Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config vpn ssl settings

Configure SSL VPN.

config vpn ssl settings

Description: Configure SSL VPN.

set reqclientcert [enable|disable]

set user-peer {string}

set ssl-max-proto-ver [tls1-0|tls1-1|...]

set ssl-min-proto-ver [tls1-0|tls1-1|...]

set banned-cipher {option1}, {option2}, ...

set ssl-insert-empty-fragment [enable|disable]

set https-redirect [enable|disable]

set x-content-type-options [enable|disable]

set ssl-client-renegotiation [disable|enable]

set force-two-factor-auth [enable|disable]

set unsafe-legacy-renegotiation [enable|disable]

set servercert {string}

set algorithm [high|medium|...]

set idle-timeout {integer}

set auth-timeout {integer}

set login-attempt-limit {integer}

set login-block-time {integer}

set login-timeout {integer}

set dtls-hello-timeout {integer}

set tunnel-ip-pools <name1>, <name2>, ...

set tunnel-ipv6-pools <name1>, <name2>, ...

set dns-suffix {var-string}

set dns-server1 {ipv4-address}

set dns-server2 {ipv4-address}

set wins-server1 {ipv4-address}

set wins-server2 {ipv4-address}

set ipv6-dns-server1 {ipv6-address}

set ipv6-dns-server2 {ipv6-address}

set ipv6-wins-server1 {ipv6-address}

set ipv6-wins-server2 {ipv6-address}

set url-obscuration [enable|disable]

set http-compression [enable|disable]

set http-only-cookie [enable|disable]

set deflate-compression-level {integer}

set deflate-min-data-size {integer}

set port {integer}

set port-precedence [enable|disable]

set auto-tunnel-static-route [enable|disable]

set header-x-forwarded-for [pass|add|...]

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set default-portal {string}

config authentication-rule

Description: Authentication rule for SSL VPN.

edit <id>

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set users <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set portal {string}

set realm {string}

set client-cert [enable|disable]

set user-peer {string}

set cipher [any|high|...]

set auth [any|local|...]

next

end

set dtls-tunnel [enable|disable]

set dtls-max-proto-ver [dtls1-0|dtls1-2]

set dtls-min-proto-ver [dtls1-0|dtls1-2]

set check-referer [enable|disable]

set http-request-header-timeout {integer}

set http-request-body-timeout {integer}

set auth-session-check-source-ip [enable|disable]

set tunnel-connect-without-reauth [enable|disable]

set tunnel-user-session-timeout {integer}

set hsts-include-subdomains [enable|disable]

set transform-backward-slashes [enable|disable]

set encode-2f-sequence [enable|disable]

set encrypt-and-store-password [enable|disable]

set client-sigalgs [no-rsa-pss|all]

end

config vpn ssl settings

Parameter

Description

Type

Size

Default

reqclientcert

Enable/disable to require client certificates for all SSL VPN users.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

ssl-max-proto-ver

SSL maximum protocol version.

option

-

tls1-3

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

ssl-min-proto-ver

SSL minimum protocol version.

option

-

tls1-2

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

banned-cipher

Select one or more cipher technologies that cannot be used in SSL VPN negotiations.

option

-

 

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

ssl-insert-empty-fragment

Enable/disable insertion of empty fragment.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

https-redirect

Enable/disable redirect of port 80 to SSL VPN port.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

x-content-type-options

Add HTTP X-Content-Type-Options header.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-client-renegotiation

Enable/disable to allow client renegotiation by the server if the tunnel goes down.

option

-

disable

 

Option

Description

disable

Abort any SSL connection that attempts to renegotiate.

enable

Allow a SSL client to renegotiate.

force-two-factor-auth

Enable/disable only PKI users with two-factor authentication for SSL VPNs.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

unsafe-legacy-renegotiation

Enable/disable unsafe legacy re-negotiation.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

servercert

Name of the server certificate to be used for SSL VPNs.

string

Maximum length: 35

Fortinet_Factory

algorithm

Force the SSL VPN security level. High allows only high. Medium allows medium and high. Low allows any.

option

-

high

 

Option

Description

high

High algorithms.

medium

High and medium algorithms.

default

default

low

All algorithms.

idle-timeout

SSL VPN disconnects if idle for specified time in seconds.

integer

Minimum value: 0 Maximum value: 259200

300

auth-timeout

SSL VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).

integer

Minimum value: 0 Maximum value: 259200

28800

login-attempt-limit

SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).

integer

Minimum value: 0 Maximum value: 4294967295

2

login-block-time

Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).

integer

Minimum value: 0 Maximum value: 4294967295

60

login-timeout

SSLVPN maximum login timeout (10 - 180 sec, default = 30).

integer

Minimum value: 10 Maximum value: 180

30

dtls-hello-timeout

SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).

integer

Minimum value: 10 Maximum value: 60

10

tunnel-ip-pools <name>

Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

tunnel-ipv6-pools <name>

Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

dns-suffix

DNS suffix used for SSL VPN clients.

var-string

Maximum length: 253

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

wins-server1

WINS server 1.

ipv4-address

Not Specified

0.0.0.0

wins-server2

WINS server 2.

ipv4-address

Not Specified

0.0.0.0

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

::

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

::

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

::

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

::

url-obscuration

Enable/disable to obscure the host name of the URL of the web browser display.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

http-compression

Enable/disable to allow HTTP compression over SSL VPN tunnels.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

http-only-cookie

Enable/disable SSL VPN support for HttpOnly cookies.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

deflate-compression-level

Compression level (0~9).

integer

Minimum value: 0 Maximum value: 9

6

deflate-min-data-size

Minimum amount of data that triggers compression (200 - 65535 bytes).

integer

Minimum value: 200 Maximum value: 65535

300

port

SSL VPN access port (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

10443

port-precedence

Enable/disable, Enable means that if SSL VPN connections are allowed on an interface admin GUI connections are blocked on that interface.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-tunnel-static-route

Enable/disable to auto-create static routes for the SSL VPN tunnel IP addresses.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

header-x-forwarded-for

Forward the same, add, or remove HTTP header.

option

-

add

 

Option

Description

pass

Forward the same HTTP header.

add

Add the HTTP header.

remove

Remove the HTTP header.

source-interface <name>

SSL VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

default-portal

Default SSL VPN portal.

string

Maximum length: 35

dtls-tunnel

Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

dtls-max-proto-ver

DTLS maximum protocol version.

option

-

dtls1-2

 

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

dtls-min-proto-ver

DTLS minimum protocol version.

option

-

dtls1-0

 

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

check-referer

Enable/disable verification of referer field in HTTP request header.

option

-

disable

 

Option

Description

enable

Enable verification of referer field in HTTP request header.

disable

Disable verification of referer field in HTTP request header.

http-request-header-timeout

SSL VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

20

http-request-body-timeout

SSL VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).

integer

Minimum value: 0 Maximum value: 4294967295

30

auth-session-check-source-ip

Enable/disable checking of source IP for authentication session.

option

-

enable

 

Option

Description

enable

Enable checking of source IP for authentication session.

disable

Disable checking of source IP for authentication session.

tunnel-connect-without-reauth

Enable/disable tunnel connection without re-authorization if previous connection dropped.

option

-

disable

 

Option

Description

enable

Enable tunnel connection without re-authorization.

disable

Disable tunnel connection without re-authorization.

tunnel-user-session-timeout

Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30).

integer

Minimum value: 1 Maximum value: 255

30

hsts-include-subdomains

Add HSTS includeSubDomains response header.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

transform-backward-slashes

Transform backward slashes to forward slashes in URLs.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

encode-2f-sequence

Encode \2F sequence to forward slash in URLs.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

encrypt-and-store-password

Encrypt and store user passwords for SSL VPN web sessions.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

client-sigalgs

Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only.

option

-

all

 

Option

Description

no-rsa-pss

Disable RSA-PSS signature algorithms for client authentication.

all

Enable all supported signature algorithms for client authentication.

Parameter

Description

Type

Size

Default

source-interface <name>

SSL VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

users <name>

User name.

User name.

string

Maximum length: 79

groups <name>

User groups.

Group name.

string

Maximum length: 79

portal

SSL VPN portal.

string

Maximum length: 35

realm

SSL VPN realm.

string

Maximum length: 35

client-cert

Enable/disable SSL VPN client certificate restrictive.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

cipher

SSL VPN cipher strength.

option

-

high

 

Option

Description

any

Any cipher strength.

high

High cipher strength (>= 168 bits).

medium

Medium cipher strength (>= 128 bits).

auth

SSL VPN authentication method restriction.

option

-

any

 

Option

Description

any

Any

local

Local

radius

RADIUS

tacacs+

TACACS+

ldap

LDAP

config vpn ssl settings

Configure SSL VPN.

config vpn ssl settings

Description: Configure SSL VPN.

set reqclientcert [enable|disable]

set user-peer {string}

set ssl-max-proto-ver [tls1-0|tls1-1|...]

set ssl-min-proto-ver [tls1-0|tls1-1|...]

set banned-cipher {option1}, {option2}, ...

set ssl-insert-empty-fragment [enable|disable]

set https-redirect [enable|disable]

set x-content-type-options [enable|disable]

set ssl-client-renegotiation [disable|enable]

set force-two-factor-auth [enable|disable]

set unsafe-legacy-renegotiation [enable|disable]

set servercert {string}

set algorithm [high|medium|...]

set idle-timeout {integer}

set auth-timeout {integer}

set login-attempt-limit {integer}

set login-block-time {integer}

set login-timeout {integer}

set dtls-hello-timeout {integer}

set tunnel-ip-pools <name1>, <name2>, ...

set tunnel-ipv6-pools <name1>, <name2>, ...

set dns-suffix {var-string}

set dns-server1 {ipv4-address}

set dns-server2 {ipv4-address}

set wins-server1 {ipv4-address}

set wins-server2 {ipv4-address}

set ipv6-dns-server1 {ipv6-address}

set ipv6-dns-server2 {ipv6-address}

set ipv6-wins-server1 {ipv6-address}

set ipv6-wins-server2 {ipv6-address}

set url-obscuration [enable|disable]

set http-compression [enable|disable]

set http-only-cookie [enable|disable]

set deflate-compression-level {integer}

set deflate-min-data-size {integer}

set port {integer}

set port-precedence [enable|disable]

set auto-tunnel-static-route [enable|disable]

set header-x-forwarded-for [pass|add|...]

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set default-portal {string}

config authentication-rule

Description: Authentication rule for SSL VPN.

edit <id>

set source-interface <name1>, <name2>, ...

set source-address <name1>, <name2>, ...

set source-address-negate [enable|disable]

set source-address6 <name1>, <name2>, ...

set source-address6-negate [enable|disable]

set users <name1>, <name2>, ...

set groups <name1>, <name2>, ...

set portal {string}

set realm {string}

set client-cert [enable|disable]

set user-peer {string}

set cipher [any|high|...]

set auth [any|local|...]

next

end

set dtls-tunnel [enable|disable]

set dtls-max-proto-ver [dtls1-0|dtls1-2]

set dtls-min-proto-ver [dtls1-0|dtls1-2]

set check-referer [enable|disable]

set http-request-header-timeout {integer}

set http-request-body-timeout {integer}

set auth-session-check-source-ip [enable|disable]

set tunnel-connect-without-reauth [enable|disable]

set tunnel-user-session-timeout {integer}

set hsts-include-subdomains [enable|disable]

set transform-backward-slashes [enable|disable]

set encode-2f-sequence [enable|disable]

set encrypt-and-store-password [enable|disable]

set client-sigalgs [no-rsa-pss|all]

end

config vpn ssl settings

Parameter

Description

Type

Size

Default

reqclientcert

Enable/disable to require client certificates for all SSL VPN users.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

ssl-max-proto-ver

SSL maximum protocol version.

option

-

tls1-3

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

ssl-min-proto-ver

SSL minimum protocol version.

option

-

tls1-2

 

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

banned-cipher

Select one or more cipher technologies that cannot be used in SSL VPN negotiations.

option

-

 

Option

Description