclusion rule configured is up.

Boolean value: [0 | 1]

1

<fqdn>

Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection.

In the example, youtube.com equals youtube.com and *.youtube.com.

After defining an FQDN, such as youtube.com in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel.

<tags> elements

<allowed>

Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel.

<prohibited>

Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel.

The VPN connection name is mandatory. If a connection of this type and this name exists, FortiClient overwrites its values with the new ones.

Sample XML using certificate authentication

<sslvpn>

...

<connections>

<connection>

...

<certificate>

<common_name>

<match_type>

<![CDATA[wildcard]]>

</match_type>

<pattern>

<![CDATA[*]]>

</pattern>

</common_name>

<issuer>

<match_type>

<![CDATA[simple]]>

</match_type>

<pattern>

<![CDATA[Certificate Authority]]>

</pattern>

</issuer>

</certificate>

...

</connection>

</connections>

...

<sslvpn>

This is a balanced but incomplete XML configuration fragment. It includes all closing tags, but omits some important elements to complete the configuration.

See the first XML sample in this topic for a more complete XML configuration example using a username and password for authentication.

The <on_connect> and <on_disconnect> tags both have very similar tag structure:

<on_connect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[

]]>

</script>

</script>

</script>

</on_connect>

<on_disconnect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[

]]>

</script>

</script>

</script>

</on_disconnect>

The following table provides CDATA XML tags, the description, and the default value (where applicable):

XML tag

Description

Default value

<os>

The OS for which the script is written. Enter one of the following: [windows | MacOSX]

<script>

The MS DOS batch or macOS shell script to run.

<![CDATA[

]]>

Wraps the scripts in CDATA elements.

Write the MS DOS batch or macOS shell script inside the CDATA tag. Write one line per command like a regular batch script file. The script is executed in the context of the user that connected the tunnel.

Wherever you write #username# in your script, it is automatically substituted with the XAuth username of the user that connected the tunnel.

Wherever you write #password# in your script, it is automatically substituted with the XAuth password of the user that connected the tunnel.

Remember to check your XML file before deploying to ensure that carriage returns/line feeds are present.

The example scripts above show a script that mounts several network drives after an SSL connection is established. The drives are unmounted with the corresponding scripts in the <on_disconnect> XML tag.

The <on_connect> and <on_disconnect> scripts are optional.