CLI Reference

vpn ssl web portal

Use this command to configure the SSL VPN portal service, allowing you to access network resources through a secure channel using a web browser. Administrators can configure login privileges for users and define which network resources are available to the users, including HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.

The portal configuration determines what the user sees when they log in to the FortiGate. Both the administrator and the user have the ability to customize the SSL VPN portal.

There are three pre-defined default web portal configurations available:

  • full-access: Includes all widgets available to the user – Session Information, Connection Tool, Bookmarks, and Tunnel Mode.
  • tunnel-access: Includes Session Information and Tunnel Mode widgets.
  • web-access: Includes Session Information and Bookmarks widgets.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command:

    config bookmarks
        edit <name>
            set apptype rdp
            set server-layout {en-gb-qwerty | es-es-qwerty | fr-ch-qwertz | ja-jp-qwerty | pt-br-qwerty | tr-tr-qwerty}
            set preconnection-id <integer>
            set preconnection-blob <string>
            set load-balancing-info <string>

Description:

New RDP application settings.

New server keyboard layouts include en-gb-qwerty (UK English), es-es-qwerty (Spanish), fr-ch-qwertz (Swiss French, qwertz), ja-jp-qwerty (Japanese), pt-br-qwerty (Portuguese/Brazilian), tr-tr-qwerty (Turkish).

preconnection-id is the numeric ID of the RDP source (0-2147483648).

preconnection-blob is an arbitrary string that identifies the RDP source.

load-balancing-info is the load balancing information or cookie that should be provided to the connection broker.
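As an added example, not taken from the reference itself, the following web-mode portal carries one RDP bookmark that uses the 6.0.2 settings described above. The portal name, the bookmark group and bookmark names, the host address and the connection-broker cookie value are assumed values for illustration; the setting choices (security nla, sso disable, hide-sso-credential enable, user bookmarks disabled) are the ones a defender picks so that the RDP session authenticates before a desktop is exposed and no SSO secret is delivered to the browser.

```fortios
config vpn ssl web portal
    edit "rdp-web-portal"                     # assumed portal name
        set web-mode enable
        set display-bookmark enable
        set user-bookmark disable             # users may not add their own targets
        set user-group-bookmark disable
        set hide-sso-credential enable        # never ship SSO credentials to the client
        config bookmark-group
            edit "broker-hosts"               # assumed bookmark group name
                config bookmarks
                    edit "rds-collection-1"   # assumed bookmark name
                        set apptype rdp
                        set host "10.0.10.25"                 # constructed broker/host address
                        set port 3389
                        set security nla                      # Network Level Authentication before session setup
                        set server-layout en-gb-qwerty        # one of the 6.0.2 layouts
                        set preconnection-id 1001             # constructed RDP source ID (0-2147483648)
                        set preconnection-blob "rds-farm-1"   # constructed RDP source identifier
                        set load-balancing-info "rds-farm-1"  # constructed cookie; use the value your broker expects
                        set sso disable                       # user authenticates to RDP explicitly
                        set description "RDS collection via connection broker"
                    next
                end
            next
        end
    next
end
```

The bookmark is reachable only from this portal, so the portal must still be mapped to the user group in `config vpn ssl settings` and allowed by a firewall policy; `show vpn ssl web portal rdp-web-portal` lists the non-default values for review.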

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command:

    set hide-sso-credential {enable | disable}

Description:

Enable to prevent SSO credentials being sent in a JavaScript file to the client.

Command:

    set smbv1 {enable | disable}

Description:

Enable or disable (by default) support of SMBv1 for Samba.

Note that this command is only available for high-end FortiGate models.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command:

    set hide-sso-credential {enable | disable}

Description:

Enable to prevent SSO credentials being sent in a JavaScript file to the client.

Command:

    set smbv1 {enable | disable}

Description:

Enable or disable (by default) support of SMBv1 for Samba.

Note that this command is only available for high-end FortiGate models.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command:

    config split-dns
        edit <name>
            set domains "abc.com, cde.com"
            set dns-server1 <dns-server-ip>
            set dns-server2 <dns-server-ip>
            set ipv6-dns-server1 <dns-server-ip>
            set ipv6-dns-server2 <dns-server-ip>
        next
    ...

Description:

New DNS split tunneling option for SSL VPN portals, allowing you to specify which domains are resolved by the DNS server specified by the VPN, while all other domains are resolved by the DNS specified locally.

Command:

    config os-check-list
        edit {macos-high-sierra-10.13 | macos-sierra-10.12 | os-x-el-capitan-10.11 | os-x-mavericks-10.9 | os-x-yosemite-10.10}
            set action {deny | allow | check-up-to-date}
            set tolerance <value>
            set latest-patch-level <value>
        next
    ...

Description:

New Mac OS host check function for SSL VPN.

Note that config os-check-list is only available when os-check is set to enable.

Also, the tolerance and latest-patch-level entries are only available when action is set to check-up-to-date.

config vpn ssl web portal
    edit {name}
    # Portal.
        set name {string}   Portal name. size[35]
        set tunnel-mode {enable | disable}   Enable/disable IPv4 SSL-VPN tunnel mode.
        set ip-mode {range | user-group}   Method by which users of this SSL-VPN tunnel obtain IP addresses.
                range       Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.
                user-group  Use the IP addresses associated with individual users or user groups (usually from external auth servers).
        set auto-connect {enable | disable}   Enable/disable automatic connect by client when system is up.
        set keep-alive {enable | disable}   Enable/disable automatic reconnect for FortiClient connections.
        set save-password {enable | disable}   Enable/disable FortiClient saving the user's password.
        config ip-pools
            edit {name}
            # IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set exclusive-routing {enable | disable}   Enable/disable all traffic go through tunnel only.
        set service-restriction {enable | disable}   Enable/disable tunnel service restriction.
        set split-tunneling {enable | disable}   Enable/disable IPv4 split tunneling.
        config split-tunneling-routing-address
            edit {name}
            # IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set dns-server1 {ipv4 address}   IPv4 DNS server 1.
        set dns-server2 {ipv4 address}   IPv4 DNS server 2.
        set dns-suffix {string}   DNS suffix. size[253]
        set wins-server1 {ipv4 address}   IPv4 WINS server 1.
        set wins-server2 {ipv4 address}   IPv4 WINS server 2.
        set ipv6-tunnel-mode {enable | disable}   Enable/disable IPv6 SSL-VPN tunnel mode.
        config ipv6-pools
            edit {name}
            # IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set ipv6-exclusive-routing {enable | disable}   Enable/disable all IPv6 traffic go through tunnel only.
        set ipv6-service-restriction {enable | disable}   Enable/disable IPv6 tunnel service restriction.
        set ipv6-split-tunneling {enable | disable}   Enable/disable IPv6 split tunneling.
        config ipv6-split-tunneling-routing-address
            edit {name}
            # IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
        set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
        set ipv6-wins-server1 {ipv6 address}   IPv6 WINS server 1.
        set ipv6-wins-server2 {ipv6 address}   IPv6 WINS server 2.
        set web-mode {enable | disable}   Enable/disable SSL VPN web mode.
        set display-bookmark {enable | disable}   Enable to display the web portal bookmark widget.
        set user-bookmark {enable | disable}   Enable to allow web portal users to create their own bookmarks.
        set allow-user-access {option}   Allow user access to SSL-VPN applications.
                web          HTTP/HTTPS access.
                ftp          FTP access.
                smb          SMB/CIFS access.
                telnet       TELNET access.
                ssh          SSH access.
                vnc          VNC access.
                rdp          RDP access.
                ping         PING access.
                citrix       CITRIX access.
                portforward  Port Forward access.
        set user-group-bookmark {enable | disable}   Enable to allow web portal users to create bookmarks for all users in the same user group.
        config bookmark-group
            edit {name}
            # Portal bookmark group.
                set name {string}   Bookmark group name. size[35]
                config bookmarks
                    edit {name}
                    # Bookmark table.
                        set name {string}   Bookmark name. size[35]
                        set apptype {option}   Application type.
                                citrix       Citrix.
                                ftp          FTP.
                                portforward  Port Forward.
                                rdp          RDP.
                                smb          SMB/CIFS.
                                ssh          SSH.
                                telnet       Telnet.
                                vnc          VNC.
                                web          HTTP/HTTPS.
                        set url {string}   URL parameter. size[128]
                        set host {string}   Host name/IP parameter. size[128]
                        set folder {string}   Network shared file folder parameter. size[128]
                        set additional-params {string}   Additional parameters. size[128]
                        set listening-port {integer}   Listening port (0 - 65535). range[0-65535]
                        set remote-port {integer}   Remote port (0 - 65535). range[0-65535]
                        set show-status-window {enable | disable}   Enable/disable showing of status window.
                        set description {string}   Description. size[128]
                        set server-layout {option}   Server side keyboard layout.
                                de-de-qwertz  German (qwertz).
                                en-gb-qwerty  English (UK).
                                en-us-qwerty  English (US).
                                es-es-qwerty  Spanish.
                                fr-fr-azerty  French (azerty).
                                fr-ch-qwertz  Swiss French (qwertz).
                                it-it-qwerty  Italian.
                                ja-jp-qwerty  Japanese.
                                pt-br-qwerty  Portuguese/Brazilian.
                                sv-se-qwerty  Swedish.
                                tr-tr-qwerty  Turkish.
                                failsafe      Unknown keyboard.
                        set security {rdp | nla | tls | any}   Security mode for RDP connection.
                                rdp  Standard RDP encryption.
                                nla  Network Level Authentication.
                                tls  TLS encryption.
                                any  Allow the server to choose the type of security.
                        set preconnection-id {integer}   The numeric ID of the RDP source (0-2147483648). range[0-2147483648]
                        set preconnection-blob {string}   An arbitrary string which identifies the RDP source. size[511]
                        set load-balancing-info {string}   The load balancing information or cookie which should be provided to the connection broker. size[511]
                        set port {integer}   Remote port. range[0-65535]
                        set logon-user {string}   Logon user. size[35]
                        set logon-password {password_string}   Logon password. size[128]
                        set sso {disable | static | auto}   Single Sign-On.
                                disable  Disable SSO.
                                static   Static SSO.
                                auto     Auto SSO.
                        config form-data
                            edit {name}
                            # Form data.
                                set name {string}   Name. size[35]
                                set value {string}   Value. size[63]
                            next
                        set sso-credential {sslvpn-login | alternative}   Single sign-on credentials.
                                sslvpn-login  SSL-VPN login.
                                alternative   Alternative.
                        set sso-username {string}   SSO user name. size[35]
                        set sso-password {password_string}   SSO password. size[128]
                        set sso-credential-sent-once {enable | disable}   Single sign-on credentials are only sent once to remote server.
                    next
            next
        set display-connection-tools {enable | disable}   Enable to display the web portal connection tools widget.
        set display-history {enable | disable}   Enable to display the web portal user login history widget.
        set display-status {enable | disable}   Enable to display the web portal status widget.
        set heading {string}   Web portal heading message. size[31]
        set redir-url {string}   Client login redirect URL. size[255]
        set theme {option}   Web portal color scheme.
                blue       Light blue theme.
                green      Green theme.
                red        Red theme.
                melongene  Melongene theme (eggplant color).
                mariner    Mariner theme (dark blue color).
        set custom-lang {string}   Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files. size[35] - datasource(s): system.custom-language.name
        set smb-ntlmv1-auth {enable | disable}   Enable support of NTLMv1 for Samba authentication.
        set smbv1 {enable | disable}   Enable/disable support of SMBv1 for Samba.
        set host-check {option}   Type of host checking performed on endpoints.
                none    No host checking.
                av      AntiVirus software recognized by the Windows Security Center.
                fw      Firewall software recognized by the Windows Security Center.
                av-fw   AntiVirus and firewall software recognized by the Windows Security Center.
                custom  Custom.
        set host-check-interval {integer}   Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects. range[120-259200]
        config host-check-policy
            edit {name}
            # One or more policies to require the endpoint to have specific security software.
                set name {string}   Host check software list name. size[64] - datasource(s): vpn.ssl.web.host-check-software.name
            next
        set limit-user-logins {enable | disable}   Enable to limit each user to one SSL-VPN session at a time.
        set mac-addr-check {enable | disable}   Enable/disable MAC address host checking.
        set mac-addr-action {allow | deny}   Client MAC address action.
                allow  Allow connection when client MAC address is matched.
                deny   Deny connection when client MAC address is matched.
        config mac-addr-check-rule
            edit {name}
            # Client MAC address check rule.
                set name {string}   Client MAC address check rule name. size[35]
                set mac-addr-mask {integer}   Client MAC address mask. range[1-48]
                config mac-addr-list
                    edit {addr}
                    # Client MAC address list.
                        set addr {mac address}   Client MAC address.
                    next
            next
        set os-check {enable | disable}   Enable to let the FortiGate decide action based on client OS.
        config os-check-list
            edit {name}
            # SSL VPN OS checks.
                set name {string}   Name. size[35]
                set action {deny | allow | check-up-to-date}   OS check options.
                        deny              Deny all OS versions.
                        allow             Allow any OS version.
                        check-up-to-date  Verify OS is up-to-date.
                set tolerance {integer}   OS patch level tolerance. range[0-255]
                set latest-patch-level {string}   Latest OS patch level.
            next
        set forticlient-download {enable | disable}   Enable/disable download option for FortiClient.
        set forticlient-download-method {direct | ssl-vpn}   FortiClient download method.
                direct   Download via direct link.
                ssl-vpn  Download via SSL-VPN.
        set customize-forticlient-download-url {enable | disable}   Enable support of customized download URL for FortiClient.
        set windows-forticlient-download-url {string}   Download URL for Windows FortiClient. size[1023]
        set macos-forticlient-download-url {string}   Download URL for Mac FortiClient. size[1023]
        set skip-check-for-unsupported-os {enable | disable}   Enable to skip host check if client OS does not support it.
        set skip-check-for-unsupported-browser {enable | disable}   Enable to skip host check if browser does not support it.
        set hide-sso-credential {enable | disable}   Enable to prevent SSO credential being sent to client.
        config split-dns
            edit {id}
            # Split DNS for SSL VPN.
                set id {integer}   ID. range[0-4294967294]
                set domains {string}   Split DNS domains used for SSL-VPN clients separated by comma(,). size[1024]
                set dns-server1 {ipv4 address}   DNS server 1.
                set dns-server2 {ipv4 address}   DNS server 2.
                set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
                set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
            next
    next
end
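An added worked example, not part of the reference, of a tunnel-mode portal that combines the host-check, os-check-list, MAC address check, split-tunneling, split-dns and session-limit entries from the tree above into one configuration. The portal name, the firewall address objects SSLVPN_TUNNEL_POOL and corp-internal-nets, the host-check-software entry corp-edr, the resolver addresses, the DNS suffix, the MAC address and the patch level are all assumed values chosen for illustration.

```fortios
config vpn ssl web portal
    edit "tunnel-hardened"                        # assumed portal name
        set tunnel-mode enable
        set ip-mode range                         # addresses come from the pool below
        set auto-connect disable
        set keep-alive disable
        set save-password disable                 # no cached VPN credentials on the endpoint
        set limit-user-logins enable              # one SSL VPN session per user at a time
        config ip-pools
            edit "SSLVPN_TUNNEL_POOL"             # assumed firewall address object
            next
        end
        set split-tunneling enable
        config split-tunneling-routing-address
            edit "corp-internal-nets"             # assumed address group: only this traffic enters the tunnel
            next
        end
        set dns-server1 10.10.0.53                # constructed internal resolver
        set dns-server2 10.10.0.54                # constructed internal resolver
        set dns-suffix "corp.example"             # assumed suffix
        config split-dns
            edit 1
                set domains "corp.example,intranet.example"   # resolved through the VPN; everything else locally
                set dns-server1 10.10.0.53
                set dns-server2 10.10.0.54
            next
        end
        set web-mode disable                      # tunnel-only portal, no web bookmarks
        set smbv1 disable                         # keep legacy SMB off (high-end models only)
        set smb-ntlmv1-auth disable
        set host-check custom
        set host-check-interval 3600              # re-verify every hour, not only at connect
        config host-check-policy
            edit "corp-edr"                       # assumed entry from config vpn ssl web host-check-software
            next
        end
        set os-check enable
        set skip-check-for-unsupported-os disable # an unrecognised OS is not waved through
        set skip-check-for-unsupported-browser disable
        config os-check-list
            edit "macos-high-sierra-10.13"
                set action check-up-to-date
                set latest-patch-level "10.13.6"  # example value; set the level your policy requires
                set tolerance 0                   # no patch levels behind latest are accepted
            next
            edit "os-x-mavericks-10.9"
                set action deny                   # out-of-support release is refused outright
            next
        end
        set mac-addr-check enable
        set mac-addr-action allow                 # only listed MAC addresses may connect
        config mac-addr-check-rule
            edit "managed-laptops"
                set mac-addr-mask 48              # match the full address
                config mac-addr-list
                    edit 00:11:22:33:44:55        # constructed MAC address of a managed device
                    next
                end
            next
        end
        set hide-sso-credential enable
    next
end
```

Because each conditional entry is only accepted once its parent is enabled (ip-mode after tunnel-mode, the os-check-list table after os-check, tolerance and latest-patch-level after action check-up-to-date), the lines are entered in the order shown. `show vpn ssl web portal tunnel-hardened` afterwards lists the non-default settings so the result can be compared against this listing. The MAC check is an inventory control rather than authentication, since the client reports its own address; the host-check policy and the user's credentials remain the controls that decide access.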

Additional information

The following section is for those options that require additional explanation.

reqclientcert {enable | disable}

Enable or disable (by default) the requirement of a client certificate. When enabled, the SSL VPN daemon will require a client certificate for all SSL VPN users, regardless of policy.

{tunnel-mode | ipv6-tunnel-mode} {enable | disable}

Enable (by default) or disable IPv4 or IPv6 tunnel mode.

ip-mode {range | user-group}

Note: This entry is only available when tunnel-mode is set to enable.

How users of this SSL VPN tunnel get IP addresses:

  • range use the IP addresses available for all SSL VPN users as defined by the config vpn ssl settings command.
  • user-group use IP addresses associated with individual users or user groups (usually from external authentication servers such as RADIUS, LDAP, etc.).

auto-connect {enable | disable}

Note: This entry is only available when either tunnel-mode or ipv6-tunnel-mode is set to enable.

Enable or disable (by default) FortiClient automatic connection when the system is up.

forticlient-download {enable | disable}

You can use the following options to enable or disable allowing SSL VPN users to download FortiClient from the SSL VPN web portal. If forticlient-download is enabled, you can select the download method (direct or ssl-vpn). You can also optionally specify a custom URL for downloading the Windows and Mac OS versions of FortiClient.

Syntax

    config vpn ssl web portal
        edit <portal name>
            set forticlient-download {enable | disable}
            set forticlient-download-method {direct | ssl-vpn}
            set customize-forticlient-download-url {enable | disable}
            set windows-forticlient-download-url <url>
            set macos-forticlient-download-url <url>
        next
    end

keep-alive {enable | disable}

Note: This entry is only available when either tunnel-mode or ipv6-tunnel-mode is set to enable.

Enable or disable (by default) the automatic reconnection for FortiClient connections by the client.

save-password {enable | disable}

Note: This entry is only available when either tunnel-mode or ipv6-tunnel-mode is set to enable.

Enable or disable (by default) FortiClient saving the user’s password.

{ip-pools | ipv6-pools} <pool-names>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The names of the IPv4 or IPv6 firewall address objects reserved for SSL VPN tunnel mode clients.

{split-tunneling | ipv6-split-tunneling} {enable | disable}

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

Enable (by default) or disable IPv4 or IPv6 split tunneling, ensuring that only the traffic for the private network is sent to the SSL VPN gateway.

{split-tunneling-routing-address | ipv6-split-tunneling-routing-address} <address-name>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

IPv4 or IPv6 SSL VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

{dns-server1 | ipv6-dns-server1} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the primary DNS server that SSL VPN clients will be able to access after a connection has been established. Use the dns-server2 or ipv6-dns-server2 entries to specify a secondary DNS server (see entry below).

{dns-server2 | ipv6-dns-server2} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the secondary DNS server that SSL VPN clients will be able to access after a connection has been established.

{wins-server1 | ipv6-wins-server1} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the primary WINS server that SSL VPN clients will be able to access after a connection has been established. Use the wins-server2 or ipv6-wins-server2 entries to specify a secondary WINS server (see entry below).

{wins-server2 | ipv6-wins-server2} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the secondary WINS server that SSL VPN clients will be able to access after a connection has been established.

web-mode {enable | disable}

Enable or disable (by default) web mode.

display-bookmark {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web mode bookmark widget.

user-bookmark {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable allowing web portal users to create their own bookmarks.

user-group-bookmark {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable allowing web portal users to create bookmarks for all users in the same user group.

display-connection-tools {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web portal connection tools widget.

display-history {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web portal user login history widget.

display-status {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web portal status widget.

heading <message>

The portal heading message.

redir-url <url>

Note: This entry is only available when web-mode is set to enable.

The URL of the web page that enables the FortiGate to display a second HTML page when the web portal home page is displayed. The web server for this URL must reside on the private network behind the FortiGate unit.

theme <color>

Note: This entry is only available when web-mode is set to enable.

The web portal color scheme: blue (by default), gray, or orange.

custom-lang <language>

Note: This entry is only available when web-mode is set to enable.

Change the display language for this web portal. Select from the following options. The options are named according to the config system custom-language command that you can use to customize the content of these language files. By default the content of these language files is provided by Fortinet in the languages listed below.

  • GB2312: Simplified Chinese (using the Guojia Biaozhun (GB), or ‘national standard’ in Chinese, is the registered character set of the People’s Republic of China used for Simplified Chinese characters).
  • big5: Traditional Chinese (using Big5, or Big-5, is a Chinese character encoding method used in Taiwan, Hong Kong, and Macau for Traditional Chinese characters).
  • en: English (using the English character set (Caribbean)).
  • euc-kr: Korean (using Extended Unix Code (EUC), a character encoding system used for Japanese, Korean, and Simplified Chinese. This option is specifically for Korean).
  • fr: French (Using the French character set (Standard)).
  • pg: Portuguese (Using the Proto-Germanic (PG), also called Common Germanic, character set).
  • sp: Spanish (using the Spanish character set).
  • x-sjis: Japanese (using the Shift Japanese Industrial Standards (SJIS), is a character encoding method for Japanese).

host-check {none | av | fw | av-fw | custom}

The type of host checking to perform on endpoints.

  • none: Do not perform host checking.
  • av: Check for antivirus software recognized by the Windows Security Center.
  • fw: Check for firewall software recognized by the Windows Security Center.
  • av-fw: Check for both antivirus and firewall software recognized by the Windows Security Center.
  • custom: Check for the software defined in the host-check-policy entry.

host-check-interval <seconds>

How often the host check function periodically verifies the host check status of endpoints. Range is 120 to 259200 seconds. Default is 0, which disables periodic host checking. If disabled, host checking only happens when the endpoint initially connects to the SSL VPN. Only available if host-check is enabled.

host-check-policy {<policy> [<policy>…]}

Select one or more host-check policies to perform different types of host checking. You can use this option to add a wide range of host checking options to require endpoints to have a wide range of security software. You can see the complete list of host check policies and add more using the config vpn ssl web host-check-software command.

This option is available when host-check is set to custom.

limit-user-logins {enable | disable}

Enable or disable (by default) permitting each user one SSL VPN session at a time.

mac-addr-check {enable | disable}

Enable or disable (by default) MAC address host checking.

os-check {enable | disable}

Enable or disable (by default) the FortiGate unit to determine what action to take depending on what operating system the client has.

skip-check-for-unsupported-os {enable | disable}

Note: This entry is only available when os-check is set to enable.

Enable (by default) or disable skipping the host check if the client operating system doesn’t support it.

skip-check-for-unsupported-browser {enable | disable}

Note: This entry is only available when os-check is set to enable.

Enable (by default) or disable skipping the host check if the browser doesn’t support it.

vpn ssl web portal

Use this command to configure the SSL VPN portal service, allowing you to access network resources through a secure channel using a web browser. Administrators can configure login privileges for users and define which network resources are available to the users, including HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.

The portal configuration determines what the user sees when they log in to the FortiGate. Both the administrator and the user have the ability to customize the SSL VPN portal.

There are three pre-defined default web portal configurations available:

  • full-access: Includes all widgets available to the user – Session Information, Connection Tool, Bookmarks, and Tunnel Mode.
  • tunnel-access: Includes Session Information and Tunnel Mode widgets.
  • web-access: Includes Session Information and Bookmarks widgets.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

config bookmarks

edit <name>

set apptype rdp

set server-layout

en-gb-qwerty

es-es-qwerty

fr-ch-qwertz

ja-jp-qwerty

pt-br-qwerty

tr-tr-qwerty

set preconnection-id

set preconnection-bloc

set load-balanceing-info

New RDP application settings.

New server keyboard layouts include en-gb-qwerty (UK English), es-es-qwerty (Spanish), fr-ch-qwertz (Swiss French, qwertz), ja-jp-qwerty (Japanese), pt-br-qwerty (Portuguese/Brazilian), tr-tr-qwerty (Turkish).

preconnection-id is the numeric ID of the RDP source (0-2147483648).

preconnection-blob is an arbitrary string that identifies the RDP source.

load-balancing-info is the load balancing information or cookie that should be provided to the connection broker.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set hide-sso-credential {enable | disable}

Enable to prevent SSO credentials being sent in a javascript file to client.

set smbv1 {enable | disable}

Enable or disable (by default) support of SMBv1 for Samba.

Note that this command is only available for high-end FortiGate models.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set hide-sso-credential {enable | disable}

Enable to prevent SSO credentials being sent in a javascript file to client.

set smbv1 {enable | disable}

Enable or disable (by default) support of SMBv1 for Samba.

Note that this command is only available for high-end FortiGate models.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

config split-dns

edit <name>

set domains "abc.com, cde.com"

set dns-server1 <dns-server-ip>

set dns-server2 <dns-server-ip>

set ipv6-dns-server1 <dns-server-ip>

set ipv6-dns-server2 <dns-server-ip>

next

...

New DNS split tunneling option for SSL VPN portals, allowing you to specify which domains are resolved by the DNS server specified by the VPN, while all other domains are resolved by the DNS specified locally.

config os-check-list {macos-high-sierra-10.13 | macos-sierra-10.12 | os-x-el-capitan-10.11 | os-x-mavericks-10.9 | os-x-yosemite-10.10}

set action {deny | allow | check-up-to-date}

set tolerance <value>

set latest-patch-level <value>

next

...

New Mac OS host check function for SSL VPN.

Note that config os-check-list is only available when os-check is set to enable.

Also, the tolerance and latest-patch-level entries are only available when action is set to check-up-to-date.

config vpn ssl web portal
    edit {name}
    # Portal.
        set name {string}   Portal name. size[35]
        set tunnel-mode {enable | disable}   Enable/disable IPv4 SSL-VPN tunnel mode.
        set ip-mode {range | user-group}   Method by which users of this SSL-VPN tunnel obtain IP addresses.
                range       Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.
                user-group  Use IP the addresses associated with individual users or user groups (usually from external auth servers).
        set auto-connect {enable | disable}   Enable/disable automatic connect by client when system is up.
        set keep-alive {enable | disable}   Enable/disable automatic reconnect for FortiClient connections.
        set save-password {enable | disable}   Enable/disable FortiClient saving the user's password.
        config ip-pools
            edit {name}
            # IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set exclusive-routing {enable | disable}   Enable/disable all traffic go through tunnel only.
        set service-restriction {enable | disable}   Enable/disable tunnel service restriction.
        set split-tunneling {enable | disable}   Enable/disable IPv4 split tunneling.
        config split-tunneling-routing-address
            edit {name}
            # IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set dns-server1 {ipv4 address}   IPv4 DNS server 1.
        set dns-server2 {ipv4 address}   IPv4 DNS server 2.
        set dns-suffix {string}   DNS suffix. size[253]
        set wins-server1 {ipv4 address}   IPv4 WINS server 1.
        set wins-server2 {ipv4 address}   IPv4 WINS server 2.
        set ipv6-tunnel-mode {enable | disable}   Enable/disable IPv6 SSL-VPN tunnel mode.
        config ipv6-pools
            edit {name}
            # IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set ipv6-exclusive-routing {enable | disable}   Enable/disable all IPv6 traffic go through tunnel only.
        set ipv6-service-restriction {enable | disable}   Enable/disable IPv6 tunnel service restriction.
        set ipv6-split-tunneling {enable | disable}   Enable/disable IPv6 split tunneling.
        config ipv6-split-tunneling-routing-address
            edit {name}
            # IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
        set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
        set ipv6-wins-server1 {ipv6 address}   IPv6 WINS server 1.
        set ipv6-wins-server2 {ipv6 address}   IPv6 WINS server 2.
        set web-mode {enable | disable}   Enable/disable SSL VPN web mode.
        set display-bookmark {enable | disable}   Enable to display the web portal bookmark widget.
        set user-bookmark {enable | disable}   Enable to allow web portal users to create their own bookmarks.
        set allow-user-access {option}   Allow user access to SSL-VPN applications.
                web          HTTP/HTTPS access.
                ftp          FTP access.
                smb          SMB/CIFS access.
                telnet       TELNET access.
                ssh          SSH access.
                vnc          VNC access.
                rdp          RDP access.
                ping         PING access.
                citrix       CITRIX access.
                portforward  Port Forward access.
        set user-group-bookmark {enable | disable}   Enable to allow web portal users to create bookmarks for all users in the same user group.
        config bookmark-group
            edit {name}
            # Portal bookmark group.
                set name {string}   Bookmark group name. size[35]
                config bookmarks
                    edit {name}
                    # Bookmark table.
                        set name {string}   Bookmark name. size[35]
                        set apptype {option}   Application type.
                                citrix       Citrix.
                                ftp          FTP.
                                portforward  Port Forward.
                                rdp          RDP.
                                smb          SMB/CIFS.
                                ssh          SSH.
                                telnet       Telnet.
                                vnc          VNC.
                                web          HTTP/HTTPS.
                        set url {string}   URL parameter. size[128]
                        set host {string}   Host name/IP parameter. size[128]
                        set folder {string}   Network shared file folder parameter. size[128]
                        set additional-params {string}   Additional parameters. size[128]
                        set listening-port {integer}   Listening port (0 - 65535). range[0-65535]
                        set remote-port {integer}   Remote port (0 - 65535). range[0-65535]
                        set show-status-window {enable | disable}   Enable/disable showing of status window.
                        set description {string}   Description. size[128]
                        set server-layout {option}   Server side keyboard layout.
                                de-de-qwertz  German (qwertz).
                                en-gb-qwerty  English (UK).
                                en-us-qwerty  English (US).
                                es-es-qwerty  Spanish.
                                fr-fr-azerty  French (azerty).
                                fr-ch-qwertz  Swiss French (qwertz).
                                it-it-qwerty  Italian.
                                ja-jp-qwerty  Japanese.
                                pt-br-qwerty  Portuguese/Brazilian.
                                sv-se-qwerty  Swedish.
                                tr-tr-qwerty  Turkish.
                                failsafe      Unknown keyboard.
                        set security {rdp | nla | tls | any}   Security mode for RDP connection.
                                rdp  Standard RDP encryption.
                                nla  Network Level Authentication.
                                tls  TLS encryption.
                                any  Allow the server to choose the type of security.
                        set preconnection-id {integer}   The numeric ID of the RDP source (0-2147483648). range[0-2147483648]
                        set preconnection-blob {string}   An arbitrary string which identifies the RDP source. size[511]
                        set load-balancing-info {string}   The load balancing information or cookie which should be provided to the connection broker. size[511]
                        set port {integer}   Remote port. range[0-65535]
                        set logon-user {string}   Logon user. size[35]
                        set logon-password {password_string}   Logon password. size[128]
                        set sso {disable | static | auto}   Single Sign-On.
                                disable  Disable SSO.
                                static   Static SSO.
                                auto     Auto SSO.
                        config form-data
                            edit {name}
                            # Form data.
                                set name {string}   Name. size[35]
                                set value {string}   Value. size[63]
                            next
                        set sso-credential {sslvpn-login | alternative}   Single sign-on credentials.
                                sslvpn-login  SSL-VPN login.
                                alternative   Alternative.
                        set sso-username {string}   SSO user name. size[35]
                        set sso-password {password_string}   SSO password. size[128]
                        set sso-credential-sent-once {enable | disable}   Single sign-on credentials are only sent once to remote server.
                    next
            next
        set display-connection-tools {enable | disable}   Enable to display the web portal connection tools widget.
        set display-history {enable | disable}   Enable to display the web portal user login history widget.
        set display-status {enable | disable}   Enable to display the web portal status widget.
        set heading {string}   Web portal heading message. size[31]
        set redir-url {string}   Client login redirect URL. size[255]
        set theme {option}   Web portal color scheme.
                blue       Light blue theme.
                green      Green theme.
                red        Red theme.
                melongene  Melongene theme (eggplant color).
                mariner    Mariner theme (dark blue color).
        set custom-lang {string}   Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files. size[35] - datasource(s): system.custom-language.name
        set smb-ntlmv1-auth {enable | disable}   Enable support of NTLMv1 for Samba authentication.
        set smbv1 {enable | disable}   Enable/disable support of SMBv1 for Samba.
        set host-check {option}   Type of host checking performed on endpoints.
                none    No host checking.
                av      AntiVirus software recognized by the Windows Security Center.
                fw      Firewall software recognized by the Windows Security Center.
                av-fw   AntiVirus and firewall software recognized by the Windows Security Center.
                custom  Custom.
        set host-check-interval {integer}   Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects. range[120-259200]
        config host-check-policy
            edit {name}
            # One or more policies to require the endpoint to have specific security software.
                set name {string}   Host check software list name. size[64] - datasource(s): vpn.ssl.web.host-check-software.name
            next
        set limit-user-logins {enable | disable}   Enable to limit each user to one SSL-VPN session at a time.
        set mac-addr-check {enable | disable}   Enable/disable MAC address host checking.
        set mac-addr-action {allow | deny}   Client MAC address action.
                allow  Allow connection when client MAC address is matched.
                deny   Deny connection when client MAC address is matched.
        config mac-addr-check-rule
            edit {name}
            # Client MAC address check rule.
                set name {string}   Client MAC address check rule name. size[35]
                set mac-addr-mask {integer}   Client MAC address mask. range[1-48]
                config mac-addr-list
                    edit {addr}
                    # Client MAC address list.
                        set addr {mac address}   Client MAC address.
                    next
            next
        set os-check {enable | disable}   Enable to let the FortiGate decide action based on client OS.
        config os-check-list
            edit {name}
            # SSL VPN OS checks.
                set name {string}   Name. size[35]
                set action {deny | allow | check-up-to-date}   OS check options.
                        deny              Deny all OS versions.
                        allow             Allow any OS version.
                        check-up-to-date  Verify OS is up-to-date.
                set tolerance {integer}   OS patch level tolerance. range[0-255]
                set latest-patch-level {string}   Latest OS patch level.
            next
        set forticlient-download {enable | disable}   Enable/disable download option for FortiClient.
        set forticlient-download-method {direct | ssl-vpn}   FortiClient download method.
                direct   Download via direct link.
                ssl-vpn  Download via SSL-VPN.
        set customize-forticlient-download-url {enable | disable}   Enable support of customized download URL for FortiClient.
        set windows-forticlient-download-url {string}   Download URL for Windows FortiClient. size[1023]
        set macos-forticlient-download-url {string}   Download URL for Mac FortiClient. size[1023]
        set skip-check-for-unsupported-os {enable | disable}   Enable to skip host check if client OS does not support it.
        set skip-check-for-unsupported-browser {enable | disable}   Enable to skip host check if browser does not support it.
        set hide-sso-credential {enable | disable}   Enable to prevent SSO credential being sent to client.
        config split-dns
            edit {id}
            # Split DNS for SSL VPN.
                set id {integer}   ID. range[0-4294967294]
                set domains {string}   Split DNS domains used for SSL-VPN clients separated by comma(,). size[1024]
                set dns-server1 {ipv4 address}   DNS server 1.
                set dns-server2 {ipv4 address}   DNS server 2.
                set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
                set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
            next
    next
end
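The configuration tree above is also the shape of what a FortiGate prints for `show` or `show full-configuration` under `config vpn ssl web portal`. The following added example (not Fortinet code) parses that config/edit/set/next/end nesting into Python objects and audits each portal for the settings in the reference that weaken the portal (smbv1, smb-ntlmv1-auth, hide-sso-credential, save-password, limit-user-logins, host-check). The sample configuration, the portal names and the bookmark entries are constructed for illustration; the parser assumes nested tables are closed with `end`, as they are in saved configurations, and only handles tables whose members are introduced with `edit`.

```python
"""Parse a FortiOS 'config vpn ssl web portal' block and audit it for weak settings.

Added example, not Fortinet code. Assumes FortiOS config syntax as written to
a saved configuration: every nested 'config' table is closed by 'end' and each
table member is opened with 'edit <name>' and closed with 'next'.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed sample in the layout of 'show full-configuration', not a real device.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set save-password enable
        set web-mode enable
        set smbv1 enable
        set smb-ntlmv1-auth enable
        set hide-sso-credential disable
        set limit-user-logins disable
        set host-check none
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "fileshare"
                        set apptype smb
                        set host "fs01.corp.example"
                        set folder "share"
                    next
                end
            next
        end
    next
    edit "tunnel-access"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling disable
        set exclusive-routing enable
        set limit-user-logins enable
        set host-check av-fw
        set hide-sso-credential enable
        set smbv1 disable
    next
end
"""


@dataclass
class Entry:
    """One 'edit <name>' object: its 'set' values and any nested tables."""
    name: str
    settings: dict[str, list[str]] = field(default_factory=dict)
    tables: dict[str, dict[str, Entry]] = field(default_factory=dict)


def parse_fortios(text: str) -> dict[str, dict[str, Entry]]:
    """Return {table name: {entry name: Entry}} for every top-level 'config' table."""
    root = Entry("<root>")
    entry_stack = [root]        # innermost open 'edit' object is last
    table_stack: list[str] = []  # name of the table currently being filled
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens or tokens[0].startswith("#"):  # blank or config-version header
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            name = " ".join(args)
            entry_stack[-1].tables.setdefault(name, {})
            table_stack.append(name)
        elif kw == "edit":
            entry = Entry(args[0])
            entry_stack[-1].tables[table_stack[-1]][args[0]] = entry
            entry_stack.append(entry)
        elif kw == "set":
            entry_stack[-1].settings[args[0]] = args[1:]
        elif kw == "unset":
            entry_stack[-1].settings.pop(args[0], None)
        elif kw == "next":
            entry_stack.pop()
        elif kw == "end":
            table_stack.pop()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(entry_stack) != 1 or table_stack:
        raise ValueError("unbalanced config block")
    return root.tables


# setting -> (value that weakens the portal, explanation from the reference entries)
WEAK_SETTINGS = {
    "smbv1": ("enable", "SMBv1 accepted for SMB/CIFS bookmarks"),
    "smb-ntlmv1-auth": ("enable", "NTLMv1 accepted for Samba authentication"),
    "hide-sso-credential": ("disable", "SSO credentials are sent to the client"),
    "save-password": ("enable", "FortiClient may save the user's password"),
    "limit-user-logins": ("disable", "users may hold several SSL-VPN sessions at once"),
    "host-check": ("none", "no endpoint host checking"),
}


def audit_portal(portal: Entry) -> list[str]:
    """List the explicitly configured values that match WEAK_SETTINGS.
    Absent settings are FortiOS defaults; feed 'show full-configuration' output
    so that defaults appear as explicit 'set' lines and are audited too."""
    findings = []
    for key, (bad, why) in WEAK_SETTINGS.items():
        value = portal.settings.get(key)
        if value and value[0] == bad:
            findings.append(f"{key}={bad}: {why}")
    return findings


def bookmark_apptypes(portal: Entry) -> dict[str, str]:
    """Map bookmark name -> apptype across all bookmark groups of a portal."""
    result = {}
    for group in portal.tables.get("bookmark-group", {}).values():
        for bm in group.tables.get("bookmarks", {}).values():
            result[bm.name] = bm.settings.get("apptype", ["unset"])[0]
    return result


def audit_config(text: str) -> dict[str, list[str]]:
    """Audit every portal in a 'config vpn ssl web portal' block."""
    portals = parse_fortios(text).get("vpn ssl web portal", {})
    return {name: audit_portal(entry) for name, entry in portals.items()}


if __name__ == "__main__":
    for portal, findings in audit_config(SAMPLE_CONFIG).items():
        print(portal, findings or "no findings")
```

Run it against the output of `show full-configuration vpn ssl web portal` copied from a device rather than `show`, because `show` omits settings still at their default and the audit only sees values that are present.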

Additional information

The following section is for those options that require additional explanation.

reqclientcert {enable | disable}

Enable or disable (by default) the requirement of a client certificate. When enabled, the SSL VPN daemon will require a client certificate for all SSL VPN users, regardless of policy.

{tunnel-mode | ipv6-tunnel-mode} {enable | disable}

Enable (by default) or disable IPv4 or IPv6 tunnel mode.

ip-mode {range | usrgrp}

Note: This entry is only available when tunnel-mode is set to enable.

How users of this SSL VPN tunnel get IP addresses:

  • range use the IP addresses available for all SSL VPN users as defined by the config vpn ssl settings command.
  • user-group use IP addresses associated with individual users or user groups (usually from external authentication servers such as RADIUS, LDAP, etc.).

auto-connect {enable | disable}

Note: This entry is only available when either tunnel-mode or ipv6-tunnel-mode is set to enable.

Enable or disable (by default) FortiClient automatic connection when the system is up.

forticlient-download {enable | disable}

You can use the following options to enable or disable allowing SSL VPN users to download FortiClient from the SSL VPN web portal. If forticlient-download is enabled, you can select the download method (direct or over the SSL VPN). You can also optionally specify a custom URL for downloading the Windows and Mac OS versions of FortiClient.

Syntax

config vpn ssl web portal
    edit <portal name>
        set forticlient-download {enable | disable}
        set forticlient-download-method {direct | ssl-vpn}
        set customize-forticlient-download-url {enable | disable}
        set windows-forticlient-download-url <url>
        set macos-forticlient-download-url <url>
end

keep-alive {enable | disable}

Note: This entry is only available when either tunnel-mode or ipv6-tunnel-mode is set to enable.

Enable or disable (by default) the automatic reconnection for FortiClient connections by the client.

save-password {enable | disable}

Note: This entry is only available when either tunnel-mode or ipv6-tunnel-mode is set to enable.

Enable or disable (by default) FortiClient saving the user’s password.

{ip-pools | ipv6-pools} <pool-names>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The names of the IPv4 or IPv6 firewall address objects reserved for SSL VPN tunnel mode clients.

{split-tunneling | ipv6-split-tunneling} {enable | disable}

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

Enable (by default) or disable IPv4 or IPv6 split tunneling, ensuring that only the traffic for the private network is sent to the SSL VPN gateway.

{split-tunneling-routing-address | ipv6-split-tunneling-routing-address} <address-name>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

IPv4 or IPv6 SSL VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

{dns-server1 | ipv6-dns-server1} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the primary DNS server that SSL VPN clients will be able to access after a connection has been established. Use the dns-server2 or ipv6-dns-server2 entries to specify a secondary DNS server (see entry below).

{dns-server2 | ipv6-dns-server2} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the secondary DNS server that SSL VPN clients will be able to access after a connection has been established.

{wins-server1 | ipv6-wins-server1} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the primary WINS server that SSL VPN clients will be able to access after a connection has been established. Use the wins-server2 or ipv6-wins-server2 entries to specify a secondary WINS server (see entry below).

{wins-server2 | ipv6-wins-server2} <addr-ip4/6>

Note: These entries are only available when tunnel-mode or ipv6-tunnel-mode are set to enable.

The IPv4 or IPv6 IP address of the secondary WINS server that SSL VPN clients will be able to access after a connection has been established.

web-mode {enable | disable}

Enable or disable (by default) web mode.

display-bookmark {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web mode bookmark widget.

user-bookmark {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable allowing web portal users to create their own bookmarks.

user-group-bookmark {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable allowing web portal users to create bookmarks for all users in the same user group.

display-connection-tools {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web portal connection tools widget.

display-history {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web portal user login history widget.

display-status {enable | disable}

Note: This entry is only available when web-mode is set to enable.

Enable (by default) or disable the web portal status widget.

heading <message>

The portal heading message.

redir-url <url>

Note: This entry is only available when web-mode is set to enable.

The URL of the web page that enables the FortiGate to display a second HTML page when the web portal home page is displayed. The web server for this URL must reside on the private network behind the FortiGate unit.

theme <color>

Note: This entry is only available when web-mode is set to enable.

The web portal color scheme: blue (by default), gray, or orange.

custom-lang <language>

Note: This entry is only available when web-mode is set to enable.

Change the display language for this web portal. Select from the following options. The options are named according to the config system custom-language command that you can use to customize the content of these language files. By default the content of these language files is provided by Fortinet in the languages listed below.

  • GB2312: Simplified Chinese (using the Guojia Biaozhun (GB), or ‘national standard’ in Chinese, is the registered character set of the People’s Republic of China used for Simplified Chinese characters).
  • big5: Traditional Chinese (using Big5, or Big-5, is a Chinese character encoding method used in Taiwan, Hong Kong, and Macau for Traditional Chinese characters).
  • en: English (using the English character set (Caribbean)).
  • euc-kr: Korean (using the Extended Unix Code (EUC) is a character encoding system used for Japanese, Korean, and Simplified Chinese. This featured option is specifically for Korean).
  • fr: French (Using the French character set (Standard)).
  • pg: Portuguese (Using the Proto-Germanic (PG), also called Common Germanic, character set).
  • sp: Spanish (using the Spanish character set).
  • x-sjis: Japanese (using the Shift Japanese Industrial Standards (SJIS), is a character encoding method for Japanese).

host-check {none | av | fw | av-fw | custom}

The type of host checking to perform on endpoints.

  • none: Do not perform host checking.
  • av: Check for antivirus software recognized by the Windows Security Center.
  • fw: Check for firewall software recognized by the Windows Security Center.
  • av-fw: Check for both antivirus and firewall software recognized by the Windows Security Center.
  • custom: Check for the software defined in the host-check-policy entry.

host-check-interval <seconds>

How often the host check function periodically verifies the host check status of endpoints. Range is 120 to 259200 seconds. Default is 0, which disables periodic host checking. If disabled, host checking only happens when the endpoint initially connects to the SSL VPN. Only available if host-check is enabled.

host-check-policy {<policy> [<policy>…]}

Select one or more host-check policies to perform different types of host checking. You can use this option to require endpoints to have a wide range of security software. You can see the complete list of host check policies and add more using the config vpn ssl host-check-software command.

This option is available when host-check is set to custom.

limit-user-logins {enable | disable}

Enable or disable (by default) permitting each user one SSL VPN session at a time.

mac-addr-check {enable | disable}

Enable or disable (by default) MAC address host checking.
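The MAC check is driven by the mac-addr-check-rule table in the configuration tree above: each rule carries a mac-addr-mask (1 to 48) and a mac-addr-list, and mac-addr-action decides what a match means. The following added example (not Fortinet code) evaluates such rules in Python. It assumes, and this is an assumption rather than a statement from the reference, that mac-addr-mask is the number of leading bits of the client MAC that must equal an entry in mac-addr-list (24 matches on the vendor OUI, 48 requires the full address), and that a non-matching client gets the opposite of the configured action. The rule names and addresses are constructed.

```python
"""Evaluate SSL VPN client MAC address check rules (added example, not Fortinet code).

Assumption: mac-addr-mask <n> means the leading n bits of the client MAC must
match an entry in mac-addr-list. Assumption: when no rule matches, the
connection gets the opposite of mac-addr-action.
"""
from __future__ import annotations

MAC_BITS = 48


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff in either case."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def mac_matches(client: str, rule_addr: str, mask_bits: int) -> bool:
    """True when the first mask_bits bits of both addresses are equal."""
    if not 1 <= mask_bits <= MAC_BITS:  # range[1-48] in the CLI reference
        raise ValueError("mac-addr-mask must be between 1 and 48")
    prefix = ((1 << MAC_BITS) - 1) ^ ((1 << (MAC_BITS - mask_bits)) - 1)
    return (mac_to_int(client) & prefix) == (mac_to_int(rule_addr) & prefix)


# Constructed rules mirroring 'config mac-addr-check-rule' entries (not a real device).
RULES = [
    {"name": "corp-laptops-oui", "mac-addr-mask": 24, "mac-addr-list": ["00:1b:63:00:00:00"]},
    {"name": "kiosk-exact", "mac-addr-mask": 48, "mac-addr-list": ["3c:52:82:aa:bb:cc"]},
]


def matching_rule(client_mac: str, rules: list[dict]) -> str | None:
    """Name of the first rule whose list contains a prefix match, or None."""
    for rule in rules:
        for addr in rule["mac-addr-list"]:
            if mac_matches(client_mac, addr, rule["mac-addr-mask"]):
                return rule["name"]
    return None


def connection_permitted(client_mac: str, rules: list[dict], mac_addr_action: str) -> bool:
    """Apply mac-addr-action: 'allow' permits only matched clients,
    'deny' refuses matched clients and (by assumption) permits the rest."""
    matched = matching_rule(client_mac, rules) is not None
    if mac_addr_action == "allow":
        return matched
    if mac_addr_action == "deny":
        return not matched
    raise ValueError("mac-addr-action must be 'allow' or 'deny'")


if __name__ == "__main__":
    for mac in ("00:1B:63:12:34:56", "3c:52:82:aa:bb:cd", "de:ad:be:ef:00:01"):
        print(mac, matching_rule(mac, RULES), connection_permitted(mac, RULES, "allow"))
```

The client reports its own MAC address through the endpoint check, so this filter is a device-hygiene control to combine with host-check and user authentication, not an authentication factor on its own.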

os-check {enable | disable}

Enable or disable (by default) the FortiGate unit to determine what action to take depending on what operating system the client has.

skip-check-for-unsupported-os {enable | disable}

Note: This entry is only available when os-check is set to enable.

Enable (by default) or disable skipping the host check if the client operating system doesn’t support it.

skip-check-for-unsupported-browser {enable | disable}

Note: This entry is only available when os-check is set to enable.

Enable (by default) or disable skipping the host check if the browser doesn’t support it.