CLI Reference

config vpn ssl web portal

Portal.

config vpn ssl web portal
    Description: Portal.
    edit <name>
        set tunnel-mode [enable|disable]
        set ip-mode [range|user-group|...]
        set dhcp-ip-overlap [use-new|use-old]
        set auto-connect [enable|disable]
        set keep-alive [enable|disable]
        set save-password [enable|disable]
        set ip-pools <name1>, <name2>, ...
        set exclusive-routing [enable|disable]
        set service-restriction [enable|disable]
        set split-tunneling [enable|disable]
        set split-tunneling-routing-negate [enable|disable]
        set split-tunneling-routing-address <name1>, <name2>, ...
        set dns-server1 {ipv4-address}
        set dns-server2 {ipv4-address}
        set dns-suffix {var-string}
        set wins-server1 {ipv4-address}
        set wins-server2 {ipv4-address}
        set ipv6-tunnel-mode [enable|disable]
        set ipv6-pools <name1>, <name2>, ...
        set ipv6-exclusive-routing [enable|disable]
        set ipv6-service-restriction [enable|disable]
        set ipv6-split-tunneling [enable|disable]
        set ipv6-split-tunneling-routing-negate [enable|disable]
        set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-wins-server1 {ipv6-address}
        set ipv6-wins-server2 {ipv6-address}
        set web-mode [enable|disable]
        set display-bookmark [enable|disable]
        set user-bookmark [enable|disable]
        set allow-user-access {option1}, {option2}, ...
        set user-group-bookmark [enable|disable]
        config bookmark-group
            Description: Portal bookmark group.
            edit <name>
                config bookmarks
                    Description: Bookmark table.
                    edit <name>
                        set apptype [ftp|rdp|...]
                        set url {var-string}
                        set host {var-string}
                        set folder {var-string}
                        set domain {var-string}
                        set additional-params {var-string}
                        set description {var-string}
                        set keyboard-layout [ar-101|ar-102|...]
                        set security [any|rdp|...]
                        set send-preconnection-id [enable|disable]
                        set preconnection-id {integer}
                        set preconnection-blob {var-string}
                        set load-balancing-info {var-string}
                        set restricted-admin [enable|disable]
                        set port {integer}
                        set logon-user {var-string}
                        set logon-password {password}
                        set color-depth [32|16|...]
                        set sso [disable|static|...]
                        config form-data
                            Description: Form data.
                            edit <name>
                                set value {var-string}
                            next
                        end
                        set sso-credential [sslvpn-login|alternative]
                        set sso-username {var-string}
                        set sso-password {password}
                        set sso-credential-sent-once [enable|disable]
                        set width {integer}
                        set height {integer}
                    next
                end
            next
        end
        set display-connection-tools [enable|disable]
        set display-history [enable|disable]
        set display-status [enable|disable]
        set rewrite-ip-uri-ui [enable|disable]
        set heading {string}
        set redir-url {var-string}
        set theme [jade|neutrino|...]
        set custom-lang {string}
        set smb-ntlmv1-auth [enable|disable]
        set smbv1 [enable|disable]
        set smb-min-version [smbv1|smbv2|...]
        set smb-max-version [smbv1|smbv2|...]
        set use-sdwan [enable|disable]
        set prefer-ipv6-dns [enable|disable]
        set clipboard [enable|disable]
        set default-window-width {integer}
        set default-window-height {integer}
        set host-check [none|av|...]
        set host-check-interval {integer}
        set host-check-policy <name1>, <name2>, ...
        set limit-user-logins [enable|disable]
        set mac-addr-check [enable|disable]
        set mac-addr-action [allow|deny]
        config mac-addr-check-rule
            Description: Client MAC address check rule.
            edit <name>
                set mac-addr-mask {integer}
                set mac-addr-list <addr1>, <addr2>, ...
            next
        end
        set os-check [enable|disable]
        config os-check-list
            Description: SSL-VPN OS checks.
            edit <name>
                set action [deny|allow|...]
                set tolerance {integer}
                set latest-patch-level {user}
            next
        end
        set forticlient-download [enable|disable]
        set forticlient-download-method [direct|ssl-vpn]
        set customize-forticlient-download-url [enable|disable]
        set windows-forticlient-download-url {var-string}
        set macos-forticlient-download-url {var-string}
        set skip-check-for-unsupported-os [enable|disable]
        set skip-check-for-browser [enable|disable]
        set hide-sso-credential [enable|disable]
        config split-dns
            Description: Split DNS for SSL-VPN.
            edit <id>
                set domains {var-string}
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
            next
        end
    next
end

config vpn ssl web portal

Parameter | Description | Type | Size | Default

tunnel-mode
    Enable/disable IPv4 SSL-VPN tunnel mode.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

ip-mode
    Method by which users of this SSL-VPN tunnel obtain IP addresses.
    Type: option. Size: -. Default: range.
    Options:
        range       Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.
        user-group  Use the IP addresses associated with individual users or user groups (usually from external auth servers).
        dhcp        Use IP addresses obtained from an external DHCP server.

dhcp-ip-overlap
    Configure overlapping DHCP IP allocation assignment.
    Type: option. Size: -. Default: use-new.
    Options:
        use-new  Assign the DHCP lease to the new client and remove the old client's lease.
        use-old  Preserve the previous client's IP allocation and disconnect the new client.

auto-connect
    Enable/disable automatic connection by the client when the system is up.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

keep-alive
    Enable/disable automatic reconnect for FortiClient connections.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

save-password
    Enable/disable FortiClient saving the user's password.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

ip-pools <name>
    IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
    <name>: Address name. Type: string. Size: maximum length 79.

exclusive-routing
    Enable/disable routing all traffic through the tunnel only.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

service-restriction
    Enable/disable tunnel service restriction.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

split-tunneling
    Enable/disable IPv4 split tunneling.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

split-tunneling-routing-negate
    Enable to negate the split tunneling routing address.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

split-tunneling-routing-address <name>
    IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
    <name>: Address name. Type: string. Size: maximum length 79.

dns-server1
    IPv4 DNS server 1.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

dns-server2
    IPv4 DNS server 2.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

dns-suffix
    DNS suffix.
    Type: var-string. Size: maximum length 253.

wins-server1
    IPv4 WINS server 1.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

wins-server2
    IPv4 WINS server 2.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

ipv6-tunnel-mode
    Enable/disable IPv6 SSL-VPN tunnel mode.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

ipv6-pools <name>
    IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.
    <name>: Address name. Type: string. Size: maximum length 79.

ipv6-exclusive-routing
    Enable/disable routing all IPv6 traffic through the tunnel only.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

ipv6-service-restriction
    Enable/disable IPv6 tunnel service restriction.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

ipv6-split-tunneling
    Enable/disable IPv6 split tunneling.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

ipv6-split-tunneling-routing-negate
    Enable to negate the IPv6 split tunneling routing address.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

ipv6-split-tunneling-routing-address <name>
    IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
    <name>: Address name. Type: string. Size: maximum length 79.

ipv6-dns-server1
    IPv6 DNS server 1.
    Type: ipv6-address. Size: not specified. Default: ::

ipv6-dns-server2
    IPv6 DNS server 2.
    Type: ipv6-address. Size: not specified. Default: ::

ipv6-wins-server1
    IPv6 WINS server 1.
    Type: ipv6-address. Size: not specified. Default: ::

ipv6-wins-server2
    IPv6 WINS server 2.
    Type: ipv6-address. Size: not specified. Default: ::

web-mode
    Enable/disable SSL-VPN web mode.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

display-bookmark
    Enable to display the web portal bookmark widget.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

user-bookmark
    Enable to allow web portal users to create their own bookmarks.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

allow-user-access
    Allow user access to SSL-VPN applications.
    Type: option. Size: -. Default: web ftp smb sftp telnet ssh vnc rdp ping.
    Options:
        web     HTTP/HTTPS access.
        ftp     FTP access.
        smb     SMB/CIFS access.
        sftp    SFTP access.
        telnet  TELNET access.
        ssh     SSH access.
        vnc     VNC access.
        rdp     RDP access.
        ping    PING access.

user-group-bookmark
    Enable to allow web portal users to create bookmarks for all users in the same user group.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

display-connection-tools
    Enable to display the web portal connection tools widget.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

display-history
    Enable to display the web portal user login history widget.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

display-status
    Enable to display the web portal status widget.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

rewrite-ip-uri-ui
    Rewrite contents for URIs that contain an IP address and /ui/.
    Type: option. Size: -. Default: disable.
    Options:
        enable   Enable contents rewrite for URIs containing "IP-address/ui/".
        disable  Disable contents rewrite for URIs containing "IP-address/ui/".

heading
    Web portal heading message.
    Type: string. Size: maximum length 31. Default: SSL-VPN Portal.

redir-url
    Client login redirect URL.
    Type: var-string. Size: maximum length 255.

theme
    Web portal color scheme.
    Type: option. Size: -. Default: neutrino.
    Options:
        jade         Jade theme.
        neutrino     Neutrino theme.
        mariner      Mariner theme.
        graphite     Graphite theme.
        melongene    Melongene theme.
        dark-matter  Dark Matter theme.
        onyx         Onyx theme.
        eclipse      Eclipse theme.

custom-lang
    Change the web portal display language. Overrides the language selected with "config system global" / "set language". Use "config system custom-language" and "execute system custom-language" to add custom language files.
    Type: string. Size: maximum length 35.

smb-ntlmv1-auth
    Enable support of NTLMv1 for Samba authentication.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

smbv1
    Enable/disable SMB version 1.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable SMB version 1.), disable (Disable SMB version 1.)

smb-min-version
    SMB minimum client protocol version.
    Type: option. Size: -. Default: smbv2.
    Options: smbv1 (SMB version 1.), smbv2 (SMB version 2.), smbv3 (SMB version 3.)

smb-max-version
    SMB maximum client protocol version.
    Type: option. Size: -. Default: smbv3.
    Options: smbv1 (SMB version 1.), smbv2 (SMB version 2.), smbv3 (SMB version 3.)

use-sdwan
    Use SD-WAN rules to select the output interface.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

prefer-ipv6-dns
    Prefer to query the IPv6 DNS server first if enabled.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

clipboard
    Enable to support RDP/VNC clipboard functionality.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable support of RDP/VNC clipboard.), disable (Disable support of RDP/VNC clipboard.)

default-window-width
    Screen width.
    Type: integer. Size: minimum value 0, maximum value 65535. Default: 1024.

default-window-height
    Screen height.
    Type: integer. Size: minimum value 0, maximum value 65535. Default: 768.

host-check
    Type of host checking performed on endpoints.
    Type: option. Size: -. Default: none.
    Options:
        none    No host checking.
        av      AntiVirus software recognized by the Windows Security Center.
        fw      Firewall software recognized by the Windows Security Center.
        av-fw   AntiVirus and firewall software recognized by the Windows Security Center.
        custom  Custom.

host-check-interval
    Periodic host check interval. A value of 0 means disabled: host checking only happens when the endpoint connects.
    Type: integer. Size: minimum value 120, maximum value 259200. Default: 0.

host-check-policy <name>
    One or more policies that require the endpoint to have specific security software.
    <name>: Host check software list name. Type: string. Size: maximum length 79.

limit-user-logins
    Enable to limit each user to one SSL-VPN session at a time.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

mac-addr-check
    Enable/disable MAC address host checking.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

mac-addr-action
    Client MAC address action.
    Type: option. Size: -. Default: allow.
    Options:
        allow  Allow the connection when the client MAC address is matched.
        deny   Deny the connection when the client MAC address is matched.

os-check
    Enable to let FortiProxy decide the action based on the client OS.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

forticlient-download
    Enable/disable the download option for FortiClient.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

forticlient-download-method
    FortiClient download method.
    Type: option. Size: -. Default: direct.
    Options: direct (Download via direct link.), ssl-vpn (Download via SSL-VPN.)

customize-forticlient-download-url
    Enable support of a customized download URL for FortiClient.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable setting.), disable (Disable setting.)

windows-forticlient-download-url
    Download URL for Windows FortiClient.
    Type: var-string. Size: maximum length 1023.

macos-forticlient-download-url
    Download URL for Mac FortiClient.
    Type: var-string. Size: maximum length 1023.

skip-check-for-unsupported-os
    Enable to skip the host check if the client OS does not support it.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

skip-check-for-browser
    Enable to skip the host check for browser support.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)

hide-sso-credential
    Enable to prevent the SSO credential from being sent to the client.
    Type: option. Size: -. Default: enable.
    Options: enable (Enable setting.), disable (Disable setting.)
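As an added example, not part of the Fortinet reference, the following Python script parses the "config vpn ssl web portal" table out of a CLI configuration dump and flags portal settings that weaken the deployment (SMBv1 and NTLMv1 enabled, an SMB minimum version of smbv1, tunnel mode without a host check, split tunneling, Telnet offered in web mode, unlimited concurrent logins, saved passwords, and SSO credentials exposed to the client). Parameters that are not explicitly set take the defaults listed in the table above. The sample dump, the portal names and the finding labels are constructed for this example; the parameter names and default values are the ones documented on this page.

```python
import re

# Defaults from the parameter table on this page; an explicit `set` overrides them.
PAGE_DEFAULTS = {
    "tunnel-mode": "disable",
    "web-mode": "disable",
    "split-tunneling": "enable",
    "smbv1": "disable",
    "smb-ntlmv1-auth": "disable",
    "smb-min-version": "smbv2",
    "host-check": "none",
    "limit-user-logins": "disable",
    "save-password": "disable",
    "hide-sso-credential": "enable",
    "allow-user-access": "web ftp smb sftp telnet ssh vnc rdp ping",
}

# Constructed sample dump (not a real device export): a weak and a hardened portal.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "legacy-portal"
        set tunnel-mode enable
        set web-mode enable
        config bookmark-group
            edit "gui"
                config bookmarks
                    edit "intranet"
                        set apptype web
                        set url "http://intranet.example.test/"
                    next
                end
            next
        end
        set smbv1 enable
        set smb-ntlmv1-auth enable
        set smb-min-version smbv1
        set hide-sso-credential disable
    next
    edit "hardened-portal"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling disable
        set exclusive-routing enable
        set host-check av-fw
        set limit-user-logins enable
        set allow-user-access web rdp
        set smb-min-version smbv2
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
_SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_portals(text):
    """Return {portal_name: {parameter: value}} for every portal entry.
    Nested tables (bookmark-group, bookmarks, split-dns, ...) are tracked by
    depth and skipped so their `set` lines are never read as portal settings."""
    portals, current, in_table, depth = {}, None, False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == "config vpn ssl web portal"
            continue
        if current is None:                    # between `edit` entries
            m = _EDIT_RE.match(line)
            if m:
                current = m.group(1)
                portals[current] = {}
            elif line == "end":                # portal table closed
                in_table = False
            continue
        if line.startswith("config "):         # entering a nested table
            depth += 1
        elif line == "end" and depth:          # leaving a nested table
            depth -= 1
        elif depth:
            continue                           # ignore nested-table lines
        elif line == "next":
            current = None
        else:
            m = _SET_RE.match(line)
            if m:
                portals[current][m.group(1)] = m.group(2).strip().strip('"')
    return portals


def audit_portal(configured):
    """Return constructed finding labels for one portal's effective settings."""
    s = dict(PAGE_DEFAULTS)
    s.update(configured)
    findings = []
    if s["smbv1"] == "enable":
        findings.append("smbv1-enabled")
    if s["smb-ntlmv1-auth"] == "enable":
        findings.append("ntlmv1-enabled")
    if s["smb-min-version"] == "smbv1":
        findings.append("smb-min-version-smbv1")
    if s["tunnel-mode"] == "enable":
        if s["host-check"] == "none":
            findings.append("no-host-check")       # no endpoint posture check
        if s["split-tunneling"] == "enable":
            findings.append("split-tunneling")     # client traffic bypasses the tunnel
    if s["web-mode"] == "enable" and "telnet" in s["allow-user-access"].split():
        findings.append("telnet-allowed")          # portal-to-server leg is cleartext
    if s["limit-user-logins"] != "enable":
        findings.append("concurrent-logins-unlimited")
    if s["save-password"] == "enable":
        findings.append("save-password")
    if s["hide-sso-credential"] != "enable":
        findings.append("sso-credential-exposed")
    return findings


def audit_config(text):
    """Audit every portal in a CLI dump: {portal_name: [finding, ...]}."""
    return {name: audit_portal(cfg) for name, cfg in parse_portals(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

Run it against the output of "show vpn ssl web portal" saved to a file by passing the file contents to audit_config instead of SAMPLE_CONFIG. Because the defaults are merged in before the checks run, a portal that never sets limit-user-logins or host-check is still reported, which is the case a grep over the dump would miss.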

config bookmarks

Parameter | Description | Type | Size | Default

apptype
    Application type.
    Type: option. Size: -. Default: web.
    Options:
        ftp     FTP.
        rdp     RDP.
        sftp    SFTP.
        smb     SMB/CIFS.
        ssh     SSH.
        telnet  Telnet.
        vnc     VNC.
        web     HTTP/HTTPS.

url
    URL parameter.
    Type: var-string. Size: maximum length 128.

host
    Host name/IP parameter.
    Type: var-string. Size: maximum length 128.

folder
    Network shared file folder parameter.
    Type: var-string. Size: maximum length 128.

domain
    Login domain.
    Type: var-string. Size: maximum length 128.

additional-params
    Additional parameters.
    Type: var-string. Size: maximum length 128.

description
    Description.
    Type: var-string. Size: maximum length 128.

keyboard-layout
    Keyboard layout.
    Type: option. Size: -. Default: en-us.
    Options:
        ar-101        Arabic (101).
        ar-102        Arabic (102).
        ar-102-azerty Arabic (102) AZERTY.
        can-mul       Canadian Multilingual Standard.
        cz            Czech.
        cz-qwerty     Czech (QWERTY).
        cz-pr         Czech Programmers.
        da            Danish.
        nl            Dutch.
        de            German.
        de-ch         German, Switzerland.
        de-ibm        German (IBM).
        en-uk         English, United Kingdom.
        en-uk-ext     English, United Kingdom Extended.
        en-us         English, United States.
        en-us-dvorak  English, United States-Dvorak.
        es            Spanish.
        es-var        Spanish Variation.
        fi            Finnish.
        fi-sami       Finnish with Sami.
        fr            French.
        fr-apple      French, Apple.
        fr-ca         French, Canada.
        fr-ch         French, Switzerland.
        fr-be         French, Belgium.
        hr            Croatian.
        hu            Hungarian.
        hu-101        Hungarian 101-Key.
        it            Italian.
        it-142        Italian (142).
        ja            Japanese.
        ko            Korean.
        lt            Lithuanian.
        lt-ibm        Lithuanian IBM.
        lt-std        Lithuanian Standard.
        lav-std       Latvian (Standard).
        lav-leg       Latvian (Legacy).
        mk            Macedonian (FYROM).
        mk-std        Macedonian (FYROM) - Standard.
        no            Norwegian.
        no-sami       Norwegian with Sami.
        pol-214       Polish (214).
        pol-pr        Polish (Programmers).
        pt            Portuguese.
        pt-br         Portuguese (Brazilian ABNT).
        pt-br-abnt2   Portuguese (Brazilian ABNT2).
        ru            Russian.
        ru-mne        Russian - Mnemonic.
        ru-t          Russian (Typewriter).
        sl            Slovenian.
        sv            Swedish.
        sv-sami       Swedish with Sami.
        tuk           Turkmen.
        tur-f         Turkish F.
        tur-q         Turkish Q.
        zh-sym-sg-us  Chinese (Simplified, Singapore) - US keyboard.
        zh-sym-us     Chinese (Simplified) - US keyboard.
        zh-tr-hk      Chinese (Traditional, Hong Kong S.A.R.).
        zh-tr-mo      Chinese (Traditional, Macao S.A.R.) - US keyboard.
        zh-tr-us      Chinese (Traditional) - US keyboard.

security
    Security mode for the RDP connection.
    Type: option. Size: -. Default: rdp.
    Options:
        any  Allow the server to choose the type of security.
        rdp  Standard RDP encryption.
        nla  Network Level Authentication.
        tls  TLS encryption.

send-preconnection-id
    Enable/disable sending of the preconnection ID.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable sending of the preconnection ID.), disable (Disable sending of the preconnection ID.)

preconnection-id
    The numeric ID of the RDP source.
    Type: integer. Size: minimum value 0, maximum value 4294967295. Default: 0.

preconnection-blob
    An arbitrary string which identifies the RDP source.
    Type: var-string. Size: maximum length 511.

load-balancing-info
    The load balancing information or cookie which should be provided to the connection broker.
    Type: var-string. Size: maximum length 511.

restricted-admin
    Enable/disable restricted admin mode for RDP.
    Type: option. Size: -. Default: disable.
    Options: enable (Enable restricted admin mode for RDP.), disable (Disable restricted admin mode for RDP.)

port
    Remote port.
    Type: integer. Size: minimum value 0, maximum value 65535. Default: 0.

logon-user
    Logon user.
    Type: var-string. Size: maximum length 35.

logon-password
    Logon password.
    Type: password. Size: not specified.

color-depth
    Color depth per pixel.
    Type: option. Size: -. Default: 16.
    Options: 32 (32 bits per pixel.), 16 (16 bits per pixel.), 8 (8 bits per pixel.)

sso
    Single Sign-On.
    Type: option. Size: -. Default: disable.
    Options: disable (Disable SSO.), static (Static SSO.), auto (Auto SSO.)

sso-credential
    Single sign-on credentials.
    Type: option. Size: -. Default: sslvpn-login.
    Options: sslvpn-login (SSL-VPN login.), alternative (Alternative.)

sso-username
    SSO user name.
    Type: var-string. Size: maximum length 35.

sso-password
    SSO password.
    Type: password. Size: not specified.

sso-credential-sent-once
    Single sign-on credentials are only sent once to the remote server.
    Type: option. Size: -. Default: disable.
    Options:
        enable   Single sign-on credentials are only sent once to the remote server.
        disable  Single sign-on credentials are sent to the remote server for every HTTP request.

width
    Screen width.
    Type: integer. Size: minimum value 0, maximum value 65535. Default: 0.

height
    Screen height.
    Type: integer. Size: minimum value 0, maximum value 65535. Default: 0.

config form-data

Parameter | Description | Type | Size | Default

value
    Value.
    Type: var-string. Size: maximum length 63.

config mac-addr-check-rule

Parameter | Description | Type | Size | Default

mac-addr-mask
    Client MAC address mask.
    Type: integer. Size: minimum value 1, maximum value 48. Default: 48.

mac-addr-list <addr>
    Client MAC address list.
    <addr>: Client MAC address. Type: mac-address. Size: not specified.

config os-check-list

Parameter | Description | Type | Size | Default

action
    OS check options.
    Type: option. Size: -. Default: allow.
    Options:
        deny              Deny all OS versions.
        allow             Allow any OS version.
        check-up-to-date  Verify the OS is up-to-date.

tolerance
    OS patch level tolerance.
    Type: integer. Size: minimum value 0, maximum value 65535. Default: 0.

latest-patch-level
    Latest OS patch level.
    Type: user. Size: not specified. Default: 0.

config split-dns

Parameter | Description | Type | Size | Default

domains
    Split DNS domains used for SSL-VPN clients, separated by commas.
    Type: var-string. Size: maximum length 1024.

dns-server1
    DNS server 1.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

dns-server2
    DNS server 2.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

config vpn ssl web portal

config vpn ssl web portal

Portal.

config vpn ssl web portal
    Description: Portal.
    edit <name>
        set tunnel-mode [enable|disable]
        set ip-mode [range|user-group|...]
        set dhcp-ip-overlap [use-new|use-old]
        set auto-connect [enable|disable]
        set keep-alive [enable|disable]
        set save-password [enable|disable]
        set ip-pools <name1>, <name2>, ...
        set exclusive-routing [enable|disable]
        set service-restriction [enable|disable]
        set split-tunneling [enable|disable]
        set split-tunneling-routing-negate [enable|disable]
        set split-tunneling-routing-address <name1>, <name2>, ...
        set dns-server1 {ipv4-address}
        set dns-server2 {ipv4-address}
        set dns-suffix {var-string}
        set wins-server1 {ipv4-address}
        set wins-server2 {ipv4-address}
        set ipv6-tunnel-mode [enable|disable]
        set ipv6-pools <name1>, <name2>, ...
        set ipv6-exclusive-routing [enable|disable]
        set ipv6-service-restriction [enable|disable]
        set ipv6-split-tunneling [enable|disable]
        set ipv6-split-tunneling-routing-negate [enable|disable]
        set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-wins-server1 {ipv6-address}
        set ipv6-wins-server2 {ipv6-address}
        set web-mode [enable|disable]
        set display-bookmark [enable|disable]
        set user-bookmark [enable|disable]
        set allow-user-access {option1}, {option2}, ...
        set user-group-bookmark [enable|disable]
        config bookmark-group
            Description: Portal bookmark group.
            edit <name>
                config bookmarks
                    Description: Bookmark table.
                    edit <name>
                        set apptype [ftp|rdp|...]
                        set url {var-string}
                        set host {var-string}
                        set folder {var-string}
                        set domain {var-string}
                        set additional-params {var-string}
                        set description {var-string}
                        set keyboard-layout [ar-101|ar-102|...]
                        set security [any|rdp|...]
                        set send-preconnection-id [enable|disable]
                        set preconnection-id {integer}
                        set preconnection-blob {var-string}
                        set load-balancing-info {var-string}
                        set restricted-admin [enable|disable]
                        set port {integer}
                        set logon-user {var-string}
                        set logon-password {password}
                        set color-depth [32|16|...]
                        set sso [disable|static|...]
                        config form-data
                            Description: Form data.
                            edit <name>
                                set value {var-string}
                            next
                        end
                        set sso-credential [sslvpn-login|alternative]
                        set sso-username {var-string}
                        set sso-password {password}
                        set sso-credential-sent-once [enable|disable]
                        set width {integer}
                        set height {integer}
                    next
                end
            next
        end
        set display-connection-tools [enable|disable]
        set display-history [enable|disable]
        set display-status [enable|disable]
        set rewrite-ip-uri-ui [enable|disable]
        set heading {string}
        set redir-url {var-string}
        set theme [jade|neutrino|...]
        set custom-lang {string}
        set smb-ntlmv1-auth [enable|disable]
        set smbv1 [enable|disable]
        set smb-min-version [smbv1|smbv2|...]
        set smb-max-version [smbv1|smbv2|...]
        set use-sdwan [enable|disable]
        set prefer-ipv6-dns [enable|disable]
        set clipboard [enable|disable]
        set default-window-width {integer}
        set default-window-height {integer}
        set host-check [none|av|...]
        set host-check-interval {integer}
        set host-check-policy <name1>, <name2>, ...
        set limit-user-logins [enable|disable]
        set mac-addr-check [enable|disable]
        set mac-addr-action [allow|deny]
        config mac-addr-check-rule
            Description: Client MAC address check rule.
            edit <name>
                set mac-addr-mask {integer}
                set mac-addr-list <addr1>, <addr2>, ...
            next
        end
        set os-check [enable|disable]
        config os-check-list
            Description: SSL-VPN OS checks.
            edit <name>
                set action [deny|allow|...]
                set tolerance {integer}
                set latest-patch-level {user}
            next
        end
        set forticlient-download [enable|disable]
        set forticlient-download-method [direct|ssl-vpn]
        set customize-forticlient-download-url [enable|disable]
        set windows-forticlient-download-url {var-string}
        set macos-forticlient-download-url {var-string}
        set skip-check-for-unsupported-os [enable|disable]
        set skip-check-for-browser [enable|disable]
        set hide-sso-credential [enable|disable]
        config split-dns
            Description: Split DNS for SSL-VPN.
            edit <id>
                set domains {var-string}
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
            next
        end
    next
end

config vpn ssl web portal

Parameter

Description

Type

Size

Default

tunnel-mode

Enable/disable IPv4 SSL-VPN tunnel mode.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ip-mode

Method by which users of this SSL-VPN tunnel obtain IP addresses.

option

-

range

Option

Description

range

Use the IP addresses available for all SSL-VPN users as defined by the SSL settings command.

user-group

Use the IP addresses associated with individual users or user groups (usually from external auth servers).

dhcp

Use IP addresses obtained from external DHCP server.

dhcp-ip-overlap

Configure overlapping DHCP IP allocation assignment.

option

-

use-new

Option

Description

use-new

Assign DHCP lease to new client and remove old client lease.

use-old

Preserve previous client IP allocation and disconnect new client.

auto-connect

Enable/disable automatic connect by client when system is up.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

keep-alive

Enable/disable automatic reconnect for FortiClient connections.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

save-password

Enable/disable FortiClient saving the user's password.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ip-pools <name>

IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.

Address name.

string

Maximum length: 79

exclusive-routing

Enable/disable all traffic go through tunnel only.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

service-restriction

Enable/disable tunnel service restriction.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

split-tunneling

Enable/disable IPv4 split tunneling.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

split-tunneling-routing-negate

Enable to negate split tunneling routing address.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

split-tunneling-routing-address <name>

IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

Address name.

string

Maximum length: 79

dns-server1

IPv4 DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

IPv4 DNS server 2.

ipv4-address

Not Specified

0.0.0.0

dns-suffix

DNS suffix.

var-string

Maximum length: 253

wins-server1

IPv4 WINS server 1.

ipv4-address

Not Specified

0.0.0.0

wins-server2

IPv4 WINS server 1.

ipv4-address

Not Specified

0.0.0.0

ipv6-tunnel-mode

Enable/disable IPv6 SSL-VPN tunnel mode.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-pools <name>

IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients.

Address name.

string

Maximum length: 79

ipv6-exclusive-routing

Enable/disable all IPv6 traffic go through tunnel only.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-service-restriction

Enable/disable IPv6 tunnel service restriction.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-split-tunneling

Enable/disable IPv6 split tunneling.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-split-tunneling-routing-negate

Enable to negate IPv6 split tunneling routing address.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6-split-tunneling-routing-address <name>

IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.

Address name.

string

Maximum length: 79

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

::

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

::

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

::

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

::

web-mode

Enable/disable SSL-VPN web mode.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

display-bookmark

Enable to display the web portal bookmark widget.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

user-bookmark

Enable to allow web portal users to create their own bookmarks.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

allow-user-access

Allow user access to SSL-VPN applications.

option

-

web ftp smb sftp telnet ssh vnc rdp ping

Option

Description

web

HTTP/HTTPS access.

ftp

FTP access.

smb

SMB/CIFS access.

sftp

SFTP access.

telnet

TELNET access.

ssh

SSH access.

vnc

VNC access.

rdp

RDP access.

ping

PING access.

user-group-bookmark

Enable to allow web portal users to create bookmarks for all users in the same user group.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

display-connection-tools

Enable to display the web portal connection tools widget.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

display-history

Enable to display the web portal user login history widget.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

display-status

Enable to display the web portal status widget.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

rewrite-ip-uri-ui

Rewrite content for URIs that contain an IP address and /ui/.

option

-

disable

Option

Description

enable

Enable content rewriting for URIs that contain "IP-address/ui/".

disable

Disable content rewriting for URIs that contain "IP-address/ui/".

heading

Web portal heading message.

string

Maximum length: 31

SSL-VPN Portal

redir-url

Client login redirect URL.

var-string

Maximum length: 255

theme

Web portal color scheme.

option

-

neutrino

Option

Description

jade

Jade theme.

neutrino

Neutrino theme.

mariner

Mariner theme.

graphite

Graphite theme.

melongene

Melongene theme.

dark-matter

Dark Matter theme.

onyx

Onyx theme.

eclipse

Eclipse theme.

custom-lang

Change the web portal display language. Overrides the language set with config system global. Use config system custom-language and execute system custom-language to add custom language files.

string

Maximum length: 35

smb-ntlmv1-auth

Enable support of NTLMv1 for Samba authentication.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

smbv1

SMB version 1.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

smb-min-version

SMB minimum client protocol version.

option

-

smbv2

Option

Description

smbv1

SMB version 1.

smbv2

SMB version 2.

smbv3

SMB version 3.

smb-max-version

SMB maximum client protocol version.

option

-

smbv3

Option

Description

smbv1

SMB version 1.

smbv2

SMB version 2.

smbv3

SMB version 3.
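Worked example for the web-mode and SMB parameters above: a permissive portal beside a restricted one. allow-user-access is an allow-list whose default exposes all nine application types, including telnet, ftp and smb, so the restricted portal keeps only what users need, makes bookmarks admin-managed, and pins SMB to v2/v3 with NTLMv1 refused. This is an added example, not configuration from this reference or from Fortinet; portal names and the heading text are assumptions.

```text
config vpn ssl web portal
    # Permissive: every application type, user-published group bookmarks,
    # SMB1 and NTLMv1 accepted.
    edit "web-permissive"
        set web-mode enable
        set allow-user-access web ftp smb sftp telnet ssh vnc rdp ping
        set user-bookmark enable
        set user-group-bookmark enable
        set smbv1 enable
        set smb-ntlmv1-auth enable
        set smb-min-version smbv1
        set smb-max-version smbv3
    next
    # Restricted: only the needed application types, bookmarks defined by
    # the administrator only, SMB2/SMB3 only, no NTLMv1, SSO credential
    # never handed to the browser.
    edit "web-restricted"
        set web-mode enable
        set tunnel-mode disable
        set heading "Corp web portal"
        set allow-user-access web smb rdp ssh
        set display-bookmark enable
        set user-bookmark disable
        set user-group-bookmark disable
        set display-connection-tools disable
        set smbv1 disable
        set smb-ntlmv1-auth disable
        set smb-min-version smbv2
        set smb-max-version smbv3
        set hide-sso-credential enable
    next
end
```

With user-bookmark and user-group-bookmark disabled, the only targets a portal user can reach are the bookmarks configured under config bookmark-group, which turns the portal into an explicit allow-list of internal hosts.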

use-sdwan

Use SD-WAN rules to get output interface.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

prefer-ipv6-dns

Prefer to query IPv6 DNS server first if enabled.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

clipboard

Enable to support RDP/VNC clipboard functionality.

option

-

enable

Option

Description

enable

Enable support of RDP/VNC clipboard.

disable

Disable support of RDP/VNC clipboard.

default-window-width

Screen width.

integer

Minimum value: 0 Maximum value: 65535

1024

default-window-height

Screen height.

integer

Minimum value: 0 Maximum value: 65535

768

host-check

Type of host checking performed on endpoints.

option

-

none

Option

Description

none

No host checking.

av

AntiVirus software recognized by the Windows Security Center.

fw

Firewall software recognized by the Windows Security Center.

av-fw

AntiVirus and firewall software recognized by the Windows Security Center.

custom

Custom.

host-check-interval

Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.

integer

Minimum value: 120 Maximum value: 259200

0

host-check-policy <name>

One or more policies to require the endpoint to have specific security software.

Host check software list name.

string

Maximum length: 79

limit-user-logins

Enable to limit each user to one SSL-VPN session at a time.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

mac-addr-check

Enable/disable MAC address host checking.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

mac-addr-action

Client MAC address action.

option

-

allow

Option

Description

allow

Allow connection when client MAC address is matched.

deny

Deny connection when client MAC address is matched.

os-check

Enable to let the FortiProxy decide the action based on the client OS (see config os-check-list).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

forticlient-download

Enable/disable download option for FortiClient.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

forticlient-download-method

FortiClient download method.

option

-

direct

Option

Description

direct

Download via direct link.

ssl-vpn

Download via SSL-VPN.

customize-forticlient-download-url

Enable support of customized download URL for FortiClient.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

windows-forticlient-download-url

Download URL for Windows FortiClient.

var-string

Maximum length: 1023

macos-forticlient-download-url

Download URL for Mac FortiClient.

var-string

Maximum length: 1023

skip-check-for-unsupported-os

Enable to skip the host check if the client OS does not support it.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

skip-check-for-browser

Enable to skip the host check for browsers that do not support it.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

hide-sso-credential

Enable to prevent the SSO credential from being sent to the client.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config bookmarks

Parameter

Description

Type

Size

Default

apptype

Application type.

option

-

web

Option

Description

ftp

FTP.

rdp

RDP.

sftp

SFTP.

smb

SMB/CIFS.

ssh

SSH.

telnet

Telnet.

vnc

VNC.

web

HTTP/HTTPS.

url

URL parameter.

var-string

Maximum length: 128

host

Host name/IP parameter.

var-string

Maximum length: 128

folder

Network shared file folder parameter.

var-string

Maximum length: 128

domain

Login domain.

var-string

Maximum length: 128

additional-params

Additional parameters.

var-string

Maximum length: 128

description

Description.

var-string

Maximum length: 128

keyboard-layout

Keyboard layout.

option

-

en-us

Option

Description

ar-101

Arabic (101).

ar-102

Arabic (102).

ar-102-azerty

Arabic (102) AZERTY.

can-mul

Canadian Multilingual Standard.

cz

Czech.

cz-qwerty

Czech (QWERTY).

cz-pr

Czech Programmers.

da

Danish.

nl

Dutch.

de

German.

de-ch

German, Switzerland.

de-ibm

German (IBM).

en-uk

English, United Kingdom.

en-uk-ext

English, United Kingdom Extended.

en-us

English, United States.

en-us-dvorak

English, United States-Dvorak.

es

Spanish.

es-var

Spanish Variation.

fi

Finnish.

fi-sami

Finnish with Sami.

fr

French.

fr-apple

French, Apple.

fr-ca

French, Canada.

fr-ch

French, Switzerland.

fr-be

French, Belgium.

hr

Croatian.

hu

Hungarian.

hu-101

Hungarian 101-Key.

it

Italian.

it-142

Italian (142).

ja

Japanese.

ko

Korean.

lt

Lithuanian.

lt-ibm

Lithuanian IBM.

lt-std

Lithuanian Standard.

lav-std

Latvian (Standard).

lav-leg

Latvian (Legacy).

mk

Macedonian (FYROM).

mk-std

Macedonian (FYROM) - Standard.

no

Norwegian.

no-sami

Norwegian with Sami.

pol-214

Polish (214).

pol-pr

Polish (Programmers).

pt

Portuguese.

pt-br

Portuguese (Brazilian ABNT).

pt-br-abnt2

Portuguese (Brazilian ABNT2).

ru

Russian.

ru-mne

Russian - Mnemonic.

ru-t

Russian (Typewriter).

sl

Slovenian.

sv

Swedish.

sv-sami

Swedish with Sami.

tuk

Turkmen.

tur-f

Turkish F.

tur-q

Turkish Q.

zh-sym-sg-us

Chinese (Simplified, Singapore) - US keyboard.

zh-sym-us

Chinese (Simplified) - US Keyboard.

zh-tr-hk

Chinese (Traditional, Hong Kong S.A.R.).

zh-tr-mo

Chinese (Traditional Macao S.A.R.) - US Keyboard.

zh-tr-us

Chinese (Traditional) - US keyboard.

security

Security mode for RDP connection.

option

-

rdp

Option

Description

any

Allow the server to choose the type of security.

rdp

Standard RDP encryption.

nla

Network Level Authentication.

tls

TLS encryption.

send-preconnection-id

Enable/disable sending of preconnection ID.

option

-

disable

Option

Description

enable

Enable sending of preconnection ID.

disable

Disable sending of preconnection ID.

preconnection-id

The numeric ID of the RDP source.

integer

Minimum value: 0 Maximum value: 4294967295

0

preconnection-blob

An arbitrary string which identifies the RDP source.

var-string

Maximum length: 511

load-balancing-info

The load balancing information or cookie which should be provided to the connection broker.

var-string

Maximum length: 511

restricted-admin

Enable/disable restricted admin mode for RDP.

option

-

disable

Option

Description

enable

Enable restricted admin mode for RDP.

disable

Disable restricted admin mode for RDP.

port

Remote port.

integer

Minimum value: 0 Maximum value: 65535

0

logon-user

Logon user.

var-string

Maximum length: 35

logon-password

Logon password.

password

Not Specified

color-depth

Color depth per pixel.

option

-

16

Option

Description

32

32 bits per pixel.

16

16 bits per pixel.

8

8 bits per pixel.

sso

Single Sign-On.

option

-

disable

Option

Description

disable

Disable SSO.

static

Static SSO.

auto

Auto SSO.

sso-credential

Single sign-on credentials.

option

-

sslvpn-login

Option

Description

sslvpn-login

SSL-VPN login.

alternative

Alternative.

sso-username

SSO user name.

var-string

Maximum length: 35

sso-password

SSO password.

password

Not Specified

sso-credential-sent-once

Single sign-on credentials are only sent once to remote server.

option

-

disable

Option

Description

enable

Single sign-on credentials are only sent once to remote server.

disable

Single sign-on credentials are sent to remote server for every HTTP request.

width

Screen width.

integer

Minimum value: 0 Maximum value: 65535

0

height

Screen height.

integer

Minimum value: 0 Maximum value: 65535

0

config form-data

Parameter

Description

Type

Size

Default

value

Value.

var-string

Maximum length: 63
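Worked example for the bookmark and form-data tables above: an RDP bookmark to a jump host and a web bookmark with static SSO. security is set to nla rather than any, because any lets the server pick and a server that still offers standard RDP encryption can be negotiated down to it; restricted-admin keeps the user's password off the remote host. This is an added example, not configuration from this reference or from Fortinet; the portal, group and bookmark names, host addresses, URL and the form field name are assumptions.

```text
config vpn ssl web portal
    edit "web-restricted"
        config bookmark-group
            edit "admin-jump"
                config bookmarks
                    # RDP: NLA authenticates the user before a session is
                    # created; Restricted Admin logs on without sending the
                    # password to the host; no SSO, so nothing is stored on
                    # the portal for this target.
                    edit "rdp-jump01"
                        set apptype rdp
                        set host "10.10.20.15"
                        set port 3389
                        set security nla
                        set restricted-admin enable
                        set keyboard-layout en-us
                        set color-depth 16
                        set sso disable
                        set description "Admin jump host (RDP, NLA)"
                    next
                    # Web app with static SSO: the user's own SSL-VPN login is
                    # submitted to the form once, not replayed on every HTTP
                    # request, and the portal-level hide-sso-credential keeps
                    # it out of the browser.
                    edit "intranet"
                        set apptype web
                        set url "https://intranet.corp.example.com/login"
                        set sso static
                        set sso-credential sslvpn-login
                        set sso-credential-sent-once enable
                        config form-data
                            # Entry name is the form field name (assumption);
                            # value is the literal posted for it.
                            edit "domain"
                                set value "CORP"
                            next
                        end
                    next
                end
            next
        end
    next
end
```

Prefer sso-credential sslvpn-login over alternative: alternative stores one shared sso-username/sso-password on the portal and hands every portal user the same account on the target, which defeats per-user accountability on that application.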

config mac-addr-check-rule

Parameter

Description

Type

Size

Default

mac-addr-mask

Client MAC address mask.

integer

Minimum value: 1 Maximum value: 48

48

mac-addr-list <addr>

Client MAC address list.

Client MAC address.

mac-address

Not Specified

config os-check-list

Parameter

Description

Type

Size

Default

action

OS check options.

option

-

allow

Option

Description

deny

Deny all OS versions.

allow

Allow any OS version.

check-up-to-date

Verify OS is up-to-date.

tolerance

OS patch level tolerance.

integer

Minimum value: 0 Maximum value: 65535

0

latest-patch-level

Latest OS patch level.

user

Not Specified

0
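Worked example for the endpoint-check parameters (host-check, mac-addr-check, os-check, limit-user-logins, the FortiClient download URL) and the mac-addr-check-rule and os-check-list tables above. This is an added example, not configuration from this reference or from Fortinet; the portal and rule names, MAC addresses, OS entry names, patch level and download URLs are assumptions.

```text
config vpn ssl web portal
    edit "tunnel-split"
        # Require AV and firewall recognized by Windows Security Center,
        # re-check hourly (minimum 120 s), and do not waive the check for
        # clients that cannot run it: both skip-* options default to enable,
        # which lets an unsupported OS or browser bypass host checking.
        set host-check av-fw
        set host-check-interval 3600
        set skip-check-for-unsupported-os disable
        set skip-check-for-browser disable
        # MAC allow-list: mac-addr-mask 48 compares the full address. The MAC
        # is reported by the client software (it is not visible to the
        # FortiProxy across a routed path), so treat this as an inventory
        # control, not as proof of device identity.
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "managed-laptops"
                set mac-addr-mask 48
                set mac-addr-list 00:11:22:aa:bb:01 00:11:22:aa:bb:02
            next
        end
        # OS check: refuse an end-of-life OS outright and require the current
        # patch level (tolerance 0) on the supported one. Entry names and the
        # patch level are assumptions; use the names your build offers.
        set os-check enable
        config os-check-list
            edit "windows-7"
                set action deny
            next
            edit "windows-10"
                set action check-up-to-date
                set tolerance 0
                set latest-patch-level 19045
            next
        end
        # One session per user, and FortiClient only from the approved URL.
        set limit-user-logins enable
        set forticlient-download enable
        set forticlient-download-method direct
        set customize-forticlient-download-url enable
        set windows-forticlient-download-url "https://dl.corp.example.com/FortiClient.msi"
        set macos-forticlient-download-url "https://dl.corp.example.com/FortiClient.dmg"
    next
end
```

Pair mac-addr-action allow with a complete list of managed adapters; with mac-addr-action deny the same list becomes a block-list and every unlisted adapter, including a spoofed one, is admitted.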

config split-dns

Parameter

Description

Type

Size

Default

domains

Split DNS domains used for SSL-VPN clients, separated by commas.

var-string

Maximum length: 1024

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0
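Worked example for the split-dns table above. Only queries for the listed domains are sent to the tunnel resolvers; everything else stays with the client's local resolver, so this belongs on a split-tunnel portal. On a full-tunnel portal with exclusive routing, set the portal-level dns-server1/dns-server2 instead so that no query is answered outside the tunnel. This is an added example, not configuration from this reference or from Fortinet; the portal name, domains and resolver addresses are assumptions.

```text
config vpn ssl web portal
    edit "tunnel-split"
        config split-dns
            edit 1
                set domains "corp.example.com,internal.example.com"
                set dns-server1 10.10.0.53
                set dns-server2 10.10.0.54
            next
        end
    next
end
```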