reqclientcert

Enable to require client certificates for all SSL-VPN users.

option

user-peer

Name of user peer.

string

ssl-max-proto-ver

SSL maximum protocol version.

option

ssl-min-proto-ver

SSL minimum protocol version.

option

tlsv1-0

tlsv1-0

option

tlsv1-1

tlsv1-1

option

tlsv1-2

tlsv1-2

option

tlsv1-3

tlsv1-3

option

banned-cipher

Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.

option

ssl-insert-empty-fragment

Enable/disable insertion of empty fragment.

option

https-redirect

Enable/disable redirect of port 80 to SSL-VPN port.

option

x-content-type-options

Add HTTP X-Content-Type-Options header.

option

ssl-client-renegotiation

Enable to allow client renegotiation by the server if the tunnel goes down.

option

force-two-factor-auth

Enable only PKI users with two-factor authentication for SSL-VPNs.

option

unsafe-legacy-renegotiation

Enable/disable unsafe legacy re-negotiation.

option

servercert

Name of the server certificate to be used for SSL-VPNs.

string

algorithm

Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.

option

idle-timeout

SSL VPN disconnects if idle for specified time in seconds.

integer

auth-timeout

SSL-VPN authentication timeout .

integer

login-attempt-limit

SSL VPN maximum login attempt times before block .

integer

login-block-time

Time for which a user is blocked from logging in after too many failed login attempts .

integer

login-timeout

SSLVPN maximum login timeout .

integer

dtls-hello-timeout

SSLVPN maximum DTLS hello timeout .

integer

tunnel-ip-pools <name>

Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

tunnel-ipv6-pools <name>

Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

dns-suffix

DNS suffix used for SSL-VPN clients.

var-string

dns-server1

DNS server 1.

ipv4-address

dns-server2

DNS server 2.

ipv4-address

wins-server1

WINS server 1.

ipv4-address

wins-server2

WINS server 2.

ipv4-address

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

route-source-interface

Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.

option

url-obscuration

Enable to obscure the host name of the URL of the web browser display.

option

http-compression

Enable to allow HTTP compression over SSL-VPN tunnels.

option

http-only-cookie

Enable/disable SSL-VPN support for HttpOnly cookies.

option

deflate-compression-level

Compression level (0~9).

integer

deflate-min-data-size

Minimum amount of data that triggers compression .

integer

port

SSL-VPN access port .

integer

port-precedence

Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.

option

auto-tunnel-static-route

Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.

option

header-x-forwarded-for

Forward the same, add, or remove HTTP header.

option

source-interface <name>

SSL VPN source interface of incoming traffic.

Interface name.

string

source-address <name>

Source address of incoming traffic.

Address name.

string

source-address-negate

Enable/disable negated source address match.

option

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

source-address6-negate

Enable/disable negated source IPv6 address match.

option

default-portal

Default SSL VPN portal.

string

dtls-tunnel

Enable DTLS to prevent eavesdropping, tampering, or message forgery.

option

dtls-max-proto-ver

DTLS maximum protocol version.

option

dtls-min-proto-ver

DTLS minimum protocol version.

option

check-referer

Enable/disable verification of referer field in HTTP request header.

option

http-request-header-timeout

SSL-VPN session is disconnected if an HTTP request header is not received within this time .

integer

http-request-body-timeout

SSL-VPN session is disconnected if an HTTP request body is not received within this time .

integer

auth-session-check-source-ip

Enable/disable checking of source IP for authentication session.

option

tunnel-connect-without-reauth

Enable/disable tunnel connection without re-authorization if previous connection dropped.

option

tunnel-user-session-timeout

Time out value to clean up user session after tunnel connection is dropped .

integer

hsts-include-subdomains

Add HSTS includeSubDomains response header.

option

encode-2f-sequence

Encode \2F sequence to forward slash in URLs.

option

source-interface <name>

SSL VPN source interface of incoming traffic.

Interface name.

string

source-address <name>

Source address of incoming traffic.

Address name.

string

source-address-negate

Enable/disable negated source address match.

option

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

source-address6-negate

Enable/disable negated source IPv6 address match.

option

users <name>

User name.

User name.

string

groups <name>

User groups.

Group name.

string

portal

SSL VPN portal.

string

realm

SSL VPN realm.

string

client-cert

Enable/disable SSL VPN client certificate restrictive.

option

user-peer

Name of user peer.

string

cipher

SSL VPN cipher strength.

option

auth

SSL VPN authentication method restriction.

option