CLI Reference

config vpn ssl web portal

Portal.

config vpn ssl web portal
    Description: Portal.
    edit <name>
        set tunnel-mode [enable|disable]
        set ip-mode [range|user-group]
        set auto-connect [enable|disable]
        set keep-alive [enable|disable]
        set save-password [enable|disable]
        set ip-pools <name1>, <name2>, ...
        set exclusive-routing [enable|disable]
        set service-restriction [enable|disable]
        set split-tunneling [enable|disable]
        set split-tunneling-routing-negate [enable|disable]
        set split-tunneling-routing-address <name1>, <name2>, ...
        set dns-server1 {ipv4-address}
        set dns-server2 {ipv4-address}
        set dns-suffix {var-string}
        set wins-server1 {ipv4-address}
        set wins-server2 {ipv4-address}
        set ipv6-tunnel-mode [enable|disable]
        set ipv6-pools <name1>, <name2>, ...
        set ipv6-exclusive-routing [enable|disable]
        set ipv6-service-restriction [enable|disable]
        set ipv6-split-tunneling [enable|disable]
        set ipv6-split-tunneling-routing-negate [enable|disable]
        set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-wins-server1 {ipv6-address}
        set ipv6-wins-server2 {ipv6-address}
        set web-mode [enable|disable]
        set display-bookmark [enable|disable]
        set user-bookmark [enable|disable]
        set allow-user-access {option1}, {option2}, ...
        set user-group-bookmark [enable|disable]
        config bookmark-group
            Description: Portal bookmark group.
            edit <name>
                config bookmarks
                    Description: Bookmark table.
                    edit <name>
                        set apptype [ftp|rdp|...]
                        set url {var-string}
                        set host {var-string}
                        set folder {var-string}
                        set domain {var-string}
                        set additional-params {var-string}
                        set description {var-string}
                        set keyboard-layout [ar-101|ar-102|...]
                        set security [rdp|nla|...]
                        set send-preconnection-id [enable|disable]
                        set preconnection-id {integer}
                        set preconnection-blob {var-string}
                        set load-balancing-info {var-string}
                        set restricted-admin [enable|disable]
                        set port {integer}
                        set logon-user {var-string}
                        set logon-password {password}
                        set color-depth [32|16|...]
                        set sso [disable|static|...]
                        config form-data
                            Description: Form data.
                            edit <name>
                                set value {var-string}
                            next
                        end
                        set sso-credential [sslvpn-login|alternative]
                        set sso-username {var-string}
                        set sso-password {password}
                        set sso-credential-sent-once [enable|disable]
                    next
                end
            next
        end
        set display-connection-tools [enable|disable]
        set display-history [enable|disable]
        set display-status [enable|disable]
        set rewrite-ip-uri-ui [enable|disable]
        set heading {string}
        set redir-url {var-string}
        set theme [jade|neutrino|...]
        set custom-lang {string}
        set smb-ntlmv1-auth [enable|disable]
        set smbv1 [enable|disable]
        set smb-min-version [smbv1|smbv2|...]
        set smb-max-version [smbv1|smbv2|...]
        set use-sdwan [enable|disable]
        set prefer-ipv6-dns [enable|disable]
        set clipboard [enable|disable]
        set host-check [none|av|...]
        set host-check-interval {integer}
        set host-check-policy <name1>, <name2>, ...
        set limit-user-logins [enable|disable]
        set mac-addr-check [enable|disable]
        set mac-addr-action [allow|deny]
        config mac-addr-check-rule
            Description: Client MAC address check rule.
            edit <name>
                set mac-addr-mask {integer}
                set mac-addr-list <addr1>, <addr2>, ...
            next
        end
        set os-check [enable|disable]
        config os-check-list
            Description: SSL-VPN OS checks.
            edit <name>
                set action [deny|allow|...]
                set tolerance {integer}
                set latest-patch-level {user}
            next
        end
        set forticlient-download [enable|disable]
        set forticlient-download-method [direct|ssl-vpn]
        set customize-forticlient-download-url [enable|disable]
        set windows-forticlient-download-url {var-string}
        set macos-forticlient-download-url {var-string}
        set skip-check-for-unsupported-os [enable|disable]
        set skip-check-for-browser [enable|disable]
        set hide-sso-credential [enable|disable]
        config split-dns
            Description: Split DNS for SSL-VPN.
            edit <id>
                set domains {var-string}
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
                set ipv6-dns-server1 {ipv6-address}
                set ipv6-dns-server2 {ipv6-address}
            next
        end
    next
end

config vpn ssl web portal

tunnel-mode: Enable/disable IPv4 SSL-VPN tunnel mode.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ip-mode: Method by which users of this SSL-VPN tunnel obtain IP addresses.
    Type: option | Size: - | Default: range
    Options:
        range: Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.
        user-group: Use the IP addresses associated with individual users or user groups (usually from external auth servers).

auto-connect: Enable/disable automatic connect by client when system is up.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

keep-alive: Enable/disable automatic reconnect for FortiClient connections.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

save-password: Enable/disable FortiClient saving the user's password.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ip-pools <name>: IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
    <name>: Address name.
    Type: string | Size: Maximum length: 79

exclusive-routing: Enable/disable sending all traffic through the tunnel only.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

service-restriction: Enable/disable tunnel service restriction.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

split-tunneling: Enable/disable IPv4 split tunneling.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

split-tunneling-routing-negate: Enable to negate split tunneling routing address.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

split-tunneling-routing-address <name>: IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
    <name>: Address name.
    Type: string | Size: Maximum length: 79

dns-server1: IPv4 DNS server 1.
    Type: ipv4-address | Size: Not Specified | Default: 0.0.0.0

dns-server2: IPv4 DNS server 2.
    Type: ipv4-address | Size: Not Specified | Default: 0.0.0.0

dns-suffix: DNS suffix.
    Type: var-string | Size: Maximum length: 253

wins-server1: IPv4 WINS server 1.
    Type: ipv4-address | Size: Not Specified | Default: 0.0.0.0

wins-server2: IPv4 WINS server 2.
    Type: ipv4-address | Size: Not Specified | Default: 0.0.0.0

ipv6-tunnel-mode: Enable/disable IPv6 SSL-VPN tunnel mode.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ipv6-pools <name>: IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.
    <name>: Address name.
    Type: string | Size: Maximum length: 79

ipv6-exclusive-routing: Enable/disable sending all IPv6 traffic through the tunnel only.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ipv6-service-restriction: Enable/disable IPv6 tunnel service restriction.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ipv6-split-tunneling: Enable/disable IPv6 split tunneling.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ipv6-split-tunneling-routing-negate: Enable to negate IPv6 split tunneling routing address.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

ipv6-split-tunneling-routing-address <name>: IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
    <name>: Address name.
    Type: string | Size: Maximum length: 79

ipv6-dns-server1: IPv6 DNS server 1.
    Type: ipv6-address | Size: Not Specified | Default: ::

ipv6-dns-server2: IPv6 DNS server 2.
    Type: ipv6-address | Size: Not Specified | Default: ::

ipv6-wins-server1: IPv6 WINS server 1.
    Type: ipv6-address | Size: Not Specified | Default: ::

ipv6-wins-server2: IPv6 WINS server 2.
    Type: ipv6-address | Size: Not Specified | Default: ::

web-mode: Enable/disable SSL-VPN web mode.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

display-bookmark: Enable to display the web portal bookmark widget.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

user-bookmark: Enable to allow web portal users to create their own bookmarks.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

allow-user-access: Allow user access to SSL-VPN applications.
    Type: option | Size: - | Default: web ftp smb sftp telnet ssh vnc rdp ping
    Options:
        web: HTTP/HTTPS access.
        ftp: FTP access.
        smb: SMB/CIFS access.
        sftp: SFTP access.
        telnet: TELNET access.
        ssh: SSH access.
        vnc: VNC access.
        rdp: RDP access.
        ping: PING access.

user-group-bookmark: Enable to allow web portal users to create bookmarks for all users in the same user group.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

display-connection-tools: Enable to display the web portal connection tools widget.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

display-history: Enable to display the web portal user login history widget.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

display-status: Enable to display the web portal status widget.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

rewrite-ip-uri-ui: Rewrite contents for URIs that contain an IP address and "/ui/".
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable contents rewrite for URIs that contain "IP-address/ui/".
        disable: Disable contents rewrite for URIs that contain "IP-address/ui/".

heading: Web portal heading message.
    Type: string | Size: Maximum length: 31 | Default: SSL-VPN Portal

redir-url: Client login redirect URL.
    Type: var-string | Size: Maximum length: 255

theme: Web portal color scheme.
    Type: option | Size: - | Default: neutrino
    Options:
        jade: Jade theme.
        neutrino: Neutrino theme.
        mariner: Mariner theme.
        graphite: Graphite theme.
        melongene: Melongene theme.
        dark-matter: Dark Matter theme.
        onyx: Onyx theme.
        eclipse: Eclipse theme.

custom-lang: Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files.
    Type: string | Size: Maximum length: 35

smb-ntlmv1-auth: Enable support of NTLMv1 for Samba authentication.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

smbv1: smbv1
    Type: option | Size: - | Default: disable
    Options:
        enable: enable
        disable: disable

smb-min-version: SMB minimum client protocol version.
    Type: option | Size: - | Default: smbv2
    Options:
        smbv1: SMB version 1.
        smbv2: SMB version 2.
        smbv3: SMB version 3.

smb-max-version: SMB maximum client protocol version.
    Type: option | Size: - | Default: smbv3
    Options:
        smbv1: SMB version 1.
        smbv2: SMB version 2.
        smbv3: SMB version 3.

use-sdwan: Use SD-WAN rules to get output interface.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

prefer-ipv6-dns: Prefer to query IPv6 DNS first if enabled.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

clipboard: Enable to support RDP/VNC clipboard functionality.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable support of RDP/VNC clipboard.
        disable: Disable support of RDP/VNC clipboard.

host-check: Type of host checking performed on endpoints.
    Type: option | Size: - | Default: none
    Options:
        none: No host checking.
        av: AntiVirus software recognized by the Windows Security Center.
        fw: Firewall software recognized by the Windows Security Center.
        av-fw: AntiVirus and firewall software recognized by the Windows Security Center.
        custom: Custom.

host-check-interval: Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.
    Type: integer | Size: Minimum value: 120, Maximum value: 259200 | Default: 0

host-check-policy <name>: One or more policies to require the endpoint to have specific security software.
    <name>: Host check software list name.
    Type: string | Size: Maximum length: 79

limit-user-logins: Enable to limit each user to one SSL-VPN session at a time.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

mac-addr-check: Enable/disable MAC address host checking.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

mac-addr-action: Client MAC address action.
    Type: option | Size: - | Default: allow
    Options:
        allow: Allow connection when client MAC address is matched.
        deny: Deny connection when client MAC address is matched.

os-check: Enable to let the FortiGate decide action based on client OS.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

forticlient-download: Enable/disable download option for FortiClient.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

forticlient-download-method: FortiClient download method.
    Type: option | Size: - | Default: direct
    Options:
        direct: Download via direct link.
        ssl-vpn: Download via SSL-VPN.

customize-forticlient-download-url: Enable support of customized download URL for FortiClient.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

windows-forticlient-download-url: Download URL for Windows FortiClient.
    Type: var-string | Size: Maximum length: 1023

macos-forticlient-download-url: Download URL for Mac FortiClient.
    Type: var-string | Size: Maximum length: 1023

skip-check-for-unsupported-os: Enable to skip host check if client OS does not support it.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

skip-check-for-browser: Enable to skip host check for browser support.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

hide-sso-credential: Enable to prevent SSO credential being sent to client.
    Type: option | Size: - | Default: enable
    Options:
        enable: Enable setting.
        disable: Disable setting.

config bookmarks

apptype: Application type.
    Type: option | Size: - | Default: web
    Options:
        ftp: FTP.
        rdp: RDP.
        sftp: SFTP.
        smb: SMB/CIFS.
        ssh: SSH.
        telnet: Telnet.
        vnc: VNC.
        web: HTTP/HTTPS.

url: URL parameter.
    Type: var-string | Size: Maximum length: 128

host: Host name/IP parameter.
    Type: var-string | Size: Maximum length: 128

folder: Network shared file folder parameter.
    Type: var-string | Size: Maximum length: 128

domain: Login domain.
    Type: var-string | Size: Maximum length: 128

additional-params: Additional parameters.
    Type: var-string | Size: Maximum length: 128

description: Description.
    Type: var-string | Size: Maximum length: 128

keyboard-layout: Keyboard layout.
    Type: option | Size: - | Default: en-us
    Options:
        ar-101: Arabic (101).
        ar-102: Arabic (102).
        ar-102-azerty: Arabic (102) AZERTY.
        can-mul: Canadian Multilingual Standard.
        cz: Czech.
        cz-qwerty: Czech (QWERTY).
        cz-pr: Czech Programmers.
        da: Danish.
        nl: Dutch.
        de: German.
        de-ch: German, Switzerland.
        de-ibm: German (IBM).
        en-uk: English, United Kingdom.
        en-uk-ext: English, United Kingdom Extended.
        en-us: English, United States.
        en-us-dvorak: English, United States-Dvorak.
        es: Spanish.
        es-var: Spanish Variation.
        fi: Finnish.
        fi-sami: Finnish with Sami.
        fr: French.
        fr-ca: French, Canada.
        fr-ch: French, Switzerland.
        fr-be: French, Belgian.
        hr: Croatian.
        hu: Hungarian.
        hu-101: Hungarian 101-Key.
        it: Italian.
        it-142: Italian (142).
        ja: Japanese.
        ko: Korean.
        lt: Lithuanian.
        lt-ibm: Lithuanian IBM.
        lt-std: Lithuanian Standard.
        lav-std: Latvian (Standard).
        lav-leg: Latvian (Legacy).
        mk: Macedonian (FYROM).
        mk-std: Macedonia (FYROM) - Standard.
        no: Norwegian.
        no-sami: Norwegian with Sami.
        pol-214: Polish (214).
        pol-pr: Polish (Programmers).
        pt: Portuguese.
        pt-br: Portuguese (Brazilian ABNT).
        pt-br-abnt2: Portuguese (Brazilian ABNT2).
        ru: Russian.
        ru-mne: Russian - Mnemonic.
        ru-t: Russian (Typewriter).
        sl: Slovenian.
        sv: Swedish.
        sv-sami: Swedish with Sami.
        tuk: Turkmen.
        tur-f: Turkish F.
        tur-q: Turkish Q.
        zh-sym-sg-us: Chinese (Simplified, Singapore) - US keyboard.
        zh-sym-us: Chinese (Simplified) - US Keyboard.
        zh-tr-hk: Chinese (Traditional, Hong Kong S.A.R.).
        zh-tr-mo: Chinese (Traditional Macao S.A.R.) - US Keyboard.
        zh-tr-us: Chinese (Traditional) - US keyboard.

security: Security mode for RDP connection.
    Type: option | Size: - | Default: rdp
    Options:
        rdp: Standard RDP encryption.
        nla: Network Level Authentication.
        tls: TLS encryption.
        any: Allow the server to choose the type of security.

send-preconnection-id: Enable/disable sending of preconnection ID.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable sending of preconnection ID.
        disable: Disable sending of preconnection ID.

preconnection-id: The numeric ID of the RDP source.
    Type: integer | Size: Minimum value: 0, Maximum value: 4294967295 | Default: 0

preconnection-blob: An arbitrary string which identifies the RDP source.
    Type: var-string | Size: Maximum length: 511

load-balancing-info: The load balancing information or cookie which should be provided to the connection broker.
    Type: var-string | Size: Maximum length: 511

restricted-admin: Enable/disable restricted admin mode for RDP.
    Type: option | Size: - | Default: disable
    Options:
        enable: Enable restricted admin mode for RDP.
        disable: Disable restricted admin mode for RDP.

port: Remote port.
    Type: integer | Size: Minimum value: 0, Maximum value: 65535 | Default: 0

logon-user: Logon user.
    Type: var-string | Size: Maximum length: 35

logon-password: Logon password.
    Type: password | Size: Not Specified

color-depth: Color depth per pixel.
    Type: option | Size: - | Default: 16
    Options:
        32: 32 bits per pixel.
        16: 16 bits per pixel.
        8: 8 bits per pixel.

sso: Single Sign-On.
    Type: option | Size: - | Default: disable
    Options:
        disable: Disable SSO.
        static: Static SSO.
        auto: Auto SSO.

sso-credential: Single sign-on credentials.
    Type: option | Size: - | Default: sslvpn-login
    Options:
        sslvpn-login: SSL-VPN login.
        alternative: Alternative.

sso-username: SSO user name.
    Type: var-string | Size: Maximum length: 35

sso-password: SSO password.
    Type: password | Size: Not Specified

sso-credential-sent-once: Single sign-on credentials are only sent once to remote server.
    Type: option | Size: - | Default: disable
    Options:
        enable: Single sign-on credentials are only sent once to remote server.
        disable: Single sign-on credentials are sent to remote server for every HTTP request.

config form-data

value: Value.
    Type: var-string | Size: Maximum length: 63

config mac-addr-check-rule

mac-addr-mask: Client MAC address mask.
    Type: integer | Size: Minimum value: 1, Maximum value: 48 | Default: 48

mac-addr-list <addr>: Client MAC address list.
    <addr>: Client MAC address.
    Type: mac-address | Size: Not Specified

config os-check-list

action: OS check options.
    Type: option | Size: - | Default: allow
    Options:
        deny: Deny all OS versions.
        allow: Allow any OS version.
        check-up-to-date: Verify OS is up-to-date.

tolerance: OS patch level tolerance.
    Type: integer | Size: Minimum value: 0, Maximum value: 65535 | Default: 0

latest-patch-level: Latest OS patch level.
    Type: user | Size: Not Specified | Default: 0

config split-dns

domains: Split DNS domains used for SSL-VPN clients, separated by commas (,).
    Type: var-string | Size: Maximum length: 1024

dns-server1: DNS server 1.
    Type: ipv4-address | Size: Not Specified | Default: 0.0.0.0

dns-server2: DNS server 2.
    Type: ipv4-address | Size: Not Specified | Default: 0.0.0.0

ipv6-dns-server1: IPv6 DNS server 1.
    Type: ipv6-address | Size: Not Specified | Default: ::

ipv6-dns-server2: IPv6 DNS server 2.
    Type: ipv6-address | Size: Not Specified | Default: ::
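
A worked audit of the portal settings documented above, as an added example that is not part of the Fortinet reference. It parses portal entries from a FortiOS configuration backup, fills in the defaults listed on this page (backups and show output omit settings left at their default), and flags values against an assumed hardening baseline. The sample configuration, the baseline rules and the function names are constructed for illustration.

```python
import shlex

# Defaults copied from the parameter descriptions on this page. An audit that
# reads only explicit `set` lines would miss weak values that are defaults.
DEFAULTS = {
    "save-password": "disable",
    "smb-ntlmv1-auth": "disable",
    "smb-min-version": "smbv2",
    "host-check": "none",
    "hide-sso-credential": "enable",
    "limit-user-logins": "disable",
    "allow-user-access": "web ftp smb sftp telnet ssh vnc rdp ping",
}

# Assumed hardening baseline (constructed for this example, not vendor
# guidance): (setting, predicate that is truthy for a weak value, reason).
RULES = [
    ("save-password", lambda v: v == "enable", "FortiClient saves the user's password"),
    ("smb-ntlmv1-auth", lambda v: v == "enable", "NTLMv1 is accepted for SMB authentication"),
    ("smb-min-version", lambda v: v == "smbv1", "SMB may negotiate down to version 1"),
    ("host-check", lambda v: v == "none", "no host checking is performed on endpoints"),
    ("hide-sso-credential", lambda v: v == "disable", "SSO credential is sent to the client"),
    ("limit-user-logins", lambda v: v == "disable", "a user may hold several sessions at once"),
    ("allow-user-access", lambda v: {"ftp", "telnet"} & set(v.split()),
     "cleartext protocols (ftp/telnet) are allowed"),
]

# Constructed sample in config-backup form (addresses are documentation ranges).
SAMPLE_CONFIG = """
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set save-password enable
        set smb-ntlmv1-auth enable
        set smb-min-version smbv1
        set host-check av-fw
        set limit-user-logins enable
        set allow-user-access web rdp ssh
        set dns-server1 192.0.2.1
        config split-dns
            edit 1
                set domains "corp.example"
                set dns-server1 192.0.2.53
            next
        end
    next
    edit "web-only"
        set web-mode enable
        set hide-sso-credential disable
    next
end
"""


def parse_portals(config_text):
    """Return {portal name: {setting: value}} for portal-level settings only.

    Nested tables (split-dns, bookmark-group, ...) reuse names such as
    dns-server1, so `set` lines are recorded only at nesting depth 1.
    """
    portals, current, depth, in_section = {}, None, 0, False
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. a multi-line value
            continue
        if not tokens:
            continue
        if not in_section:
            if tokens == ["config", "vpn", "ssl", "web", "portal"]:
                in_section, depth = True, 1
            continue
        word = tokens[0]
        if word == "config":
            depth += 1
        elif word == "end":
            depth -= 1
            in_section = depth > 0
        elif depth == 1 and word == "edit" and len(tokens) > 1:
            current = portals.setdefault(tokens[1], {})
        elif depth == 1 and word == "next":
            current = None
        elif depth == 1 and word == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = " ".join(tokens[2:])
    return portals


def audit(config_text):
    """Return (portal, setting, value, 'explicit'|'default', reason) tuples."""
    findings = []
    for name, settings in parse_portals(config_text).items():
        effective = {**DEFAULTS, **settings}
        for key, is_weak, why in RULES:
            if is_weak(effective[key]):
                source = "explicit" if key in settings else "default"
                findings.append((name, key, effective[key], source, why))
    return findings


if __name__ == "__main__":
    for portal, key, value, source, why in audit(SAMPLE_CONFIG):
        print(f"{portal}: {key}={value!r} ({source}): {why}")
```

Findings marked default come from values the backup never states, which is why the defaults listed on this page have to be part of any review of a portal.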

sftp

SFTP.

smb

SMB/CIFS.

ssh

SSH.

telnet

Telnet.

vnc

VNC.

web

HTTP/HTTPS.

url

URL parameter.

var-string

Maximum length: 128

host

Host name/IP parameter.

var-string

Maximum length: 128

folder

Network shared file folder parameter.

var-string

Maximum length: 128

domain

Login domain.

var-string

Maximum length: 128

additional-params

Additional parameters.

var-string

Maximum length: 128

description

Description.

var-string

Maximum length: 128

keyboard-layout

Keyboard layout.

option

-

en-us

Option

Description

ar-101

Arabic (101).

ar-102

Arabic (102).

ar-102-azerty

Arabic (102) AZERTY.

can-mul

Canadian Multilingual Standard.

cz

Czech.

cz-qwerty

Czech (QWERTY).

cz-pr

Czech Programmers.

da

Danish.

nl

Dutch.

de

German.

de-ch

German, Switzerland.

de-ibm

German (IBM).

en-uk

English, United Kingdom.

en-uk-ext

English, United Kingdom Extended.

en-us

English, United States.

en-us-dvorak

English, United States-Dvorak.

es

Spanish.

es-var

Spanish Variation.

fi

Finnish.

fi-sami

Finnish with Sami.

fr

French.

fr-ca

French, Canada.

fr-ch

French, Switzerland.

fr-be

French, Belgian.

hr

Croatian.

hu

Hungarian.

hu-101

Hungarian 101-Key.

it

Italian.

it-142

Italian (142).

ja

Japanese.

ko

Korean.

lt

Lithuanian.

lt-ibm

Lithuanian IBM.

lt-std

Lithuanian Standard.

lav-std

Latvian (Standard).

lav-leg

Latvian (Legacy).

mk

Macedonian (FYROM).

mk-std

Macedonia (FYROM) - Standard.

no

Norwegian.

no-sami

Norwegian with Sami.

pol-214

Polish (214).

pol-pr

Polish (Programmers).

pt

Portuguese.

pt-br

Portuguese (Brazilian ABNT).

pt-br-abnt2

Portuguese (Brazilian ABNT2).

ru

Russian.

ru-mne

Russian - Mnemonic.

ru-t

Russian (Typewriter).

sl

Slovenian.

sv

Swedish.

sv-sami

Swedish with Sami.

tuk

Turkmen.

tur-f

Turkish F.

tur-q

Turkish Q.

zh-sym-sg-us

Chinese (Simplified, Singapore) - US keyboard.

zh-sym-us

Chinese (Simplified) - US Keyboard.

zh-tr-hk

Chinese (Traditional, Hong Kong S.A.R.).

zh-tr-mo

Chinese (Traditional, Macao S.A.R.) - US Keyboard.

zh-tr-us

Chinese (Traditional) - US keyboard.

security

Security mode for RDP connection.

option

-

rdp

Option

Description

rdp

Standard RDP encryption.

nla

Network Level Authentication.

tls

TLS encryption.

any

Allow the server to choose the type of security.

send-preconnection-id

Enable/disable sending of preconnection ID.

option

-

disable

Option

Description

enable

Enable sending of preconnection ID.

disable

Disable sending of preconnection ID.

preconnection-id

The numeric ID of the RDP source.

integer

Minimum value: 0 Maximum value: 4294967295

0

preconnection-blob

An arbitrary string which identifies the RDP source.

var-string

Maximum length: 511

load-balancing-info

The load balancing information or cookie which should be provided to the connection broker.

var-string

Maximum length: 511

restricted-admin

Enable/disable restricted admin mode for RDP.

option

-

disable

Option

Description

enable

Enable restricted admin mode for RDP.

disable

Disable restricted admin mode for RDP.

port

Remote port.

integer

Minimum value: 0 Maximum value: 65535

0

logon-user

Logon user.

var-string

Maximum length: 35

logon-password

Logon password.

password

Not Specified

color-depth

Color depth per pixel.

option

-

16

Option

Description

32

32 bits per pixel.

16

16 bits per pixel.

8

8 bits per pixel.

sso

Single Sign-On.

option

-

disable

Option

Description

disable

Disable SSO.

static

Static SSO.

auto

Auto SSO.

sso-credential

Single sign-on credentials.

option

-

sslvpn-login

Option

Description

sslvpn-login

SSL-VPN login.

alternative

Alternative.

sso-username

SSO user name.

var-string

Maximum length: 35

sso-password

SSO password.

password

Not Specified

sso-credential-sent-once

Single sign-on credentials are only sent once to remote server.

option

-

disable

Option

Description

enable

Single sign-on credentials are only sent once to remote server.

disable

Single sign-on credentials are sent to remote server for every HTTP request.

config form-data

Parameter

Description

Type

Size

Default

value

Value.

var-string

Maximum length: 63

config mac-addr-check-rule

Parameter

Description

Type

Size

Default

mac-addr-mask

Client MAC address mask.

integer

Minimum value: 1 Maximum value: 48

48

mac-addr-list <addr>

Client MAC address list.

Client MAC address.

mac-address

Not Specified

config os-check-list

Parameter

Description

Type

Size

Default

action

OS check options.

option

-

allow

Option

Description

deny

Deny all OS versions.

allow

Allow any OS version.

check-up-to-date

Verify OS is up-to-date.

tolerance

OS patch level tolerance.

integer

Minimum value: 0 Maximum value: 65535

0

latest-patch-level

Latest OS patch level.

user

Not Specified

0

config split-dns

Parameter

Description

Type

Size

Default

domains

Split DNS domains used for SSL-VPN clients, separated by commas (,).

var-string

Maximum length: 1024

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

::

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

::
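An added example, not part of the Fortinet reference: a small Python audit that parses `show`-style output for this table and reports portal and bookmark entries whose effective `smbv1`, `smb-ntlmv1-auth`, `smb-min-version`, `host-check`, `apptype` or `security` value is one a reviewer may want to change. The defaults are copied from the tables above; the flagging policy, the function names and the sample configuration are assumptions made for this example.

```python
import shlex

# Defaults per table, copied from this page; "show" output omits values left at default.
DEFAULTS = {"vpn ssl web portal": {"smbv1": "disable", "smb-ntlmv1-auth": "disable",
                                   "smb-min-version": "smbv2", "host-check": "none"},
            "bookmarks": {"apptype": "web", "security": "rdp"}}
# This example's own audit policy (an assumption, not vendor guidance).
FLAGGED = {("smbv1", "enable"), ("smb-ntlmv1-auth", "enable"), ("host-check", "none"),
           ("smb-min-version", "smbv1"), ("apptype", "telnet"), ("security", "rdp")}

def parse(text):
    """Map each 'edit' entry, keyed by its config/edit path, to its 'set' values."""
    entries, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
            if tok[0] == "edit":
                entries[tuple(stack)] = {}
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set" and len(tok) > 2 and stack and stack[-1][0] == "edit":
            entries[tuple(stack)][tok[1]] = " ".join(tok[2:])
    return entries

def audit(text):
    """Return (entry, setting, effective value) for every flagged setting."""
    findings = []
    for path, settings in parse(text).items():
        table = path[-2][1] if len(path) > 1 else ""
        if table not in DEFAULTS:
            continue  # e.g. bookmark-group entries carry no audited settings
        effective = {**DEFAULTS[table], **settings}
        if table == "bookmarks" and effective["apptype"] != "rdp":
            del effective["security"]  # RDP security mode is irrelevant elsewhere
        name = "/".join(n for kind, n in path if kind == "edit")
        findings += [(name, k, v) for k, v in effective.items() if (k, v) in FLAGGED]
    return findings

# Constructed "show"-style sample (names are made up), one CLI line per list item.
SAMPLE = "\n".join([
    'config vpn ssl web portal', 'edit "legacy-portal"', 'set smbv1 enable',
    'config bookmark-group', 'edit "gui-bookmarks"', 'config bookmarks',
    'edit "jump-host"', 'set apptype rdp', 'next', 'end', 'next', 'end', 'next',
    'edit "hardened-portal"', 'set host-check av-fw', 'next', 'end'])

if __name__ == "__main__":
    for entry, setting, value in audit(SAMPLE):
        print(f"{entry}: {setting} = {value}")
```

Because the defaults are merged in before checking, `legacy-portal` is reported for `host-check none` and the RDP bookmark for `security rdp` even though neither line appears in the sample.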