CLI Reference

config vpn ssl settings

Note

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F, FortiGate 101F Gen2, FortiGate 1100E, FortiGate 1101E, FortiGate 120G, FortiGate 121G, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 200G, FortiGate 201E, FortiGate 201F, FortiGate 201G, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F Gen2, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F Gen2, FortiGate 3501F Gen2, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 4200F, FortiGate 4201F Gen2, FortiGate 4400F, FortiGate 4401F Gen2, FortiGate 4800F, FortiGate 4801F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80F Bypass, FortiGate 80F DSL, FortiGate 80F Gen2, FortiGate 80F-POE, FortiGate 81F Gen2, FortiGate 81F-POE, FortiGate 900D, FortiGate 900G, FortiGate 901G, FortiGate-VM64 Aliyun, FortiGate-VM64 AWS, FortiGate-VM64 Azure, FortiGate-VM64 GCP, FortiGate-VM64 OPC, FortiGate-VM64, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 80F 2R 3G4G DSL, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G DSL, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 40F 3G4G, FortiGate 40F, FortiGate 50G 5G, FortiGate 50G DSL, FortiGate 50G SFP-POE, FortiGate 50G SFP, FortiGate 50G, FortiGate 51G 5G, FortiGate 51G SFP-POE, FortiGate 51G, FortiGate 60F, FortiGate 61F, FortiGate 70G-POE, FortiGate 70G, FortiGate 71G-POE, FortiGate 71G, FortiGate 90G Gen2, FortiGate 90G, FortiGate 91G Gen2, FortiGate 91G, FortiGateRugged 50G 5G, FortiGateRugged 60F 3G4G, FortiGateRugged 60F Gen2, FortiGateRugged 70G 5G Dual, FortiGateRugged 70G, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 50G 5G, FortiWiFi 50G DSL, FortiWiFi 50G SFP, FortiWiFi 50G, FortiWiFi 51G, FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 70G, FortiWiFi 71G.

Configure Agentless VPN.

config vpn ssl settings
    Description: Configure Agentless VPN.
    set algorithm [high|medium|...]
    set auth-session-check-source-ip [enable|disable]
    set auth-timeout {integer}
    config authentication-rule
        Description: Authentication rule for Agentless VPN.
        edit <id>
            set auth [any|local|...]
            set cipher [any|high|...]
            set client-cert [enable|disable]
            set groups <name1>, <name2>, ...
            set portal {string}
            set realm {string}
            set source-address <name1>, <name2>, ...
            set source-address-negate [enable|disable]
            set source-address6 <name1>, <name2>, ...
            set source-address6-negate [enable|disable]
            set source-interface <name1>, <name2>, ...
            set user-peer {string}
            set users <name1>, <name2>, ...
        next
    end
    set banned-cipher {option1}, {option2}, ...
    set browser-language-detection [enable|disable]
    set check-referer [enable|disable]
    set ciphersuite {option1}, {option2}, ...
    set client-sigalgs [no-rsa-pss|all]
    set default-portal {string}
    set deflate-compression-level {integer}
    set deflate-min-data-size {integer}
    set dns-suffix {var-string}
    set dtls-heartbeat-fail-count {integer}
    set dtls-heartbeat-idle-timeout {integer}
    set dtls-heartbeat-interval {integer}
    set dtls-hello-timeout {integer}
    set dual-stack-mode [enable|disable]
    set encode-2f-sequence [enable|disable]
    set encrypt-and-store-password [enable|disable]
    set force-two-factor-auth [enable|disable]
    set header-x-forwarded-for [pass|add|...]
    set hsts-include-subdomains [enable|disable]
    set http-compression [enable|disable]
    set http-only-cookie [enable|disable]
    set http-request-body-timeout {integer}
    set http-request-header-timeout {integer}
    set https-redirect [enable|disable]
    set idle-timeout {integer}
    set login-attempt-limit {integer}
    set login-block-time {integer}
    set login-timeout {integer}
    set port {integer}
    set port-precedence [enable|disable]
    set remote-https-cert-check [no-check|warn-on-error|...]
    set reqclientcert [enable|disable]
    set server-hostname {string}
    set servercert {string}
    set source-address <name1>, <name2>, ...
    set source-address-negate [enable|disable]
    set source-address6 <name1>, <name2>, ...
    set source-address6-negate [enable|disable]
    set source-interface <name1>, <name2>, ...
    set ssl-client-renegotiation [disable|enable]
    set ssl-insert-empty-fragment [enable|disable]
    set ssl-max-proto-ver [tls1-0|tls1-1|...]
    set ssl-min-proto-ver [tls1-0|tls1-1|...]
    set status [enable|disable]
    set tls-groups {option1}, {option2}, ...
    set transform-backward-slashes [enable|disable]
    set unsafe-legacy-renegotiation [enable|disable]
    set url-obscuration [enable|disable]
    set user-peer {string}
    set x-content-type-options [enable|disable]
end
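The syntax block above lists every parameter, but a `show vpn ssl settings` export only prints the values an administrator changed; anything left at its default is silent, so an audit has to merge the documented defaults back in before judging the configuration. The following is an added example, not Fortinet code: a small parser for the `config vpn ssl settings ... end` block (including the nested `config authentication-rule` entries) and an audit that applies a hardening baseline to the TLS and login-lockout parameters. The parameter names and defaults are the ones documented on this page; the thresholds, the two constructed exports and the quoted object names (`wan1`, `vpn-users`, `vpn-allowed-src`, `vpn-pki-peer`, `full-access`) are this example's own assumptions.

```python
"""Audit FortiGate 'show vpn ssl settings' output against a hardening baseline (added example, not Fortinet code)."""
import shlex
from dataclasses import dataclass, field
# Defaults documented on this page for the audited parameters; 'show' omits values left at default.
DEFAULTS = {
    "ssl-min-proto-ver": "tls1-2", "banned-cipher": "SHA1 SHA256 SHA384",
    "ssl-client-renegotiation": "disable", "unsafe-legacy-renegotiation": "disable",
    "login-attempt-limit": "2", "auth-timeout": "28800",
    "reqclientcert": "disable", "force-two-factor-auth": "disable",
}
RULE_DEFAULTS = {"auth": "any", "cipher": "high", "client-cert": "disable"}
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]

@dataclass
class SslSettings:
    values: dict = field(default_factory=lambda: dict(DEFAULTS))  # top-level 'set' lines over defaults
    rules: dict = field(default_factory=dict)                      # authentication-rule id -> {key: value}

def parse_ssl_settings(text: str) -> SslSettings:
    """Parse 'config vpn ssl settings ... end', including nested 'config authentication-rule'."""
    s, stack, rule_id = SslSettings(), [], None
    for line in text.splitlines():
        tok = shlex.split(line)                    # handles quoted object names
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] == "edit" and stack[-1] == "authentication-rule":
            rule_id = int(tok[1])
            s.rules[rule_id] = dict(RULE_DEFAULTS)
        elif tok[0] == "next":
            rule_id = None
        elif tok[0] == "set":
            target = s.rules[rule_id] if rule_id is not None else s.values
            target[tok[1]] = " ".join(tok[2:])     # multi-value options stay space separated
    return s

def audit(s: SslSettings) -> list[tuple[str, str]]:
    """Return (parameter, finding) pairs; thresholds are this example's baseline, not Fortinet's."""
    v, out = s.values, []
    if TLS_ORDER.index(v["ssl-min-proto-ver"]) < TLS_ORDER.index("tls1-2"):
        out.append(("ssl-min-proto-ver", f"{v['ssl-min-proto-ver']} accepts TLS 1.0/1.1; set tls1-2"))
    if "SHA1" not in v["banned-cipher"].split():
        out.append(("banned-cipher", "SHA1 not banned: HMAC-SHA1 suites (every 3DES suite among them) stay negotiable"))
    for key in ("ssl-client-renegotiation", "unsafe-legacy-renegotiation"):
        if v[key] != "disable":
            out.append((key, "renegotiation enabled; keep it disabled"))
    if int(v["login-attempt-limit"]) == 0:
        out.append(("login-attempt-limit", "0 = no limit: failed logins never trigger login-block-time"))
    if int(v["auth-timeout"]) == 0:
        out.append(("auth-timeout", "0 = no timeout: authenticated sessions never expire"))
    if not (v.get("source-address") or v.get("source-address6")):
        out.append(("source-address", "no source address restriction is configured on the portal"))
    cert_required = "enable" in (v["reqclientcert"], v["force-two-factor-auth"])
    for rid, r in sorted(s.rules.items()):
        if not cert_required and r["client-cert"] != "enable":
            out.append((f"authentication-rule {rid}",
                        "no certificate requirement (client-cert, reqclientcert, force-two-factor-auth all disabled)"))
        if not (r.get("groups") or r.get("users") or r.get("user-peer")):
            out.append((f"authentication-rule {rid}", "matches no users, groups or user-peer"))
    return out
# Constructed exports for demonstration, not taken from a real device; quoted names are placeholders.
WEAK_CONFIG = """\
config vpn ssl settings
    set ssl-min-proto-ver tls1-0
    set banned-cipher SHA256 SHA384
    set unsafe-legacy-renegotiation enable
    set login-attempt-limit 0
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
        edit 2
            set user-peer "vpn-pki-peer"
            set client-cert enable
        next
    end
end
"""
HARDENED_CONFIG = """\
config vpn ssl settings
    set reqclientcert enable
    set source-interface "wan1"
    set source-address "vpn-allowed-src"
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
"""

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        print(audit(parse_ssl_settings(cfg)))
```

Run against the weak export the audit reports six findings (the TLS 1.0 floor, the missing SHA1 ban, legacy renegotiation, the disabled lockout, the unrestricted source address, and rule 1 accepting logins without any certificate requirement); rule 2 passes because it is bound to a user peer and requires a client certificate. The hardened export reports nothing. If the export comes from `show full-configuration vpn ssl settings`, every parameter is present and the default overlay is simply overwritten.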

config vpn ssl settings

Each parameter below is listed with its description, type, size or range, and default; for option types the accepted values follow.

algorithm
    Force the Agentless VPN security level. High allows only high. Medium allows medium and high. Low allows any.
    Type: option. Default: high.
    Options:
        high     High algorithms.
        medium   High and medium algorithms.
        default  Default algorithms.
        low      All algorithms.

auth-session-check-source-ip
    Enable/disable checking of the source IP for the authentication session.
    Type: option (enable|disable). Default: enable.

auth-timeout
    Agentless VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
    Type: integer. Range: 0 - 259200. Default: 28800.

banned-cipher
    Select one or more cipher technologies that cannot be used in Agentless VPN negotiations. Only applies to TLS 1.2 and below.
    Type: option (one or more). Default: SHA1 SHA256 SHA384.
    Options:
        RSA       Ban the use of cipher suites using an RSA key.
        DHE       Ban the use of cipher suites using authenticated ephemeral DH key agreement.
        ECDHE     Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
        DSS       Ban the use of cipher suites using DSS authentication.
        ECDSA     Ban the use of cipher suites using ECDSA authentication.
        AES       Ban the use of cipher suites using either 128 or 256 bit AES.
        AESGCM    Ban the use of cipher suites using AES in Galois/Counter Mode (GCM).
        CAMELLIA  Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
        3DES      Ban the use of cipher suites using triple DES.
        SHA1      Ban the use of cipher suites using HMAC-SHA1.
        SHA256    Ban the use of cipher suites using HMAC-SHA256.
        SHA384    Ban the use of cipher suites using HMAC-SHA384.
        STATIC    Ban the use of cipher suites using static keys.
        CHACHA20  Ban the use of cipher suites using ChaCha20.
        ARIA      Ban the use of cipher suites using ARIA.
        AESCCM    Ban the use of cipher suites using AES-CCM.

browser-language-detection
    Enable/disable overriding the configured system language based on the preferred language of the browser.
    Type: option (enable|disable). Default: enable.

check-referer
    Enable/disable verification of referer field in HTTP request header.
    Type: option (enable|disable). Default: disable.

ciphersuite
    Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below.
    Type: option (one or more). Default: TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256.
    Options:
        TLS-AES-128-GCM-SHA256        Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.
        TLS-AES-256-GCM-SHA384        Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.
        TLS-CHACHA20-POLY1305-SHA256  Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.
        TLS-AES-128-CCM-SHA256        Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.
        TLS-AES-128-CCM-8-SHA256      Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

client-sigalgs
    Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only.
    Type: option. Default: all.
    Options:
        no-rsa-pss  Disable RSA-PSS signature algorithms for client authentication.
        all         Enable all supported signature algorithms for client authentication.

default-portal
    Default Agentless VPN portal.
    Type: string. Maximum length: 35.

deflate-compression-level
    Compression level (0 - 9).
    Type: integer. Range: 0 - 9. Default: 6.

deflate-min-data-size
    Minimum amount of data that triggers compression (200 - 65535 bytes).
    Type: integer. Range: 200 - 65535. Default: 300.

dns-suffix
    DNS suffix used for Agentless VPN clients.
    Type: var-string. Maximum length: 253.

dtls-heartbeat-fail-count
    Number of missing heartbeats before the connection is considered dropped.
    Type: integer. Range: 3 - 10. Default: 3.

dtls-heartbeat-idle-timeout
    Idle timeout before a DTLS heartbeat is sent.
    Type: integer. Range: 3 - 10. Default: 3.

dtls-heartbeat-interval
    Interval between DTLS heartbeats.
    Type: integer. Range: 3 - 10. Default: 3.

dtls-hello-timeout
    Agentless VPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
    Type: integer. Range: 10 - 60. Default: 10.

dual-stack-mode
    Agentless web mode: support IPv4 and IPv6 bookmarks in the portal.
    Type: option (enable|disable). Default: disable.

encode-2f-sequence
    Encode the \2F sequence to a forward slash in URLs.
    Type: option (enable|disable). Default: disable.

encrypt-and-store-password
    Encrypt and store user passwords for Agentless VPN web sessions.
    Type: option (enable|disable). Default: disable.

force-two-factor-auth
    Enable/disable allowing only PKI users with two-factor authentication for Agentless VPNs.
    Type: option (enable|disable). Default: disable.

header-x-forwarded-for
    Forward the same, add, or remove the X-Forwarded-For HTTP header.
    Type: option. Default: add.
    Options:
        pass    Forward the same HTTP header.
        add     Add the HTTP header.
        remove  Remove the HTTP header.

hsts-include-subdomains
    Add the includeSubDomains directive to the HSTS response header.
    Type: option (enable|disable). Default: disable.

http-compression
    Enable/disable HTTP compression over Agentless VPN connections.
    Type: option (enable|disable). Default: disable.

http-only-cookie
    Enable/disable Agentless VPN support for HttpOnly cookies.
    Type: option (enable|disable). Default: enable.

http-request-body-timeout
    Agentless VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 30).
    Type: integer. Range: 0 - 4294967295. Default: 30.

http-request-header-timeout
    Agentless VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
    Type: integer. Range: 0 - 4294967295. Default: 20.

https-redirect
    Enable/disable redirect of port 80 to the Agentless VPN port.
    Type: option (enable|disable). Default: disable.

idle-timeout
    Agentless VPN disconnects if idle for the specified time in seconds.
    Type: integer. Range: 0 - 259200. Default: 300.

login-attempt-limit
    Agentless VPN maximum login attempts before block (0 - 10, default = 2, 0 = no limit).
    Type: integer. Range: 0 - 10. Default: 2.

login-block-time
    Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
    Type: integer. Range: 0 - 86400. Default: 60.

login-timeout
    Agentless VPN maximum login timeout (10 - 180 sec, default = 30).
    Type: integer. Range: 10 - 180. Default: 30.

port
    Agentless VPN access port (1 - 65535).
    Type: integer. Range: 1 - 65535. Default: 10443.

port-precedence
    Enable/disable port precedence. When enabled, if Agentless VPN connections are allowed on an interface, admin GUI connections are blocked on that interface.
    Type: option (enable|disable). Default: enable.

remote-https-cert-check
    Configure how the FortiGate unit checks and responds to the remote HTTPS server's certificate (default = warn-on-error).
    Type: option. Default: warn-on-error.
    Options:
        no-check         Do not check the remote HTTPS server's certificate.
        warn-on-error    Display a warning when there is a certificate error.
        reject-on-error  Reject the connection when there is a certificate error.

reqclientcert
    Enable/disable requiring client certificates for all Agentless VPN users.
    Type: option (enable|disable). Default: disable.

server-hostname
    Server hostname for HTTPS. When set, it is used as the Agentless VPN web proxy Host header for any redirection.
    Type: string. Maximum length: 255.

servercert
    Name of the server certificate to be used for Agentless VPNs.
    Type: string. Maximum length: 35.

source-address <name>
    Source address of incoming traffic (address name).
    Type: string. Maximum length: 79.

source-address-negate
    Enable/disable negated source address match.
    Type: option (enable|disable). Default: disable.

source-address6 <name>
    IPv6 source address of incoming traffic (IPv6 address name).
    Type: string. Maximum length: 79.

source-address6-negate
    Enable/disable negated source IPv6 address match.
    Type: option (enable|disable). Default: disable.

source-interface <name>
    Agentless VPN source interface of incoming traffic (interface name).
    Type: string. Maximum length: 35.

ssl-client-renegotiation
    Enable/disable allowing client renegotiation by the server if the tunnel goes down.
    Type: option. Default: disable.
    Options:
        disable  Abort any SSL connection that attempts to renegotiate.
        enable   Allow an SSL client to renegotiate.

ssl-insert-empty-fragment
    Enable/disable insertion of an empty fragment.
    Type: option (enable|disable). Default: enable.

ssl-max-proto-ver
    SSL maximum protocol version.
    Type: option. Default: tls1-3.
    Options:
        tls1-0  TLS version 1.0.
        tls1-1  TLS version 1.1.
        tls1-2  TLS version 1.2.
        tls1-3  TLS version 1.3.

ssl-min-proto-ver
    SSL minimum protocol version.
    Type: option. Default: tls1-2.
    Options:
        tls1-0  TLS version 1.0.
        tls1-1  TLS version 1.1.
        tls1-2  TLS version 1.2.
        tls1-3  TLS version 1.3.

status
    Enable/disable Agentless VPN.
    Type: option (enable|disable). Default: enable.

tls-groups
    Configure the supported groups for TLS negotiation.
    Type: option (one or more). Default: P-521 P-384 ML-KEM768 ML-KEM1024 P-384-MLKEM1024 P-256-MLKEM768 X25519-MLKEM768 X448 FFDHE4096 FFDHE6144 FFDHE8192.
    Options: P-521, P-384, P-256, ML-KEM512, ML-KEM768, ML-KEM1024, P-384-MLKEM1024, P-256-MLKEM768, X25519-MLKEM768, X448, X25519, FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192.
    Note that the classical P-256 and X25519 groups are not in the default set; a client that offers only those groups shares no group with the server unless they are added.

transform-backward-slashes
    Transform backward slashes to forward slashes in URLs.
    Type: option (enable|disable). Default: disable.

unsafe-legacy-renegotiation
    Enable/disable unsafe legacy renegotiation (renegotiation with peers that do not support the RFC 5746 secure renegotiation extension).
    Type: option (enable|disable). Default: disable.

url-obscuration
    Enable/disable obscuring the host name in the URL shown in the web browser.
    Type: option (enable|disable). Default: disable.

user-peer
    Name of the user peer.
    Type: string. Maximum length: 35.

x-content-type-options
    Add the HTTP X-Content-Type-Options header.
    Type: option (enable|disable). Default: enable.

config authentication-rule

auth
    Agentless VPN authentication method restriction.
    Type: option. Default: any.
    Options:
        any      Any
        local    Local
        radius   RADIUS
        tacacs+  TACACS+
        ldap     LDAP
        peer     PEER

cipher
    Agentless VPN cipher strength.
    Type: option. Default: high.
    Options:
        any     Any cipher strength.
        high    High cipher strength (>= 168 bits).
        medium  Medium cipher strength (>= 128 bits).

client-cert
    Enable/disable restricting this authentication rule to clients that present a client certificate.
    Type: option (enable|disable). Default: disable.

groups <name>
    User groups (group name).
    Type: string. Maximum length: 79.

id
    ID (0 - 4294967295).
    Type: integer. Range: 0 - 4294967295. Default: 0.

portal
    Agentless VPN portal.
    Type: string. Maximum length: 35.

realm
    Agentless VPN realm.
    Type: string. Maximum length: 35.

source-address <name>
    Source address of incoming traffic (address name).
    Type: string. Maximum length: 79.

source-address-negate
    Enable/disable negated source address match.
    Type: option (enable|disable). Default: disable.

source-address6 <name>
    IPv6 source address of incoming traffic (IPv6 address name).
    Type: string. Maximum length: 79.

source-address6-negate
    Enable/disable negated source IPv6 address match.
    Type: option (enable|disable). Default: disable.

source-interface <name>
    Agentless VPN source interface of incoming traffic (interface name).
    Type: string. Maximum length: 35.

user-peer
    Name of the user peer.
    Type: string. Maximum length: 35.

users <name>
    User names (user name).
    Type: string. Maximum length: 79.


FFDHE3072

FFDHE4096

FFDHE4096

FFDHE6144

FFDHE6144

FFDHE8192

FFDHE8192

transform-backward-slashes

Transform backward slashes to forward slashes in URLs.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

unsafe-legacy-renegotiation

Enable/disable unsafe legacy re-negotiation.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

url-obscuration

Enable/disable to obscure the host name of the URL of the web browser display.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

x-content-type-options

Add HTTP X-Content-Type-Options header.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config authentication-rule

auth
  Description: Agentless VPN authentication method restriction.
  Type: option
  Size: -
  Default: any
  Options:
    any      Any
    local    Local
    radius   RADIUS
    tacacs+  TACACS+
    ldap     LDAP
    peer     PEER

cipher
  Description: Agentless VPN cipher strength.
  Type: option
  Size: -
  Default: high
  Options:
    any     Any cipher strength.
    high    High cipher strength (>= 168 bits).
    medium  Medium cipher strength (>= 128 bits).

client-cert
  Description: Enable/disable the Agentless VPN client certificate restriction.
  Type: option
  Size: -
  Default: disable
  Options:
    enable   Enable setting.
    disable  Disable setting.

groups <name>
  Description: User groups.
  <name>: Group name.
  Type: string
  Size: maximum length 79

id
  Description: ID (0 - 4294967295).
  Type: integer
  Size: minimum value 0, maximum value 4294967295
  Default: 0

portal
  Description: Agentless VPN portal.
  Type: string
  Size: maximum length 35

realm
  Description: Agentless VPN realm.
  Type: string
  Size: maximum length 35

source-address <name>
  Description: Source address of incoming traffic.
  <name>: Address name.
  Type: string
  Size: maximum length 79

source-address-negate
  Description: Enable/disable negated source address match.
  Type: option
  Size: -
  Default: disable
  Options:
    enable   Enable setting.
    disable  Disable setting.

source-address6 <name>
  Description: IPv6 source address of incoming traffic.
  <name>: IPv6 address name.
  Type: string
  Size: maximum length 79

source-address6-negate
  Description: Enable/disable negated source IPv6 address match.
  Type: option
  Size: -
  Default: disable
  Options:
    enable   Enable setting.
    disable  Disable setting.

source-interface <name>
  Description: Agentless VPN source interface of incoming traffic.
  <name>: Interface name.
  Type: string
  Size: maximum length 35

user-peer
  Description: Name of user peer.
  Type: string
  Size: maximum length 35

users <name>
  Description: User name.
  <name>: User name.
  Type: string
  Size: maximum length 79
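The settings table and the authentication-rule table above document defaults and ranges, but a plain `show` on a FortiGate omits values that are still at their default, so reviewing a dump by eye is error-prone. The script below is an added example, not Fortinet code: it parses a `show full-configuration vpn ssl settings`-style dump (the `set` / `config` / `edit` / `next` / `end` layout is assumed), falls back to the documented defaults for absent keys, and reports settings from both tables that weaken the TLS or login posture. The sample dump, the certificate, group, user and portal names, and the severity ratings are all this example's own constructions.

```python
"""Audit a FortiGate `show full-configuration vpn ssl settings` dump against the
parameters documented above. Added example, not Fortinet code: the dump layout
(set / config / edit / next / end) is assumed, the sample dump is constructed,
and the severity ratings are this example's own judgement."""
import shlex

# Defaults taken from the reference tables. A plain `show` omits values that are
# still at their default, so the audit falls back to these when a key is absent.
SETTINGS_DEFAULTS = {
    "status": "enable", "ssl-min-proto-ver": "tls1-2", "ssl-max-proto-ver": "tls1-3",
    "unsafe-legacy-renegotiation": "disable", "ssl-client-renegotiation": "disable",
    "remote-https-cert-check": "warn-on-error", "login-attempt-limit": "2",
    "login-block-time": "60", "port-precedence": "enable",
    "tls-groups": "P-521 P-384 ML-KEM768 ML-KEM1024 P-384-MLKEM1024 P-256-MLKEM768 "
                  "X25519-MLKEM768 X448 FFDHE4096 FFDHE6144 FFDHE8192",
}
RULE_DEFAULTS = {"auth": "any", "cipher": "high", "client-cert": "disable"}
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
DOCUMENTED_TLS_GROUPS = {
    "P-521", "P-384", "P-256", "ML-KEM512", "ML-KEM768", "ML-KEM1024", "P-384-MLKEM1024",
    "P-256-MLKEM768", "X25519-MLKEM768", "X448", "X25519", "FFDHE2048", "FFDHE3072",
    "FFDHE4096", "FFDHE6144", "FFDHE8192",
}

# Constructed sample dump; certificate, group, user and portal names are placeholders.
SAMPLE_SHOW = """\
config vpn ssl settings
    set servercert "example-server-cert"
    set ssl-min-proto-ver tls1-1
    set unsafe-legacy-renegotiation enable
    set login-attempt-limit 0
    set port 10443
    set tls-groups P-521 P-384 X25519-MLKEM768
    config authentication-rule
        edit 1
            set groups "example-group"
            set portal "example-portal"
            set cipher any
        next
        edit 2
            set users "example-user"
            set portal "example-portal"
            set client-cert enable
        next
    end
end
"""


def parse_ssl_settings(text):
    """Return (settings, rules): top-level `set` keys, plus one dict per
    authentication-rule id. Multi-value settings such as tls-groups are kept
    as a single space-separated string; shlex strips the quotes on names."""
    settings, rules, rule_id, in_rules = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config authentication-rule":
            in_rules = True
        elif in_rules and line.startswith("edit "):
            rule_id = shlex.split(line)[1]
            rules[rule_id] = {}
        elif in_rules and line == "next":
            rule_id = None
        elif in_rules and line == "end":      # closes the nested rule block
            in_rules = False
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            target = rules[rule_id] if rule_id is not None else settings
            target[key] = " ".join(shlex.split(rest))
    return settings, rules


def audit(settings, rules):
    """Return a list of (severity, message) findings; an empty list means clean."""
    s = {**SETTINGS_DEFAULTS, **settings}   # explicit values override defaults
    f = []
    if TLS_ORDER.index(s["ssl-min-proto-ver"]) < TLS_ORDER.index("tls1-2"):
        f.append(("high", f"ssl-min-proto-ver {s['ssl-min-proto-ver']} permits TLS 1.0/1.1"))
    if TLS_ORDER.index(s["ssl-max-proto-ver"]) < TLS_ORDER.index(s["ssl-min-proto-ver"]):
        f.append(("high", "ssl-max-proto-ver is below ssl-min-proto-ver; no version can be negotiated"))
    if s["unsafe-legacy-renegotiation"] == "enable":
        f.append(("high", "unsafe-legacy-renegotiation is enabled"))
    if s["ssl-client-renegotiation"] == "enable":
        f.append(("medium", "ssl-client-renegotiation allows client-initiated renegotiation"))
    if s["remote-https-cert-check"] == "no-check":
        f.append(("medium", "remote-https-cert-check no-check skips certificate validation"))
    if s["login-attempt-limit"] == "0":
        f.append(("medium", "login-attempt-limit 0 means failed logins never trigger a block"))
    if s["port-precedence"] == "disable":
        f.append(("low", "port-precedence disabled: admin GUI may stay reachable on VPN interfaces"))
    unknown = set(s["tls-groups"].split()) - DOCUMENTED_TLS_GROUPS
    if unknown:
        f.append(("info", f"tls-groups contains undocumented names: {sorted(unknown)}"))
    for rid, rule in rules.items():
        r = {**RULE_DEFAULTS, **rule}
        if r["cipher"] == "any":
            f.append(("medium", f"authentication-rule {rid}: cipher any accepts weak cipher strengths"))
    return f


if __name__ == "__main__":
    for severity, message in audit(*parse_ssl_settings(SAMPLE_SHOW)):
        print(f"[{severity}] {message}")
```

Run against the constructed dump it reports four findings: the TLS 1.1 floor and the legacy renegotiation setting as high, and the disabled login limit and the `cipher any` rule as medium; rule 2, which relies on the documented default of `cipher high`, produces nothing. Feeding it the output of `show full-configuration` rather than plain `show` makes the default fallback unnecessary but harmless.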