Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config vpn ssl settings

Configure SSL VPN.

config vpn ssl settings

Description: Configure SSL VPN.

set reqclientcert [enable|disable]

set user-peer {string}

set ssl-max-proto-ver [tls1-0|tls1-1|...]

set ssl-min-proto-ver [tls1-0|tls1-1|...]

set tlsv1-0 [enable|disable]

set tlsv1-1 [enable|disable]

set tlsv1-2 [enable|disable]

set tlsv1-3 [enable|disable]

set banned-cipher {option1}, {option2}, ...

set ssl-insert-empty-fragment [enable|disable]

set https-redirect [enable|disable]

set x-content-type-options [enable|disable]

set ssl-client-renegotiation [disable|enable]

set force-two-factor-auth [enable|disable]

set unsafe-legacy-renegotiation [enable|disable]

set servercert {string}

set algorithm [high|medium|...]

set idle-timeout {integer}

set auth-timeout {integer}

set login-attempt-limit {integer}

set login-block-time {integer}

set login-timeout {integer}

set dtls-hello-timeout {integer}

set tunnel-ip-pools <name1>, <name2>, ...

set tunnel-ipv6-pools <name1>, <name2>, ...

set dns-suffix {var-string}

set dns-server1 {ipv4-address}

set dns-server2 {ipv4-address}

set wins-server1 {ipv4-address}

set wins-server2 {ipv4-address}

set ipv6-dns-server1 {ipv6-address}

set ipv6-dns-server2 {ipv6-address}

set ipv6-wins-server1 {ipv6-address}

set ipv6-wins-server2 {ipv6-address}

set route-source-interface [enable|disable]

set url-obscuration [enable|disable]

set http-compression [enable|disable]

set http-only-cookie [enable|disable]

set deflate-compression-level {integer}

set deflate-min-data-size {integer}

set port {integer}

set port-precedence [enable|disable]

set auto-tunnel-static-route [enable|disable]

set header-x-forwarded-for [pass|add|...]

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set default-portal {string}

config authentication-rule

Description: Authentication rule for SSL VPN.

edit <id>

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set users <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set portal {string}

set realm {string}

set client-cert [enable|disable]

set user-peer {string}

set cipher [any|high|...]

set auth [any|local|...]

next

end

set dtls-tunnel [enable|disable]

set dtls-max-proto-ver [dtls1-0|dtls1-2]

set dtls-min-proto-ver [dtls1-0|dtls1-2]

set check-referer [enable|disable]

set http-request-header-timeout {integer}

set http-request-body-timeout {integer}

set auth-session-check-source-ip [enable|disable]

set tunnel-connect-without-reauth [enable|disable]

set tunnel-user-session-timeout {integer}

set hsts-include-subdomains [enable|disable]

set encode-2f-sequence [enable|disable]

end

config vpn ssl settings

Parameter name

Description

Type

Size

reqclientcert

Enable to require client certificates for all SSL-VPN users.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

ssl-max-proto-ver

SSL maximum protocol version.

option

-

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

ssl-min-proto-ver

SSL minimum protocol version.

option

-

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

tlsv1-0

tlsv1-0

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

tlsv1-1

tlsv1-1

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

tlsv1-2

tlsv1-2

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

tlsv1-3

tlsv1-3

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

banned-cipher

Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.

option

-

 

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

ssl-insert-empty-fragment

Enable/disable insertion of empty fragment.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

https-redirect

Enable/disable redirect of port 80 to SSL-VPN port.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

x-content-type-options

Add HTTP X-Content-Type-Options header.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-client-renegotiation

Enable to allow client renegotiation by the server if the tunnel goes down.

option

-

 

Option

Description

disable

Abort any SSL connection that attempts to renegotiate.

enable

Allow a SSL client to renegotiate.

force-two-factor-auth

Enable only PKI users with two-factor authentication for SSL-VPNs.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

unsafe-legacy-renegotiation

Enable/disable unsafe legacy re-negotiation.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

servercert

Name of the server certificate to be used for SSL-VPNs.

string

Maximum length: 35

algorithm

Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.

option

-

 

Option

Description

high

High algorithms.

medium

High and medium algorithms.

default

default

low

All algorithms.

idle-timeout

SSL VPN disconnects if idle for specified time in seconds.

integer

Minimum value: 0 Maximum value: 259200

auth-timeout

SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).

integer

Minimum value: 0 Maximum value: 259200

login-attempt-limit

SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).

integer

Minimum value: 0 Maximum value: 4294967295

login-block-time

Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).

integer

Minimum value: 0 Maximum value: 4294967295

login-timeout

SSLVPN maximum login timeout (10 - 180 sec, default = 30).

integer

Minimum value: 10 Maximum value: 180

dtls-hello-timeout

SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).

integer

Minimum value: 10 Maximum value: 60

tunnel-ip-pools <name>

Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

tunnel-ipv6-pools <name>

Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

dns-suffix

DNS suffix used for SSL-VPN clients.

var-string

Maximum length: 253

dns-server1

DNS server 1.

ipv4-address

Not Specified

dns-server2

DNS server 2.

ipv4-address

Not Specified

wins-server1

WINS server 1.

ipv4-address

Not Specified

wins-server2

WINS server 2.

ipv4-address

Not Specified

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

route-source-interface

Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

url-obscuration

Enable to obscure the host name of the URL of the web browser display.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

http-compression

Enable to allow HTTP compression over SSL-VPN tunnels.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

http-only-cookie

Enable/disable SSL-VPN support for HttpOnly cookies.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

deflate-compression-level

Compression level (0~9).

integer

Minimum value: 0 Maximum value: 9

deflate-min-data-size

Minimum amount of data that triggers compression (200 - 65535 bytes).

integer

Minimum value: 200 Maximum value: 65535

port

SSL-VPN access port (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

port-precedence

Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-tunnel-static-route

Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

header-x-forwarded-for

Forward the same, add, or remove HTTP header.

option

-

 

Option

Description

pass

Forward the same HTTP header.

add

Add the HTTP header.

remove

Remove the HTTP header.

source-interface <name>

SSL VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

default-portal

Default SSL VPN portal.

string

Maximum length: 35

dtls-tunnel

Enable DTLS to prevent eavesdropping, tampering, or message forgery.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

dtls-max-proto-ver

DTLS maximum protocol version.

option

-

 

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

dtls-min-proto-ver

DTLS minimum protocol version.

option

-

 

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

check-referer

Enable/disable verification of referer field in HTTP request header.

option

-

 

Option

Description

enable

Enable verification of referer field in HTTP request header.

disable

Disable verification of referer field in HTTP request header.

http-request-header-timeout

SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

http-request-body-timeout

SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

auth-session-check-source-ip

Enable/disable checking of source IP for authentication session.

option

-

 

Option

Description

enable

Enable checking of source IP for authentication session.

disable

Disable checking of source IP for authentication session.

tunnel-connect-without-reauth

Enable/disable tunnel connection without re-authorization if previous connection dropped.

option

-

 

Option

Description

enable

Enable tunnel connection without re-authorization.

disable

Disable tunnel connection without re-authorization.

tunnel-user-session-timeout

Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30).

integer

Minimum value: 1 Maximum value: 255

hsts-include-subdomains

Add HSTS includeSubDomains response header.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

encode-2f-sequence

Encode \2F sequence to forward slash in URLs.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

Parameter name

Description

Type

Size

source-interface <name>

SSL VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

users <name>

User name.

User name.

string

Maximum length: 79

groups <name>

User groups.

Group name.

string

Maximum length: 79

portal

SSL VPN portal.

string

Maximum length: 35

realm

SSL VPN realm.

string

Maximum length: 35

client-cert

Enable/disable SSL VPN client certificate restrictive.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

cipher

SSL VPN cipher strength.

option

-

 

Option

Description

any

Any cipher strength.

high

High cipher strength (>= 168 bits).

medium

Medium cipher strength (>= 128 bits).

auth

SSL VPN authentication method restriction.

option

-

 

Option

Description

any

Any

local

Local

radius

RADIUS

tacacs+

TACACS+

ldap

LDAP

config vpn ssl settings

Configure SSL VPN.

config vpn ssl settings

Description: Configure SSL VPN.

set reqclientcert [enable|disable]

set user-peer {string}

set ssl-max-proto-ver [tls1-0|tls1-1|...]

set ssl-min-proto-ver [tls1-0|tls1-1|...]

set tlsv1-0 [enable|disable]

set tlsv1-1 [enable|disable]

set tlsv1-2 [enable|disable]

set tlsv1-3 [enable|disable]

set banned-cipher {option1}, {option2}, ...

set ssl-insert-empty-fragment [enable|disable]

set https-redirect [enable|disable]

set x-content-type-options [enable|disable]

set ssl-client-renegotiation [disable|enable]

set force-two-factor-auth [enable|disable]

set unsafe-legacy-renegotiation [enable|disable]

set servercert {string}

set algorithm [high|medium|...]

set idle-timeout {integer}

set auth-timeout {integer}

set login-attempt-limit {integer}

set login-block-time {integer}

set login-timeout {integer}

set dtls-hello-timeout {integer}

set tunnel-ip-pools <name1>, <name2>, ...

set tunnel-ipv6-pools <name1>, <name2>, ...

set dns-suffix {var-string}

set dns-server1 {ipv4-address}

set dns-server2 {ipv4-address}

set wins-server1 {ipv4-address}

set wins-server2 {ipv4-address}

set ipv6-dns-server1 {ipv6-address}

set ipv6-dns-server2 {ipv6-address}

set ipv6-wins-server1 {ipv6-address}

set ipv6-wins-server2 {ipv6-address}

set route-source-interface [enable|disable]

set url-obscuration [enable|disable]

set http-compression [enable|disable]

set http-only-cookie [enable|disable]

set deflate-compression-level {integer}

set deflate-min-data-size {integer}

set port {integer}

set port-precedence [enable|disable]

set auto-tunnel-static-route [enable|disable]

set header-x-forwarded-for [pass|add|...]

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set default-portal {string}

config authentication-rule

Description: Authentication rule for SSL VPN.

edit <id>

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set users <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set portal {string}

set realm {string}

set client-cert [enable|disable]

set user-peer {string}

set cipher [any|high|...]

set auth [any|local|...]

next

end

set dtls-tunnel [enable|disable]

set dtls-max-proto-ver [dtls1-0|dtls1-2]

set dtls-min-proto-ver [dtls1-0|dtls1-2]

set check-referer [enable|disable]

set http-request-header-timeout {integer}

set http-request-body-timeout {integer}

set auth-session-check-source-ip [enable|disable]

set tunnel-connect-without-reauth [enable|disable]

set tunnel-user-session-timeout {integer}

set hsts-include-subdomains [enable|disable]

set encode-2f-sequence [enable|disable]

end

config vpn ssl settings

Parameter name

Description

Type

Size

reqclientcert

Enable to require client certificates for all SSL-VPN users.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

ssl-max-proto-ver

SSL maximum protocol version.

option

-

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

ssl-min-proto-ver

SSL minimum protocol version.

option

-

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

tlsv1-0

tlsv1-0

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

tlsv1-1

tlsv1-1

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

tlsv1-2

tlsv1-2

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

tlsv1-3

tlsv1-3

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

banned-cipher

Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.

option

-

 

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

ssl-insert-empty-fragment

Enable/disable insertion of empty fragment.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

https-redirect

Enable/disable redirect of port 80 to SSL-VPN port.

option

-