
VPN options

The VPN <options> XML tag contains global information controlling VPN states:

<forticlient_configuration>
  <vpn>
    <options>
      <current_connection_name>ssldemo</current_connection_name>
      <current_connection_type>ssl</current_connection_type>
      <autoconnect_tunnel></autoconnect_tunnel>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <autoconnect_on_install>1</autoconnect_on_install>
      <keep_running_max_tries>0</keep_running_max_tries>
      <secure_remote_access>0</secure_remote_access>
      <minimize_window_on_connect>1</minimize_window_on_connect>
      <allow_personal_vpns>1</allow_personal_vpns>
      <disable_connect_disconnect>0</disable_connect_disconnect>
      <on_os_start_connect>SSLVPN_Name</on_os_start_connect>
      <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
      <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
      <show_negotiation_wnd>0</show_negotiation_wnd>
      <disable_dead_gateway_detection>0</disable_dead_gateway_detection>
      <vendor_id></vendor_id>
      <disable_internet_check>0</disable_internet_check>
      <suppress_vpn_notification>0</suppress_vpn_notification>
      <certs_require_keyspec>0</certs_require_keyspec>
      <lockdown>
        <enabled>1</enabled>
        <grace_period>120</grace_period>
        <max_attempts>3</max_attempts>
        <exceptions>
          <apps>
            <app>C:\Program Files\Google\Chrome\Application\chrome.exe</app>
          </apps>
          <ips>
            <ip>172.17.81.15/32</ip>
          </ips>
        </exceptions>
      </lockdown>
    </options>
  </vpn>
</forticlient_configuration>
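Several of the options described on this page depend on each other (for example, <use_windows_credentials> and <on_os_start_connect> both require <show_vpn_before_logon> to be 1), and a profile that violates those dependencies fails silently at logon time rather than at deployment time. The following linter is an added example, not FortiClient or EMS code: it parses an abridged, constructed copy of the sample above and reports every stated dependency it can check. Two of its rules are assumptions rather than statements from this page: that an empty <autoconnect_tunnel> makes <autoconnect_on_install> ineffective, and that a lockdown <ip> exception must be a host address or CIDR block.

```python
"""Lint a FortiClient <vpn><options> block against the dependencies described
on this page.  Added example, not FortiClient or EMS code.  Rules taken from
the option descriptions: boolean tags are 0|1, <current_connection_type> is
ipsec|ssl, <use_windows_credentials> and <on_os_start_connect> both need
<show_vpn_before_logon> set to 1.  Two rules are assumptions: an empty
<autoconnect_tunnel> makes <autoconnect_on_install> ineffective, and lockdown
<ip> exceptions hold a host address or CIDR block."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: an abridged copy of the <options> block shown above.
SAMPLE_XML = """<forticlient_configuration>
  <vpn>
    <options>
      <current_connection_name>ssldemo</current_connection_name>
      <current_connection_type>ssl</current_connection_type>
      <autoconnect_tunnel></autoconnect_tunnel>
      <autoconnect_on_install>1</autoconnect_on_install>
      <keep_running_max_tries>0</keep_running_max_tries>
      <on_os_start_connect>SSLVPN_Name</on_os_start_connect>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
      <lockdown>
        <enabled>1</enabled>
        <grace_period>120</grace_period>
        <max_attempts>3</max_attempts>
        <exceptions>
          <ips><ip>172.17.81.15/32</ip></ips>
        </exceptions>
      </lockdown>
    </options>
  </vpn>
</forticlient_configuration>"""

BOOLEAN_TAGS = (
    "autoconnect_only_when_offnet", "autoconnect_on_install",
    "secure_remote_access", "minimize_window_on_connect",
    "allow_personal_vpns", "disable_connect_disconnect",
    "on_os_start_connect_has_priority", "show_vpn_before_logon",
    "use_windows_credentials", "use_legacy_vpn_before_logon",
    "show_negotiation_wnd", "disable_dead_gateway_detection",
    "disable_internet_check", "suppress_vpn_notification",
    "certs_require_keyspec", "lockdown/enabled",
)
INTEGER_TAGS = ("keep_running_max_tries", "lockdown/grace_period",
                "lockdown/max_attempts")


def _text(parent, path):
    """Trimmed text of a child element, or None when the element is absent."""
    node = parent.find(path)
    return None if node is None else (node.text or "").strip()


def check_vpn_options(xml_text):
    """Return a list of findings; an empty list means every rule passed."""
    opts = ET.fromstring(xml_text).find("vpn/options")
    if opts is None:
        return ["no <vpn><options> element found"]
    findings = []

    for path in BOOLEAN_TAGS:
        value = _text(opts, path)
        if value is not None and value not in ("0", "1"):
            findings.append(f"<{path.rsplit('/', 1)[-1]}> must be 0 or 1, got {value!r}")

    for path in INTEGER_TAGS:
        value = _text(opts, path)
        if value is not None and not value.isdigit():
            findings.append(f"<{path.rsplit('/', 1)[-1]}> must be a non-negative integer, got {value!r}")

    ctype = _text(opts, "current_connection_type")
    if ctype is not None and ctype not in ("ipsec", "ssl"):
        findings.append(f"<current_connection_type> must be ipsec or ssl, got {ctype!r}")

    # Dependencies stated on this page: both features require VPN before logon.
    before_logon = _text(opts, "show_vpn_before_logon") == "1"
    if _text(opts, "use_windows_credentials") == "1" and not before_logon:
        findings.append("<use_windows_credentials> is 1 but <show_vpn_before_logon> is not 1")
    if _text(opts, "on_os_start_connect") and not before_logon:
        findings.append("<on_os_start_connect> is set but <show_vpn_before_logon> is not 1")

    # Assumption: autoconnect on install needs a tunnel name to connect to.
    if _text(opts, "autoconnect_on_install") == "1" and not _text(opts, "autoconnect_tunnel"):
        findings.append("<autoconnect_on_install> is 1 but <autoconnect_tunnel> is empty or missing")

    # Assumption: each lockdown <ip> exception is a host address or CIDR block.
    for node in opts.findall("lockdown/exceptions/ips/ip"):
        value = (node.text or "").strip()
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"lockdown exception <ip> is not an address or CIDR block: {value!r}")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_options(SAMPLE_XML) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is that <autoconnect_on_install> is 1 while <autoconnect_tunnel> is empty, which matches the sample on this page. Flipping <show_vpn_before_logon> to 0 in the same profile produces two further findings, one for <use_windows_credentials> and one for <on_os_start_connect>, which is the kind of mismatch that otherwise only shows up as a failed pre-logon connection on the endpoint.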

The following table provides the XML tags for VPN options, as well as the descriptions and default values where applicable:

<current_connection_name>
    Enter the current connection name, if any.

<current_connection_type>
    Select the current connection's VPN type: [ipsec | ssl]

<autoconnect_tunnel>
    Name of the configured IPsec or SSL VPN tunnel to automatically connect to when FortiClient starts.

<autoconnect_only_when_offnet>
    Autoconnect only when FortiClient is off-fabric.
    Boolean value: [0 | 1]
    Default value: 0

<autoconnect_on_install>
    When enabled, the endpoint automatically connects to the VPN tunnel specified in <autoconnect_tunnel> after FortiClient receives an endpoint profile update.
    Boolean value: [0 | 1]

<keep_running_max_tries>
    The maximum number of attempts to make when retrying a VPN connection that was lost due to network issues. If this tag is set to 0, FortiClient retries indefinitely.
    Default value: 0

<secure_remote_access>
    When enabled, FortiClient allows or denies the endpoint's connection to a VPN tunnel based on the tags applied to the endpoint and whether those tags are configured as <allowed> or <prohibited> in that VPN tunnel's configuration. If configured, FortiClient displays a custom warning message to the end user.
    Boolean value: [0 | 1]

<minimize_window_on_connect>
    Minimize FortiClient after successfully establishing a VPN connection.
    Boolean value: [0 | 1]
    Default value: 1

<allow_personal_vpns>
    Enable end users to create, modify, and use personal VPN configurations.
    Boolean value: [0 | 1]
    When this setting is configured as 0, FortiClient users are not able to configure personal VPN connections. Only provisioned VPN connections are available to the user.
    Default value: 1

<use_legacy_vpn_before_logon>
    Use the old VPN before logon interface.
    Boolean value: [0 | 1]
    Default value: 1

<disable_connect_disconnect>
    Enable the Connect/Disconnect button when using Auto Connect with VPN.
    Boolean value: [0 | 1]
    Default value: 0

<on_os_start_connect>
    Enter the name of the VPN tunnel that FortiClient starts when the OS boots. This tunnel must be configured with <machine> set to 1, with its credentials provided in the XML configuration and stored in HKLM rather than HKCU. If using a certificate, the certificate must exist in the computer certificate store.
    If the stored tunnel credentials are incorrect, FortiClient prompts the user for credentials to establish the tunnel connection.
    For this feature to work, <show_vpn_before_logon> must be configured to 1.
    This feature may not work for IPsec VPN tunnels using certificates when per-user autoconnect is configured.
    Boolean value: [0 | 1]

<on_os_start_connect_has_priority>
    When this element is set to 0, FortiClient connects to a per-user VPN tunnel after user logon. If FortiClient was previously connected to a VPN tunnel configured with the <machine> element, it disconnects from that tunnel to connect to the per-user tunnel.
    When this element is set to 1, the tunnel configured with the <machine> element takes priority over any per-user tunnel configured. The machine tunnel remains connected after user logon.
    Boolean value: [0 | 1]
    Default value: 0

<show_vpn_before_logon>
    Allow the user to select a VPN connection before logging into the system.
    Boolean value: [0 | 1]
    Default value: 0

<use_windows_credentials>
    Connect with the current username and password.
    You must enable <show_vpn_before_logon> before enabling <use_windows_credentials>.
    Boolean value: [0 | 1]
    Default value: 1

<show_negotiation_wnd>
    Display information in FortiClient while establishing connections.
    Boolean value: [0 | 1]
    Default value: 0

<disable_dead_gateway_detection>
    Instructs Windows to disable dead gateway detection. You may set this element to 1 if you observe that FortiClient IPsec VPN sends packets using an IP address other than those in the IP address pool assigned by the IPsec VPN server.
    Boolean value: [0 | 1]

<vendor_id>
    The default value is empty, signifying that FortiClient uses its hard-coded ID during IPsec VPN connection.

<disable_internet_check>
    When this setting is configured as 0, VPN autoconnect only starts when the Internet is accessible. When enabled, VPN autoconnect starts even if FortiClient cannot access the Internet.
    Boolean value: [0 | 1]
    Default value: 0

<suppress_vpn_notification>
    Block FortiClient from displaying any VPN connection or error notifications.
    Default value: 0

<certs_require_keyspec>
    If this element is set to 0, FortiClient includes all certificates that have a NULL key specification when prompting the user to select a certificate.
    If this element is set to 1, FortiClient only lists certificates that include AT_KEYEXCHANGE/AT_SIGNATURE/CERT_NCRYPT_KEY_SPEC when prompting the user to select a certificate. The state of the key spec is only accessible by querying the certificate for its private key. If the certificate is on a smartcard or if the private key is password-protected, Windows requests a PIN/password. This can result in unwanted PIN/password prompts when the FortiClient GUI is opened. For example, it can result in PIN/password prompts when just viewing the Remote Access tab in the FortiClient GUI, potentially one prompt for each certificate on the smartcard.
    Boolean value: [0 | 1]
    Default value: 0

<lockdown> elements

<enabled>
    Configure network lockdown for off-fabric endpoints when they are not connected to SSL VPN.
    When network lockdown is configured and an endpoint goes off-fabric, a grace period configured by the EMS administrator comes into effect. During the grace period, the endpoint can continue to access the LAN and the Internet without restrictions. If the endpoint does not connect to SSL VPN by the end of the grace period, the endpoint cannot access the LAN or the Internet. It can still access the IP addresses and applications that the EMS administrator has configured as exceptions, and it can still connect to VPN to regain Internet access. For a full tunnel VPN, the LAN is only accessible if exclusive routing is disabled. The administrator configures a limited number of attempts for the end user to enter valid VPN credentials. Once the user reaches the limit, the endpoint is in network lockdown.

<grace_period>
    Configure a grace period in seconds during which an off-fabric endpoint that is not connected to SSL VPN can continue to access the LAN and the Internet without restrictions.
    Default value: 120

<max_attempts>
    Configure the maximum number of attempts for the end user of an off-fabric endpoint to enter valid SSL VPN credentials.
    Default value: 3

<lockdown><exceptions> elements

<apps><app>
    Enter the path to an application that an off-fabric endpoint that is not connected to SSL VPN can still use.

<ips><ip>
    Enter an IP address that an off-fabric endpoint that is not connected to SSL VPN can still reach.
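The lockdown description above combines three things: a grace period measured from the moment the endpoint goes off-fabric, a cap on failed credential attempts that triggers lockdown even inside the grace period, and app/IP exceptions that remain reachable once the endpoint is locked down. The following model is an added example, not FortiClient code: it walks the sample <lockdown> values from this page (120 seconds, 3 attempts, the Chrome path and 172.17.81.15/32) through a constructed timeline so the three rules can be seen interacting. The function names, the (allowed, reason) return shape, the case-insensitive path comparison and the test hosts are all assumptions; the real enforcement order inside FortiClient is not specified on this page.

```python
"""Model of the network lockdown behaviour described for the <lockdown>
element: an off-fabric endpoint that is not on SSL VPN keeps full access
during the grace period, then only the configured app and IP exceptions stay
reachable; exhausting the credential attempts also locks the endpoint down.
Added example, not FortiClient code.  The timeline is a simplification; the
function names, the (allowed, reason) return shape and the case-insensitive
app path comparison are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LockdownConfig:
    enabled: bool = True
    grace_period: int = 120                 # seconds, <grace_period>
    max_attempts: int = 3                   # <max_attempts>
    app_exceptions: Tuple[str, ...] = ()    # <exceptions><apps><app>
    ip_exceptions: Tuple[str, ...] = ()     # <exceptions><ips><ip>


@dataclass
class EndpointState:
    off_fabric_since: Optional[float] = None  # seconds; None = on-fabric
    vpn_connected: bool = False
    failed_attempts: int = 0


def is_locked_down(cfg: LockdownConfig, st: EndpointState, now: float) -> bool:
    """Lockdown applies off-fabric, without SSL VPN, once the grace period has
    expired or the user has used up the allowed credential attempts."""
    if not cfg.enabled or st.off_fabric_since is None or st.vpn_connected:
        return False
    grace_expired = now - st.off_fabric_since >= cfg.grace_period
    attempts_exhausted = st.failed_attempts >= cfg.max_attempts
    return grace_expired or attempts_exhausted


def allow_traffic(cfg, st, now, dst_ip, app_path=None):
    """Decide whether a flow from app_path to dst_ip is permitted; returns (allowed, reason)."""
    if not is_locked_down(cfg, st, now):
        return True, "not in lockdown"
    if app_path and any(app_path.lower() == a.lower() for a in cfg.app_exceptions):
        return True, "application exception"
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in cfg.ip_exceptions):
        return True, "IP exception"
    return False, "network lockdown"


def record_vpn_attempt(st: EndpointState, succeeded: bool) -> EndpointState:
    """A successful SSL VPN connection lifts lockdown; a failure consumes an attempt."""
    if succeeded:
        st.vpn_connected = True
        st.failed_attempts = 0
    else:
        st.failed_attempts += 1
    return st


def run_scenario():
    """Walk the sample <lockdown> values from this page through a timeline.
    Returns a dict of step label -> allowed (bool).  Destination hosts are
    constructed (documentation range 203.0.113.0/24)."""
    cfg = LockdownConfig(
        app_exceptions=(r"C:\Program Files\Google\Chrome\Application\chrome.exe",),
        ip_exceptions=("172.17.81.15/32",),
    )
    chrome = r"c:\program files\google\chrome\application\chrome.exe"
    st = EndpointState(off_fabric_since=0.0)  # went off-fabric at t=0
    steps = {}
    steps["t=30 grace, any host"] = allow_traffic(cfg, st, 30, "203.0.113.10")[0]
    steps["t=150 any host"] = allow_traffic(cfg, st, 150, "203.0.113.10")[0]
    steps["t=150 exception ip"] = allow_traffic(cfg, st, 150, "172.17.81.15")[0]
    steps["t=150 exception app"] = allow_traffic(cfg, st, 150, "203.0.113.10", chrome)[0]
    # A second endpoint burns all attempts while still inside the grace period.
    st2 = EndpointState(off_fabric_since=0.0)
    for _ in range(cfg.max_attempts):
        record_vpn_attempt(st2, succeeded=False)
    steps["t=60 attempts exhausted"] = allow_traffic(cfg, st2, 60, "203.0.113.10")[0]
    record_vpn_attempt(st2, succeeded=True)
    steps["t=60 after vpn connect"] = allow_traffic(cfg, st2, 60, "203.0.113.10")[0]
    return steps


if __name__ == "__main__":
    for label, allowed in run_scenario().items():
        print(f"{label:28s} {'allow' if allowed else 'block'}")
```

The scenario shows the two lockdown triggers separately: the first endpoint is locked out only after the 120 second grace period passes, while the second is locked out at t=60 because three failed credential attempts exhausted <max_attempts>, and in both cases only the configured exceptions (and a successful VPN connection) restore access.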
