config vpn ssl web portal

Portal.

config vpn ssl web portal
    Description: Portal.
    edit <name>
        set tunnel-mode [enable|disable]
        set ip-mode [range|user-group]
        set auto-connect [enable|disable]
        set keep-alive [enable|disable]
        set save-password [enable|disable]
        set ip-pools <name1>, <name2>, ...
        set exclusive-routing [enable|disable]
        set service-restriction [enable|disable]
        set split-tunneling [enable|disable]
        set split-tunneling-routing-address <name1>, <name2>, ...
        set dns-server1 {ipv4-address}
        set dns-server2 {ipv4-address}
        set dns-suffix {var-string}
        set wins-server1 {ipv4-address}
        set wins-server2 {ipv4-address}
        set ipv6-tunnel-mode [enable|disable]
        set ipv6-pools <name1>, <name2>, ...
        set ipv6-exclusive-routing [enable|disable]
        set ipv6-service-restriction [enable|disable]
        set ipv6-split-tunneling [enable|disable]
        set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-wins-server1 {ipv6-address}
        set ipv6-wins-server2 {ipv6-address}
        set web-mode [enable|disable]
        set display-bookmark [enable|disable]
        set user-bookmark [enable|disable]
        set allow-user-access {option1}, {option2}, ...
        set user-group-bookmark [enable|disable]
        config bookmark-group
            Description: Portal bookmark group.
            edit <name>
                config bookmarks
                    Description: Bookmark table.
                    edit <name>
                        set apptype [ftp|rdp|...]
                        set url {var-string}
                        set host {var-string}
                        set folder {var-string}
                        set additional-params {var-string}
                        set listening-port {integer}
                        set remote-port {integer}
                        set show-status-window [enable|disable]
                        set description {var-string}
                        set server-layout [de-de-qwertz|en-gb-qwerty|...]
                        set security [rdp|nla|...]
                        set preconnection-id {integer}
                        set preconnection-blob {var-string}
                        set load-balancing-info {var-string}
                        set port {integer}
                        set logon-user {var-string}
                        set logon-password {password}
                        set sso [disable|static|...]
                        config form-data
                            Description: Form data.
                            edit <name>
                                set value {var-string}
                            next
                        end
                        set sso-credential [sslvpn-login|alternative]
                        set sso-username {var-string}
                        set sso-password {password}
                        set sso-credential-sent-once [enable|disable]
                    next
                end
            next
        end
        set display-connection-tools [enable|disable]
        set display-history [enable|disable]
        set display-status [enable|disable]
        set heading {string}
        set redir-url {var-string}
        set theme [blue|green|...]
        set custom-lang {string}
        set smb-ntlmv1-auth [enable|disable]
        set smbv1 [enable|disable]
        set smb-min-version [smbv1|smbv2|...]
        set smb-max-version [smbv1|smbv2|...]
        set transform-backward-slashes [enable|disable]
        set use-sdwan [enable|disable]
        set host-check [none|av|...]
        set host-check-interval {integer}
        set host-check-policy <name1>, <name2>, ...
        set limit-user-logins [enable|disable]
        set mac-addr-check [enable|disable]
        set mac-addr-action [allow|deny]
        config mac-addr-check-rule
            Description: Client MAC address check rule.
            edit <name>
                set mac-addr-mask {integer}
                set mac-addr-list <addr1>, <addr2>, ...
            next
        end
        set os-check [enable|disable]
        config os-check-list
            Description: SSL VPN OS checks.
            edit <name>
                set action [deny|allow|...]
                set tolerance {integer}
                set latest-patch-level {user}
            next
        end
        set forticlient-download [enable|disable]
        set forticlient-download-method [direct|ssl-vpn]
        set customize-forticlient-download-url [enable|disable]
        set windows-forticlient-download-url {var-string}
        set macos-forticlient-download-url {var-string}
        set skip-check-for-unsupported-os [enable|disable]
        set skip-check-for-browser [enable|disable]
        set hide-sso-credential [enable|disable]
        config split-dns
            Description: Split DNS for SSL VPN.
            edit <id>
                set domains {var-string}
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
                set ipv6-dns-server1 {ipv6-address}
                set ipv6-dns-server2 {ipv6-address}
            next
        end
    next
end

config vpn ssl web portal

Parameter name

Description

Type

Size

tunnel-mode

Enable/disable IPv4 SSL-VPN tunnel mode.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ip-mode

Method by which users of this SSL-VPN tunnel obtain IP addresses.

option

-

 

Option

Description

range

Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.

user-group

Use the IP addresses associated with individual users or user groups (usually from external auth servers).

auto-connect

Enable/disable automatic connect by client when system is up.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

keep-alive

Enable/disable automatic reconnect for FortiClient connections.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

save-password

Enable/disable FortiClient saving the user's password.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ip-pools <name>

IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.

Address name.

string

Maximum length: 79

exclusive-routing

Enable/disable all traffic go through tunnel only.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

service-restriction

Enable/disable tunnel service restriction.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

split-tunneling

Enable/disable IPv4 split tunneling.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

split-tunneling-routing-address <name>

IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

Address name.

string

Maximum length: 79

dns-server1

IPv4 DNS server 1.

ipv4-address

Not Specified

dns-server2

IPv4 DNS server 2.

ipv4-address

Not Specified

dns-suffix

DNS suffix.

var-string

Maximum length: 253

wins-server1

IPv4 WINS server 1.

ipv4-address

Not Specified

wins-server2

IPv4 WINS server 2.

ipv4-address

Not Specified

ipv6-tunnel-mode

Enable/disable IPv6 SSL-VPN tunnel mode.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-pools <name>

IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.

Address name.

string

Maximum length: 79

ipv6-exclusive-routing

Enable/disable all IPv6 traffic go through tunnel only.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-service-restriction

Enable/disable IPv6 tunnel service restriction.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-split-tunneling

Enable/disable IPv6 split tunneling.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-split-tunneling-routing-address <name>

IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

Address name.

string

Maximum length: 79

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

web-mode

Enable/disable SSL VPN web mode.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

display-bookmark

Enable to display the web portal bookmark widget.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

user-bookmark

Enable to allow web portal users to create their own bookmarks.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

allow-user-access

Allow user access to SSL-VPN applications.

option

-

 

Option

Description

web

HTTP/HTTPS access.

ftp

FTP access.

smb

SMB/CIFS access.

sftp

SFTP access.

telnet

TELNET access.

ssh

SSH access.

vnc

VNC access.

rdp

RDP access.

ping

PING access.

citrix

CITRIX access.

portforward

Port Forward access.

user-group-bookmark

Enable to allow web portal users to create bookmarks for all users in the same user group.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

display-connection-tools

Enable to display the web portal connection tools widget.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

display-history

Enable to display the web portal user login history widget.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

display-status

Enable to display the web portal status widget.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

heading

Web portal heading message.

string

Maximum length: 31

redir-url

Client login redirect URL.

var-string

Maximum length: 255

theme

Web portal color scheme.

option

-

 

Option

Description

blue

Light blue theme.

green

Green theme.

neutrino

Neutrino theme.

melongene

Melongene theme (eggplant color).

mariner

Mariner theme (dark blue color).

custom-lang

Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files.

string

Maximum length: 35

smb-ntlmv1-auth

Enable/disable NTLMv1 for Samba (SMB) authentication. NTLMv1 is a legacy authentication protocol with known cryptographic weaknesses; leave it disabled unless a server you must reach supports nothing newer.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

smbv1

Enable/disable SMB version 1 (SMBv1) for web portal file access.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

smb-min-version

SMB minimum client protocol version.

option

-

 

Option

Description

smbv1

SMB version 1.

smbv2

SMB version 2.

smbv3

SMB version 3.

smb-max-version

SMB maximum client protocol version.

option

-

 

Option

Description

smbv1

SMB version 1.

smbv2

SMB version 2.

smbv3

SMB version 3.

transform-backward-slashes

Transform backward slashes to forward slashes in URLs.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

use-sdwan

Use SD-WAN rules to get output interface.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

host-check

Type of host checking performed on endpoints.

option

-

 

Option

Description

none

No host checking.

av

AntiVirus software recognized by the Windows Security Center.

fw

Firewall software recognized by the Windows Security Center.

av-fw

AntiVirus and firewall software recognized by the Windows Security Center.

custom

Custom.

host-check-interval

Periodic host check interval in seconds. A value of 0 disables periodic checking, so the host check runs only when the endpoint connects.

integer

Minimum value: 120 Maximum value: 259200

host-check-policy <name>

One or more policies to require the endpoint to have specific security software.

Host check software list name.

string

Maximum length: 79

limit-user-logins

Enable to limit each user to one SSL-VPN session at a time.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

mac-addr-check

Enable/disable MAC address host checking.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

mac-addr-action

Client MAC address action.

option

-

 

Option

Description

allow

Allow connection when client MAC address is matched.

deny

Deny connection when client MAC address is matched.

os-check

Enable to let the FortiGate decide action based on client OS.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

forticlient-download

Enable/disable download option for FortiClient.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

forticlient-download-method

FortiClient download method.

option

-

 

Option

Description

direct

Download via direct link.

ssl-vpn

Download via SSL-VPN.

customize-forticlient-download-url

Enable support of customized download URL for FortiClient.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

windows-forticlient-download-url

Download URL for Windows FortiClient.

var-string

Maximum length: 1023

macos-forticlient-download-url

Download URL for Mac FortiClient.

var-string

Maximum length: 1023

skip-check-for-unsupported-os

Enable to skip host check if client OS does not support it.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

skip-check-for-browser

Enable to skip host check for browser support.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

hide-sso-credential

Enable to prevent the SSO credential from being sent to the client.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.
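The Python script below is an added example (not Fortinet code and not part of this reference). It reads the config vpn ssl web portal section of a FortiOS configuration backup and flags the values the table above leaves to the administrator and that weaken a portal: split-tunneling enable, save-password enable, smbv1 enable, smb-ntlmv1-auth enable, smb-min-version smbv1, host-check none, limit-user-logins disable, cleartext applications (ftp, telnet) in allow-user-access, and bookmarks that keep a logon-password or sso-password on the FortiGate. The sample configuration embedded in it is constructed for the example (portal and bookmark names are made up), and the script judges only values present in the text rather than guessing release-specific defaults.

```python
"""Audit FortiOS SSL-VPN portal settings.  Added example, not Fortinet code.
Reads the `config vpn ssl web portal` section of a configuration backup and
reports values the reference flags as weak; unset keys are left unjudged."""
import shlex
from dataclasses import dataclass, field

# Constructed sample: one sloppy portal next to one hardened portal.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "legacy-portal"
        set split-tunneling enable
        set save-password enable
        set smbv1 enable
        set smb-ntlmv1-auth enable
        set smb-min-version smbv1
        set host-check none
        set limit-user-logins disable
        set allow-user-access web ftp smb telnet ssh rdp
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "fileserver"
                        set apptype smb
                        set logon-user "svc_share"
                        set logon-password ENC REDACTED
                    next
                end
            next
        end
    next
    edit "hardened-portal"
        set split-tunneling disable
        set exclusive-routing enable
        set save-password disable
        set smbv1 disable
        set smb-ntlmv1-auth disable
        set smb-min-version smbv2
        set host-check av-fw
        set limit-user-logins enable
        set allow-user-access web rdp
    next
end
"""

@dataclass
class Portal:
    name: str
    settings: dict = field(default_factory=dict)   # top-level `set key value...`
    bookmarks: dict = field(default_factory=dict)  # bookmark name -> {key: values}

def parse_portals(config_text):
    """Track config/edit nesting on a stack and collect each portal's settings."""
    portals, stack, in_section = [], [], False   # stack frames: ("config"|"edit", name)
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if not in_section:
            in_section = tokens[:5] == ["config", "vpn", "ssl", "web", "portal"]
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif kw == "edit":
            stack.append(("edit", tokens[1]))
            if len(stack) == 1:
                portals.append(Portal(name=tokens[1]))
        elif kw in ("next", "end"):
            if not stack:
                break                       # the `end` that closes the portal section
            stack.pop()
        elif kw == "set" and stack:
            key, values = tokens[1], tokens[2:]
            if len(stack) == 1:
                portals[-1].settings[key] = values
            elif stack[-1][0] == "edit" and stack[-2] == ("config", "bookmarks"):
                portals[-1].bookmarks.setdefault(stack[-1][1], {})[key] = values
    return portals

# (parameter, weak value, why it matters); parameter names are those of the table above.
WEAK_VALUES = [
    ("split-tunneling", "enable", "endpoint keeps a direct internet path beside the tunnel"),
    ("save-password", "enable", "FortiClient caches the VPN password on the endpoint"),
    ("smbv1", "enable", "SMBv1 enabled for portal file access"),
    ("smb-ntlmv1-auth", "enable", "NTLMv1 accepted for Samba authentication"),
    ("smb-min-version", "smbv1", "SMBv1 still negotiable as the minimum version"),
    ("host-check", "none", "no endpoint posture check before access"),
    ("limit-user-logins", "disable", "one account may hold several sessions at once"),
]

def audit_portal(portal):
    """Return (parameter, message) findings for one portal."""
    findings = [(p, msg) for p, bad, msg in WEAK_VALUES if portal.settings.get(p) == [bad]]
    exposed = {"ftp", "telnet"} & set(portal.settings.get("allow-user-access", []))
    if exposed:   # cleartext protocols offered through the portal
        findings.append(("allow-user-access", "cleartext apps exposed: " + ", ".join(sorted(exposed))))
    for name, bm in portal.bookmarks.items():
        if "logon-password" in bm or "sso-password" in bm:
            findings.append(("bookmarks", f"bookmark {name!r} stores a shared credential on the FortiGate"))
    return findings

def audit_config(config_text):
    """Map portal name -> findings for every portal in the config text."""
    return {p.name: audit_portal(p) for p in parse_portals(config_text)}
```

Call audit_config() on the text of a backup; for the constructed sample the legacy portal yields nine findings and the hardened portal none. The parser only relies on the config/edit/next/end nesting shown in the syntax block at the top of this page, so it also copes with a bookmark-group that carries a form-data sub-table.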

config bookmarks

Parameter name

Description

Type

Size

apptype

Application type.

option

-

 

Option

Description

ftp

FTP.

rdp

RDP.

sftp

SFTP.

smb

SMB/CIFS.

ssh

SSH.

telnet

Telnet.

vnc

VNC.

web

HTTP/HTTPS.

url

URL parameter.

var-string

Maximum length: 128

host

Host name/IP parameter.

var-string

Maximum length: 128

folder

Network shared file folder parameter.

var-string

Maximum length: 128

additional-params

Additional parameters.

var-string

Maximum length: 128

listening-port

Listening port (0 - 65535).

integer

Minimum value: 0 Maximum value: 65535

remote-port

Remote port (0 - 65535).

integer

Minimum value: 0 Maximum value: 65535

show-status-window

Enable/disable showing of status window.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

description

Description.

var-string

Maximum length: 128

server-layout

Server side keyboard layout.

option

-

 

Option

Description

de-de-qwertz

German (qwertz).

en-gb-qwerty

English (UK).

en-us-qwerty

English (US).

es-es-qwerty

Spanish.

fr-ca-qwerty

Canadian French (qwerty).

fr-fr-azerty

French (azerty).

fr-ch-qwertz

Swiss French (qwertz).

it-it-qwerty

Italian.

ja-jp-qwerty

Japanese.

pt-br-qwerty

Portuguese/Brazilian.

sv-se-qwerty

Swedish.

tr-tr-qwerty

Turkish.

failsafe

Unknown keyboard.

security

Security mode for RDP connection.

option

-

 

Option

Description

rdp

Standard RDP encryption.

nla

Network Level Authentication.

tls

TLS encryption.

any

Allow the server to choose the type of security.

preconnection-id

The numeric ID of the RDP source (0-2147483648).

integer

Minimum value: 0 Maximum value: 2147483648

preconnection-blob

An arbitrary string which identifies the RDP source.

var-string

Maximum length: 511

load-balancing-info

The load balancing information or cookie which should be provided to the connection broker.

var-string

Maximum length: 511

port

Remote port.

integer

Minimum value: 0 Maximum value: 65535

logon-user

Logon user.

var-string

Maximum length: 35

logon-password

Logon password.

password

Not Specified

sso

Single Sign-On.

option

-

 

Option

Description

disable

Disable SSO.

static

Static SSO.

auto

Auto SSO.

sso-credential

Single sign-on credentials.

option

-

 

Option

Description

sslvpn-login

SSL-VPN login.

alternative

Alternative.

sso-username

SSO user name.

var-string

Maximum length: 35

sso-password

SSO password.

password

Not Specified

sso-credential-sent-once

Single sign-on credentials are only sent once to remote server.

option

-

 

Option

Description

enable

Single sign-on credentials are only sent once to remote server.

disable

Single sign-on credentials are sent to remote server for every HTTP request.

config form-data

Parameter name

Description

Type

Size

value

Value.

var-string

Maximum length: 63

config mac-addr-check-rule

Parameter name

Description

Type

Size

mac-addr-mask

Client MAC address mask.

integer

Minimum value: 1 Maximum value: 48

mac-addr-list <addr>

Client MAC address list.

Client MAC address.

mac-address

Not Specified
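An added example (not Fortinet code) of how mac-addr-action and a mac-addr-check-rule combine once mac-addr-check is enabled. It assumes that mac-addr-mask is the number of leading bits of the client MAC compared against each mac-addr-list entry (48 for an exact match, 24 for a vendor OUI); that reading follows from the 1-48 range above but is an assumption, and the rule entries and MAC addresses are constructed. Keep in mind that the MAC address is reported by the endpoint rather than observed on the wire, so this check is a hygiene filter, not an authentication factor.

```python
"""Evaluate an SSL-VPN portal MAC address check.  Added example, not Fortinet
code.  Assumption: mac-addr-mask = number of leading bits that must match."""
import re

def mac_to_int(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def mac_matches(client_mac, rule_mac, mask_bits):
    """True when the leading mask_bits bits of both addresses are equal."""
    if not 1 <= mask_bits <= 48:          # mac-addr-mask range from the table above
        raise ValueError("mac-addr-mask must be between 1 and 48")
    shift = 48 - mask_bits
    return mac_to_int(client_mac) >> shift == mac_to_int(rule_mac) >> shift

def mac_check_allows(client_mac, rules, action):
    """Decide whether the connection proceeds.

    rules:  list of (mac-addr-mask, [mac-addr-list entries]) per check rule
    action: mac-addr-action, "allow" (connect only when matched) or
            "deny" (refuse when matched), as described in the table above
    """
    if action not in ("allow", "deny"):
        raise ValueError("mac-addr-action must be allow or deny")
    matched = any(mac_matches(client_mac, entry, mask)
                  for mask, entries in rules for entry in entries)
    return matched if action == "allow" else not matched

# Constructed rules: one exact corporate laptop, one vendor OUI prefix.
CORP_RULES = [
    (48, ["00:11:22:33:44:55"]),
    (24, ["AA:BB:CC:00:00:00"]),   # any device whose OUI is AA:BB:CC (made up)
]
```

With mac-addr-action allow, CORP_RULES admits the exact laptop and every device in the AA:BB:CC OUI and refuses everything else; with deny the same rules become a blocklist for that OUI.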

config os-check-list

Parameter name

Description

Type

Size

action

OS check options.

option

-

 

Option

Description

deny

Deny all OS versions.

allow

Allow any OS version.

check-up-to-date

Verify OS is up-to-date.

tolerance

OS patch level tolerance.

integer

Minimum value: 0 Maximum value: 65535

latest-patch-level

Latest OS patch level.

user

Not Specified

config split-dns