Fortinet white logo
Fortinet white logo

CLI Reference

vpn ssl settings

Configure SSL VPN.

  config vpn ssl settings
      Description: Configure SSL VPN.
      set reqclientcert [enable|disable]
      set user-peer {string}
      set ssl-max-proto-ver [tls1-0|tls1-1|...]
      set ssl-min-proto-ver [tls1-0|tls1-1|...]
      set tlsv1-0 [enable|disable]
      set tlsv1-1 [enable|disable]
      set tlsv1-2 [enable|disable]
      set tlsv1-3 [enable|disable]
      set banned-cipher {option1}, {option2}, ...
      set ssl-insert-empty-fragment [enable|disable]
      set https-redirect [enable|disable]
      set x-content-type-options [enable|disable]
      set ssl-client-renegotiation [disable|enable]
      set force-two-factor-auth [enable|disable]
      set unsafe-legacy-renegotiation [enable|disable]
      set servercert {string}
      set algorithm [high|medium|...]
      set idle-timeout {integer}
      set auth-timeout {integer}
      set login-attempt-limit {integer}
      set login-block-time {integer}
      set login-timeout {integer}
      set dtls-hello-timeout {integer}
      set tunnel-ip-pools <name1>, <name2>, ...
      set tunnel-ipv6-pools <name1>, <name2>, ...
      set dns-suffix {var-string}
      set dns-server1 {ipv4-address}
      set dns-server2 {ipv4-address}
      set wins-server1 {ipv4-address}
      set wins-server2 {ipv4-address}
      set ipv6-dns-server1 {ipv6-address}
      set ipv6-dns-server2 {ipv6-address}
      set ipv6-wins-server1 {ipv6-address}
      set ipv6-wins-server2 {ipv6-address}
      set route-source-interface [enable|disable]
      set url-obscuration [enable|disable]
      set http-compression [enable|disable]
      set http-only-cookie [enable|disable]
      set deflate-compression-level {integer}
      set deflate-min-data-size {integer}
      set port {integer}
      set port-precedence [enable|disable]
      set auto-tunnel-static-route [enable|disable]
      set header-x-forwarded-for [pass|add|...]
      set source-interface <name1>, <name2>, ...
      set source-address <name1>, <name2>, ...
      set source-address-negate [enable|disable]
      set source-address6 <name1>, <name2>, ...
      set source-address6-negate [enable|disable]
      set default-portal {string}
      config authentication-rule
          Description: Authentication rule for SSL VPN.
          edit <id>
              set source-interface <name1>, <name2>, ...
              set source-address <name1>, <name2>, ...
              set source-address-negate [enable|disable]
              set source-address6 <name1>, <name2>, ...
              set source-address6-negate [enable|disable]
              set users <name1>, <name2>, ...
              set groups <name1>, <name2>, ...
              set portal {string}
              set realm {string}
              set client-cert [enable|disable]
              set user-peer {string}
              set cipher [any|high|...]
              set auth [any|local|...]
          next
      end
      set dtls-tunnel [enable|disable]
      set dtls-max-proto-ver [dtls1-0|dtls1-2]
      set dtls-min-proto-ver [dtls1-0|dtls1-2]
      set check-referer [enable|disable]
      set http-request-header-timeout {integer}
      set http-request-body-timeout {integer}
      set auth-session-check-source-ip [enable|disable]
      set tunnel-connect-without-reauth [enable|disable]
      set tunnel-user-session-timeout {integer}
      set hsts-include-subdomains [enable|disable]
  end

config vpn ssl settings

Parameter Name Description Type Size
reqclientcert Enable to require client certificates for all SSL-VPN users.
enable: Enable setting.
disable: Disable setting.
option -
user-peer Name of user peer. string Maximum length: 35
ssl-max-proto-ver SSL maximum protocol version.
tls1-0: TLS version 1.0.
tls1-1: TLS version 1.1.
tls1-2: TLS version 1.2.
tls1-3: TLS version 1.3.
option -
ssl-min-proto-ver SSL minimum protocol version.
tls1-0: TLS version 1.0.
tls1-1: TLS version 1.1.
tls1-2: TLS version 1.2.
tls1-3: TLS version 1.3.
option -
tlsv1-0 tlsv1-0
enable: Enable setting.
disable: Disable setting.
option -
tlsv1-1 tlsv1-1
enable: Enable setting.
disable: Disable setting.
option -
tlsv1-2 tlsv1-2
enable: Enable setting.
disable: Disable setting.
option -
tlsv1-3 tlsv1-3
enable: Enable setting.
disable: Disable setting.
option -
banned-cipher Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
RSA: Ban the use of cipher suites using RSA key.
DHE: Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDHE: Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS: Ban the use of cipher suites using DSS authentication.
ECDSA: Ban the use of cipher suites using ECDSA authentication.
AES: Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM: Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA: Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES: Ban the use of cipher suites using triple DES
SHA1: Ban the use of cipher suites using HMAC-SHA1.
SHA256: Ban the use of cipher suites using HMAC-SHA256.
SHA384: Ban the use of cipher suites using HMAC-SHA384.
STATIC: Ban the use of cipher suites using static keys.
option -
ssl-insert-empty-fragment Enable/disable insertion of empty fragment.
enable: Enable setting.
disable: Disable setting.
option -
https-redirect Enable/disable redirect of port 80 to SSL-VPN port.
enable: Enable setting.
disable: Disable setting.
option -
x-content-type-options Add HTTP X-Content-Type-Options header.
enable: Enable setting.
disable: Disable setting.
option -
ssl-client-renegotiation Enable to allow client renegotiation by the server if the tunnel goes down.
disable: Abort any SSL connection that attempts to renegotiate.
enable: Allow a SSL client to renegotiate.
option -
force-two-factor-auth Enable only PKI users with two-factor authentication for SSL-VPNs.
enable: Enable setting.
disable: Disable setting.
option -
unsafe-legacy-renegotiation Enable/disable unsafe legacy re-negotiation.
enable: Enable setting.
disable: Disable setting.
option -
servercert Name of the server certificate to be used for SSL-VPNs. string Maximum length: 35
algorithm Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
high: High algorithms.
medium: High and medium algorithms.
default: default
low: All algorithms.
option -
idle-timeout SSL VPN disconnects if idle for specified time in seconds. integer Minimum value: 0 Maximum value: 259200
auth-timeout SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). integer Minimum value: 0 Maximum value: 259200
login-attempt-limit SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). integer Minimum value: 0 Maximum value: 4294967295
login-block-time Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). integer Minimum value: 0 Maximum value: 4294967295
login-timeout SSLVPN maximum login timeout (10 - 180 sec, default = 30). integer Minimum value: 10 Maximum value: 180
dtls-hello-timeout SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). integer Minimum value: 10 Maximum value: 60
tunnel-ip-pools <name> Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
Address name.
string Maximum length: 79
tunnel-ipv6-pools <name> Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
Address name.
string Maximum length: 79
dns-suffix DNS suffix used for SSL-VPN clients. var-string Maximum length: 253
dns-server1 DNS server 1. ipv4-address Not Specified
dns-server2 DNS server 2. ipv4-address Not Specified
wins-server1 WINS server 1. ipv4-address Not Specified
wins-server2 WINS server 2. ipv4-address Not Specified
ipv6-dns-server1 IPv6 DNS server 1. ipv6-address Not Specified
ipv6-dns-server2 IPv6 DNS server 2. ipv6-address Not Specified
ipv6-wins-server1 IPv6 WINS server 1. ipv6-address Not Specified
ipv6-wins-server2 IPv6 WINS server 2. ipv6-address Not Specified
route-source-interface Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
enable: Enable setting.
disable: Disable setting.
option -
url-obscuration Enable to obscure the host name of the URL of the web browser display.
enable: Enable setting.
disable: Disable setting.
option -
http-compression Enable to allow HTTP compression over SSL-VPN tunnels.
enable: Enable setting.
disable: Disable setting.
option -
http-only-cookie Enable/disable SSL-VPN support for HttpOnly cookies.
enable: Enable setting.
disable: Disable setting.
option -
deflate-compression-level Compression level (0~9). integer Minimum value: 0 Maximum value: 9
deflate-min-data-size Minimum amount of data that triggers compression (200 - 65535 bytes). integer Minimum value: 200 Maximum value: 65535
port SSL-VPN access port (1 - 65535). integer Minimum value: 1 Maximum value: 65535
port-precedence Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
enable: Enable setting.
disable: Disable setting.
option -
auto-tunnel-static-route Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
enable: Enable setting.
disable: Disable setting.
option -
header-x-forwarded-for Forward the same, add, or remove HTTP header.
pass: Forward the same HTTP header.
add: Add the HTTP header.
remove: Remove the HTTP header.
option -
source-interface <name> SSL VPN source interface of incoming traffic.
Interface name.
string Maximum length: 35
source-address <name> Source address of incoming traffic.
Address name.
string Maximum length: 79
source-address-negate Enable/disable negated source address match.
enable: Enable setting.
disable: Disable setting.
option -
source-address6 <name> IPv6 source address of incoming traffic.
IPv6 address name.
string Maximum length: 79
source-address6-negate Enable/disable negated source IPv6 address match.
enable: Enable setting.
disable: Disable setting.
option -
default-portal Default SSL VPN portal. string Maximum length: 35
dtls-tunnel Enable DTLS to prevent eavesdropping, tampering, or message forgery.
enable: Enable setting.
disable: Disable setting.
option -
dtls-max-proto-ver DTLS maximum protocol version.
dtls1-0: DTLS version 1.0.
dtls1-2: DTLS version 1.2.
option -
dtls-min-proto-ver DTLS minimum protocol version.
dtls1-0: DTLS version 1.0.
dtls1-2: DTLS version 1.2.
option -
check-referer Enable/disable verification of referer field in HTTP request header.
enable: Enable verification of referer field in HTTP request header.
disable: Disable verification of referer field in HTTP request header.
option -
http-request-header-timeout SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). integer Minimum value: 0 Maximum value: 4294967295
http-request-body-timeout SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). integer Minimum value: 0 Maximum value: 4294967295
auth-session-check-source-ip Enable/disable checking of source IP for authentication session.
enable: Enable checking of source IP for authentication session.
disable: Disable checking of source IP for authentication session.
option -
tunnel-connect-without-reauth Enable/disable tunnel connection without re-authorization if previous connection dropped.
enable: Enable tunnel connection without re-authorization.
disable: Disable tunnel connection without re-authorization.
option -
tunnel-user-session-timeout Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30). integer Minimum value: 1 Maximum value: 255
hsts-include-subdomains Add HSTS includeSubDomains response header.
enable: Enable setting.
disable: Disable setting.
option -
Parameter Name Description Type Size
source-interface <name> SSL VPN source interface of incoming traffic.
Interface name.
string Maximum length: 35
source-address <name> Source address of incoming traffic.
Address name.
string Maximum length: 79
source-address-negate Enable/disable negated source address match.
enable: Enable setting.
disable: Disable setting.
option -
source-address6 <name> IPv6 source address of incoming traffic.
IPv6 address name.
string Maximum length: 79
source-address6-negate Enable/disable negated source IPv6 address match.
enable: Enable setting.
disable: Disable setting.
option -
users <name> User name.
User name.
string Maximum length: 79
groups <name> User groups.
Group name.
string Maximum length: 79
portal SSL VPN portal. string Maximum length: 35
realm SSL VPN realm. string Maximum length: 35
client-cert Enable/disable SSL VPN client certificate restrictive.
enable: Enable setting.
disable: Disable setting.
option -
user-peer Name of user peer. string Maximum length: 35
cipher SSL VPN cipher strength.
any: Any cipher strength.
high: High cipher strength (>= 168 bits).
medium: Medium cipher strength (>= 128 bits).
option -
auth SSL VPN authentication method restriction.
any: Any
local: Local
radius: RADIUS
tacacs+: TACACS+
ldap: LDAP
option -

vpn ssl settings

Configure SSL VPN.

  config vpn ssl settings
      Description: Configure SSL VPN.
      set reqclientcert [enable|disable]
      set user-peer {string}
      set ssl-max-proto-ver [tls1-0|tls1-1|...]
      set ssl-min-proto-ver [tls1-0|tls1-1|...]
      set tlsv1-0 [enable|disable]
      set tlsv1-1 [enable|disable]
      set tlsv1-2 [enable|disable]
      set tlsv1-3 [enable|disable]
      set banned-cipher {option1}, {option2}, ...
      set ssl-insert-empty-fragment [enable|disable]
      set https-redirect [enable|disable]
      set x-content-type-options [enable|disable]
      set ssl-client-renegotiation [disable|enable]
      set force-two-factor-auth [enable|disable]
      set unsafe-legacy-renegotiation [enable|disable]
      set servercert {string}
      set algorithm [high|medium|...]
      set idle-timeout {integer}
      set auth-timeout {integer}
      set login-attempt-limit {integer}
      set login-block-time {integer}
      set login-timeout {integer}
      set dtls-hello-timeout {integer}
      set tunnel-ip-pools <name1>, <name2>, ...
      set tunnel-ipv6-pools <name1>, <name2>, ...
      set dns-suffix {var-string}
      set dns-server1 {ipv4-address}
      set dns-server2 {ipv4-address}
      set wins-server1 {ipv4-address}
      set wins-server2 {ipv4-address}
      set ipv6-dns-server1 {ipv6-address}
      set ipv6-dns-server2 {ipv6-address}
      set ipv6-wins-server1 {ipv6-address}
      set ipv6-wins-server2 {ipv6-address}
      set route-source-interface [enable|disable]
      set url-obscuration [enable|disable]
      set http-compression [enable|disable]
      set http-only-cookie [enable|disable]
      set deflate-compression-level {integer}
      set deflate-min-data-size {integer}
      set port {integer}
      set port-precedence [enable|disable]
      set auto-tunnel-static-route [enable|disable]
      set header-x-forwarded-for [pass|add|...]
      set source-interface <name1>, <name2>, ...
      set source-address <name1>, <name2>, ...
      set source-address-negate [enable|disable]
      set source-address6 <name1>, <name2>, ...
      set source-address6-negate [enable|disable]
      set default-portal {string}
      config authentication-rule
          Description: Authentication rule for SSL VPN.
          edit <id>
              set source-interface <name1>, <name2>, ...
              set source-address <name1>, <name2>, ...
              set source-address-negate [enable|disable]
              set source-address6 <name1>, <name2>, ...
              set source-address6-negate [enable|disable]
              set users <name1>, <name2>, ...
              set groups <name1>, <name2>, ...
              set portal {string}
              set realm {string}
              set client-cert [enable|disable]
              set user-peer {string}
              set cipher [any|high|...]
              set auth [any|local|...]
          next
      end
      set dtls-tunnel [enable|disable]
      set dtls-max-proto-ver [dtls1-0|dtls1-2]
      set dtls-min-proto-ver [dtls1-0|dtls1-2]
      set check-referer [enable|disable]
      set http-request-header-timeout {integer}
      set http-request-body-timeout {integer}
      set auth-session-check-source-ip [enable|disable]
      set tunnel-connect-without-reauth [enable|disable]
      set tunnel-user-session-timeout {integer}
      set hsts-include-subdomains [enable|disable]
  end

config vpn ssl settings

Parameter Name Description Type Size
reqclientcert Enable to require client certificates for all SSL-VPN users.
enable: Enable setting.
disable: Disable setting.
option -
user-peer Name of user peer. string Maximum length: 35
ssl-max-proto-ver SSL maximum protocol version.
tls1-0: TLS version 1.0.
tls1-1: TLS version 1.1.
tls1-2: TLS version 1.2.
tls1-3: TLS version 1.3.
option -
ssl-min-proto-ver SSL minimum protocol version.
tls1-0: TLS version 1.0.
tls1-1: TLS version 1.1.
tls1-2: TLS version 1.2.
tls1-3: TLS version 1.3.
option -
tlsv1-0 tlsv1-0
enable: Enable setting.
disable: Disable setting.
option -
tlsv1-1 tlsv1-1
enable: Enable setting.
disable: Disable setting.
option -
tlsv1-2 tlsv1-2
enable: Enable setting.
disable: Disable setting.
option -
tlsv1-3 tlsv1-3
enable: Enable setting.
disable: Disable setting.
option -
banned-cipher Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
RSA: Ban the use of cipher suites using RSA key.
DHE: Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDHE: Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS: Ban the use of cipher suites using DSS authentication.
ECDSA: Ban the use of cipher suites using ECDSA authentication.
AES: Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM: Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA: Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES: Ban the use of cipher suites using triple DES
SHA1: Ban the use of cipher suites using HMAC-SHA1.
SHA256: Ban the use of cipher suites using HMAC-SHA256.
SHA384: Ban the use of cipher suites using HMAC-SHA384.
STATIC: Ban the use of cipher suites using static keys.
option -
ssl-insert-empty-fragment Enable/disable insertion of empty fragment.
enable: Enable setting.
disable: Disable setting.
option -
https-redirect Enable/disable redirect of port 80 to SSL-VPN port.
enable: Enable setting.
disable: Disable setting.
option -
x-content-type-options Add HTTP X-Content-Type-Options header.
enable: Enable setting.
disable: Disable setting.
option -
ssl-client-renegotiation Enable to allow client renegotiation by the server if the tunnel goes down.
disable: Abort any SSL connection that attempts to renegotiate.
enable: Allow a SSL client to renegotiate.
option -
force-two-factor-auth Enable only PKI users with two-factor authentication for SSL-VPNs.
enable: Enable setting.
disable: Disable setting.
option -
unsafe-legacy-renegotiation Enable/disable unsafe legacy re-negotiation.
enable: Enable setting.
disable: Disable setting.
option -
servercert Name of the server certificate to be used for SSL-VPNs. string Maximum length: 35
algorithm Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
high: High algorithms.
medium: High and medium algorithms.
default: default
low: All algorithms.
option -
idle-timeout SSL VPN disconnects if idle for specified time in seconds. integer Minimum value: 0 Maximum value: 259200
auth-timeout SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). integer Minimum value: 0 Maximum value: 259200
login-attempt-limit SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). integer Minimum value: 0 Maximum value: 4294967295
login-block-time Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). integer Minimum value: 0 Maximum value: 4294967295
login-timeout SSLVPN maximum login timeout (10 - 180 sec, default = 30). integer Minimum value: 10 Maximum value: 180
dtls-hello-timeout SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). integer Minimum value: 10 Maximum value: 60
tunnel-ip-pools <name> Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
Address name.
string Maximum length: 79
tunnel-ipv6-pools <name> Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
Address name.
string Maximum length: 79
dns-suffix DNS suffix used for SSL-VPN clients. var-string Maximum length: 253
dns-server1 DNS server 1. ipv4-address Not Specified
dns-server2 DNS server 2. ipv4-address Not Specified
wins-server1 WINS server 1. ipv4-address Not Specified
wins-server2 WINS server 2. ipv4-address Not Specified
ipv6-dns-server1 IPv6 DNS server 1. ipv6-address Not Specified
ipv6-dns-server2 IPv6 DNS server 2. ipv6-address Not Specified
ipv6-wins-server1 IPv6 WINS server 1. ipv6-address Not Specified
ipv6-wins-server2 IPv6 WINS server 2. ipv6-address Not Specified
route-source-interface Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
enable: Enable setting.
disable: Disable setting.
option -
url-obscuration Enable to obscure the host name of the URL of the web browser display.
enable: Enable setting.
disable: Disable setting.
option -
http-compression Enable to allow HTTP compression over SSL-VPN tunnels.
enable: Enable setting.
disable: Disable setting.
option -
http-only-cookie Enable/disable SSL-VPN support for HttpOnly cookies.
enable: Enable setting.
disable: Disable setting.
option -
deflate-compression-level Compression level (0~9). integer Minimum value: 0 Maximum value: 9
deflate-min-data-size Minimum amount of data that triggers compression (200 - 65535 bytes). integer Minimum value: 200 Maximum value: 65535
port SSL-VPN access port (1 - 65535). integer Minimum value: 1 Maximum value: 65535
port-precedence Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
enable: Enable setting.
disable: Disable setting.
option -
auto-tunnel-static-route Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
enable: Enable setting.
disable: Disable setting.
option -
header-x-forwarded-for Forward the same, add, or remove HTTP header.
pass: Forward the same HTTP header.
add: Add the HTTP header.
remove: Remove the HTTP header.
option -
source-interface <name> SSL VPN source interface of incoming traffic.
Interface name.
string Maximum length: 35
source-address <name> Source address of incoming traffic.
Address name.
string Maximum length: 79
source-address-negate Enable/disable negated source address match.
enable: Enable setting.
disable: Disable setting.
option -
source-address6 <name> IPv6 source address of incoming traffic.
IPv6 address name.
string Maximum length: 79
source-address6-negate Enable/disable negated source IPv6 address match.
enable: Enable setting.
disable: Disable setting.
option -
default-portal Default SSL VPN portal. string Maximum length: 35
dtls-tunnel Enable DTLS to prevent eavesdropping, tampering, or message forgery.
enable: Enable setting.
disable: Disable setting.
option -
dtls-max-proto-ver DTLS maximum protocol version.
dtls1-0: DTLS version 1.0.
dtls1-2: DTLS version 1.2.
option -
dtls-min-proto-ver DTLS minimum protocol version.
dtls1-0: DTLS version 1.0.
dtls1-2: DTLS version 1.2.
option -
check-referer Enable/disable verification of referer field in HTTP request header.
enable: Enable verification of referer field in HTTP request header.
disable: Disable verification of referer field in HTTP request header.
option -
http-request-header-timeout SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). integer Minimum value: 0 Maximum value: 4294967295
http-request-body-timeout SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). integer Minimum value: 0 Maximum value: 4294967295
auth-session-check-source-ip Enable/disable checking of source IP for authentication session.
enable: Enable checking of source IP for authentication session.
disable: Disable checking of source IP for authentication session.
option -
tunnel-connect-without-reauth Enable/disable tunnel connection without re-authorization if previous connection dropped.
enable: Enable tunnel connection without re-authorization.
disable: Disable tunnel connection without re-authorization.
option -
tunnel-user-session-timeout Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30). integer Minimum value: 1 Maximum value: 255
hsts-include-subdomains Add HSTS includeSubDomains response header.
enable: Enable setting.
disable: Disable setting.
option -
Parameter Name Description Type Size
source-interface <name> SSL VPN source interface of incoming traffic.
Interface name.
string Maximum length: 35
source-address <name> Source address of incoming traffic.
Address name.
string Maximum length: 79
source-address-negate Enable/disable negated source address match.
enable: Enable setting.
disable: Disable setting.
option -
source-address6 <name> IPv6 source address of incoming traffic.
IPv6 address name.
string Maximum length: 79
source-address6-negate Enable/disable negated source IPv6 address match.
enable: Enable setting.
disable: Disable setting.
option -
users <name> User name.
User name.
string Maximum length: 79
groups <name> User groups.
Group name.
string Maximum length: 79
portal SSL VPN portal. string Maximum length: 35
realm SSL VPN realm. string Maximum length: 35
client-cert Enable/disable SSL VPN client certificate restrictive.
enable: Enable setting.
disable: Disable setting.
option -
user-peer Name of user peer. string Maximum length: 35
cipher SSL VPN cipher strength.
any: Any cipher strength.
high: High cipher strength (>= 168 bits).
medium: Medium cipher strength (>= 128 bits).
option -
auth SSL VPN authentication method restriction.
any: Any
local: Local
radius: RADIUS
tacacs+: TACACS+
ldap: LDAP
option -