CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
cifs
- cifs domain-controller
- cifs profile
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
- endpoint-control settings
extender-controller
- extender-controller extender
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall consolidated policy
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-append
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy6
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller managed-switch
- switch-controller poe
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller traffic-policy
- switch-controller virtual-port-pool
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg device-detection-portal
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg nntp
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wan-link
- system virtual-wire-pair
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.2.6 CLI Reference

6.2.6

vpn ssl settings

Configure SSL VPN.

  config vpn ssl settings
      Description: Configure SSL VPN.
      set reqclientcert [enable|disable]
      set user-peer {string}
      set ssl-max-proto-ver [tls1-0|tls1-1|...]
      set ssl-min-proto-ver [tls1-0|tls1-1|...]
      set tlsv1-0 [enable|disable]
      set tlsv1-1 [enable|disable]
      set tlsv1-2 [enable|disable]
      set tlsv1-3 [enable|disable]
      set banned-cipher {option1}, {option2}, ...
      set ssl-insert-empty-fragment [enable|disable]
      set https-redirect [enable|disable]
      set x-content-type-options [enable|disable]
      set ssl-client-renegotiation [disable|enable]
      set force-two-factor-auth [enable|disable]
      set unsafe-legacy-renegotiation [enable|disable]
      set servercert {string}
      set algorithm [high|medium|...]
      set idle-timeout {integer}
      set auth-timeout {integer}
      set login-attempt-limit {integer}
      set login-block-time {integer}
      set login-timeout {integer}
      set dtls-hello-timeout {integer}
      set tunnel-ip-pools <name1>, <name2>, ...
      set tunnel-ipv6-pools <name1>, <name2>, ...
      set dns-suffix {var-string}
      set dns-server1 {ipv4-address}
      set dns-server2 {ipv4-address}
      set wins-server1 {ipv4-address}
      set wins-server2 {ipv4-address}
      set ipv6-dns-server1 {ipv6-address}
      set ipv6-dns-server2 {ipv6-address}
      set ipv6-wins-server1 {ipv6-address}
      set ipv6-wins-server2 {ipv6-address}
      set route-source-interface [enable|disable]
      set url-obscuration [enable|disable]
      set http-compression [enable|disable]
      set http-only-cookie [enable|disable]
      set deflate-compression-level {integer}
      set deflate-min-data-size {integer}
      set port {integer}
      set port-precedence [enable|disable]
      set auto-tunnel-static-route [enable|disable]
      set header-x-forwarded-for [pass|add|...]
      set source-interface <name1>, <name2>, ...
      set source-address <name1>, <name2>, ...
      set source-address-negate [enable|disable]
      set source-address6 <name1>, <name2>, ...
      set source-address6-negate [enable|disable]
      set default-portal {string}
      config authentication-rule
          Description: Authentication rule for SSL VPN.
          edit <id>
              set source-interface <name1>, <name2>, ...
              set source-address <name1>, <name2>, ...
              set source-address-negate [enable|disable]
              set source-address6 <name1>, <name2>, ...
              set source-address6-negate [enable|disable]
              set users <name1>, <name2>, ...
              set groups <name1>, <name2>, ...
              set portal {string}
              set realm {string}
              set client-cert [enable|disable]
              set user-peer {string}
              set cipher [any|high|...]
              set auth [any|local|...]
          next
      end
      set dtls-tunnel [enable|disable]
      set dtls-max-proto-ver [dtls1-0|dtls1-2]
      set dtls-min-proto-ver [dtls1-0|dtls1-2]
      set check-referer [enable|disable]
      set http-request-header-timeout {integer}
      set http-request-body-timeout {integer}
      set auth-session-check-source-ip [enable|disable]
      set tunnel-connect-without-reauth [enable|disable]
      set tunnel-user-session-timeout {integer}
      set hsts-include-subdomains [enable|disable]
      set encode-2f-sequence [enable|disable]
  end

config vpn ssl settings

Parameter Name	Description	Type	Size
reqclientcert	Enable to require client certificates for all SSL-VPN users. enable: Enable setting. disable: Disable setting.	option	-
user-peer	Name of user peer.	string	Maximum length: 35
ssl-max-proto-ver	SSL maximum protocol version. tls1-0: TLS version 1.0. tls1-1: TLS version 1.1. tls1-2: TLS version 1.2. tls1-3: TLS version 1.3.	option	-
ssl-min-proto-ver	SSL minimum protocol version. tls1-0: TLS version 1.0. tls1-1: TLS version 1.1. tls1-2: TLS version 1.2. tls1-3: TLS version 1.3.	option	-
tlsv1-0	tlsv1-0 enable: Enable setting. disable: Disable setting.	option	-
tlsv1-1	tlsv1-1 enable: Enable setting. disable: Disable setting.	option	-
tlsv1-2	tlsv1-2 enable: Enable setting. disable: Disable setting.	option	-
tlsv1-3	tlsv1-3 enable: Enable setting. disable: Disable setting.	option	-
banned-cipher	Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. RSA: Ban the use of cipher suites using RSA key. DHE: Ban the use of cipher suites using authenticated ephemeral DH key agreement. ECDHE: Ban the use of cipher suites using authenticated ephemeral ECDH key agreement. DSS: Ban the use of cipher suites using DSS authentication. ECDSA: Ban the use of cipher suites using ECDSA authentication. AES: Ban the use of cipher suites using either 128 or 256 bit AES. AESGCM: Ban the use of cipher suites AES in Galois Counter Mode (GCM). CAMELLIA: Ban the use of cipher suites using either 128 or 256 bit CAMELLIA. 3DES: Ban the use of cipher suites using triple DES SHA1: Ban the use of cipher suites using HMAC-SHA1. SHA256: Ban the use of cipher suites using HMAC-SHA256. SHA384: Ban the use of cipher suites using HMAC-SHA384. STATIC: Ban the use of cipher suites using static keys.	option	-
ssl-insert-empty-fragment	Enable/disable insertion of empty fragment. enable: Enable setting. disable: Disable setting.	option	-
https-redirect	Enable/disable redirect of port 80 to SSL-VPN port. enable: Enable setting. disable: Disable setting.	option	-
x-content-type-options	Add HTTP X-Content-Type-Options header. enable: Enable setting. disable: Disable setting.	option	-
ssl-client-renegotiation	Enable to allow client renegotiation by the server if the tunnel goes down. disable: Abort any SSL connection that attempts to renegotiate. enable: Allow a SSL client to renegotiate.	option	-
force-two-factor-auth	Enable only PKI users with two-factor authentication for SSL-VPNs. enable: Enable setting. disable: Disable setting.	option	-
unsafe-legacy-renegotiation	Enable/disable unsafe legacy re-negotiation. enable: Enable setting. disable: Disable setting.	option	-
servercert	Name of the server certificate to be used for SSL-VPNs.	string	Maximum length: 35
algorithm	Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. high: High algorithms. medium: High and medium algorithms. default: default low: All algorithms.	option	-
idle-timeout	SSL VPN disconnects if idle for specified time in seconds.	integer	Minimum value: 0 Maximum value: 259200
auth-timeout	SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).	integer	Minimum value: 0 Maximum value: 259200
login-attempt-limit	SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).	integer	Minimum value: 0 Maximum value: 4294967295
login-block-time	Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).	integer	Minimum value: 0 Maximum value: 4294967295
login-timeout	SSLVPN maximum login timeout (10 - 180 sec, default = 30).	integer	Minimum value: 10 Maximum value: 180
dtls-hello-timeout	SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).	integer	Minimum value: 10 Maximum value: 60
tunnel-ip-pools `<name>`	Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name.	string	Maximum length: 79
tunnel-ipv6-pools `<name>`	Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name.	string	Maximum length: 79
dns-suffix	DNS suffix used for SSL-VPN clients.	var-string	Maximum length: 253
dns-server1	DNS server 1.	ipv4-address	Not Specified
dns-server2	DNS server 2.	ipv4-address	Not Specified
wins-server1	WINS server 1.	ipv4-address	Not Specified
wins-server2	WINS server 2.	ipv4-address	Not Specified
ipv6-dns-server1	IPv6 DNS server 1.	ipv6-address	Not Specified
ipv6-dns-server2	IPv6 DNS server 2.	ipv6-address	Not Specified
ipv6-wins-server1	IPv6 WINS server 1.	ipv6-address	Not Specified
ipv6-wins-server2	IPv6 WINS server 2.	ipv6-address	Not Specified
route-source-interface	Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. enable: Enable setting. disable: Disable setting.	option	-
url-obscuration	Enable to obscure the host name of the URL of the web browser display. enable: Enable setting. disable: Disable setting.	option	-
http-compression	Enable to allow HTTP compression over SSL-VPN tunnels. enable: Enable setting. disable: Disable setting.	option	-
http-only-cookie	Enable/disable SSL-VPN support for HttpOnly cookies. enable: Enable setting. disable: Disable setting.	option	-
deflate-compression-level	Compression level (0~9).	integer	Minimum value: 0 Maximum value: 9
deflate-min-data-size	Minimum amount of data that triggers compression (200 - 65535 bytes).	integer	Minimum value: 200 Maximum value: 65535
port	SSL-VPN access port (1 - 65535).	integer	Minimum value: 1 Maximum value: 65535
port-precedence	Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. enable: Enable setting. disable: Disable setting.	option	-
auto-tunnel-static-route	Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. enable: Enable setting. disable: Disable setting.	option	-
header-x-forwarded-for	Forward the same, add, or remove HTTP header. pass: Forward the same HTTP header. add: Add the HTTP header. remove: Remove the HTTP header.	option	-
source-interface `<name>`	SSL VPN source interface of incoming traffic. Interface name.	string	Maximum length: 35
source-address `<name>`	Source address of incoming traffic. Address name.	string	Maximum length: 79
source-address-negate	Enable/disable negated source address match. enable: Enable setting. disable: Disable setting.	option	-
source-address6 `<name>`	IPv6 source address of incoming traffic. IPv6 address name.	string	Maximum length: 79
source-address6-negate	Enable/disable negated source IPv6 address match. enable: Enable setting. disable: Disable setting.	option	-
default-portal	Default SSL VPN portal.	string	Maximum length: 35
dtls-tunnel	Enable DTLS to prevent eavesdropping, tampering, or message forgery. enable: Enable setting. disable: Disable setting.	option	-
dtls-max-proto-ver	DTLS maximum protocol version. dtls1-0: DTLS version 1.0. dtls1-2: DTLS version 1.2.	option	-
dtls-min-proto-ver	DTLS minimum protocol version. dtls1-0: DTLS version 1.0. dtls1-2: DTLS version 1.2.	option	-
check-referer	Enable/disable verification of referer field in HTTP request header. enable: Enable verification of referer field in HTTP request header. disable: Disable verification of referer field in HTTP request header.	option	-
http-request-header-timeout	SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).	integer	Minimum value: 0 Maximum value: 4294967295
http-request-body-timeout	SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).	integer	Minimum value: 0 Maximum value: 4294967295
auth-session-check-source-ip	Enable/disable checking of source IP for authentication session. enable: Enable checking of source IP for authentication session. disable: Disable checking of source IP for authentication session.	option	-
tunnel-connect-without-reauth	Enable/disable tunnel connection without re-authorization if previous connection dropped. enable: Enable tunnel connection without re-authorization. disable: Disable tunnel connection without re-authorization.	option	-
tunnel-user-session-timeout	Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30).	integer	Minimum value: 1 Maximum value: 255
hsts-include-subdomains	Add HSTS includeSubDomains response header. enable: Enable setting. disable: Disable setting.	option	-
encode-2f-sequence	Encode \2F sequence to forward slash in URLs. enable: Enable setting. disable: Disable setting.	option	-

config authentication-rule

Parameter Name	Description	Type	Size
source-interface `<name>`	SSL VPN source interface of incoming traffic. Interface name.	string	Maximum length: 35
source-address `<name>`	Source address of incoming traffic. Address name.	string	Maximum length: 79
source-address-negate	Enable/disable negated source address match. enable: Enable setting. disable: Disable setting.	option	-
source-address6 `<name>`	IPv6 source address of incoming traffic. IPv6 address name.	string	Maximum length: 79
source-address6-negate	Enable/disable negated source IPv6 address match. enable: Enable setting. disable: Disable setting.	option	-
users `<name>`	User name. User name.	string	Maximum length: 79
groups `<name>`	User groups. Group name.	string	Maximum length: 79
portal	SSL VPN portal.	string	Maximum length: 35
realm	SSL VPN realm.	string	Maximum length: 35
client-cert	Enable/disable SSL VPN client certificate restrictive. enable: Enable setting. disable: Disable setting.	option	-
user-peer	Name of user peer.	string	Maximum length: 35
cipher	SSL VPN cipher strength. any: Any cipher strength. high: High cipher strength (>= 168 bits). medium: Medium cipher strength (>= 128 bits).	option	-
auth	SSL VPN authentication method restriction. any: Any local: Local radius: RADIUS tacacs+: TACACS+ ldap: LDAP	option	-

Configure SSL VPN.

config vpn ssl settings Description: Configure SSL VPN. set reqclientcert [enable|disable] set user-peer {string} set ssl-max-proto-ver [tls1-0|tls1-1|...] set ssl-min-proto-ver [tls1-0|tls1-1|...] set tlsv1-0 [enable|disable] set tlsv1-1 [enable|disable] set tlsv1-2 [enable|disable] set tlsv1-3 [enable|disable] set banned-cipher {option1}, {option2}, ... set ssl-insert-empty-fragment [enable|disable] set https-redirect [enable|disable] set x-content-type-options [enable|disable] set ssl-client-renegotiation [disable|enable] set force-two-factor-auth [enable|disable] set unsafe-legacy-renegotiation [enable|disable] set servercert {string} set algorithm [high|medium|...] set idle-timeout {integer} set auth-timeout {integer} set login-attempt-limit {integer} set login-block-time {integer} set login-timeout {integer} set dtls-hello-timeout {integer} set tunnel-ip-pools <name1>, <name2>, ... set tunnel-ipv6-pools <name1>, <name2>, ... set dns-suffix {var-string} set dns-server1 {ipv4-address} set dns-server2 {ipv4-address} set wins-server1 {ipv4-address} set wins-server2 {ipv4-address} set ipv6-dns-server1 {ipv6-address} set ipv6-dns-server2 {ipv6-address} set ipv6-wins-server1 {ipv6-address} set ipv6-wins-server2 {ipv6-address} set route-source-interface [enable|disable] set url-obscuration [enable|disable] set http-compression [enable|disable] set http-only-cookie [enable|disable] set deflate-compression-level {integer} set deflate-min-data-size {integer} set port {integer} set port-precedence [enable|disable] set auto-tunnel-static-route [enable|disable] set header-x-forwarded-for [pass|add|...] set source-interface <name1>, <name2>, ... set source-address <name1>, <name2>, ... set source-address-negate [enable|disable] set source-address6 <name1>, <name2>, ... set source-address6-negate [enable|disable] set default-portal {string} config authentication-rule Description: Authentication rule for SSL VPN. edit <id> set source-interface <name1>, <name2>, ... set source-address <name1>, <name2>, ... set source-address-negate [enable|disable] set source-address6 <name1>, <name2>, ... set source-address6-negate [enable|disable] set users <name1>, <name2>, ... set groups <name1>, <name2>, ... set portal {string} set realm {string} set client-cert [enable|disable] set user-peer {string} set cipher [any|high|...] set auth [any|local|...] next end set dtls-tunnel [enable|disable] set dtls-max-proto-ver [dtls1-0|dtls1-2] set dtls-min-proto-ver [dtls1-0|dtls1-2] set check-referer [enable|disable] set http-request-header-timeout {integer} set http-request-body-timeout {integer} set auth-session-check-source-ip [enable|disable] set tunnel-connect-without-reauth [enable|disable] set tunnel-user-session-timeout {integer} set hsts-include-subdomains [enable|disable] set encode-2f-sequence [enable|disable] end

config vpn ssl settings

Parameter Name

Description

Type

Size

reqclientcert

Enable to require client certificates for all SSL-VPN users.
enable: Enable setting.
disable: Disable setting.

option

user-peer

Name of user peer.

string

Maximum length: 35

ssl-max-proto-ver

SSL maximum protocol version.
tls1-0: TLS version 1.0.
tls1-1: TLS version 1.1.
tls1-2: TLS version 1.2.
tls1-3: TLS version 1.3.

option

ssl-min-proto-ver

SSL minimum protocol version.
tls1-0: TLS version 1.0.
tls1-1: TLS version 1.1.
tls1-2: TLS version 1.2.
tls1-3: TLS version 1.3.

option

tlsv1-0

tlsv1-0
enable: Enable setting.
disable: Disable setting.

option

tlsv1-1

tlsv1-1
enable: Enable setting.
disable: Disable setting.

option

tlsv1-2

tlsv1-2
enable: Enable setting.
disable: Disable setting.

option

tlsv1-3

tlsv1-3
enable: Enable setting.
disable: Disable setting.

option

banned-cipher

Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
RSA: Ban the use of cipher suites using RSA key.
DHE: Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDHE: Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS: Ban the use of cipher suites using DSS authentication.
ECDSA: Ban the use of cipher suites using ECDSA authentication.
AES: Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM: Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA: Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES: Ban the use of cipher suites using triple DES
SHA1: Ban the use of cipher suites using HMAC-SHA1.
SHA256: Ban the use of cipher suites using HMAC-SHA256.
SHA384: Ban the use of cipher suites using HMAC-SHA384.
STATIC: Ban the use of cipher suites using static keys.

option

ssl-insert-empty-fragment

Enable/disable insertion of empty fragment.
enable: Enable setting.
disable: Disable setting.

option

https-redirect

Enable/disable redirect of port 80 to SSL-VPN port.
enable: Enable setting.
disable: Disable setting.

option

x-content-type-options

Add HTTP X-Content-Type-Options header.
enable: Enable setting.
disable: Disable setting.

option

ssl-client-renegotiation

Enable to allow client renegotiation by the server if the tunnel goes down.
disable: Abort any SSL connection that attempts to renegotiate.
enable: Allow a SSL client to renegotiate.

option

force-two-factor-auth

Enable only PKI users with two-factor authentication for SSL-VPNs.
enable: Enable setting.
disable: Disable setting.

option

unsafe-legacy-renegotiation

Enable/disable unsafe legacy re-negotiation.
enable: Enable setting.
disable: Disable setting.

option

servercert

Name of the server certificate to be used for SSL-VPNs.

string

Maximum length: 35

algorithm

Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
high: High algorithms.
medium: High and medium algorithms.
default: default
low: All algorithms.

option

idle-timeout

SSL VPN disconnects if idle for specified time in seconds.

integer

Minimum value: 0 Maximum value: 259200

auth-timeout

SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).

integer

Minimum value: 0 Maximum value: 259200

SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).

integer

Minimum value: 0 Maximum value: 4294967295

Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).

integer

Minimum value: 0 Maximum value: 4294967295

SSLVPN maximum login timeout (10 - 180 sec, default = 30).

integer

Minimum value: 10 Maximum value: 180

dtls-hello-timeout

SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).

integer

Minimum value: 10 Maximum value: 60

tunnel-ip-pools <name>

Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
Address name.

string

Maximum length: 79

tunnel-ipv6-pools <name>

Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
Address name.

string

Maximum length: 79

dns-suffix

DNS suffix used for SSL-VPN clients.

var-string

Maximum length: 253

dns-server1

DNS server 1.

ipv4-address

Not Specified

dns-server2

DNS server 2.

ipv4-address

Not Specified

wins-server1

WINS server 1.

ipv4-address

Not Specified

wins-server2

WINS server 2.

ipv4-address

Not Specified

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

route-source-interface

Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
enable: Enable setting.
disable: Disable setting.

option

url-obscuration

Enable to obscure the host name of the URL of the web browser display.
enable: Enable setting.
disable: Disable setting.

option

http-compression

Enable to allow HTTP compression over SSL-VPN tunnels.
enable: Enable setting.
disable: Disable setting.

option

http-only-cookie

Enable/disable SSL-VPN support for HttpOnly cookies.
enable: Enable setting.
disable: Disable setting.

option

deflate-compression-level

Compression level (0~9).

integer

Minimum value: 0 Maximum value: 9

deflate-min-data-size

Minimum amount of data that triggers compression (200 - 65535 bytes).

integer

Minimum value: 200 Maximum value: 65535

port

SSL-VPN access port (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

port-precedence

Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
enable: Enable setting.
disable: Disable setting.

option

auto-tunnel-static-route

Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
enable: Enable setting.
disable: Disable setting.

option

header-x-forwarded-for

Forward the same, add, or remove HTTP header.
pass: Forward the same HTTP header.
add: Add the HTTP header.
remove: Remove the HTTP header.

option

source-interface <name>

SSL VPN source interface of incoming traffic.
Interface name.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.
Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.
enable: Enable setting.
disable: Disable setting.

option

source-address6 <name>

IPv6 source address of incoming traffic.
IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.
enable: Enable setting.
disable: Disable setting.

option

default-portal

Default SSL VPN portal.

string

Maximum length: 35

dtls-tunnel

Enable DTLS to prevent eavesdropping, tampering, or message forgery.
enable: Enable setting.
disable: Disable setting.

option

dtls-max-proto-ver

DTLS maximum protocol version.
dtls1-0: DTLS version 1.0.
dtls1-2: DTLS version 1.2.

option

dtls-min-proto-ver

DTLS minimum protocol version.
dtls1-0: DTLS version 1.0.
dtls1-2: DTLS version 1.2.

option

check-referer

Enable/disable verification of referer field in HTTP request header.
enable: Enable verification of referer field in HTTP request header.
disable: Disable verification of referer field in HTTP request header.

option

http-request-header-timeout

SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

http-request-body-timeout

SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

auth-session-check-source-ip

Enable/disable checking of source IP for authentication session.
enable: Enable checking of source IP for authentication session.
disable: Disable checking of source IP for authentication session.

option

tunnel-connect-without-reauth

Enable/disable tunnel connection without re-authorization if previous connection dropped.
enable: Enable tunnel connection without re-authorization.
disable: Disable tunnel connection without re-authorization.

option

tunnel-user-session-timeout

Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30).

integer

Minimum value: 1 Maximum value: 255

hsts-include-subdomains

Add HSTS includeSubDomains response header.
enable: Enable setting.
disable: Disable setting.

option

encode-2f-sequence

Encode \2F sequence to forward slash in URLs.
enable: Enable setting.
disable: Disable setting.

option

config authentication-rule

Parameter Name

Description

Type

Size

source-interface <name>

SSL VPN source interface of incoming traffic.
Interface name.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.
Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.
enable: Enable setting.
disable: Disable setting.

option

source-address6 <name>

IPv6 source address of incoming traffic.
IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.
enable: Enable setting.
disable: Disable setting.

option

users <name>

User name.
User name.

string

Maximum length: 79

groups <name>

User groups.
Group name.

string

Maximum length: 79

portal

SSL VPN portal.

string

Maximum length: 35

realm

SSL VPN realm.

string

Maximum length: 35

client-cert

Enable/disable SSL VPN client certificate restrictive.
enable: Enable setting.
disable: Disable setting.

option

user-peer

Name of user peer.

string

Maximum length: 35

cipher

SSL VPN cipher strength.
any: Any cipher strength.
high: High cipher strength (>= 168 bits).
medium: Medium cipher strength (>= 128 bits).

option

auth

SSL VPN authentication method restriction.
any: Any
local: Local
radius: RADIUS
tacacs+: TACACS+
ldap: LDAP

option

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

vpn ssl settings

Configure SSL VPN.

config vpn ssl settings

config authentication-rule

vpn ssl settings

Configure SSL VPN.

config vpn ssl settings

config authentication-rule