<enabled>

Enable SSL VPN.

Boolean value: [0 | 1]

<dnscache_service_control>

FortiClient disables Windows OS DNS cache when FortiClient establishes an SSL VPN tunnel.

The DNS cache is restored after SSL VPN tunnel is disconnected. If you observe that FSSO clients do not function correctly when an SSL VPN tunnel is up, use <prefer_sslvpn_dns> to control the DNS cache.

<prefer_sslvpn_dns>

If disabled, the custom DNS server from SSL VPN is not added to the physical interface. If enabled, the custom DNS server from SSL VPN is prepended to the physical interface.

Boolean value: [0 | 1]

<use_gui_saml_auth>

This field controls how FortiClient presents SAML authentication in the GUI. Behavior differs based on whether you are using the FortiClient internal browser or an external browser, and whether the endpoint is joined to a Microsoft Entra ID domain or not.

The following table summarizes the behavior for scenarios when FortiClient has established a VPN connection, disconnects, and the user attempts to reconnect to the tunnel. In all scenarios, Save Password is disabled for the tunnel.

If both <use_webview2_saml_auth> and <use_gui_saml_auth> are enabled, FortiClient uses Electron for VPN tunnels where connection before logon is enabled and WebView2 for other tunnels.

FortiClient (macOS) does not support this element.

Boolean value: [0 | 1]

<use_legacy_ssl_adapter>

If disabled, FortiClient uses the new SSL driver. If enabled, FortiClient uses the legacy SSL driver.

Boolean value: [0 | 1]

<preferred_dtls_tunnel>

DTLS supported only by FortiClient (Windows).

When this setting is 0, FortiClient uses TLS, even if dtls-tunnel is enabled on the FortiGate.

When this setting is 1, FortiClient uses DTLS, if it is enabled on the FortiGate, and tunnel establishment is successful. If dtls-tunnel is disabled on the FortiGate, or tunnel establishment is not successful, FortiClient uses TLS. DTLS tunnel uses UDP instead of TCP and can increase throughput over VPN.

Boolean value: [0 | 1]

<block_ipv6>

When this setting is 0, FortiClient allows IPv6 connection.

When this setting is 1, FortiClient blocks IPv6 connection. FortiClient uses only IPv4 connectivity when the SSL VPN tunnel is up.

Boolean value: [0 | 1]

<no_dhcp_server_route>

When this setting is 0, FortiClient creates the DHCP public server route upon tunnel establishment.

When this setting is 1, FortiClient does not create the DHCP public server route upon tunnel establishment.

Boolean value: [0 | 1]

<no_dns_registration>

When this setting is 0, FortiClient registers the SSL VPN adapter's address in the Active Directory (AD) DNS server.

When this setting is 1, FortiClient does not register the SSL VPN adapter's address in the AD DNS server.

When this setting is 2, FortiClient registers only its own tunnel interface IP address in the AD DNS server.

<disallow_invalid_server_certificate>

When you disable this setting and an invalid server certificate is used, FortiClient displays a popup that allows the user to continue with the invalid certificate.

When you enable this setting and an invalid server certificate is used, FortiClient does not display a popup and stops the connection.

This setting checks the certificate used for SAML authentication that FortiOS, in the role of the SAML service provider, presents to FortiClient. On FortiOS, this certificate is configured under the following command:

config user setting
    set auth-cert "<certificate>"
end

Boolean value: [0 | 1]

<keep_connection_alive>

Retry restoring an active VPN session connection.

Boolean value: [0 | 1]

<show_auth_cert_only>

Suppress dialogs from displaying certificates that do not bear OID "1.3.6.1.5.5.7.3.2" (client authentication).

Boolean value: [0 | 1]

<negative_split_tunnel_metric>

Set route metric for certain subnet as needed.

For example, you may want to set negative split routes with a higher metric, so these routes can be deactivated when another VPN product is being used and sets the same routes as FortiClient negatives split routes but with a lower metric.

This configuration is not recommended for most use cases. This element only takes effect when you enable negative split tunnel.

<enforce_disabling_smartdns_for_splitdns>

This element changes the status of the following registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DisableSmartNameResolution or in a group policy, Computer Configuration > Administrative Templates > Network > DNS Client > Turn off smart multi-homed name resolution.

When using SSL VPN split DNS, if this element is enabled, it may prevent the client from sending simultaneous DNS queries on multiple network interfaces. However, in cases where DNS queries via the FortiClient VPN virtual network interface are slow or fail, Windows may still attempt to resolve DNS queries through the physical network adapter. If you want to route DNS queries primarily through the FortiClient VPN interface, enabling the element helps ensure that queries are typically restricted to a single interface, though this behavior cannot be fully guaranteed.

Boolean value: [0 | 1]

<dtls_mtu>

Maximum transmit unit (MTU) size for packets on SSL VPN tunnels when using DTLS. Set from a minimum of 576 to a maximum of 1500 bytes.

<name>

VPN connection name.

<description>

Optional description to identify the VPN connection.

<no_vnic_dns_server>

If enabled, FortiClient does not send DNS requests to the SSL VPN virtual adapter and only to the local adapters.

If disabled, FortiClient may send DNS requests to both the SSL VPN virtual and local adapters depending on other DNS configuration settings.

Boolean value: [0 | 1]

<server>

SSL server IP address or FQDN, along with the port number as applicable.

<username>

Encrypted or non-encrypted username on SSL server.

<single_user_mode>

Enable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged on the computer.

Boolean value: [0 | 1]

<disclaimer_msg>

Enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

<redundant_sort_method>

How FortiClient determines the order in which to try connection to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.

• When the value is 0, FortiClient tries the order explicitly defined in the <server> tag.
• When the value is 1, FortiClient determines the order by the ping response speed.
• When the value is 2, FortiClient determines the order by the TCP round trip time.

<sso_enabled>

Enable SAML SSO for the VPN tunnel. For this feature to function, the administrator must have configured the necessary options on the Service Provider and Identity Provider. See SAML support for SSL VPN.

<keep_fqdn_resolution_consistency>

Enable FortiClient to remember the IP address with which it contacts the FortiGate and reuse it throughout the connection phase. This feature helps support load balancing SSL VPN gateways with one FQDN. This feature is only available for FortiClient (Windows). See Load balancing SSL VPN gateways with one FQDN.

<use_external_browser>

Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection.

<warn_invalid_server_certificate>

Display a warning message if the server certificate is invalid. EMS automatically copies this setting to each SSL VPN tunnel.

Boolean value: [0 | 1]

<machine>

When this setting is 1, FortiClient can connect to the tunnel without user interaction. See <on_os_start_connect> in VPN options.

Boolean value: [0 | 1]

<dual_stack>

Enable or disable FortiClient to establish a dual stack SSL VPN tunnel to allow both IPv4 and IPv6 traffic to pass through. See Dual stack IPv4 and IPv6 support for SSL VPN.

The following summarizes what occurs when dual stack settings differ between FortiClient and FortiOS:

• If FortiClient XML is set to <dual_stack>1</dual_stack> and FortiOS CLI has set dual-stack-mode enable, the tunnel allows IPv4 and IPv6 traffic.
• If FortiClient XML is set to <dual_stack>1</dual_stack> and FortiOS CLI has set dual-stack-mode disable, FortiClient cannot connect to the SSL VPN tunnel.
• If FortiClient XML is set to <dual_stack>0</dual_stack> and FortiOS CLI has set dual-stack-mode enable or disable, FortiClient can connect to the SSL VPN tunnel, but IPv4 traffic can only go through the IPv4 tunnel, and IPv6 traffic can only go through the IPv6 tunnel.

In summary, for dual stack to function, you must enable the respective dual_stack settings for both FortiClient and FortiGate. In addition, the FortiGate firewall policy must allow both IPv4 and IPv6 traffic to go through VPN tunnel.

Only FortiClient (Windows) supports this feature.

Boolean value: [0 | 1]

<keep_running>

Ensures that the VPN tunnel remains connected if it is already connected. This is useful when there is a temporary network disconnection that causes the tunnel to drop the connection.

An EMS-pushed tunnel with <keep_running> enabled displays with Save Password and Always Up enabled and grayed out in the FortiClient GUI.

Boolean value: [0 | 1]

<resolve_to_ipv4_only>

If an FQDN is used for the VPN gateway that can be resolved to IPv4 and IPv6, but only IPv4 functions, FortiClient resolves the FQDN via the IPv4 address.

Boolean value: [0 | 1]

<pkcs11_lib>

Enter the name or path of a shared library on a Linux machine where FortiClient can find a smart card certificate to authenticate the connection. For example, you could enter /usr/lib/sample.so.

<traffic_keep_strategy>

Enable to run ipconfig /flushdns when the VPN tunnel connects. This may help resolve issues with accessing local services via DNS.

Boolean value: [0 | 1]

<ssl_vpn_method>

This option only applies for FortiClient (macOS).

Enable to use alternative OpenSSL code, which can be used when using DTLS fallback to TLS. Otherwise, FortiClient uses the default existing SSL VPN logic.

Boolean value: [0 | 1]

<fido_auth>

Enable to allow Yubikey (FIDO2) authentication for the FortiClient embedded browser for macOS.

Boolean value: [0 | 1]

<password>

Given user's encrypted or non-encrypted password.

<allow_standard_user_use_system_cert>

When you enable this setting, non-administrators can use local machine certificates to connect SSL VPN. When you disable this setting, non-administrators cannot use machine certificates to connect SSL VPN.

Boolean value: [0 | 1]

<prompt_certificate>

Request a certificate during connection establishment.

Boolean value: [0 | 1]

<prompt_username>

Request a username during connection establishment.

Boolean value: [0 | 1]

<fgt>

Indicates whether FortiClient received a VPN configuration from FortiGate or EMS. When this setting is 1, FortiClient received a VPN configuration from FortiGate or EMS, and the user can view the VPN configuration when connected to FortiGate or EMS. If FortiClient is disconnected from FortiGate or EMS after connecting and receiving the VPN configuration, the user can view and delete the VPN configuration but cannot edit it.

When this setting is 0, FortiClient did not receive a VPN configuration from FortiGate or EMS, and the user can view or delete VPN configurations. It is not recommended to manually change the <fgt> setting.

Boolean value: [0 | 1]

<match_type>

Enter the type of matching to use:

• simple: exact match
• wildcard: wildcard
• regex: regular expressions

<pattern>

Enter the pattern to use for the type of matching.

<match_type>

Enter the type of matching to use:

• simple: exact match
• wildcard: wildcard

<pattern>

Enter the pattern to use for the type of matching.

<match_type>

Enter the type of matching to use. Choose from:

• simple: exact match
• wildcard: wildcard
• regex: regular expressions

<pattern>

Enter the pattern to use for the type of matching.

<show_remember_password>

Display the Save Password checkbox in the console.

Boolean value: [0 | 1]

<show_alwaysup>

Display the Always Up checkbox in the console.

Boolean value: [0 | 1]

<show_autoconnect>

Display the Auto Connect checkbox in the console.

Boolean value: [0 | 1]

<save_username>

Save and display the last username used for VPN connection.

Boolean value: [0 | 1]

<save_password>

When enabled, Save Password is enabled for the VPN tunnel in the FortiClient GUI.

An EMS-pushed tunnel with <save_password> enabled displays with Save Password enabled and grayed out in the FortiClient GUI.

Boolean value: [0 | 1]

<enabled>

To enable the feature, enter 1. To disable the feature, enter 0.

Boolean value: [0 | 1]

<mode>

Enter 2 so that network traffic for all defined applications and FQDNs do not go through the VPN tunnel. You must configure this value as 2 for the feature to function.

<app>

Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%,%programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces.

To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface.

In the example, for the GoToMeeting path, 18068 refers to the current installed version of the GoToMeeting application.

<enable_local_lan>

Enable access to local resources while an application-based split tunnel with an exclusion rule configured is up. If this option is disabled, access to local resources may be denied when an application-based split tunnel with an exclusion rule configured is up.

Boolean value: [0 | 1]

<fqdn>

Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection.

In the example, youtube.com equals youtube.com and *.youtube.com.

After defining an FQDN, such as youtube.com in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel.

<tags> elements

<allowed>

Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel.

<prohibited>

Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel.

<enabled>

Enable Azure auto login. When the user logs in to the endpoint using an Azure Active Directory (AD) account, FortiClient silently automatically connects to the VPN tunnel configured in <vpn><options><autoconnect_tunnel>. <sso_enabled> must be enabled for this feature to function correctly.

See the EMS Administration Guide for details on configuring this feature.

Boolean value: [0 | 1]

<tenant_name>

Enter the Azure domain name as obtained from the Azure portal.

<client_id>

Enter the FortiClient application ID as obtained from the Azure portal.

<vpn_before_logon><username_format>

Configure the required username format for the VPN before logon connection to successfully authenticate. This configuration takes effect if the user selects their username from the left panel when logging into Windows instead of typing in their name. Configure one of the following:

• username
• upn or user principal name. Configure this if the username must be in the format username@domain, such as rpark@fortinet.com.
• dlln or down-level logon name. Configure this if the username must be in the format domain\username, such as fortinet.com/rpark.

<os>

OS for which the script is written. Enter one of the following: [windows | MacOSX]

<script>

MS DOS batch or macOS shell script to run.

<![CDATA[

]]>

Wraps the scripts in CDATA elements.