VPN options
The VPN <options> XML tag contains global information controlling VPN states:
<forticlient_configuration>
  <vpn>
    <options>
      <current_connection_name>ssldemo</current_connection_name>
      <current_connection_type>ssl</current_connection_type>
      <autoconnect_tunnel></autoconnect_tunnel>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <autoconnect_only_when_epc_state_determined>0</autoconnect_only_when_epc_state_determined>
      <autoconnect_on_install>1</autoconnect_on_install>
      <keep_running_max_tries>0</keep_running_max_tries>
      <secure_remote_access>0</secure_remote_access>
      <minimize_window_on_connect>1</minimize_window_on_connect>
      <allow_personal_vpns>1</allow_personal_vpns>
      <disable_connect_disconnect>0</disable_connect_disconnect>
      <on_os_start_connect>SSLVPN_Name</on_os_start_connect>
      <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
      <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
      <disable_dead_gateway_detection>0</disable_dead_gateway_detection>
      <vendor_id></vendor_id>
      <disable_internet_check>0</disable_internet_check>
      <suppress_vpn_notification>0</suppress_vpn_notification>
      <before_logon_saml_auth>1</before_logon_saml_auth>
      <after_logon_saml_auth>0</after_logon_saml_auth>
      <certs_require_keyspec>0</certs_require_keyspec>
      <vpn_before_logon_style>1</vpn_before_logon_style>
      <keep_running_delay>0</keep_running_delay>
      <failover_delay>0</failover_delay>
      <power_resume_autoconnect_delay>5</power_resume_autoconnect_delay>
      <user_login_autoconnect_delay>0</user_login_autoconnect_delay>
      <enable_multi_vpn>1</enable_multi_vpn>
      <enable_view_selected_vpns>0</enable_view_selected_vpns>
      <disconnect_password>1</disconnect_password>
      <refresh_btn>1</refresh_btn>
      <sase_location_selection>1</sase_location_selection>
      <enforce_disabling_smartdns>0</enforce_disabling_smartdns>
      <lockdown>
        <enabled>1</enabled>
        <grace_period>120</grace_period>
        <max_attempts>3</max_attempts>
        <exceptions>
          <apps>
            <app>C:\Program Files\Google\Chrome\Application\chrome.exe</app>
          </apps>
          <ips>
            <ip>172.17.81.15/32</ip>
          </ips>
          <icdb_domains>
            <name>adobe</name>
          </icdb_domains>
          <domains>
            <domain>google.com</domain>
          </domains>
        </exceptions>
        <detect_captive_portal>
          <enabled>1</enabled>
          <login_method>1</login_method>
          <os_active_probing>0</os_active_probing>
        </detect_captive_portal>
      </lockdown>
    </options>
  </vpn>
</forticlient_configuration>
The following table provides XML tags for VPN options, as well as the descriptions and default values where applicable:
| XML tag | Description | Default |
|---|---|---|
| <current_connection_name> | Enter the current connection name, if any. | |
| <current_connection_type> | Select the current connection's VPN type: [ipsec \| ssl] | |
| <autoconnect_tunnel> | Name of the configured IPsec or SSL VPN tunnel to automatically connect to when FortiClient starts. | |
| <autoconnect_only_when_offnet> | Autoconnect only when FortiClient is off-Fabric. Boolean value: [0 \| 1] | 0 |
| <autoconnect_only_when_epc_state_determined> | When FortiClient cannot determine the endpoint's on-/off-Fabric status, it does not autoconnect to VPN. If the autoconnect process was in progress, FortiClient halts the process and waits for the on-/off-Fabric status to be determined. This tag does not apply when the user manually attempts to connect to VPN via the GUI or FortiTray; it only applies to VPN autoconnect and related reconnection attempts. Boolean value: [0 \| 1] | |
| <autoconnect_on_install> | When enabled, the endpoint automatically connects to the VPN tunnel specified in <autoconnect_tunnel> after FortiClient receives an endpoint profile update. Boolean value: [0 \| 1] | |
| <keep_running_max_tries> | Maximum number of attempts to make when retrying a VPN connection that FortiClient lost due to network issues. If you disable this option, FortiClient retries the connection indefinitely. | 0 |
| <secure_remote_access> | When enabled, FortiClient allows or denies the endpoint from connecting to a VPN tunnel based on the tags applied to the endpoint and whether those tags are configured as <allowed> or <prohibited> in the specified VPN tunnel configuration. If configured, FortiClient displays a custom warning message to the end user. Boolean value: [0 \| 1] | |
| <minimize_window_on_connect> | If FortiClient is connected to one VPN tunnel, the FortiClient console minimizes after successfully establishing the tunnel connection. If FortiClient is connected to multiple concurrent VPN tunnels, the console does not automatically minimize, regardless of this setting. Boolean value: [0 \| 1] | 1 |
| <allow_personal_vpns> | Enable end users to create, modify, and use personal VPN configurations. When you disable this setting, FortiClient users cannot configure personal VPN connections; only provisioned VPN connections are available to the user. Boolean value: [0 \| 1] | 1 |
| <use_legacy_vpn_before_logon> | Use the old VPN before logon interface. Boolean value: [0 \| 1] | 1 |
| <disable_connect_disconnect> | Enable the Connect/Disconnect button when using Auto Connect with VPN. Boolean value: [0 \| 1] | 0 |
| <on_os_start_connect> | Enter the name of the VPN tunnel that FortiClient starts when the OS boots up. You must configure this tunnel with <machine> enabled, with its credentials provided in the XML configuration and stored in HKLM as opposed to HKCU. If using a certificate, the certificate must exist in the computer certificate store. If the stored tunnel credentials are incorrect, FortiClient prompts the user for credentials to establish the tunnel connection. This feature may not work for IPsec VPN tunnels using certificates when per-user autoconnect is configured. | |
| <on_os_start_connect_has_priority> | When you disable this setting, FortiClient connects to a per-user VPN tunnel after user logon. If FortiClient was previously connected to a VPN tunnel configured with the <machine> element, it disconnects from that tunnel to connect to the per-user tunnel. When this element is enabled, the tunnel configured with the <machine> element takes priority over any per-user tunnel configured, and the machine tunnel remains connected after user logon. Boolean value: [0 \| 1] | 0 |
| <show_vpn_before_logon> | Allow the user to select a VPN connection before logging into the system. Boolean value: [0 \| 1] | 0 |
| <use_windows_credentials> | Connect with the current username and password. You must enable <show_vpn_before_logon> before enabling <use_windows_credentials>. Boolean value: [0 \| 1] | 1 |
| <disable_dead_gateway_detection> | Notifies the Windows OS to disable dead gateway detection. You may enable this element if you observe that IPsec VPN sends packets using an IP address other than those in the IP address pool assigned by the IPsec VPN server. Boolean value: [0 \| 1] | |
| <vendor_id> | The default value is empty, signifying that FortiClient should use its hard-coded ID during IPsec VPN connection. | |
| <disable_internet_check> | When this setting is disabled, VPN autoconnect only starts if FortiClient can access the internet. When enabled, VPN autoconnect starts even if FortiClient cannot access the internet. Boolean value: [0 \| 1] | 0 |
| <suppress_vpn_notification> | Block FortiClient from displaying any VPN connection or error notifications. Boolean value: [0 \| 1] | 0 |
| <before_logon_saml_auth> | Depending on the SAML authentication use case, you may need to use a specific authentication framework. Configure the framework to use when connecting to VPN before logon: 1 - Electron (Chromium), recommended as it provides enhanced security and aligns with modern web standards; 2 - WebBrowser (Internet Explorer). Microsoft Edge WebView2 is unsupported. | 1 |
| <after_logon_saml_auth> | Depending on the SAML authentication use case, you may need to use a specific authentication framework. Configure the framework to use when connecting to VPN after logon: 0 - Microsoft Edge WebView2; 1 - Electron (Chromium); 2 - WebBrowser (Internet Explorer). If Microsoft Entra ID is used as an identity provider and the endpoint is Azure-joined or added to an Azure account, the VPN connection establishes seamlessly without prompting for Azure credentials, regardless of the Save Password configuration. Microsoft Edge WebView2 or Electron is recommended, as they provide enhanced security and align with modern web standards. | 0 |
| <certs_require_keyspec> | If this element is disabled, FortiClient includes all certificates that have a NULL key specification when prompting the user to select a certificate. If this element is enabled, FortiClient only lists certificates that include AT_KEYEXCHANGE/AT_SIGNATURE/CERT_NCRYPT_KEY_SPEC when prompting the user to select a certificate. The state of the key spec is only accessible by querying the certificate for its private key. If the certificate is on a smartcard or if the private key is password-protected, Windows requests a PIN or password. This can result in unwanted PIN or password prompts when the user opens the FortiClient GUI; for example, when viewing the Remote Access tab, potentially one prompt for each certificate on the smartcard. Boolean value: [0 \| 1] | 0 |
| <vpn_before_logon_style> | If this element is disabled, FortiClient displays the VPN tunnel list below the Windows username and password fields for VPN before logon. If this element is enabled, FortiClient displays the VPN tunnel list above the Windows username and password fields for VPN before logon. Boolean value: [0 \| 1] | 1 |
| <keep_running_delay> | Delay in seconds between a tunnel being detected as unexpectedly disconnected and the VPN controller attempting to reconnect the tunnel. | |
| <failover_delay> | Used when <failover_sslvpn_connection> is defined in an IPsec VPN tunnel. Delay in seconds between failing to connect the IPsec VPN tunnel and attempting to connect the failover SSL VPN connection tunnel. | |
| <power_resume_autoconnect_delay> | Requires an autoconnect tunnel to be defined (user or machine). Delay in seconds between the OS signaling power resume, such as waking up, and the VPN controller attempting to connect the autoconnect tunnel. | |
| <user_login_autoconnect_delay> | Requires an autoconnect tunnel to be defined (per-user autoconnect, not machine autoconnect). Delay in seconds between the OS signaling that a user has logged into the OS and the VPN controller attempting to connect the user's autoconnect tunnel. | |
| <enable_multi_vpn> | Enable FortiClient to connect to multiple tunnels concurrently. This feature is in beta and only supports IPsec VPN IKEv2 tunnels. Boolean value: [0 \| 1] | 0 |
| <enable_view_selected_vpns> | Enable FortiClient to display pinned tunnels by default. If disabled, the FortiClient GUI displays all configured VPN tunnels. The user can select View > Selected VPNs to only display pinned tunnels. FortiClient remembers this setting and only shows pinned tunnels for that user when they open the FortiClient console in the future. FortiClient respects the local setting over the EMS setting in this case. Boolean value: [0 \| 1] | 0 |
| <disconnect_password> | Configure the password for users to disconnect FortiClient from FortiOS. The password is encrypted using the PBKDF2 method. The default is no password. When a disconnect password is set, the Disconnect option remains visible to end users using autoconnect VPN even if <disable_connect_disconnect> is set to 1. | |
| <enforce_disabling_smartdns> | This element changes the status of the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DisableSmartNameResolution, or in a group policy, Computer Configuration > Administrative Templates > Network > DNS Client > Turn off smart multi-homed name resolution. When using IPsec or SSL VPN split DNS, enabling this element may prevent the client from sending simultaneous DNS queries on multiple network interfaces. However, in cases where DNS queries via the FortiClient VPN virtual network interface are slow or fail, Windows may still attempt to resolve DNS queries through the physical network adapter. If you want to route DNS queries primarily through the FortiClient VPN interface, enabling the element helps ensure that queries are typically restricted to a single interface, though this behavior cannot be fully guaranteed. Boolean value: [0 \| 1] | 0 |

<lockdown> elements

| XML tag | Description | Default |
|---|---|---|
| <enabled> | Configure network lockdown for off-Fabric endpoints when they are not connected to VPN. When network lockdown is configured and an endpoint goes off-Fabric, a grace period that the EMS administrator configured comes into effect. During the grace period, the endpoint can continue to access the LAN and the internet without restrictions. If the endpoint does not connect to VPN by the end of the grace period, it cannot access the LAN or the internet. It can still access the IP addresses and applications that the EMS administrator has configured as exceptions, and it can still connect to VPN to regain internet access. For a full tunnel VPN, the LAN is only accessible if exclusive routing is disabled. The administrator configures a limited number of attempts for the end user to enter valid VPN credentials; once the user reaches the limit, the endpoint is in network lockdown. Boolean value: [0 \| 1] | |
| <grace_period> | Configure a grace period in seconds during which an off-Fabric endpoint that is not connected to VPN can continue to access the LAN and the internet without restrictions. Enter a value between 20 and 3600. | 120 |
| <max_attempts> | Configure the maximum number of attempts for the end user of an off-Fabric endpoint to enter valid VPN credentials. | 3 |

<lockdown><exceptions> elements

| XML tag | Description | Default |
|---|---|---|
| <apps><app> | Enter the path to an application that an off-Fabric endpoint that is not connected to VPN can still access. | |
| <ips><ip> | Enter IP addresses that an off-Fabric endpoint that is not connected to VPN can still access. This element supports entering an IP address or subnet. You can specify a port or port range to access the IP address or subnet on. TCP, UDP, and ICMP are supported. | |
| <icdb_domains><name> | Enter a SaaS application name that an off-Fabric endpoint that is not connected to VPN can still access. | |
| <domains><domain> | Enter domains or fully qualified domain names that an off-Fabric endpoint that is not connected to VPN can still access. | |

<lockdown><detect_captive_portal> elements

| XML tag | Description | Default |
|---|---|---|
| <enabled> | Enable captive portal detection. Boolean value: [0 \| 1] | |
| <login_method> | Specify the method used to handle captive portal login. This element only supports the FortiClient embedded browser. Boolean value: [0 \| 1] | |
| <os_active_probing> | Enable or disable active probing by the operating system. Active probing involves sending network requests to determine if a captive portal is present. Boolean value: [0 \| 1] | |
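As an added example (not Fortinet code), the following Python script reads a FortiClient configuration and checks a profile against several of the constraints stated in the table above before it is pushed to endpoints: the XML parser rejects a close tag that does not match its open tag (such as </domain> closing <domains>), <use_windows_credentials> is flagged when <show_vpn_before_logon> is not enabled, a lockdown <grace_period> outside 20 to 3600 seconds is flagged, the WebBrowser (Internet Explorer) SAML framework is flagged in favour of the recommended ones, and every lockdown exception is listed because each one stays reachable while the endpoint is locked down. The sample profile, the rule set and the severity labels are constructed for this example; only the standard library is used.

```python
# Added example: lint a FortiClient <vpn><options> block against the documented constraints.
import xml.etree.ElementTree as ET

# Constructed sample profile (hypothetical values chosen so the checks have something to report).
SAMPLE_XML = r"""<forticlient_configuration>
  <vpn>
    <options>
      <current_connection_type>ssl</current_connection_type>
      <autoconnect_tunnel></autoconnect_tunnel>
      <autoconnect_on_install>1</autoconnect_on_install>
      <allow_personal_vpns>1</allow_personal_vpns>
      <show_vpn_before_logon>0</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
      <before_logon_saml_auth>2</before_logon_saml_auth>
      <lockdown>
        <enabled>1</enabled>
        <grace_period>10</grace_period>
        <max_attempts>3</max_attempts>
        <exceptions>
          <apps><app>C:\Program Files\Google\Chrome\Application\chrome.exe</app></apps>
          <ips><ip>172.17.81.15/32</ip></ips>
          <domains><domain>google.com</domain></domains>
        </exceptions>
      </lockdown>
    </options>
  </vpn>
</forticlient_configuration>
"""


def is_well_formed(xml_text):
    """True if the document parses; a mismatched close tag raises ParseError."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_options(xml_text):
    """Return the <vpn><options> element of a FortiClient configuration."""
    options = ET.fromstring(xml_text).find("./vpn/options")
    if options is None:
        raise ValueError("no <vpn><options> element found")
    return options


def text(node, path, default=""):
    """Trimmed text of a child element, or default when the element is absent."""
    child = node.find(path)
    return default if child is None else (child.text or "").strip()


def flag(node, path):
    """Boolean element: '1' means enabled; an absent element counts as 0."""
    return text(node, path, "0") == "1"


def lint_options(options):
    """Return (severity, tag, message) tuples for settings an administrator should review."""
    findings = []
    conn_type = text(options, "current_connection_type")
    if conn_type and conn_type not in ("ipsec", "ssl"):
        findings.append(("error", "current_connection_type", f"{conn_type!r} is not ipsec or ssl"))
    # autoconnect_on_install connects to the tunnel named in <autoconnect_tunnel>.
    if flag(options, "autoconnect_on_install") and not text(options, "autoconnect_tunnel"):
        findings.append(("warning", "autoconnect_on_install", "enabled, but <autoconnect_tunnel> is empty"))
    # The table states that show_vpn_before_logon must be enabled first.
    if flag(options, "use_windows_credentials") and not flag(options, "show_vpn_before_logon"):
        findings.append(("error", "use_windows_credentials", "requires <show_vpn_before_logon> set to 1"))
    # Value 2 selects the WebBrowser (Internet Explorer) framework in both SAML settings.
    if text(options, "before_logon_saml_auth") == "2":
        findings.append(("warning", "before_logon_saml_auth", "Internet Explorer selected; Electron (1) is recommended"))
    if text(options, "after_logon_saml_auth") == "2":
        findings.append(("warning", "after_logon_saml_auth", "Internet Explorer selected; WebView2 (0) or Electron (1) is recommended"))
    if flag(options, "allow_personal_vpns"):
        findings.append(("info", "allow_personal_vpns", "end users can create and use personal VPN configurations"))
    lockdown = options.find("lockdown")
    if lockdown is not None and flag(lockdown, "enabled"):
        grace = text(lockdown, "grace_period", "120")
        if not grace.isdigit() or not 20 <= int(grace) <= 3600:
            findings.append(("error", "grace_period", f"{grace!r} is outside the documented range 20-3600 seconds"))
        attempts = text(lockdown, "max_attempts", "3")
        if not attempts.isdigit() or int(attempts) < 1:
            findings.append(("error", "max_attempts", f"{attempts!r} is not a positive integer"))
        # Every exception stays reachable during lockdown, so list each one for review.
        exceptions = lockdown.find("exceptions")
        for group in ([] if exceptions is None else list(exceptions)):
            for entry in group:
                findings.append(("info", f"exceptions/{group.tag}/{entry.tag}", (entry.text or "").strip()))
    return findings


if __name__ == "__main__":
    for severity, tag, message in lint_options(load_options(SAMPLE_XML)):
        print(f"{severity:8} {tag}: {message}")
```

Run against a real profile, replace SAMPLE_XML with the file contents; the rule functions read only the elements named on this page, so tags the script does not know about are ignored rather than misreported.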