Fortinet Document Library

CLI Reference 6.0.6

vpn ssl settings

Use this command to configure basic SSL VPN settings including idle-timeout values and SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients, and specify the IP address of any DNS and/or WINS server that resides on the private network behind the FortiGate unit.

Note: SSL VPNs and their commands are only configurable in NAT mode.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command                                         Description

set route-source-interface {enable | disable}   This command has been removed. See preserve-session-route under config system interface for a similar command.

set ssl-big-buffer {enable | disable}           This command has been removed.

config vpn ssl settings
    set reqclientcert {enable | disable}   Enable to require client certificates for all SSL-VPN users.
    set tlsv1-0 {enable | disable}   Enable/disable TLSv1.0.
    set tlsv1-1 {enable | disable}   Enable/disable TLSv1.1.
    set tlsv1-2 {enable | disable}   Enable/disable TLSv1.2.
    set banned-cipher {option}   Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
            RSA       Ban the use of cipher suites using RSA key.
            DH        Ban the use of cipher suites using DH.
            DHE       Ban the use of cipher suites using authenticated ephemeral DH key agreement.
            ECDH      Ban the use of cipher suites using ECDH key exchange.
            ECDHE     Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
            DSS       Ban the use of cipher suites using DSS authentication.
            ECDSA     Ban the use of cipher suites using ECDSA authentication.
            AES       Ban the use of cipher suites using either 128 or 256 bit AES.
            AESGCM    Ban the use of cipher suites AES in Galois Counter Mode (GCM).
            CAMELLIA  Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
            3DES      Ban the use of cipher suites using triple DES.
            SHA1      Ban the use of cipher suites using SHA1.
            SHA256    Ban the use of cipher suites using SHA256.
            SHA384    Ban the use of cipher suites using SHA384.
            STATIC    Ban the use of cipher suites using static keys.
    set ssl-insert-empty-fragment {enable | disable}   Enable/disable insertion of empty fragment.
    set https-redirect {enable | disable}   Enable/disable redirect of port 80 to SSL-VPN port.
    set x-content-type-options {enable | disable}   Add HTTP X-Content-Type-Options header.
    set ssl-client-renegotiation {disable | enable}   Enable to allow client renegotiation by the server if the tunnel goes down.
    set force-two-factor-auth {enable | disable}   Enable to force two-factor authentication for all SSL-VPNs.
    set unsafe-legacy-renegotiation {enable | disable}   Enable/disable unsafe legacy re-negotiation.
    set servercert {string}   Name of the server certificate to be used for SSL-VPNs. size[35] - datasource(s): vpn.certificate.local.name
    set algorithm {high | medium | default | low}   Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
            high     High algorithms.
            medium   High and medium algorithms.
            default  default
            low      All algorithms.
    set idle-timeout {integer}   SSL VPN disconnects if idle for specified time in seconds. range[0-259200]
    set auth-timeout {integer}   SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). range[0-259200]
    set login-attempt-limit {integer}   SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). range[0-4294967295]
    set login-block-time {integer}   Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). range[0-4294967295]
    set login-timeout {integer}   SSLVPN maximum login timeout (10 - 180 sec, default = 30). range[10-180]
    set dtls-hello-timeout {integer}   SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). range[10-60]
    config tunnel-ip-pools
        edit {name}
        # Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
            set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
        next
    config tunnel-ipv6-pools
        edit {name}
        # Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
            set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        next
    set dns-suffix {string}   DNS suffix used for SSL-VPN clients. size[253]
    set dns-server1 {ipv4 address}   DNS server 1.
    set dns-server2 {ipv4 address}   DNS server 2.
    set wins-server1 {ipv4 address}   WINS server 1.
    set wins-server2 {ipv4 address}   WINS server 2.
    set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
    set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
    set ipv6-wins-server1 {ipv6 address}   IPv6 WINS server 1.
    set ipv6-wins-server2 {ipv6 address}   IPv6 WINS server 2.
    set route-source-interface {enable | disable}   Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
    set url-obscuration {enable | disable}   Enable to obscure the host name of the URL of the web browser display.
    set http-compression {enable | disable}   Enable to allow HTTP compression over SSL-VPN tunnels.
    set http-only-cookie {enable | disable}   Enable/disable SSL-VPN support for HttpOnly cookies.
    set deflate-compression-level {integer}   Compression level (0~9). range[0-9]
    set deflate-min-data-size {integer}   Minimum amount of data that triggers compression (200 - 65535 bytes). range[200-65535]
    set port {integer}   SSL-VPN access port (1 - 65535). range[1-65535]
    set port-precedence {enable | disable}   Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
    set auto-tunnel-static-route {enable | disable}   Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
    set header-x-forwarded-for {pass | add | remove}   Forward the same, add, or remove HTTP header.
            pass    Forward the same HTTP header.
            add     Add the HTTP header.
            remove  Remove the HTTP header.
    config source-interface
        edit {name}
        # SSL VPN source interface of incoming traffic.
            set name {string}   Interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        next
    config source-address
        edit {name}
        # Source address of incoming traffic.
            set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
        next
    set source-address-negate {enable | disable}   Enable/disable negated source address match.
    config source-address6
        edit {name}
        # IPv6 source address of incoming traffic.
            set name {string}   IPv6 address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        next
    set source-address6-negate {enable | disable}   Enable/disable negated source IPv6 address match.
    set default-portal {string}   Default SSL VPN portal. size[35] - datasource(s): vpn.ssl.web.portal.name
    config authentication-rule
        edit {id}
        # Authentication rule for SSL VPN.
            set id {integer}   ID (0 - 4294967295). range[0-4294967295]
            config source-interface
                edit {name}
                # SSL VPN source interface of incoming traffic.
                    set name {string}   Interface name. size[35] - datasource(s): system.interface.name,system.zone.name
                next
            config source-address
                edit {name}
                # Source address of incoming traffic.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            set source-address-negate {enable | disable}   Enable/disable negated source address match.
            config source-address6
                edit {name}
                # IPv6 source address of incoming traffic.
                    set name {string}   IPv6 address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            set source-address6-negate {enable | disable}   Enable/disable negated source IPv6 address match.
            config users
                edit {name}
                # User name.
                    set name {string}   User name. size[64] - datasource(s): user.local.name
                next
            config groups
                edit {name}
                # User groups.
                    set name {string}   Group name. size[64] - datasource(s): user.group.name
                next
            set portal {string}   SSL VPN portal. size[35] - datasource(s): vpn.ssl.web.portal.name
            set realm {string}   SSL VPN realm. size[35] - datasource(s): vpn.ssl.web.realm.url-path
            set client-cert {enable | disable}   Enable/disable SSL VPN client certificate restrictive.
            set cipher {any | high | medium}   SSL VPN cipher strength.
                    any     Any cipher strength.
                    high    High cipher strength (>= 168 bits).
                    medium  Medium cipher strength (>= 128 bits).
            set auth {option}   SSL VPN authentication method restriction.
                    any      Any
                    local    Local
                    radius   RADIUS
                    tacacs+  TACACS+
                    ldap     LDAP
        next
    set dtls-tunnel {enable | disable}   Enable DTLS to prevent eavesdropping, tampering, or message forgery.
    set check-referer {enable | disable}   Enable/disable verification of referer field in HTTP request header.
    set http-request-header-timeout {integer}   SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). range[0-4294967295]
    set http-request-body-timeout {integer}   SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). range[0-4294967295]
end

Additional information

The following section is for those options that require additional explanation.

config authentication-rule

A configuration method to create authentication rules for SSL VPN. Use edit to create a new rule, then specify it using the entries available.

reqclientcert {enable | disable}

Enable or disable (by default) the requirement of a client certificate. When enabled, the SSL VPN daemon will require a client certificate for all SSL VPN users, regardless of policy.

sslv3 {enable | disable}

Enable or disable (by default) SSLv3.

SSLv3 is no longer commonly used, and it is recommended that it be left disabled.

tlsv1-0 {enable | disable}

Enable or disable (by default) Transport Layer Security (TLS) version 1.0 (TLSv1.0).

tlsv1-1 {enable | disable}

Enable (by default) or disable TLSv1.1.

tlsv1-2 {enable | disable}

Enable (by default) or disable TLSv1.2, currently the most recent version.

banned-cipher <cipher>

Banned ciphers for SSL VPN. Set one or more of the following to ban the use of cipher suites using:

  • RSA: Rivest-Shamir-Adleman key
  • DH: Diffie Hellman
  • DHE: Authenticated ephemeral DH key agreement
  • ECDH: Elliptic Curve DH key exchange
  • ECDHE: Authenticated ephemeral ECDH key agreement
  • DSS: Digital Signature Standard authentication
  • ECDSA: Elliptic Curve Digital Signature Algorithm authentication
  • AES: Advanced Encryption Standard, either 128 or 256 bit
  • AESGCM: AES in Galois Counter Mode
  • CAMELLIA: A symmetric block cipher algorithm, either 128 or 256 bit
  • 3DES: Triple Data Encryption Standard
  • SHA1: 160 bit Secure Hash Algorithm
  • SHA256: 256 bit SHA
  • SHA384: 384 bit SHA

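The protocol-version and banned-cipher entries above, together with login-attempt-limit from the command block, are the settings most worth checking in a configuration review. The following added example (not Fortinet code) parses a FortiOS-style `config vpn ssl settings` dump, including its nested config/edit blocks, and reports values this page documents as weak or unlimited; the sample dump is constructed for the demonstration, and the EXPECTED_BANS set is an assumed hardening baseline, not a Fortinet recommendation.

```python
"""Audit a FortiOS 'config vpn ssl settings' dump for weak transport settings.

Added example (not Fortinet code): parses the config/edit/set/next/end layout
shown on this page and flags values the page documents as weak or unlimited."""
import shlex
from typing import Any, Dict, List

# Constructed sample dump for the demonstration, not taken from a real device.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set reqclientcert disable
    set sslv3 enable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set banned-cipher RSA DSS
    set unsafe-legacy-renegotiation enable
    set servercert "Fortinet_Factory"
    set algorithm low
    set login-attempt-limit 0
    config tunnel-ip-pools
        edit "SSLVPN_TUNNEL_ADDR1"
        next
    end
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
"""

# Defaults as documented on this page, used when a key is absent from the dump.
PAGE_DEFAULTS = {"sslv3": "disable", "tlsv1-0": "disable", "tlsv1-1": "enable",
                 "reqclientcert": "disable", "login-attempt-limit": "2",
                 "algorithm": "default", "unsafe-legacy-renegotiation": ""}
# Assumed hardening baseline: legacy cipher-suite families a profile should list
# under banned-cipher (tokens as documented on this page). Tune to local policy.
EXPECTED_BANS = {"3DES", "DSS", "SHA1", "STATIC"}


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse nested FortiOS CLI blocks into dicts.

    'set k v1 v2' -> {'k': ['v1', 'v2']} (multi-valued keys such as
    banned-cipher stay lists); 'config X' / 'edit N' open nested dicts that
    'end' / 'next' close. Quoted names are handled by shlex."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb in ("config", "edit"):
            child: Dict[str, Any] = {}
            stack[-1][" ".join(args)] = child
            stack.append(child)
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif verb == "set" and args:
            stack[-1][args[0]] = args[1:]
    return root


def setting(settings: Dict[str, Any], key: str) -> str:
    """First value of a key, falling back to the page-documented default."""
    values = settings.get(key)
    return values[0] if values else PAGE_DEFAULTS.get(key, "")


def audit(settings: Dict[str, Any]) -> Dict[str, str]:
    """Return {setting: finding} for the 'vpn ssl settings' subtree."""
    findings: Dict[str, str] = {}
    for proto in ("sslv3", "tlsv1-0", "tlsv1-1"):
        if setting(settings, proto) == "enable":
            findings[proto] = f"{proto} enabled; legacy protocol version, disable it"
    missing = EXPECTED_BANS - set(settings.get("banned-cipher", []))
    if missing:
        findings["banned-cipher"] = "not banned: " + ", ".join(sorted(missing))
    if setting(settings, "algorithm") in ("low", "medium"):
        findings["algorithm"] = "allows below-high cipher strength; set high"
    if setting(settings, "login-attempt-limit") == "0":
        findings["login-attempt-limit"] = "0 means no limit; failed logins never block"
    if setting(settings, "unsafe-legacy-renegotiation") == "enable":
        findings["unsafe-legacy-renegotiation"] = "unsafe legacy renegotiation enabled"
    if setting(settings, "reqclientcert") != "enable":
        findings["reqclientcert"] = "client certificates not required for all users"
    return findings


if __name__ == "__main__":
    tree = parse_fortios(SAMPLE_CONFIG)["vpn ssl settings"]
    for key, msg in audit(tree).items():
        print(f"[!] {key}: {msg}")
```

Run it against the output of `show vpn ssl settings` (or `show full-configuration vpn ssl settings`, which also prints the defaulted keys) saved to a file; absent keys are scored at the defaults this page documents.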
ssl-insert-empty-fragment {enable | disable}

Enable (by default) or disable the insertion of empty fragments, a countermeasure against Browser Exploit Against SSL/TLS (BEAST) attacks.

https-redirect {enable | disable}

Enable or disable (by default) the redirection of port 80 to the SSL VPN port.

ssl-client-renegotiation {enable | disable}

Enable (allow) or disable (block, by default) client renegotiation by the server if the tunnel goes down.

force-two-factor-auth {enable | disable}

Enable or disable (by default) the imposition of two-factor authentication. When enabled, PKI (peer) users will be required to authenticate with both their password and their certificate. In addition, only PKI users with two-factor authentication enabled will be able to log on to the SSL VPN.

servercert <cert-name>

The server’s certificate used to identify the FortiGate unit during the SSL handshake with a web browser when the web browser connects to the login page. The certificate must have already been configured on the FortiGate before entering it here. The default is set to Fortinet_Factory.

algorithm {high | medium | low}

Force the SSL VPN security level. high allows only high security algorithms. medium allows medium and high. low allows any.

idle-timeout <timeout>

The period of time in seconds that the SSL VPN will wait before timing out. Set the value between 1-259200 (or 1 second to 3 days), or 0 for no timeout. The default is set to 300.

auth-timeout <timeout>

The period of time in seconds that the SSL VPN will wait before re-authentication is enforced. Set the value between 1-259200 (or 1 second to 3 days), or 0 for no timeout. The default is set to 28800.

{tunnel-ip-pools | tunnel-ipv6-pools} <pool-name>

The tunnel IPv4 or IPv6 pools reserved for remote clients. The addresses and address groups must have already been configured on the FortiGate unit before entering them here.

dns-suffix <string>

The DNS suffix, with a maximum length of 253 characters.

{dns-server1 | ipv6-dns-server1} <addr-ip4/6>

The IPv4 or IPv6 IP address of the primary DNS server that SSL VPN clients will be able to access after a connection has been established. Use the dns-server2 or ipv6-dns-server2 entries to specify a secondary DNS server (see entry below).

{dns-server2 | ipv6-dns-server2} <addr-ip4/6>

The IPv4 or IPv6 IP address of the secondary DNS server that SSL VPN clients will be able to access after a connection has been established.

{wins-server1 | ipv6-wins-server1} <addr-ip4/6>

The IPv4 or IPv6 IP address of the primary WINS server that SSL VPN clients will be able to access after a connection has been established. Use the wins-server2 or ipv6-wins-server2 entries to specify a secondary WINS server (see entry below).

{wins-server2 | ipv6-wins-server2} <addr-ip4/6>

The IPv4 or IPv6 IP address of the secondary WINS server that SSL VPN clients will be able to access after a connection has been established.

route-source-interface {enable | disable}

Enable or disable (by default) allowing SSL VPN connections to bypass routing and bind to the incoming interface.

url-obscuration {enable | disable}

Enable or disable (by default) encryption of the host name of the URL in the display (web address) of the web browser (for web mode only).

Enabling this feature is required for International Computer Security Association (ICSA) SSL VPN certification. Note that, when enabled, bookmark details are not visible.

http-compression {enable | disable}

Enable or disable (by default) the use of compression between the FortiGate unit and the client web browser. When enabled, use the deflate-compression-level and deflate-min-data-size entries to tune performance (see entries below).

http-only-cookie {enable | disable}

Enable (by default) or disable SSL VPN support for HttpOnly cookies.

deflate-compression-level <integer>

Note: This entry is only available when http-compression is set to enable.

The compression level. Set the value between 1-9. Higher compression values reduce the volume of data but require more processing time. The default is set to 6.

deflate-min-data-size <integer>

Note: This entry is only available when http-compression is set to enable.

The minimum amount of data in bytes that will trigger compression. Set the value between 200-65535. The default is set to 300.

port <integer>

The SSL VPN access port. Set the value between 1-65535. When VDOMs are enabled, this feature is set per VDOM. The default value is set to 10443.

port-precedence {enable | disable}

Use this command to control how the FortiGate handles a connection attempt if there is a conflict between administrator access to the GUI and access to the SSL VPN. This can happen if both SSL VPN and HTTPS admin GUI access use the same port on the same FortiGate interface. When this happens and port-precedence is enabled, an HTTPS connection attempt received on an interface with an SSL VPN portal is treated as an SSL VPN connection attempt, and admin GUI access is not allowed. If port-precedence is disabled, the FortiGate treats it as an admin GUI access attempt, and SSL VPN access is not allowed.

Enabled by default.

auto-tunnel-static-route {enable | disable}

Enable (by default) or disable the automatic creation of static routes for the networks that can be accessed through the SSL VPN tunnel. This is only possible if tunnel mode is enabled.

header-x-forwarded-for {pass | add | remove}

Action to take on the HTTP X-Forwarded-For header of forwarded requests.

  • pass forwards the same HTTP header.
  • add (by default) adds the HTTP header.
  • remove removes the HTTP header.

source-interface <interface>

The interface(s) to listen on for SSL clients. You must have already configured the interfaces on the FortiGate unit before entering them here. Enter any to match any interface in the virtual domain.

{source-address | source-address6} [addr-ip4/6]

An optional feature to specify IPv4 or IPv6 addresses from which users can log in. Leave this entry blank to allow login from any address.

{source-address-negate | source-address6-negate} {enable | disable}

Enable or disable (by default) inverting the source-address or source-address6 entries so that they instead specify the IPv4 or IPv6 addresses from which login is not allowed.

default-portal <portal-name>

The name of the default SSL VPN portal, either one of the defaults (full-access, tunnel-access, or web-access) or a custom portal created on the FortiGate unit.

dtls-tunnel {enable | disable}

Enable (by default) or disable the Datagram Transport Layer Security (DTLS) tunnel, allowing datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery.

check-referer {enable | disable}

Enable or disable (by default) verification of the referer field in the HTTP request header.

http-request-header-timeout <timeout>

The amount of time in seconds before the HTTP connection is disconnected if the HTTP request header is not complete. Set the value between 1-60 (or one second to one minute). The default is set to 20.

http-request-body-timeout <timeout>

The amount of time in seconds before the HTTP connection is disconnected if the HTTP request body is not complete. Set the value between 1-60 (or one second to one minute). The default is set to 30.

vpn ssl settings

Use this command to configure basic SSL VPN settings including idle-timeout values and SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients, and specify the IP address of any DNS and/or WINS server that resides on the private network behind the FortiGate unit.

Note: SSL VPNs and their commands are only configurable in NAT mode.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set route-source-interface {enable | disable}

This command has been removed. See preserve-session-route under config system interface for a similar command.

set ssl-big-buffer {enable | disable}

This command has been removed.

config vpn ssl settings
    set reqclientcert {enable | disable}   Enable to require client certificates for all SSL-VPN users.
    set tlsv1-0 {enable | disable}   Enable/disable TLSv1.0.
    set tlsv1-1 {enable | disable}   Enable/disable TLSv1.1.
    set tlsv1-2 {enable | disable}   Enable/disable TLSv1.2.
    set banned-cipher {option}   Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
            RSA       Ban the use of cipher suites using RSA key.
            DH        Ban the use of cipher suites using DH.
            DHE       Ban the use of cipher suites using authenticated ephemeral DH key agreement.
            ECDH      Ban the use of cipher suites using ECDH key exchange.
            ECDHE     Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
            DSS       Ban the use of cipher suites using DSS authentication.
            ECDSA     Ban the use of cipher suites using ECDSA authentication.
            AES       Ban the use of cipher suites using either 128 or 256 bit AES.
            AESGCM    Ban the use of cipher suites AES in Galois Counter Mode (GCM).
            CAMELLIA  Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
            3DES      Ban the use of cipher suites using triple DES
            SHA1      Ban the use of cipher suites using SHA1.
            SHA256    Ban the use of cipher suites using SHA256.
            SHA384    Ban the use of cipher suites using SHA384.
            STATIC    Ban the use of cipher suites using static keys.
    set ssl-insert-empty-fragment {enable | disable}   Enable/disable insertion of empty fragment.
    set https-redirect {enable | disable}   Enable/disable redirect of port 80 to SSL-VPN port.
    set x-content-type-options {enable | disable}   Add HTTP X-Content-Type-Options header.
    set ssl-client-renegotiation {disable | enable}   Enable to allow client renegotiation by the server if the tunnel goes down.
    set force-two-factor-auth {enable | disable}   Enable to force two-factor authentication for all SSL-VPNs.
    set unsafe-legacy-renegotiation {enable | disable}   Enable/disable unsafe legacy re-negotiation.
    set servercert {string}   Name of the server certificate to be used for SSL-VPNs. size[35] - datasource(s): vpn.certificate.local.name
    set algorithm {high | medium | default | low}   Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
            high     High algorithms.
            medium   High and medium algorithms.
            default  default
            low      All algorithms.
    set idle-timeout {integer}   SSL VPN disconnects if idle for specified time in seconds. range[0-259200]
    set auth-timeout {integer}   SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). range[0-259200]
    set login-attempt-limit {integer}   SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). range[0-4294967295]
    set login-block-time {integer}   Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). range[0-4294967295]
    set login-timeout {integer}   SSLVPN maximum login timeout (10 - 180 sec, default = 30). range[10-180]
    set dtls-hello-timeout {integer}   SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). range[10-60]
    config tunnel-ip-pools
        edit {name}
        # Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
            set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
        next
    config tunnel-ipv6-pools
        edit {name}
        # Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
            set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        next
    set dns-suffix {string}   DNS suffix used for SSL-VPN clients. size[253]
    set dns-server1 {ipv4 address}   DNS server 1.
    set dns-server2 {ipv4 address}   DNS server 2.
    set wins-server1 {ipv4 address}   WINS server 1.
    set wins-server2 {ipv4 address}   WINS server 2.
    set ipv6-dns-server1 {ipv6 address}   IPv6 DNS server 1.
    set ipv6-dns-server2 {ipv6 address}   IPv6 DNS server 2.
    set ipv6-wins-server1 {ipv6 address}   IPv6 WINS server 1.
    set ipv6-wins-server2 {ipv6 address}   IPv6 WINS server 2.
    set route-source-interface {enable | disable}   Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
    set url-obscuration {enable | disable}   Enable to obscure the host name of the URL of the web browser display.
    set http-compression {enable | disable}   Enable to allow HTTP compression over SSL-VPN tunnels.
    set http-only-cookie {enable | disable}   Enable/disable SSL-VPN support for HttpOnly cookies.
    set deflate-compression-level {integer}   Compression level (0~9). range[0-9]
    set deflate-min-data-size {integer}   Minimum amount of data that triggers compression (200 - 65535 bytes). range[200-65535]
    set port {integer}   SSL-VPN access port (1 - 65535). range[1-65535]
    set port-precedence {enable | disable}   Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
    set auto-tunnel-static-route {enable | disable}   Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
    set header-x-forwarded-for {pass | add | remove}   Forward the same, add, or remove HTTP header.
            pass    Forward the same HTTP header.
            add     Add the HTTP header.
            remove  Remove the HTTP header.
    config source-interface
        edit {name}
        # SSL VPN source interface of incoming traffic.
            set name {string}   Interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        next
    config source-address
        edit {name}
        # Source address of incoming traffic.
            set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
        next
    set source-address-negate {enable | disable}   Enable/disable negated source address match.
    config source-address6
        edit {name}
        # IPv6 source address of incoming traffic.
            set name {string}   IPv6 address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
        next
    set source-address6-negate {enable | disable}   Enable/disable negated source IPv6 address match.
    set default-portal {string}   Default SSL VPN portal. size[35] - datasource(s): vpn.ssl.web.portal.name
    config authentication-rule
        edit {id}
        # Authentication rule for SSL VPN.
            set id {integer}   ID (0 - 4294967295). range[0-4294967295]
            config source-interface
                edit {name}
                # SSL VPN source interface of incoming traffic.
                    set name {string}   Interface name. size[35] - datasource(s): system.interface.name,system.zone.name
                next
            config source-address
                edit {name}
                # Source address of incoming traffic.
                    set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
                next
            set source-address-negate {enable | disable}   Enable/disable negated source address match.
            config source-address6
                edit {name}
                # IPv6 source address of incoming traffic.
                    set name {string}   IPv6 address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                next
            set source-address6-negate {enable | disable}   Enable/disable negated source IPv6 address match.
            config users
                edit {name}
                # User name.
                    set name {string}   User name. size[64] - datasource(s): user.local.name
                next
            config groups
                edit {name}
                # User groups.
                    set name {string}   Group name. size[64] - datasource(s): user.group.name
                next
            set portal {string}   SSL VPN portal. size[35] - datasource(s): vpn.ssl.web.portal.name
            set realm {string}   SSL VPN realm. size[35] - datasource(s): vpn.ssl.web.realm.url-path
            set client-cert {enable | disable}   Enable/disable SSL VPN client certificate restrictive.
            set cipher {any | high | medium}   SSL VPN cipher strength.
                    any     Any cipher strength.
                    high    High cipher strength (>= 168 bits).
                    medium  Medium cipher strength (>= 128 bits).
            set auth {option}   SSL VPN authentication method restriction.
                    any      Any
                    local    Local
                    radius   RADIUS
                    tacacs+  TACACS+
                    ldap     LDAP
        next
    set dtls-tunnel {enable | disable}   Enable DTLS to prevent eavesdropping, tampering, or message forgery.
    set check-referer {enable | disable}   Enable/disable verification of referer field in HTTP request header.
    set http-request-header-timeout {integer}   SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). range[0-4294967295]
    set http-request-body-timeout {integer}   SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). range[0-4294967295]
end

Additional information

The following section is for those options that require additional explanation.

config authentication-rule

A configuration method to create authentication rules for SSL VPN. Edit to create new and specify the rules using the entries available.

reqclientcert {enable | disable}

Enable or disable (by default) the requirement of a client certificate. When enabled, the SSL VPN daemon will require a client certificate for all SSL VPN users, regardless of policy.

sslv3 {enable | disable}

Enable or disable (by default) SSLv3.

SSLv3 is no longer commonly used, and it is recommended to not use this security measure.

tlsv1-0 {enable | disable}

Enable or disable (by default) Transport Layer Security (TLS) version 1.0 (TLSv1.0).

tlsv1-1 {enable | disable}

Enable (by default) or disable TLSv1.1.

tlsv1-2 {enable | disable}

Enable (by default) or disable TLSv1.2, currently the most recent version.

banned-cipher <cipher>

Banned ciphers for SSL VPN. Set one or more of the following to ban the use of cipher suites using:

  • RSA: Rivest-Shamir-Adleman key
  • DH: Diffie Hellman
  • DHE: Authenticated ephemeral DH key agreement
  • ECDH: Elliptic Curve DH key exchange
  • ECDHE: Authenticated ephemeral ECDH key agreement
  • DSS: Digital Signature Standard authentication
  • ECDSA: Elliptic Curve Digital Signature Algorithm authentication
  • AES: Advanced Encryption Standard, either 128 or 256 bit
  • AESGCM: AES in Galois Counter Mode
  • CAMELLIA: A symmetric block cipher algorithm, either 128 or 256 bit
  • 3DES: Triple Data Encryption Standard
  • SHA1: 160 bit Secure Hash Algorithm
  • SHA256: 256 bit SHA
  • SHA384: 384 bit SHA

ssl-insert-empty-fragment {enable | disable}

Enable (by default) or disable the insertion of empty fragments, a counter measure to avoid Browser Exploit Against SSL/TLS (BEAST) attacks.

https-redirect {enable | disable}

Enable or disable (by default) the redirection of port 80 to the SSL VPN port.

ssl-client-renegotiation {enable | disable}

Enable (allow) or disable (block, by default) client renegotiation by the server if the tunnel goes down.

force-two-factor-auth {enable | disable}

Enable or disable (by default) the imposition of two-factor authentication. When enabled, PKI (peer) users will be required to authenticate with both their password and their certificate. In addition, only PKI users with two-factor authentication enabled will be able to log on to the SSL VPN.

servercert <cert-name>

The server’s certificate used to identify the FortiGate unit during the SSL handshake with a web browser when the web browser connects to the login page. The certificate must have already been configured on the FortiGate before entering it here. The default is set to Fortinet_Factory.

algorithm {high | medium | low}

Force the SSL VPN security level. high allows only high security algorithms. medium allows medium and high. low allows any.

idle-timeout <timeout>

The period of time in seconds that the SSL VPN will wait before timing out. Set the value between 1-259200 (or 1 second to 3 days), or 0 for no timeout. The default is set to 300.

auth-timeout <timeout>

The period of time in seconds that the SSL VPN will wait before re-authentication is enforced. Set the value between 1-259200 (or 1 second to 3 days), or 0 for no timeout. The default is set to 28800.
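The protocol, cipher, client-certificate and timeout entries above interact through their defaults: an option that is never set takes the default this page documents, so a configuration export that looks sparse may still offer TLS 1.1 or never-expiring sessions. The following audit script is an added example for this reference page, not Fortinet code. It parses a `config vpn ssl settings` block as it appears in a FortiOS configuration backup, applies the defaults stated on this page, and reports settings a reviewer would question. The two configuration samples are constructed; the choice of 3DES and SHA1 as the cipher families to check is this example's own, and nested sub-tables such as `config authentication-rule` are skipped rather than interpreted.

```python
"""Audit a FortiOS 'config vpn ssl settings' block for weak TLS, cipher,
client-certificate and timeout settings.

Added example for this reference page, not Fortinet code. Defaults are the
ones this page documents; an option that is not 'set' takes its default.
Both configuration samples below are constructed for illustration.
"""
import re

# Defaults as documented on this page for the options audited here.
# banned-cipher has no documented default; an absent entry is taken to mean
# that nothing is banned (assumption).
DEFAULTS = {
    "sslv3": "disable",
    "tlsv1-0": "disable",
    "tlsv1-1": "enable",
    "tlsv1-2": "enable",
    "reqclientcert": "disable",
    "force-two-factor-auth": "disable",
    "ssl-client-renegotiation": "disable",
    "ssl-insert-empty-fragment": "enable",
    "idle-timeout": "300",
    "auth-timeout": "28800",
    "banned-cipher": "",
}

# Cipher families this example treats as legacy (the reviewer's choice, not
# a Fortinet recommendation): 3DES and SHA1-based suites.
LEGACY_CIPHER_FAMILIES = ("3DES", "SHA1")

SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_ssl_settings(text):
    """Return {option: value} for the direct 'set' lines of
    'config vpn ssl settings'. Nested sub-tables (config ... end) are
    skipped so their 'end' does not terminate the outer block early."""
    settings = {}
    depth = 0  # 0 = outside the block, 1 = inside it, >1 = nested sub-table
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config vpn ssl settings":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            m = SET_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def audit(settings):
    """Return a list of (option, message) findings for the effective settings."""
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["sslv3"] == "enable":
        findings.append(("sslv3", "SSLv3 is enabled; it is obsolete and should stay disabled"))
    if eff["tlsv1-0"] == "enable":
        findings.append(("tlsv1-0", "TLS 1.0 is enabled; it is deprecated"))
    if eff["tlsv1-1"] == "enable":
        findings.append(("tlsv1-1", "TLS 1.1 is enabled (documented default); disable it to offer TLS 1.2 only"))
    if eff["tlsv1-2"] != "enable":
        findings.append(("tlsv1-2", "TLS 1.2 is disabled; no current protocol version is offered"))
    banned = set(eff["banned-cipher"].split())
    missing = [fam for fam in LEGACY_CIPHER_FAMILIES if fam not in banned]
    if missing:
        findings.append(("banned-cipher", "legacy cipher families not banned: " + ", ".join(missing)))
    if eff["ssl-client-renegotiation"] == "enable":
        findings.append(("ssl-client-renegotiation", "client-initiated renegotiation is allowed"))
    if eff["ssl-insert-empty-fragment"] != "enable":
        findings.append(("ssl-insert-empty-fragment", "BEAST countermeasure is disabled"))
    if eff["reqclientcert"] != "enable" and eff["force-two-factor-auth"] != "enable":
        findings.append(("reqclientcert", "client certificates are not required for SSL VPN users"))
    for opt in ("idle-timeout", "auth-timeout"):
        try:
            val = int(eff[opt])
        except ValueError:
            findings.append((opt, f"value {eff[opt]!r} is not an integer"))
            continue
        if val == 0:
            findings.append((opt, "set to 0: sessions never time out"))
        elif not 1 <= val <= 259200:
            findings.append((opt, f"{val} is outside the documented range 1-259200"))
    return findings


# Constructed sample: a weak configuration with a nested authentication rule.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tlsv1-0 enable
    set banned-cipher RSA DH
    set idle-timeout 0
    set port 10443
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
"""

# Constructed sample: the same block after hardening; audit() reports nothing.
HARDENED_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tlsv1-1 disable
    set banned-cipher 3DES SHA1
    set reqclientcert enable
    set idle-timeout 300
end
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for option, message in audit(parse_ssl_settings(cfg)):
            print(f"  {option}: {message}")
```

Run it against the `config vpn ssl settings` section of a `show full-configuration` export; because FortiOS omits defaulted options from a plain `show`, the script deliberately merges the documented defaults before judging the result.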

{tunnel-ip-pools | tunnel-ipv6-pools} <pool-name>

The tunnel IPv4 or IPv6 pools reserved for remote clients. The addresses and address groups must have already been configured on the FortiGate unit before entering them here.

dns-suffix <string>

The DNS suffix, with a maximum length of 253 characters.

{dns-server1 | ipv6-dns-server1} <addr-ip4/6>

The IPv4 or IPv6 IP address of the primary DNS server that SSL VPN clients will be able to access after a connection has been established. Use the dns-server2 or ipv6-dns-server2 entries to specify a secondary DNS server (see entry below).

{dns-server2 | ipv6-dns-server2} <addr-ip4/6>

The IPv4 or IPv6 IP address of the secondary DNS server that SSL VPN clients will be able to access after a connection has been established.

{wins-server1 | ipv6-wins-server1} <addr-ip4/6>

The IPv4 or IPv6 IP address of the primary WINS server that SSL VPN clients will be able to access after a connection has been established. Use the wins-server2 or ipv6-wins-server2 entries to specify a secondary WINS server (see entry below).

{wins-server2 | ipv6-wins-server2} <addr-ip4/6>

The IPv4 or IPv6 IP address of the secondary WINS server that SSL VPN clients will be able to access after a connection has been established.


route-source-interface {enable | disable}

Enable or disable (by default) allowing SSL VPN connections to bypass routing and bind to the incoming interface.

url-obscuration {enable | disable}

Enable or disable (by default) encryption of the host name of the URL in the display (web address) of the web browser (for web mode only).

Enabling this feature is required for International Computer Security Association (ICSA) SSL VPN certification. Note that, when enabled, bookmark details are not visible.

http-compression {enable | disable}

Enable or disable (by default) the use of compression between the FortiGate unit and the client web browser. When enabled, use the deflate-compression-level and deflate-min-data-size entries to tune performance (see entries below).

http-only-cookie {enable | disable}

Enable (by default) or disable SSL VPN support for HttpOnly cookies.

deflate-compression-level <integer>

Note: This entry is only available when http-compression is set to enable.

The compression level. Set the value between 1-9. Higher compression values reduce the volume of data but require more processing time. The default is set to 6.

deflate-min-data-size <integer>

Note: This entry is only available when http-compression is set to enable.

The minimum amount of data in bytes that will trigger compression. Set the value between 200-65535. The default is set to 300.

port <integer>

The SSL VPN access port. Set the value between 1-65535. When VDOMs are enabled, this feature is set per VDOM. The default value is set to 10443.

port-precedence {enable | disable}

Use this command to control how the FortiGate handles a connection attempt if there is a conflict between administrator access to the GUI and SSL VPN access. This can happen if both SSL VPN and HTTPS admin GUI access use the same port on the same FortiGate interface. When this happens and port-precedence is enabled, an HTTPS connection attempt received on an interface with an SSL VPN portal is treated as an SSL VPN connection attempt and admin GUI access is not allowed. If port-precedence is disabled, the FortiGate treats it as an admin GUI access attempt and SSL VPN access is not allowed.

Enabled by default.

auto-tunnel-static-route {enable | disable}

Enable (by default) or disable the automatic creation of static routes for the networks that can be accessed through the SSL VPN tunnel. This is only possible if tunnel mode is enabled.

header-x-forwarded-for {pass | add | remove}

Action to take on the HTTP X-Forwarded-For header of forwarded requests.

  • pass forwards the same HTTP header.
  • add (by default) adds the HTTP header.
  • remove removes the HTTP header.
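What the three actions mean for a server behind the SSL VPN web portal is easiest to see by modelling them. The following is an added example for this page, not Fortinet code. It assumes the usual proxy semantics for these actions: `pass` forwards whatever X-Forwarded-For value the client sent, `add` appends the connecting client's address to any existing value (the common X-Forwarded-For convention; the page only says the header is added), and `remove` strips the header. The request headers and addresses are constructed. The security point it makes is that a backend log should trust only the last address in the chain, the one written by the FortiGate, and that with `pass` the whole value is client-controlled.

```python
"""Model the header-x-forwarded-for actions {pass | add | remove} as seen by
a backend server behind the SSL VPN web portal.

Added example for this page, not Fortinet code. Semantics assumed:
  pass   -> the client's X-Forwarded-For (if any) is forwarded unchanged
  add    -> the connecting client's address is appended (page default)
  remove -> the header is dropped before forwarding
The headers and addresses below are constructed (RFC 5737 test ranges).
"""

HEADER = "X-Forwarded-For"


def _split_xff(headers):
    """Return (other_headers, existing_xff_value_or_None), case-insensitively."""
    others = {k: v for k, v in headers.items() if k.lower() != HEADER.lower()}
    existing = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    return others, existing


def apply_x_forwarded_for(headers, client_ip, action):
    """Return the headers the backend would receive from the portal.

    headers   -- request headers as received from the remote client
    client_ip -- address of the TCP peer that sent the request to the portal
    action    -- 'pass', 'add' or 'remove'
    """
    out, existing = _split_xff(headers)
    if action == "pass":
        if existing is not None:
            out[HEADER] = existing
    elif action == "add":
        out[HEADER] = f"{existing}, {client_ip}" if existing else client_ip
    elif action == "remove":
        pass  # header already excluded from 'out'
    else:
        raise ValueError(f"unknown header-x-forwarded-for action: {action!r}")
    return out


def last_forwarded_for(backend_headers):
    """The address a backend should log as the client: the last entry of
    X-Forwarded-For, i.e. the one appended by the trusted proxy in front of
    it. Returns None when the header is absent."""
    _, value = _split_xff(backend_headers)
    if not value:
        return None
    return value.split(",")[-1].strip()


if __name__ == "__main__":
    # Constructed: the remote client itself supplied an X-Forwarded-For value.
    client_headers = {"Host": "intranet.example", HEADER: "198.51.100.7"}
    client_ip = "203.0.113.5"  # constructed address of the VPN client
    for action in ("pass", "add", "remove"):
        seen = apply_x_forwarded_for(client_headers, client_ip, action)
        print(f"{action:6s} backend sees {seen.get(HEADER)!r}; "
              f"logs client as {last_forwarded_for(seen)!r}")
```

With `pass`, the backend logs `198.51.100.7`, a value chosen by the client; with `add` it logs `203.0.113.5`, the address the FortiGate actually saw; with `remove` it has no client address at all and will log the FortiGate's own address from the TCP connection.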

source-interface <interface>

The interface(s) to listen on for SSL clients. You must have already configured the interfaces on the FortiGate unit before entering them here. Enter any to match any interface in the virtual domain.

{source-address | source-address6} [addr-ip4/6]

An optional feature to specify IPv4 or IPv6 addresses from which users can log in. Leave this entry blank to allow login from any address.

{source-address-negate | source-address6-negate} {enable | disable}

Enable or disable (by default) inverting the source-address or source-address6 entries so that they instead specify IPv4 or IPv6 addresses from which login is not allowed.

default-portal <portal-name>

The name of the default SSL VPN portal, either one of the defaults (full-access, tunnel-access, or web-access) or a custom portal created on the FortiGate unit.

dtls-tunnel {enable | disable}

Enable (by default) or disable the Datagram Transport Layer Security (DTLS) tunnel, allowing datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery.

check-referer {enable | disable}

Enable or disable (by default) verification of the Referer field in the HTTP request header.

http-request-header-timeout <timeout>

The amount of time in seconds before the HTTP connection disconnects if the HTTP request header is not complete. Set the value between 1-60 (or one second to one minute). The default is set to 20.

http-request-body-timeout <timeout>

The amount of time in seconds before the HTTP connection disconnects if the HTTP request body is not complete. Set the value between 1-60 (or one second to one minute). The default is set to 30.