vpn ssl settings
Use this command to configure basic SSL VPN settings including idle-timeout values and SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients, and specify the IP address of any DNS and/or WINS server that resides on the private network behind the FortiGate unit.
Note: SSL VPNs and their commands are only configurable in NAT mode.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.
Command | Description
---|---
set route-source-interface {enable \| disable} | This command has been removed. See preserve-session-route under config system interface for a similar command.
set ssl-big-buffer {enable \| disable} | This command has been removed.
```
config vpn ssl settings
    set reqclientcert {enable | disable}   Enable to require client certificates for all SSL-VPN users.
    set tlsv1-0 {enable | disable}   Enable/disable TLSv1.0.
    set tlsv1-1 {enable | disable}   Enable/disable TLSv1.1.
    set tlsv1-2 {enable | disable}   Enable/disable TLSv1.2.
    set banned-cipher {option}   Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
            RSA        Ban the use of cipher suites using RSA key.
            DH         Ban the use of cipher suites using DH.
            DHE        Ban the use of cipher suites using authenticated ephemeral DH key agreement.
            ECDH       Ban the use of cipher suites using ECDH key exchange.
            ECDHE      Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
            DSS        Ban the use of cipher suites using DSS authentication.
            ECDSA      Ban the use of cipher suites using ECDSA authentication.
            AES        Ban the use of cipher suites using either 128 or 256 bit AES.
            AESGCM     Ban the use of cipher suites AES in Galois Counter Mode (GCM).
            CAMELLIA   Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
            3DES       Ban the use of cipher suites using triple DES.
            SHA1       Ban the use of cipher suites using SHA1.
            SHA256     Ban the use of cipher suites using SHA256.
            SHA384     Ban the use of cipher suites using SHA384.
            STATIC     Ban the use of cipher suites using static keys.
    set ssl-insert-empty-fragment {enable | disable}   Enable/disable insertion of empty fragment.
    set https-redirect {enable | disable}   Enable/disable redirect of port 80 to SSL-VPN port.
    set x-content-type-options {enable | disable}   Add HTTP X-Content-Type-Options header.
    set ssl-client-renegotiation {disable | enable}   Enable to allow client renegotiation by the server if the tunnel goes down.
    set force-two-factor-auth {enable | disable}   Enable to force two-factor authentication for all SSL-VPNs.
    set unsafe-legacy-renegotiation {enable | disable}   Enable/disable unsafe legacy re-negotiation.
    set servercert {string}   Name of the server certificate to be used for SSL-VPNs. size[35] - datasource(s): vpn.certificate.local.name
    set algorithm {high | medium | default | low}   Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
            high      High algorithms.
            medium    High and medium algorithms.
            default   default
            low       All algorithms.
    set idle-timeout {integer}   SSL VPN disconnects if idle for specified time in seconds. range[0-259200]
    set auth-timeout {integer}   SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). range[0-259200]
    set login-attempt-limit {integer}   SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). range[0-4294967295]
    set login-block-time {integer}   Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). range[0-4294967295]
    set login-timeout {integer}   SSLVPN maximum login timeout (10 - 180 sec, default = 30). range[10-180]
    set dtls-hello-timeout {integer}   SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). range[10-60]
    config tunnel-ip-pools
        edit {name}   # Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
            set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
        next
    config tunnel-ipv6-pools
        edit {name}   # Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
            set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        next
    set dns-suffix {string}   DNS suffix used for SSL-VPN clients. size[253]
    set dns-server1 {ipv4 address}   DNS server 1.
    set dns-server2 {ipv4 address}   DNS server 2.
    set wins-server1 {ipv4 address}   WINS server 1.
    set wins-server2 {ipv4 address}   WINS server 2.
    set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
    set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
    set ipv6-wins-server1 {ipv6 address}   IPv6 WINS server 1.
    set ipv6-wins-server2 {ipv6 address}   IPv6 WINS server 2.
    set route-source-interface {enable | disable}   Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
    set url-obscuration {enable | disable}   Enable to obscure the host name of the URL of the web browser display.
    set http-compression {enable | disable}   Enable to allow HTTP compression over SSL-VPN tunnels.
    set http-only-cookie {enable | disable}   Enable/disable SSL-VPN support for HttpOnly cookies.
    set deflate-compression-level {integer}   Compression level (0~9). range[0-9]
    set deflate-min-data-size {integer}   Minimum amount of data that triggers compression (200 - 65535 bytes). range[200-65535]
    set port {integer}   SSL-VPN access port (1 - 65535). range[1-65535]
    set port-precedence {enable | disable}   Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
    set auto-tunnel-static-route {enable | disable}   Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
    set header-x-forwarded-for {pass | add | remove}   Forward the same, add, or remove HTTP header.
            pass     Forward the same HTTP header.
            add      Add the HTTP header.
            remove   Remove the HTTP header.
    config source-interface
        edit {name}   # SSL VPN source interface of incoming traffic.
            set name {string}   Interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        next
    config source-address
        edit {name}   # Source address of incoming traffic.
            set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
        next
    set source-address-negate {enable | disable}   Enable/disable negated source address match.
    config source-address6
        edit {name}   # IPv6 source address of incoming traffic.
            set name {string}   IPv6 address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        next
    set source-address6-negate {enable | disable}   Enable/disable negated source IPv6 address match.
    set default-portal {string}   Default SSL VPN portal. size[35] - datasource(s): vpn.ssl.web.portal.name
    config authentication-rule
        edit {id}   # Authentication rule for SSL VPN.
            set id {integer}   ID (0 - 4294967295). range[0-4294967295]
            config source-interface
                edit {name}   # SSL VPN source interface of incoming traffic.
                    set name {string}   Interface name. size[35] - datasource(s): system.interface.name,system.zone.name
                next
            config source-address
                edit {name}   # Source address of incoming traffic.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            set source-address-negate {enable | disable}   Enable/disable negated source address match.
            config source-address6
                edit {name}   # IPv6 source address of incoming traffic.
                    set name {string}   IPv6 address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            set source-address6-negate {enable | disable}   Enable/disable negated source IPv6 address match.
            config users
                edit {name}   # User name.
                    set name {string}   User name. size[64] - datasource(s): user.local.name
                next
            config groups
                edit {name}   # User groups.
                    set name {string}   Group name. size[64] - datasource(s): user.group.name
                next
            set portal {string}   SSL VPN portal. size[35] - datasource(s): vpn.ssl.web.portal.name
            set realm {string}   SSL VPN realm. size[35] - datasource(s): vpn.ssl.web.realm.url-path
            set client-cert {enable | disable}   Enable/disable SSL VPN client certificate restrictive.
            set cipher {any | high | medium}   SSL VPN cipher strength.
                    any      Any cipher strength.
                    high     High cipher strength (>= 168 bits).
                    medium   Medium cipher strength (>= 128 bits).
            set auth {option}   SSL VPN authentication method restriction.
                    any       Any
                    local     Local
                    radius    RADIUS
                    tacacs+   TACACS+
                    ldap      LDAP
        next
    set dtls-tunnel {enable | disable}   Enable DTLS to prevent eavesdropping, tampering, or message forgery.
    set check-referer {enable | disable}   Enable/disable verification of referer field in HTTP request header.
    set http-request-header-timeout {integer}   SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). range[0-4294967295]
    set http-request-body-timeout {integer}   SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). range[0-4294967295]
end
```
Additional information
The following section is for those options that require additional explanation.
config authentication-rule
A configuration method to create authentication rules for SSL VPN. Edit an entry to create a new rule, then specify the rule using the entries available.
reqclientcert {enable | disable}
Enable or disable (by default) the requirement of a client certificate. When enabled, the SSL VPN daemon will require a client certificate for all SSL VPN users, regardless of policy.
tlsv1-0 {enable | disable}
Enable or disable (by default) Transport Layer Security (TLS) version 1.0 (TLSv1.0).
tlsv1-1 {enable | disable}
Enable (by default) or disable TLSv1.1.
tlsv1-2 {enable | disable}
Enable (by default) or disable TLSv1.2, currently the most recent version.
banned-cipher <cipher>
Banned ciphers for SSL VPN. Set one or more of the following to ban the use of cipher suites using:
RSA: Rivest-Shamir-Adleman key
DH: Diffie-Hellman
DHE: Authenticated ephemeral DH key agreement
ECDH: Elliptic Curve DH key exchange
ECDHE: Authenticated ephemeral ECDH key agreement
DSS: Digital Signature Standard authentication
ECDSA: Elliptic Curve Digital Signature Algorithm authentication
AES: Advanced Encryption Standard, either 128 or 256 bit
AESGCM: AES in Galois Counter Mode
CAMELLIA: A symmetric block cipher algorithm, either 128 or 256 bit
3DES: Triple Data Encryption Standard
SHA1: 160 bit Secure Hash Algorithm
SHA256: 256 bit SHA
SHA384: 384 bit SHA
ssl-insert-empty-fragment {enable | disable}
Enable (by default) or disable the insertion of empty fragments, a countermeasure against Browser Exploit Against SSL/TLS (BEAST) attacks.
https-redirect {enable | disable}
Enable or disable (by default) the redirection of port 80 to the SSL VPN port.
ssl-client-renegotiation {enable | disable}
Enable (allow) or disable (block, by default) client renegotiation by the server if the tunnel goes down.
force-two-factor-auth {enable | disable}
Enable or disable (by default) the imposition of two-factor authentication. When enabled, PKI (peer) users will be required to authenticate with their password and certificate authentication. In addition, only PKI users with two-factor authentication enabled will be able to log on to the SSL VPN.
servercert <cert-name>
The server's certificate used to identify the FortiGate unit during the SSL handshake with a web browser when the web browser connects to the login page. The certificate must have already been configured on the FortiGate before entering it here. The default is set to Fortinet_Factory.
algorithm {high | medium | low}
Force the SSL VPN security level.
high: allows only high security algorithms.
medium: allows medium and high.
low: allows any.
idle-timeout <timeout>
The period of time in seconds that the SSL VPN will wait before timing out. Set the value between 1-259200 (or 1 second to 3 days), or 0 for no timeout. The default is set to 300.
auth-timeout <timeout>
The period of time in seconds that the SSL VPN will wait before re-authentication is enforced. Set the value between 1-259200 (or 1 second to 3 days), or 0 for no timeout. The default is set to 28800.
{tunnel-ip-pools | tunnel-ipv6-pools} <pool-name>
The tunnel IPv4 or IPv6 pools reserved for remote clients. The addresses and address groups must have already been configured on the FortiGate unit before entering them here.
dns-suffix <string>
The DNS suffix, with a maximum length of 253 characters.
{dns-server1 | ipv6-dns-server1} <addr-ip4/6>
The IPv4 or IPv6 IP address of the primary DNS server that SSL VPN clients will be able to access after a connection has been established. Use the dns-server2 or ipv6-dns-server2 entries to specify a secondary DNS server (see entry below).
{dns-server2 | ipv6-dns-server2} <addr-ip4/6>
The IPv4 or IPv6 IP address of the secondary DNS server that SSL VPN clients will be able to access after a connection has been established.
{wins-server1 | ipv6-wins-server1} <addr-ip4/6>
The IPv4 or IPv6 IP address of the primary WINS server that SSL VPN clients will be able to access after a connection has been established. Use the wins-server2 or ipv6-wins-server2 entries to specify a secondary WINS server (see entry below).
{wins-server2 | ipv6-wins-server2} <addr-ip4/6>
The IPv4 or IPv6 IP address of the secondary WINS server that SSL VPN clients will be able to access after a connection has been established.
route-source-interface {enable | disable}
Enable or disable (by default) allowing SSL VPN connections to bypass routing and bind to the incoming interface.
url-obscuration {enable | disable}
Enable or disable (by default) encryption of the host name of the URL in the display (web address) of the web browser (for web mode only).
Enabling this feature is required for International Computer Security Association (ICSA) SSL VPN certification. Note that, when enabled, bookmark details are not visible.
http-compression {enable | disable}
Enable or disable (by default) the use of compression between the FortiGate unit and the client web browser. When enabled, use the deflate-compression-level and deflate-min-data-size entries to tune performance (see entries below).
http-only-cookie {enable | disable}
Enable (by default) or disable SSL VPN support for HttpOnly cookies.
deflate-compression-level <integer>
Note: This entry is only available when http-compression is set to enable.
The compression level. Set the value between 1-9. Higher compression values reduce the volume of data but require more processing time. The default is set to 6.
deflate-min-data-size <integer>
Note: This entry is only available when http-compression is set to enable.
The minimum amount of data in bytes that will trigger compression. Set the value between 200-65535. The default is set to 300.
port <integer>
The SSL VPN access port. Set the value between 1-65535. When VDOMs are enabled, this feature is set per VDOM. The default value is set to 10443.
port-precedence {enable | disable}
Use this command to control how the FortiGate handles a connection attempt if there is a conflict between administrator access to the GUI and to SSL VPN. This can happen if both SSL VPN and HTTPS admin GUI access use the same port on the same FortiGate interface. When this happens, if port-precedence is enabled and an HTTPS connection attempt is received on an interface with an SSL VPN portal, the FortiGate assumes it is an SSL VPN connection attempt and admin GUI access is not allowed. If port-precedence is disabled, the FortiGate assumes it is an admin GUI access attempt and SSL VPN access is not allowed.
Enabled by default.
auto-tunnel-static-route {enable | disable}
Enable (by default) or disable the automatic creation of static routes for the networks that can be accessed through the SSL VPN tunnel. This is only possible if tunnel mode is enabled.
header-x-forwarded-for {pass | add | remove}
Action taken on the HTTP X-Forwarded-For header of forwarded requests.
pass: forwards the same HTTP header.
add (by default): adds the HTTP header.
remove: removes the HTTP header.
source-interface <interface>
The interface(s) to listen on for SSL clients. You must have already configured the interfaces on the FortiGate unit before entering them here. Enter any to match any interface in the virtual domain.
{source-address | source-address6} [addr-ip4/6]
An optional feature to specify IPv4 or IPv6 addresses from which users can log in. Leave this entry blank to allow login from any address.
{source-address-negate | source-address6-negate} {enable | disable}
Enable or disable (by default) inverting the source-address or source-address6 entries so that they instead specify IPv4 or IPv6 addresses from which login is not allowed.
default-portal <portal-name>
The name of the default SSL VPN portal, either one of the defaults (full-access, tunnel-access, or web-access) or a custom portal created on the FortiGate unit.
dtls-tunnel {enable | disable}
Enable (by default) or disable the Datagram Transport Layer Security (DTLS) tunnel, allowing datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery.
check-referer {enable | disable}
Enable or disable (by default) the verification of the Referer field in the HTTP request header.
http-request-header-timeout <timeout>
The amount of time in seconds before the HTTP connection disconnects if the HTTP request header is not complete. Set the value between 1-60 (or one second to one minute). The default is set to 20.
http-request-body-timeout <timeout>
The amount of time in seconds before the HTTP connection disconnects if the HTTP request body is not complete. Set the value between 1-60 (or one second to one minute). The default is set to 30.
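The settings above are easiest to reason about when a running unit can be checked against them. The following Python script is an added example for this page, not Fortinet code: it parses the text that `show vpn ssl settings` prints (assumed here to use the config / edit / set / next / end layout of the syntax tree above, with member tables printed either as `set key "a" "b"` or as `config`/`edit` blocks), overlays the defaults this page states for keys that a `show` dump omits, and reports the settings that weaken the SSL VPN: TLS 1.0/1.1 accepted, `login-attempt-limit 0` (no lockout), `idle-timeout 0`, the `Fortinet_Factory` certificate still in use, 3DES or SHA1 suites not in `banned-cipher`, `source-interface any`, and a rule that accepts any cipher strength. Both dumps embedded in it are constructed for the example, and the function and variable names are the example's own.

```python
"""Audit a FortiGate `show vpn ssl settings` dump against this page's options.

Added example, not Fortinet code. Assumptions: settings missing from a
`show` dump are at their defaults, and the defaults applied (PAGE_DEFAULTS)
are the ones stated on this page. Both sample dumps below are constructed.
"""
import shlex

# Defaults as stated in the "Additional information" section of this page.
PAGE_DEFAULTS = {
    "reqclientcert": "disable", "tlsv1-0": "disable", "tlsv1-1": "enable",
    "tlsv1-2": "enable", "ssl-insert-empty-fragment": "enable",
    "ssl-client-renegotiation": "disable", "force-two-factor-auth": "disable",
    "http-only-cookie": "enable", "check-referer": "disable",
    "idle-timeout": "300", "auth-timeout": "28800", "login-attempt-limit": "2",
    "login-block-time": "60", "port": "10443", "servercert": "Fortinet_Factory",
    "banned-cipher": [],
}
# Keys whose value is a list of tokens even when only one token is present.
MULTI_VALUED = {"banned-cipher", "source-interface", "source-address",
                "source-address6", "tunnel-ip-pools", "tunnel-ipv6-pools",
                "users", "groups"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_show(text):
    """Return (top-level settings dict, list of authentication-rule dicts)."""
    settings, rules, stack, rule = {}, [], [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # drops the quotes FortiOS prints
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        target = settings if rule is None else rule  # where `set` lines land
        if kw == "config":
            stack.append(args[-1])  # "settings", "authentication-rule", ...
        elif kw == "edit":
            table = stack[-1] if stack else ""
            stack.append("edit")
            if table == "authentication-rule":
                rule = {"id": args[0]}
                rules.append(rule)
            else:  # member table printed as config/edit, as in the syntax tree
                target.setdefault(table, []).append(args[0])
        elif kw in ("next", "end"):
            if stack and stack.pop() == "authentication-rule":
                rule = None  # back at the top level of the settings block
        elif kw == "set" and len(args) > 1:
            key, values = args[0], args[1:]
            target[key] = values if key in MULTI_VALUED else values[0]
    return settings, rules


def audit(settings, rules):
    """Overlay page defaults on the dump and list (severity, key, note) findings."""
    cfg = {**PAGE_DEFAULTS, **settings}
    findings = []
    flag = lambda sev, key, note: findings.append((sev, key, note))
    if cfg["tlsv1-0"] == "enable":
        flag("high", "tlsv1-0", "TLS 1.0 accepted (disabled by default)")
    if cfg["tlsv1-1"] == "enable":
        flag("medium", "tlsv1-1", "TLS 1.1 accepted; deprecated by RFC 8996")
    if cfg.get("unsafe-legacy-renegotiation") == "enable":
        flag("high", "unsafe-legacy-renegotiation", "unsafe legacy renegotiation on")
    if cfg["ssl-insert-empty-fragment"] == "disable":
        flag("medium", "ssl-insert-empty-fragment", "BEAST countermeasure turned off")
    if cfg.get("algorithm") == "low":
        flag("high", "algorithm", "security level low allows any algorithm")
    if cfg["login-attempt-limit"] == "0":
        flag("medium", "login-attempt-limit", "0 = no limit: failed logins never block")
    if cfg["idle-timeout"] == "0":
        flag("medium", "idle-timeout", "0 = idle sessions never time out")
    if cfg["auth-timeout"] == "0":
        flag("low", "auth-timeout", "0 = re-authentication never enforced")
    if cfg["reqclientcert"] == "disable" and cfg["force-two-factor-auth"] == "disable":
        flag("low", "reqclientcert", "neither client certificate nor 2FA required")
    if cfg["http-only-cookie"] == "disable":
        flag("low", "http-only-cookie", "HttpOnly cookie support disabled")
    if cfg["check-referer"] == "disable":
        flag("low", "check-referer", "Referer header not verified")
    if cfg["servercert"] == "Fortinet_Factory":
        flag("medium", "servercert", "factory certificate identifies the portal")
    legacy = [t for t in ("3DES", "SHA1") if t not in cfg["banned-cipher"]]
    if legacy:
        flag("low", "banned-cipher", "legacy suites not banned: " + ", ".join(legacy))
    if "any" in cfg.get("source-interface", []):
        flag("low", "source-interface", "portal listens on every interface in the VDOM")
    for r in rules:
        if r.get("cipher") == "any":
            flag("low", "authentication-rule " + r["id"], "rule accepts any cipher strength")
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


def audit_text(text):
    return audit(*parse_show(text))


# Constructed dumps: a weak unit and a hardened one (names are made up).
SAMPLE_SHOW = """config vpn ssl settings
    set tlsv1-0 enable
    set banned-cipher RSA DH
    set login-attempt-limit 0
    set idle-timeout 0
    set servercert "Fortinet_Factory"
    set source-interface "any"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
            set cipher any
        next
    end
end
"""
HARDENED_SHOW = """config vpn ssl settings
    set reqclientcert enable
    set tlsv1-1 disable
    set banned-cipher RSA DH 3DES SHA1 STATIC
    set login-attempt-limit 3
    set login-block-time 300
    set servercert "sslvpn-portal-cert"
    set check-referer enable
    set source-interface "wan1"
    set source-address "corp-ranges"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
            set cipher high
        next
    end
end
"""

if __name__ == "__main__":
    for name, dump in (("weak", SAMPLE_SHOW), ("hardened", HARDENED_SHOW)):
        print(f"== {name}: {len(audit_text(dump))} finding(s)")
        for sev, key, note in audit_text(dump):
            print(f"  [{sev:6}] {key}: {note}")
```

Because `show` prints only non-default values, the overlay step matters: a dump with no `tlsv1-1` line is still reported, since the page states that TLSv1.1 is enabled by default. The hardened dump produces no findings; the weak one produces ten, led by TLS 1.0 being accepted.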