Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    6.4.16
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.16
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.17
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config vpn ssl web portal

    config vpn ssl web portal

    Portal.

    config vpn ssl web portal
    Description: Portal.
    edit <name>
        set allow-user-access {option1}, {option2}, ...
        set auto-connect [enable|disable]
        config bookmark-group
            Description: Portal bookmark group.
            edit <name>
                config bookmarks
                    Description: Bookmark table.
                    edit <name>
                        set additional-params {var-string}
                        set apptype [ftp|rdp|...]
                        set color-depth [32|16|...]
                        set description {var-string}
                        set domain {var-string}
                        set folder {var-string}
                        config form-data
                            Description: Form data.
                            edit <name>
                                set value {var-string}
                            next
                        end
                        set host {var-string}
                        set keyboard-layout [ar-101|ar-102|...]
                        set load-balancing-info {var-string}
                        set logon-password {password}
                        set logon-user {var-string}
                        set port {integer}
                        set preconnection-blob {var-string}
                        set preconnection-id {integer}
                        set restricted-admin [enable|disable]
                        set security [any|rdp|...]
                        set send-preconnection-id [enable|disable]
                        set sso [disable|static|...]
                        set sso-credential [sslvpn-login|alternative]
                        set sso-credential-sent-once [enable|disable]
                        set sso-password {password}
                        set sso-username {var-string}
                        set url {var-string}
                    next
                end
            next
        end
        set clipboard [enable|disable]
        set custom-lang {string}
        set customize-forticlient-download-url [enable|disable]
        set display-bookmark [enable|disable]
        set display-connection-tools [enable|disable]
        set display-history [enable|disable]
        set display-status [enable|disable]
        set dns-server1 {ipv4-address}
        set dns-server2 {ipv4-address}
        set dns-suffix {var-string}
        set exclusive-routing [enable|disable]
        set forticlient-download [enable|disable]
        set forticlient-download-method [direct|ssl-vpn]
        set heading {string}
        set hide-sso-credential [enable|disable]
        set host-check [none|av|...]
        set host-check-interval {integer}
        set host-check-policy <name1>, <name2>, ...
        set ip-mode [range|user-group]
        set ip-pools <name1>, <name2>, ...
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-exclusive-routing [enable|disable]
        set ipv6-pools <name1>, <name2>, ...
        set ipv6-service-restriction [enable|disable]
        set ipv6-split-tunneling [enable|disable]
        set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
        set ipv6-split-tunneling-routing-negate [enable|disable]
        set ipv6-tunnel-mode [enable|disable]
        set ipv6-wins-server1 {ipv6-address}
        set ipv6-wins-server2 {ipv6-address}
        set keep-alive [enable|disable]
        set limit-user-logins [enable|disable]
        set mac-addr-action [allow|deny]
        set mac-addr-check [enable|disable]
        config mac-addr-check-rule
            Description: Client MAC address check rule.
            edit <name>
                set mac-addr-list <addr1>, <addr2>, ...
                set mac-addr-mask {integer}
            next
        end
        set macos-forticlient-download-url {var-string}
        set os-check [enable|disable]
        config os-check-list
            Description: SSL-VPN OS checks. Read-only.
            edit <name>
                set action [deny|allow|...]
                set latest-patch-level {user}
                set tolerance {integer}
            next
        end
        set redir-url {var-string}
        set save-password [enable|disable]
        set service-restriction [enable|disable]
        set skip-check-for-browser [enable|disable]
        set skip-check-for-unsupported-os [enable|disable]
        set smb-max-version [smbv1|smbv2|...]
        set smb-min-version [smbv1|smbv2|...]
        set smb-ntlmv1-auth [enable|disable]
        set smbv1 [enable|disable]
        config split-dns
            Description: Split DNS for SSL-VPN.
            edit <id>
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
                set domains {var-string}
                set ipv6-dns-server1 {ipv6-address}
                set ipv6-dns-server2 {ipv6-address}
            next
        end
        set split-tunneling [enable|disable]
        set split-tunneling-routing-address <name1>, <name2>, ...
        set split-tunneling-routing-negate [enable|disable]
        set theme [blue|green|...]
        set tunnel-mode [enable|disable]
        set use-sdwan [enable|disable]
        set user-bookmark [enable|disable]
        set user-group-bookmark [enable|disable]
        set web-mode [enable|disable]
        set windows-forticlient-download-url {var-string}
        set wins-server1 {ipv4-address}
        set wins-server2 {ipv4-address}
    next
end

    config vpn ssl web portal

    Parameter

    Description

    Type

    Size

    Default

    allow-user-access

    Allow user access to SSL-VPN applications.

    option

    -

    web ftp smb sftp telnet ssh vnc rdp ping

    Option

    Description

    web

    HTTP/HTTPS access.

    ftp

    FTP access.

    smb

    SMB/CIFS access.

    sftp

    SFTP access.

    telnet

    TELNET access.

    ssh

    SSH access.

    vnc

    VNC access.

    rdp

    RDP access.

    ping

    PING access.

    auto-connect

    Enable/disable automatic connect by client when system is up.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    clipboard

    Enable to support RDP/VPC clipboard functionality.

    option

    -

    enable

    Option

    Description

    enable

    Enable support of RDP/VNC clipboard.

    disable

    Disable support of RDP/VNC clipboard.

    custom-lang

    Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files.

    string

    Maximum length: 35

    customize-forticlient-download-url

    Enable support of customized download URL for FortiClient.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-bookmark

    Enable to display the web portal bookmark widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-connection-tools

    Enable to display the web portal connection tools widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-history

    Enable to display the web portal user login history widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-status

    Enable to display the web portal status widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    dns-server1

    IPv4 DNS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    dns-server2

    IPv4 DNS server 2.

    ipv4-address

    Not Specified

    0.0.0.0

    dns-suffix

    DNS suffix.

    var-string

    Maximum length: 253

    exclusive-routing

    Enable/disable all traffic go through tunnel only.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    forticlient-download

    Enable/disable download option for FortiClient.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    forticlient-download-method

    FortiClient download method.

    option

    -

    direct

    Option

    Description

    direct

    Download via direct link.

    ssl-vpn

    Download via SSL-VPN.

    heading

    Web portal heading message.

    string

    Maximum length: 31

    SSL-VPN Portal

    hide-sso-credential

    Enable to prevent SSO credential being sent to client.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    host-check

    Type of host checking performed on endpoints.

    option

    -

    none

    Option

    Description

    none

    No host checking.

    av

    AntiVirus software recognized by the Windows Security Center.

    fw

    Firewall software recognized by the Windows Security Center.

    av-fw

    AntiVirus and firewall software recognized by the Windows Security Center.

    custom

    Custom.

    host-check-interval

    Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.

    integer

    Minimum value: 120 Maximum value: 259200

    0

    host-check-policy <name>

    One or more policies to require the endpoint to have specific security software.

    Host check software list name.

    string

    Maximum length: 79

    ip-mode

    Method by which users of this SSL-VPN tunnel obtain IP addresses.

    option

    -

    range

    Option

    Description

    range

    Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.

    user-group

    Use IP the addresses associated with individual users or user groups (usually from external auth servers).

    ip-pools <name>

    IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.

    Address name.

    string

    Maximum length: 79

    ipv6-dns-server1

    IPv6 DNS server 1.

    ipv6-address

    Not Specified

    ::

    ipv6-dns-server2

    IPv6 DNS server 2.

    ipv6-address

    Not Specified

    ::

    ipv6-exclusive-routing

    Enable/disable all IPv6 traffic go through tunnel only.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-pools <name>

    IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.

    Address name.

    string

    Maximum length: 79

    ipv6-service-restriction

    Enable/disable IPv6 tunnel service restriction.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-split-tunneling

    Enable/disable IPv6 split tunneling.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-split-tunneling-routing-address <name>

    IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

    Address name.

    string

    Maximum length: 79

    ipv6-split-tunneling-routing-negate

    Enable to negate IPv6 split tunneling routing address.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-tunnel-mode

    Enable/disable IPv6 SSL-VPN tunnel mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-wins-server1

    IPv6 WINS server 1.

    ipv6-address

    Not Specified

    ::

    ipv6-wins-server2

    IPv6 WINS server 2.

    ipv6-address

    Not Specified

    ::

    keep-alive

    Enable/disable automatic reconnect for FortiClient connections.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    limit-user-logins

    Enable to limit each user to one SSL-VPN session at a time.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    mac-addr-action

    Client MAC address action.

    option

    -

    allow

    Option

    Description

    allow

    Allow connection when client MAC address is matched.

    deny

    Deny connection when client MAC address is matched.

    mac-addr-check

    Enable/disable MAC address host checking.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    macos-forticlient-download-url

    Download URL for Mac FortiClient.

    var-string

    Maximum length: 1023

    name

    Portal name.

    string

    Maximum length: 35

    os-check

    Enable to let the FortiGate decide action based on client OS.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    redir-url

    Client login redirect URL.

    var-string

    Maximum length: 255

    save-password

    Enable/disable FortiClient saving the user's password.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    service-restriction

    Enable/disable tunnel service restriction.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    skip-check-for-browser

    Enable to skip host check for browser support.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    skip-check-for-unsupported-os

    Enable to skip host check if client OS does not support it.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    smb-max-version

    SMB maximum client protocol version.

    option

    -

    smbv3

    Option

    Description

    smbv1

    SMB version 1.

    smbv2

    SMB version 2.

    smbv3

    SMB version 3.

    smb-min-version

    SMB minimum client protocol version.

    option

    -

    smbv2

    Option

    Description

    smbv1

    SMB version 1.

    smbv2

    SMB version 2.

    smbv3

    SMB version 3.

    smb-ntlmv1-auth

    Enable support of NTLMv1 for Samba authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    smbv1

    smbv1

    option

    -

    disable

    Option

    Description

    enable

    enable

    disable

    disable

    split-tunneling

    Enable/disable IPv4 split tunneling.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    split-tunneling-routing-address <name>

    IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

    Address name.

    string

    Maximum length: 79

    split-tunneling-routing-negate

    Enable to negate split tunneling routing address.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    theme

    Web portal color scheme.

    option

    -

    blue

    Option

    Description

    blue

    Light blue theme.

    green

    Green theme.

    neutrino

    Neutrino theme.

    melongene

    Melongene theme (eggplant color).

    mariner

    Mariner theme (dark blue color).

    tunnel-mode

    Enable/disable IPv4 SSL-VPN tunnel mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    use-sdwan

    Use SD-WAN rules to get output interface.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    user-bookmark

    Enable to allow web portal users to create their own bookmarks.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    user-group-bookmark

    Enable to allow web portal users to create bookmarks for all users in the same user group.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    web-mode

    Enable/disable SSL-VPN web mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    windows-forticlient-download-url

    Download URL for Windows FortiClient.

    var-string

    Maximum length: 1023

    wins-server1

    IPv4 WINS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    wins-server2

    IPv4 WINS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    config bookmark-group

    Parameter

    Description

    Type

    Size

    Default

    name

    Bookmark group name.

    string

    Maximum length: 35

    config bookmarks

    Parameter

    Description

    Type

    Size

    Default

    additional-params

    Additional parameters.

    var-string

    Maximum length: 128

    apptype

    Application type.

    option

    -

    web

    Option

    Description

    ftp

    FTP.

    rdp

    RDP.

    sftp

    SFTP.

    smb

    SMB/CIFS.

    ssh

    SSH.

    telnet

    Telnet.

    vnc

    VNC.

    web

    HTTP/HTTPS.

    color-depth

    Color depth per pixel.

    option

    -

    16

    Option

    Description

    32

    32bits per pixel.

    16

    16bits per pixel.

    8

    8bits per pixel.

    description

    Description.

    var-string

    Maximum length: 128

    domain

    Login domain.

    var-string

    Maximum length: 128

    folder

    Network shared file folder parameter.

    var-string

    Maximum length: 128

    host

    Host name/IP parameter.

    var-string

    Maximum length: 128

    keyboard-layout

    Keyboard layout.

    option

    -

    en-us

    Option

    Description

    ar-101

    Arabic (101).

    ar-102

    Arabic (102).

    ar-102-azerty

    Arabic (102) AZERTY.

    can-mul

    Canadian Multilingual Standard.

    cz

    Czech.

    cz-qwerty

    Czech (QWERTY).

    cz-pr

    Czech Programmers.

    da

    Danish.

    nl

    Dutch.

    de

    German.

    de-ch

    German, Switzerland.

    de-ibm

    German (IBM).

    en-uk

    English, United Kingdom.

    en-uk-ext

    English, United Kingdom Extended.

    en-us

    English, United States.

    en-us-dvorak

    English, United States-Dvorak.

    es

    Spanish.

    es-var

    Spanish Variation.

    fi

    Finnish.

    fi-sami

    Finnish with Sami.

    fr

    French.

    fr-ca

    French, Canada.

    fr-ch

    French, Switzerland.

    fr-be

    French, Belgium.

    hr

    Croatian.

    hu

    Hungarian.

    hu-101

    Hungarian 101-Key.

    it

    Italian.

    it-142

    Italian (142).

    ja

    Japanese.

    ko

    Korean.

    lt

    Lithuanian.

    lt-ibm

    Lithuanian IBM.

    lt-std

    Lithuanian Standard.

    lav-std

    Latvian (Standard).

    lav-leg

    Latvian (Legacy).

    mk

    Macedonian (FYROM).

    mk-std

    Macedonia (FYROM) - Standard.

    no

    Norwegian.

    no-sami

    Norwegian with Sami.

    pol-214

    Polish (214).

    pol-pr

    Polish (Programmers).

    pt

    Portuguese.

    pt-br

    Portuguese (Brazilian ABNT).

    pt-br-abnt2

    Portuguese (Brazilian ABNT2).

    ru

    Russian.

    ru-mne

    Russian - Mnemonic.

    ru-t

    Russian (Typewriter).

    sl

    Slovenian.

    sv

    Swedish.

    sv-sami

    Swedish with Sami.

    tuk

    Turkmen.

    tur-f

    Turkish F.

    tur-q

    Turkish Q.

    zh-sym-sg-us

    Chinese (Simplified, Singapore) - US keyboard.

    zh-sym-us

    Chinese (Simplified) - US Keyboard.

    zh-tr-hk

    Chinese (Traditional, Hong Kong S.A.R.).

    zh-tr-mo

    Chinese (Traditional Macao S.A.R.) - US Keyboard.

    zh-tr-us

    Chinese (Traditional) - US keyboard.

    load-balancing-info

    The load balancing information or cookie which should be provided to the connection broker.

    var-string

    Maximum length: 511

    logon-password

    Logon password.

    password

    Not Specified

    logon-user

    Logon user.

    var-string

    Maximum length: 35

    name

    Bookmark name.

    string

    Maximum length: 35

    port

    Remote port.

    integer

    Minimum value: 0 Maximum value: 65535

    0

    preconnection-blob

    An arbitrary string which identifies the RDP source.

    var-string

    Maximum length: 511

    preconnection-id

    The numeric ID of the RDP source (0-4294967295).

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    restricted-admin

    Enable/disable restricted admin mode for RDP.

    option

    -

    disable

    Option

    Description

    enable

    Enable restricted admin mode for RDP.

    disable

    Disable restricted admin mode for RDP.

    security

    Security mode for RDP connection.

    option

    -

    any

    Option

    Description

    any

    Allow the server to choose the type of security.

    rdp

    Standard RDP encryption.

    nla

    Network Level Authentication.

    tls

    TLS encryption.

    send-preconnection-id

    Enable/disable sending of preconnection ID.

    option

    -

    disable

    Option

    Description

    enable

    Enable sending of preconnection ID.

    disable

    Disable sending of preconnection ID.

    sso

    Single Sign-On.

    option

    -

    disable

    Option

    Description

    disable

    Disable SSO.

    static

    Static SSO.

    auto

    Auto SSO.

    sso-credential

    Single sign-on credentials.

    option

    -

    sslvpn-login

    Option

    Description

    sslvpn-login

    SSL-VPN login.

    alternative

    Alternative.

    sso-credential-sent-once

    Single sign-on credentials are only sent once to remote server.

    option

    -

    disable

    Option

    Description

    enable

    Single sign-on credentials are only sent once to remote server.

    disable

    Single sign-on credentials are sent to remote server for every HTTP request.

    sso-password

    SSO password.

    password

    Not Specified

    sso-username

    SSO user name.

    var-string

    Maximum length: 35

    url

    URL parameter.

    var-string

    Maximum length: 128

    config form-data

    Parameter

    Description

    Type

    Size

    Default

    name

    Name.

    string

    Maximum length: 35

    value

    Value.

    var-string

    Maximum length: 63

    config mac-addr-check-rule

    Parameter

    Description

    Type

    Size

    Default

    mac-addr-list <addr>

    Client MAC address list.

    Client MAC address.

    mac-address

    Not Specified

    mac-addr-mask

    Client MAC address mask.

    integer

    Minimum value: 1 Maximum value: 48

    48

    name

    Client MAC address check rule name.

    string

    Maximum length: 35

    config os-check-list

    Parameter

    Description

    Type

    Size

    Default

    action

    OS check options.

    option

    -

    allow

    Option

    Description

    deny

    Deny all OS versions.

    allow

    Allow any OS version.

    check-up-to-date

    Verify OS is up-to-date.

    latest-patch-level

    Latest OS patch level.

    user

    Not Specified

    0

    name

    Name.

    string

    Maximum length: 35

    tolerance

    OS patch level tolerance.

    integer

    Minimum value: 0 Maximum value: 65535

    0

    config split-dns

    Parameter

    Description

    Type

    Size

    Default

    dns-server1

    DNS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    dns-server2

    DNS server 2.

    ipv4-address

    Not Specified

    0.0.0.0

    domains

    Split DNS domains used for SSL-VPN clients separated by comma(,).

    var-string

    Maximum length: 1024

    id

    ID.

    integer

    Minimum value: 0 Maximum value: 4294967294

    0

    ipv6-dns-server1

    IPv6 DNS server 1.

    ipv6-address

    Not Specified

    ::

    ipv6-dns-server2

    IPv6 DNS server 2.

    ipv6-address

    Not Specified

    ::
    Previous
    Next

    config vpn ssl web portal

    config vpn ssl web portal

    Portal.

    config vpn ssl web portal
    Description: Portal.
    edit <name>
        set allow-user-access {option1}, {option2}, ...
        set auto-connect [enable|disable]
        config bookmark-group
            Description: Portal bookmark group.
            edit <name>
                config bookmarks
                    Description: Bookmark table.
                    edit <name>
                        set additional-params {var-string}
                        set apptype [ftp|rdp|...]
                        set color-depth [32|16|...]
                        set description {var-string}
                        set domain {var-string}
                        set folder {var-string}
                        config form-data
                            Description: Form data.
                            edit <name>
                                set value {var-string}
                            next
                        end
                        set host {var-string}
                        set keyboard-layout [ar-101|ar-102|...]
                        set load-balancing-info {var-string}
                        set logon-password {password}
                        set logon-user {var-string}
                        set port {integer}
                        set preconnection-blob {var-string}
                        set preconnection-id {integer}
                        set restricted-admin [enable|disable]
                        set security [any|rdp|...]
                        set send-preconnection-id [enable|disable]
                        set sso [disable|static|...]
                        set sso-credential [sslvpn-login|alternative]
                        set sso-credential-sent-once [enable|disable]
                        set sso-password {password}
                        set sso-username {var-string}
                        set url {var-string}
                    next
                end
            next
        end
        set clipboard [enable|disable]
        set custom-lang {string}
        set customize-forticlient-download-url [enable|disable]
        set display-bookmark [enable|disable]
        set display-connection-tools [enable|disable]
        set display-history [enable|disable]
        set display-status [enable|disable]
        set dns-server1 {ipv4-address}
        set dns-server2 {ipv4-address}
        set dns-suffix {var-string}
        set exclusive-routing [enable|disable]
        set forticlient-download [enable|disable]
        set forticlient-download-method [direct|ssl-vpn]
        set heading {string}
        set hide-sso-credential [enable|disable]
        set host-check [none|av|...]
        set host-check-interval {integer}
        set host-check-policy <name1>, <name2>, ...
        set ip-mode [range|user-group]
        set ip-pools <name1>, <name2>, ...
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-exclusive-routing [enable|disable]
        set ipv6-pools <name1>, <name2>, ...
        set ipv6-service-restriction [enable|disable]
        set ipv6-split-tunneling [enable|disable]
        set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
        set ipv6-split-tunneling-routing-negate [enable|disable]
        set ipv6-tunnel-mode [enable|disable]
        set ipv6-wins-server1 {ipv6-address}
        set ipv6-wins-server2 {ipv6-address}
        set keep-alive [enable|disable]
        set limit-user-logins [enable|disable]
        set mac-addr-action [allow|deny]
        set mac-addr-check [enable|disable]
        config mac-addr-check-rule
            Description: Client MAC address check rule.
            edit <name>
                set mac-addr-list <addr1>, <addr2>, ...
                set mac-addr-mask {integer}
            next
        end
        set macos-forticlient-download-url {var-string}
        set os-check [enable|disable]
        config os-check-list
            Description: SSL-VPN OS checks. Read-only.
            edit <name>
                set action [deny|allow|...]
                set latest-patch-level {user}
                set tolerance {integer}
            next
        end
        set redir-url {var-string}
        set save-password [enable|disable]
        set service-restriction [enable|disable]
        set skip-check-for-browser [enable|disable]
        set skip-check-for-unsupported-os [enable|disable]
        set smb-max-version [smbv1|smbv2|...]
        set smb-min-version [smbv1|smbv2|...]
        set smb-ntlmv1-auth [enable|disable]
        set smbv1 [enable|disable]
        config split-dns
            Description: Split DNS for SSL-VPN.
            edit <id>
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
                set domains {var-string}
                set ipv6-dns-server1 {ipv6-address}
                set ipv6-dns-server2 {ipv6-address}
            next
        end
        set split-tunneling [enable|disable]
        set split-tunneling-routing-address <name1>, <name2>, ...
        set split-tunneling-routing-negate [enable|disable]
        set theme [blue|green|...]
        set tunnel-mode [enable|disable]
        set use-sdwan [enable|disable]
        set user-bookmark [enable|disable]
        set user-group-bookmark [enable|disable]
        set web-mode [enable|disable]
        set windows-forticlient-download-url {var-string}
        set wins-server1 {ipv4-address}
        set wins-server2 {ipv4-address}
    next
end

    config vpn ssl web portal

    Parameter

    Description

    Type

    Size

    Default

    allow-user-access

    Allow user access to SSL-VPN applications.

    option

    -

    web ftp smb sftp telnet ssh vnc rdp ping

    Option

    Description

    web

    HTTP/HTTPS access.

    ftp

    FTP access.

    smb

    SMB/CIFS access.

    sftp

    SFTP access.

    telnet

    TELNET access.

    ssh

    SSH access.

    vnc

    VNC access.

    rdp

    RDP access.

    ping

    PING access.

    auto-connect

    Enable/disable automatic connect by client when system is up.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    clipboard

    Enable to support RDP/VPC clipboard functionality.

    option

    -

    enable

    Option

    Description

    enable

    Enable support of RDP/VNC clipboard.

    disable

    Disable support of RDP/VNC clipboard.

    custom-lang

    Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files.

    string

    Maximum length: 35

    customize-forticlient-download-url

    Enable support of customized download URL for FortiClient.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-bookmark

    Enable to display the web portal bookmark widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-connection-tools

    Enable to display the web portal connection tools widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-history

    Enable to display the web portal user login history widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    display-status

    Enable to display the web portal status widget.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    dns-server1

    IPv4 DNS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    dns-server2

    IPv4 DNS server 2.

    ipv4-address

    Not Specified

    0.0.0.0

    dns-suffix

    DNS suffix.

    var-string

    Maximum length: 253

    exclusive-routing

    Enable/disable all traffic go through tunnel only.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    forticlient-download

    Enable/disable download option for FortiClient.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    forticlient-download-method

    FortiClient download method.

    option

    -

    direct

    Option

    Description

    direct

    Download via direct link.

    ssl-vpn

    Download via SSL-VPN.

    heading

    Web portal heading message.

    string

    Maximum length: 31

    SSL-VPN Portal

    hide-sso-credential

    Enable to prevent SSO credential being sent to client.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    host-check

    Type of host checking performed on endpoints.

    option

    -

    none

    Option

    Description

    none

    No host checking.

    av

    AntiVirus software recognized by the Windows Security Center.

    fw

    Firewall software recognized by the Windows Security Center.

    av-fw

    AntiVirus and firewall software recognized by the Windows Security Center.

    custom

    Custom.

    host-check-interval

    Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.

    integer

    Minimum value: 120 Maximum value: 259200

    0

    host-check-policy <name>

    One or more policies to require the endpoint to have specific security software.

    Host check software list name.

    string

    Maximum length: 79

    ip-mode

    Method by which users of this SSL-VPN tunnel obtain IP addresses.

    option

    -

    range

    Option

    Description

    range

    Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.

    user-group

    Use IP the addresses associated with individual users or user groups (usually from external auth servers).

    ip-pools <name>

    IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.

    Address name.

    string

    Maximum length: 79

    ipv6-dns-server1

    IPv6 DNS server 1.

    ipv6-address

    Not Specified

    ::

    ipv6-dns-server2

    IPv6 DNS server 2.

    ipv6-address

    Not Specified

    ::

    ipv6-exclusive-routing

    Enable/disable all IPv6 traffic go through tunnel only.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-pools <name>

    IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.

    Address name.

    string

    Maximum length: 79

    ipv6-service-restriction

    Enable/disable IPv6 tunnel service restriction.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-split-tunneling

    Enable/disable IPv6 split tunneling.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-split-tunneling-routing-address <name>

    IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

    Address name.

    string

    Maximum length: 79

    ipv6-split-tunneling-routing-negate

    Enable to negate IPv6 split tunneling routing address.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-tunnel-mode

    Enable/disable IPv6 SSL-VPN tunnel mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    ipv6-wins-server1

    IPv6 WINS server 1.

    ipv6-address

    Not Specified

    ::

    ipv6-wins-server2

    IPv6 WINS server 2.

    ipv6-address

    Not Specified

    ::

    keep-alive

    Enable/disable automatic reconnect for FortiClient connections.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    limit-user-logins

    Enable to limit each user to one SSL-VPN session at a time.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    mac-addr-action

    Client MAC address action.

    option

    -

    allow

    Option

    Description

    allow

    Allow connection when client MAC address is matched.

    deny

    Deny connection when client MAC address is matched.

    mac-addr-check

    Enable/disable MAC address host checking.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    macos-forticlient-download-url

    Download URL for Mac FortiClient.

    var-string

    Maximum length: 1023

    name

    Portal name.

    string

    Maximum length: 35

    os-check

    Enable to let the FortiGate decide action based on client OS.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    redir-url

    Client login redirect URL.

    var-string

    Maximum length: 255

    save-password

    Enable/disable FortiClient saving the user's password.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    service-restriction

    Enable/disable tunnel service restriction.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    skip-check-for-browser

    Enable to skip host check for browser support.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    skip-check-for-unsupported-os

    Enable to skip host check if client OS does not support it.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    smb-max-version

    SMB maximum client protocol version.

    option

    -

    smbv3

    Option

    Description

    smbv1

    SMB version 1.

    smbv2

    SMB version 2.

    smbv3

    SMB version 3.

    smb-min-version

    SMB minimum client protocol version.

    option

    -

    smbv2

    Option

    Description

    smbv1

    SMB version 1.

    smbv2

    SMB version 2.

    smbv3

    SMB version 3.

    smb-ntlmv1-auth

    Enable support of NTLMv1 for Samba authentication.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    smbv1

    smbv1

    option

    -

    disable

    Option

    Description

    enable

    enable

    disable

    disable

    split-tunneling

    Enable/disable IPv4 split tunneling.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    split-tunneling-routing-address <name>

    IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

    Address name.

    string

    Maximum length: 79

    split-tunneling-routing-negate

    Enable to negate split tunneling routing address.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    theme

    Web portal color scheme.

    option

    -

    blue

    Option

    Description

    blue

    Light blue theme.

    green

    Green theme.

    neutrino

    Neutrino theme.

    melongene

    Melongene theme (eggplant color).

    mariner

    Mariner theme (dark blue color).

    tunnel-mode

    Enable/disable IPv4 SSL-VPN tunnel mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    use-sdwan

    Use SD-WAN rules to get output interface.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    user-bookmark

    Enable to allow web portal users to create their own bookmarks.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    user-group-bookmark

    Enable to allow web portal users to create bookmarks for all users in the same user group.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    web-mode

    Enable/disable SSL-VPN web mode.

    option

    -

    disable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    windows-forticlient-download-url

    Download URL for Windows FortiClient.

    var-string

    Maximum length: 1023

    wins-server1

    IPv4 WINS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    wins-server2

    IPv4 WINS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    config bookmark-group

    Parameter

    Description

    Type

    Size

    Default

    name

    Bookmark group name.

    string

    Maximum length: 35

    config bookmarks

    Parameter

    Description

    Type

    Size

    Default

    additional-params

    Additional parameters.

    var-string

    Maximum length: 128

    apptype

    Application type.

    option

    -

    web

    Option

    Description

    ftp

    FTP.

    rdp

    RDP.

    sftp

    SFTP.

    smb

    SMB/CIFS.

    ssh

    SSH.

    telnet

    Telnet.

    vnc

    VNC.

    web

    HTTP/HTTPS.

    color-depth

    Color depth per pixel.

    option

    -

    16

    Option

    Description

    32

    32bits per pixel.

    16

    16bits per pixel.

    8

    8bits per pixel.

    description

    Description.

    var-string

    Maximum length: 128

    domain

    Login domain.

    var-string

    Maximum length: 128

    folder

    Network shared file folder parameter.

    var-string

    Maximum length: 128

    host

    Host name/IP parameter.

    var-string

    Maximum length: 128

    keyboard-layout

    Keyboard layout.

    option

    -

    en-us

    Option

    Description

    ar-101

    Arabic (101).

    ar-102

    Arabic (102).

    ar-102-azerty

    Arabic (102) AZERTY.

    can-mul

    Canadian Multilingual Standard.

    cz

    Czech.

    cz-qwerty

    Czech (QWERTY).

    cz-pr

    Czech Programmers.

    da

    Danish.

    nl

    Dutch.

    de

    German.

    de-ch

    German, Switzerland.

    de-ibm

    German (IBM).

    en-uk

    English, United Kingdom.

    en-uk-ext

    English, United Kingdom Extended.

    en-us

    English, United States.

    en-us-dvorak

    English, United States-Dvorak.

    es

    Spanish.

    es-var

    Spanish Variation.

    fi

    Finnish.

    fi-sami

    Finnish with Sami.

    fr

    French.

    fr-ca

    French, Canada.

    fr-ch

    French, Switzerland.

    fr-be

    French, Belgium.

    hr

    Croatian.

    hu

    Hungarian.

    hu-101

    Hungarian 101-Key.

    it

    Italian.

    it-142

    Italian (142).

    ja

    Japanese.

    ko

    Korean.

    lt

    Lithuanian.

    lt-ibm

    Lithuanian IBM.

    lt-std

    Lithuanian Standard.

    lav-std

    Latvian (Standard).

    lav-leg

    Latvian (Legacy).

    mk

    Macedonian (FYROM).

    mk-std

    Macedonia (FYROM) - Standard.

    no

    Norwegian.

    no-sami

    Norwegian with Sami.

    pol-214

    Polish (214).

    pol-pr

    Polish (Programmers).

    pt

    Portuguese.

    pt-br

    Portuguese (Brazilian ABNT).

    pt-br-abnt2

    Portuguese (Brazilian ABNT2).

    ru

    Russian.

    ru-mne

    Russian - Mnemonic.

    ru-t

    Russian (Typewriter).

    sl

    Slovenian.

    sv

    Swedish.

    sv-sami

    Swedish with Sami.

    tuk

    Turkmen.

    tur-f

    Turkish F.

    tur-q

    Turkish Q.

    zh-sym-sg-us

    Chinese (Simplified, Singapore) - US keyboard.

    zh-sym-us

    Chinese (Simplified) - US Keyboard.

    zh-tr-hk

    Chinese (Traditional, Hong Kong S.A.R.).

    zh-tr-mo

    Chinese (Traditional Macao S.A.R.) - US Keyboard.

    zh-tr-us

    Chinese (Traditional) - US keyboard.

    load-balancing-info

    The load balancing information or cookie which should be provided to the connection broker.

    var-string

    Maximum length: 511

    logon-password

    Logon password.

    password

    Not Specified

    logon-user

    Logon user.

    var-string

    Maximum length: 35

    name

    Bookmark name.

    string

    Maximum length: 35

    port

    Remote port.

    integer

    Minimum value: 0 Maximum value: 65535

    0

    preconnection-blob

    An arbitrary string which identifies the RDP source.

    var-string

    Maximum length: 511

    preconnection-id

    The numeric ID of the RDP source (0-4294967295).

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    restricted-admin

    Enable/disable restricted admin mode for RDP.

    option

    -

    disable

    Option

    Description

    enable

    Enable restricted admin mode for RDP.

    disable

    Disable restricted admin mode for RDP.

    security

    Security mode for RDP connection.

    option

    -

    any

    Option

    Description

    any

    Allow the server to choose the type of security.

    rdp

    Standard RDP encryption.

    nla

    Network Level Authentication.

    tls

    TLS encryption.

    send-preconnection-id

    Enable/disable sending of preconnection ID.

    option

    -

    disable

    Option

    Description

    enable

    Enable sending of preconnection ID.

    disable

    Disable sending of preconnection ID.

    sso

    Single Sign-On.

    option

    -

    disable

    Option

    Description

    disable

    Disable SSO.

    static

    Static SSO.

    auto

    Auto SSO.

    sso-credential

    Single sign-on credentials.

    option

    -

    sslvpn-login

    Option

    Description

    sslvpn-login

    SSL-VPN login.

    alternative

    Alternative.

    sso-credential-sent-once

    Single sign-on credentials are only sent once to remote server.

    option

    -

    disable

    Option

    Description

    enable

    Single sign-on credentials are only sent once to remote server.

    disable

    Single sign-on credentials are sent to remote server for every HTTP request.

    sso-password

    SSO password.

    password

    Not Specified

    sso-username

    SSO user name.

    var-string

    Maximum length: 35

    url

    URL parameter.

    var-string

    Maximum length: 128

    config form-data

    Parameter

    Description

    Type

    Size

    Default

    name

    Name.

    string

    Maximum length: 35

    value

    Value.

    var-string

    Maximum length: 63

    config mac-addr-check-rule

    Parameter

    Description

    Type

    Size

    Default

    mac-addr-list <addr>

    Client MAC address list.

    Client MAC address.

    mac-address

    Not Specified

    mac-addr-mask

    Client MAC address mask.

    integer

    Minimum value: 1 Maximum value: 48

    48

    name

    Client MAC address check rule name.

    string

    Maximum length: 35

    config os-check-list

    Parameter

    Description

    Type

    Size

    Default

    action

    OS check options.

    option

    -

    allow

    Option

    Description

    deny

    Deny all OS versions.

    allow

    Allow any OS version.

    check-up-to-date

    Verify OS is up-to-date.

    latest-patch-level

    Latest OS patch level.

    user

    Not Specified

    0

    name

    Name.

    string

    Maximum length: 35

    tolerance

    OS patch level tolerance.

    integer

    Minimum value: 0 Maximum value: 65535

    0

    config split-dns

    Parameter

    Description

    Type

    Size

    Default

    dns-server1

    DNS server 1.

    ipv4-address

    Not Specified

    0.0.0.0

    dns-server2

    DNS server 2.

    ipv4-address

    Not Specified

    0.0.0.0

    domains

    Split DNS domains used for SSL-VPN clients separated by comma(,).

    var-string

    Maximum length: 1024

    id

    ID.

    integer

    Minimum value: 0 Maximum value: 4294967294

    0

    ipv6-dns-server1

    IPv6 DNS server 1.

    ipv6-address

    Not Specified

    ::

    ipv6-dns-server2

    IPv6 DNS server 2.

    ipv6-address

    Not Specified

    ::
    Previous
    Next