config vpn ssl settings
    Description: Configure SSL VPN.
    set reqclientcert [enable|disable]
    set user-peer {string}
    set ssl-max-proto-ver [tls1-0|tls1-1|...]
    set ssl-min-proto-ver [tls1-0|tls1-1|...]
    set tlsv1-0 [enable|disable]
    set tlsv1-1 [enable|disable]
    set tlsv1-2 [enable|disable]
    set tlsv1-3 [enable|disable]
    set banned-cipher {option1}, {option2}, ...
    set ssl-insert-empty-fragment [enable|disable]
    set https-redirect [enable|disable]
    set x-content-type-options [enable|disable]
    set ssl-client-renegotiation [disable|enable]
    set force-two-factor-auth [enable|disable]
    set unsafe-legacy-renegotiation [enable|disable]
    set servercert {string}
    set algorithm [high|medium|...]
    set idle-timeout {integer}
    set auth-timeout {integer}
    set login-attempt-limit {integer}
    set login-block-time {integer}
    set login-timeout {integer}
    set dtls-hello-timeout {integer}
    set tunnel-ip-pools <name1>, <name2>, ...
    set tunnel-ipv6-pools <name1>, <name2>, ...
    set dns-suffix {var-string}
    set dns-server1 {ipv4-address}
    set dns-server2 {ipv4-address}
    set wins-server1 {ipv4-address}
    set wins-server2 {ipv4-address}
    set ipv6-dns-server1 {ipv6-address}
    set ipv6-dns-server2 {ipv6-address}
    set ipv6-wins-server1 {ipv6-address}
    set ipv6-wins-server2 {ipv6-address}
    set route-source-interface [enable|disable]
    set url-obscuration [enable|disable]
    set http-compression [enable|disable]
    set http-only-cookie [enable|disable]
    set deflate-compression-level {integer}
    set deflate-min-data-size {integer}
    set port {integer}
    set port-precedence [enable|disable]
    set auto-tunnel-static-route [enable|disable]
    set header-x-forwarded-for [pass|add|...]
    set source-interface <name1>, <name2>, ...
    set source-address <name1>, <name2>, ...
    set source-address-negate [enable|disable]
    set source-address6 <name1>, <name2>, ...
    set source-address6-negate [enable|disable]
    set default-portal {string}
    config authentication-rule
        Description: Authentication rule for SSL VPN.
        edit <id>
            set source-interface <name1>, <name2>, ...
            set source-address <name1>, <name2>, ...
            set source-address-negate [enable|disable]
            set source-address6 <name1>, <name2>, ...
            set source-address6-negate [enable|disable]
            set users <name1>, <name2>, ...
            set groups <name1>, <name2>, ...
            set portal {string}
            set realm {string}
            set client-cert [enable|disable]
            set user-peer {string}
            set cipher [any|high|...]
            set auth [any|local|...]
        next
    end
    set dtls-tunnel [enable|disable]
    set dtls-max-proto-ver [dtls1-0|dtls1-2]
    set dtls-min-proto-ver [dtls1-0|dtls1-2]
    set check-referer [enable|disable]
    set http-request-header-timeout {integer}
    set http-request-body-timeout {integer}
    set auth-session-check-source-ip [enable|disable]
    set tunnel-connect-without-reauth [enable|disable]
    set tunnel-user-session-timeout {integer}
    set hsts-include-subdomains [enable|disable]
    set transform-backward-slashes [enable|disable]
    set encode-2f-sequence [enable|disable]
    set encrypt-and-store-password [enable|disable]
end
Parameter Name | Description | Type | Size |
---|---|---|---|
reqclientcert | Enable to require client certificates for all SSL-VPN users. enable: Enable setting. disable: Disable setting. | option | - |
user-peer | Name of user peer. | string | Maximum length: 35 |
ssl-max-proto-ver | SSL maximum protocol version. tls1-0: TLS version 1.0. tls1-1: TLS version 1.1. tls1-2: TLS version 1.2. tls1-3: TLS version 1.3. | option | - |
ssl-min-proto-ver | SSL minimum protocol version. tls1-0: TLS version 1.0. tls1-1: TLS version 1.1. tls1-2: TLS version 1.2. tls1-3: TLS version 1.3. | option | - |
tlsv1-0 | tlsv1-0 enable: Enable setting. disable: Disable setting. | option | - |
tlsv1-1 | tlsv1-1 enable: Enable setting. disable: Disable setting. | option | - |
tlsv1-2 | tlsv1-2 enable: Enable setting. disable: Disable setting. | option | - |
tlsv1-3 | tlsv1-3 enable: Enable setting. disable: Disable setting. | option | - |
banned-cipher | Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. RSA: Ban the use of cipher suites using RSA key. DHE: Ban the use of cipher suites using authenticated ephemeral DH key agreement. ECDHE: Ban the use of cipher suites using authenticated ephemeral ECDH key agreement. DSS: Ban the use of cipher suites using DSS authentication. ECDSA: Ban the use of cipher suites using ECDSA authentication. AES: Ban the use of cipher suites using either 128 or 256 bit AES. AESGCM: Ban the use of cipher suites AES in Galois Counter Mode (GCM). CAMELLIA: Ban the use of cipher suites using either 128 or 256 bit CAMELLIA. 3DES: Ban the use of cipher suites using triple DES. SHA1: Ban the use of cipher suites using HMAC-SHA1. SHA256: Ban the use of cipher suites using HMAC-SHA256. SHA384: Ban the use of cipher suites using HMAC-SHA384. STATIC: Ban the use of cipher suites using static keys. | option | - |
ssl-insert-empty-fragment | Enable/disable insertion of empty fragment. enable: Enable setting. disable: Disable setting. | option | - |
https-redirect | Enable/disable redirect of port 80 to SSL-VPN port. enable: Enable setting. disable: Disable setting. | option | - |
x-content-type-options | Add HTTP X-Content-Type-Options header. enable: Enable setting. disable: Disable setting. | option | - |
ssl-client-renegotiation | Enable to allow client renegotiation by the server if the tunnel goes down. disable: Abort any SSL connection that attempts to renegotiate. enable: Allow a SSL client to renegotiate. | option | - |
force-two-factor-auth | Enable only PKI users with two-factor authentication for SSL-VPNs. enable: Enable setting. disable: Disable setting. | option | - |
unsafe-legacy-renegotiation | Enable/disable unsafe legacy re-negotiation. enable: Enable setting. disable: Disable setting. | option | - |
servercert | Name of the server certificate to be used for SSL-VPNs. | string | Maximum length: 35 |
algorithm | Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. high: High algorithms. medium: High and medium algorithms. default: default. low: All algorithms. | option | - |
idle-timeout | SSL VPN disconnects if idle for specified time in seconds. | integer | Minimum value: 0 Maximum value: 259200 |
auth-timeout | SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). | integer | Minimum value: 0 Maximum value: 259200 |
login-attempt-limit | SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). | integer | Minimum value: 0 Maximum value: 4294967295 |
login-block-time | Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). | integer | Minimum value: 0 Maximum value: 4294967295 |
login-timeout | SSLVPN maximum login timeout (10 - 180 sec, default = 30). | integer | Minimum value: 10 Maximum value: 180 |
dtls-hello-timeout | SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). | integer | Minimum value: 10 Maximum value: 60 |
tunnel-ip-pools <name> | Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name. | string | Maximum length: 79 |
tunnel-ipv6-pools <name> | Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name. | string | Maximum length: 79 |
dns-suffix | DNS suffix used for SSL-VPN clients. | var-string | Maximum length: 253 |
dns-server1 | DNS server 1. | ipv4-address | Not Specified |
dns-server2 | DNS server 2. | ipv4-address | Not Specified |
wins-server1 | WINS server 1. | ipv4-address | Not Specified |
wins-server2 | WINS server 2. | ipv4-address | Not Specified |
ipv6-dns-server1 | IPv6 DNS server 1. | ipv6-address | Not Specified |
ipv6-dns-server2 | IPv6 DNS server 2. | ipv6-address | Not Specified |
ipv6-wins-server1 | IPv6 WINS server 1. | ipv6-address | Not Specified |
ipv6-wins-server2 | IPv6 WINS server 2. | ipv6-address | Not Specified |
route-source-interface | Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. enable: Enable setting. disable: Disable setting. | option | - |
url-obscuration | Enable to obscure the host name of the URL of the web browser display. enable: Enable setting. disable: Disable setting. | option | - |
http-compression | Enable to allow HTTP compression over SSL-VPN tunnels. enable: Enable setting. disable: Disable setting. | option | - |
http-only-cookie | Enable/disable SSL-VPN support for HttpOnly cookies. enable: Enable setting. disable: Disable setting. | option | - |
deflate-compression-level | Compression level (0~9). | integer | Minimum value: 0 Maximum value: 9 |
deflate-min-data-size | Minimum amount of data that triggers compression (200 - 65535 bytes). | integer | Minimum value: 200 Maximum value: 65535 |
port | SSL-VPN access port (1 - 65535). | integer | Minimum value: 1 Maximum value: 65535 |
port-precedence | Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. enable: Enable setting. disable: Disable setting. | option | - |
auto-tunnel-static-route | Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. enable: Enable setting. disable: Disable setting. | option | - |
header-x-forwarded-for | Forward the same, add, or remove HTTP header. pass: Forward the same HTTP header. add: Add the HTTP header. remove: Remove the HTTP header. | option | - |
source-interface <name> | SSL VPN source interface of incoming traffic. Interface name. | string | Maximum length: 35 |
source-address <name> | Source address of incoming traffic. Address name. | string | Maximum length: 79 |
source-address-negate | Enable/disable negated source address match. enable: Enable setting. disable: Disable setting. | option | - |
source-address6 <name> | IPv6 source address of incoming traffic. IPv6 address name. | string | Maximum length: 79 |
source-address6-negate | Enable/disable negated source IPv6 address match. enable: Enable setting. disable: Disable setting. | option | - |
default-portal | Default SSL VPN portal. | string | Maximum length: 35 |
dtls-tunnel | Enable DTLS to prevent eavesdropping, tampering, or message forgery. enable: Enable setting. disable: Disable setting. | option | - |
dtls-max-proto-ver | DTLS maximum protocol version. dtls1-0: DTLS version 1.0. dtls1-2: DTLS version 1.2. | option | - |
dtls-min-proto-ver | DTLS minimum protocol version. dtls1-0: DTLS version 1.0. dtls1-2: DTLS version 1.2. | option | - |
check-referer | Enable/disable verification of referer field in HTTP request header. enable: Enable verification of referer field in HTTP request header. disable: Disable verification of referer field in HTTP request header. | option | - |
http-request-header-timeout | SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). | integer | Minimum value: 0 Maximum value: 4294967295 |
http-request-body-timeout | SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). | integer | Minimum value: 0 Maximum value: 4294967295 |
auth-session-check-source-ip | Enable/disable checking of source IP for authentication session. enable: Enable checking of source IP for authentication session. disable: Disable checking of source IP for authentication session. | option | - |
tunnel-connect-without-reauth | Enable/disable tunnel connection without re-authorization if previous connection dropped. enable: Enable tunnel connection without re-authorization. disable: Disable tunnel connection without re-authorization. | option | - |
tunnel-user-session-timeout | Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30). | integer | Minimum value: 1 Maximum value: 255 |
hsts-include-subdomains | Add HSTS includeSubDomains response header. enable: Enable setting. disable: Disable setting. | option | - |
transform-backward-slashes | Transform backward slashes to forward slashes in URLs. enable: Enable setting. disable: Disable setting. | option | - |
encode-2f-sequence | Encode \2F sequence to forward slash in URLs. enable: Enable setting. disable: Disable setting. | option | - |
encrypt-and-store-password | Encrypt and store user passwords for SSL-VPN web sessions. enable: Enable setting. disable: Disable setting. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
source-interface <name> | SSL VPN source interface of incoming traffic. Interface name. | string | Maximum length: 35 |
source-address <name> | Source address of incoming traffic. Address name. | string | Maximum length: 79 |
source-address-negate | Enable/disable negated source address match. enable: Enable setting. disable: Disable setting. | option | - |
source-address6 <name> | IPv6 source address of incoming traffic. IPv6 address name. | string | Maximum length: 79 |
source-address6-negate | Enable/disable negated source IPv6 address match. enable: Enable setting. disable: Disable setting. | option | - |
users <name> | User name. User name. | string | Maximum length: 79 |
groups <name> | User groups. Group name. | string | Maximum length: 79 |
portal | SSL VPN portal. | string | Maximum length: 35 |
realm | SSL VPN realm. | string | Maximum length: 35 |
client-cert | Enable/disable SSL VPN client certificate restrictive. enable: Enable setting. disable: Disable setting. | option | - |
user-peer | Name of user peer. | string | Maximum length: 35 |
cipher | SSL VPN cipher strength. any: Any cipher strength. high: High cipher strength (>= 168 bits). medium: Medium cipher strength (>= 128 bits). | option | - |
auth | SSL VPN authentication method restriction. any: Any. local: Local. radius: RADIUS. tacacs+: TACACS+. ldap: LDAP. | option | - |
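
An added example, not part of the reference itself: a Python check that parses a `config vpn ssl settings` block, including its nested `authentication-rule` entries, and reports explicitly set values that the option descriptions above mark as the weaker choice. The sample configuration, the names `parse_ssl_settings`, `audit`, `WEAK_SETTINGS` and `WEAK_RULE_SETTINGS`, and the selection of which values count as weak are assumptions of this example.

```python
import shlex

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set ssl-min-proto-ver tls1-0
    set unsafe-legacy-renegotiation enable
    set algorithm low
    set login-attempt-limit 0
    set tunnel-connect-without-reauth enable
    config authentication-rule
        edit 1
            set groups "staff" "contractors"
            set cipher any
        next
        edit 2
            set cipher high
        next
    end
    set check-referer enable
end
"""

# parameter -> (values treated as weak, finding). Assumption of this example,
# based on the option descriptions in the parameter tables.
WEAK_SETTINGS = {
    "ssl-min-proto-ver": ({"tls1-0", "tls1-1"}, "TLS below 1.2 is accepted"),
    "tlsv1-0": ({"enable"}, "TLS 1.0 is enabled"),
    "tlsv1-1": ({"enable"}, "TLS 1.1 is enabled"),
    "dtls-min-proto-ver": ({"dtls1-0"}, "DTLS 1.0 is accepted"),
    "unsafe-legacy-renegotiation": ({"enable"}, "unsafe legacy renegotiation is on"),
    "ssl-client-renegotiation": ({"enable"}, "clients may renegotiate"),
    "algorithm": ({"low"}, "all algorithms are allowed"),
    "login-attempt-limit": ({"0"}, "failed logins are never blocked"),
    "tunnel-connect-without-reauth": ({"enable"}, "reconnect without re-authorization"),
}
WEAK_RULE_SETTINGS = {"cipher": ({"any"}, "any cipher strength is accepted")}

def parse_ssl_settings(text):
    """Parse one 'config vpn ssl settings' block into (settings, rules)."""
    settings, rules = {}, {}
    depth, in_rules, rule = 0, False, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles quoted names such as "staff"
        if not tokens:
            continue
        word = tokens[0]
        if word == "config":
            depth += 1
            if depth == 1 and tokens[1:] != ["vpn", "ssl", "settings"]:
                raise ValueError("expected 'config vpn ssl settings'")
            in_rules = depth == 2 and tokens[1:] == ["authentication-rule"]
        elif word == "end":
            depth -= 1
            in_rules, rule = False, None
        elif word == "edit" and in_rules:
            rule = rules.setdefault(tokens[1], {})
        elif word == "next":
            rule = None
        elif word == "set" and len(tokens) >= 3:
            if rule is not None:
                rule[tokens[1]] = tokens[2:]      # inside edit <id> ... next
            elif depth == 1:
                settings[tokens[1]] = tokens[2:]  # top-level, before or after the rules
    if depth != 0:
        raise ValueError("unbalanced config/end")
    return settings, rules

def audit(text):
    """Return (scope, parameter, value, finding) for each weak explicit setting."""
    settings, rules = parse_ssl_settings(text)
    scopes = [("settings", settings, WEAK_SETTINGS)]
    scopes += [(f"authentication-rule {rid}", r, WEAK_RULE_SETTINGS) for rid, r in rules.items()]
    findings = []
    for scope, values, checks in scopes:
        for param, (weak, why) in checks.items():
            value = values.get(param)
            # A parameter absent from the block keeps the device default; not guessed here.
            if value and value[0] in weak:
                findings.append((scope, param, value[0], why))
    return findings

if __name__ == "__main__":
    for scope, param, value, why in audit(SAMPLE_CONFIG):
        print(f"{scope}: {param} {value} -> {why}")
```

Only parameters present in the text are judged, so a configuration dump that omits default values will under-report.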