Fortinet white logo
Fortinet white logo

CLI Reference

config vpn ssl settings

config vpn ssl settings

Configure SSL-VPN.

config vpn ssl settings
    Description: Configure SSL-VPN.
    set algorithm [high|medium|...]
    set auth-session-check-source-ip [enable|disable]
    set auth-timeout {integer}
    config authentication-rule
        Description: Authentication rule for SSL-VPN.
        edit <id>
            set auth [any|local|...]
            set cipher [any|high|...]
            set client-cert [enable|disable]
            set groups <name1>, <name2>, ...
            set portal {string}
            set realm {string}
            set source-address <name1>, <name2>, ...
            set source-address-negate [enable|disable]
            set source-address6 <name1>, <name2>, ...
            set source-address6-negate [enable|disable]
            set source-interface <name1>, <name2>, ...
            set user-peer {string}
            set users <name1>, <name2>, ...
        next
    end
    set auto-tunnel-static-route [enable|disable]
    set banned-cipher {option1}, {option2}, ...
    set browser-language-detection [enable|disable]
    set check-referer [enable|disable]
    set ciphersuite {option1}, {option2}, ...
    set client-sigalgs [no-rsa-pss|all]
    set default-portal {string}
    set deflate-compression-level {integer}
    set deflate-min-data-size {integer}
    set dns-server1 {ipv4-address}
    set dns-server2 {ipv4-address}
    set dns-suffix {var-string}
    set dtls-heartbeat-fail-count {integer}
    set dtls-heartbeat-idle-timeout {integer}
    set dtls-heartbeat-interval {integer}
    set dtls-hello-timeout {integer}
    set dtls-max-proto-ver [dtls1-0|dtls1-2]
    set dtls-min-proto-ver [dtls1-0|dtls1-2]
    set dtls-tunnel [enable|disable]
    set dual-stack-mode [enable|disable]
    set encode-2f-sequence [enable|disable]
    set encrypt-and-store-password [enable|disable]
    set force-two-factor-auth [enable|disable]
    set header-x-forwarded-for [pass|add|...]
    set hsts-include-subdomains [enable|disable]
    set http-compression [enable|disable]
    set http-only-cookie [enable|disable]
    set http-request-body-timeout {integer}
    set http-request-header-timeout {integer}
    set https-redirect [enable|disable]
    set idle-timeout {integer}
    set ipv6-dns-server1 {ipv6-address}
    set ipv6-dns-server2 {ipv6-address}
    set ipv6-wins-server1 {ipv6-address}
    set ipv6-wins-server2 {ipv6-address}
    set login-attempt-limit {integer}
    set login-block-time {integer}
    set login-timeout {integer}
    set port {integer}
    set port-precedence [enable|disable]
    set reqclientcert [enable|disable]
    set saml-redirect-port {integer}
    set server-hostname {string}
    set servercert {string}
    set source-address <name1>, <name2>, ...
    set source-address-negate [enable|disable]
    set source-address6 <name1>, <name2>, ...
    set source-address6-negate [enable|disable]
    set source-interface <name1>, <name2>, ...
    set ssl-client-renegotiation [disable|enable]
    set ssl-insert-empty-fragment [enable|disable]
    set ssl-max-proto-ver [tls1-0|tls1-1|...]
    set ssl-min-proto-ver [tls1-0|tls1-1|...]
    set status [enable|disable]
    set transform-backward-slashes [enable|disable]
    set tunnel-addr-assigned-method [first-available|round-robin]
    set tunnel-connect-without-reauth [enable|disable]
    set tunnel-ip-pools <name1>, <name2>, ...
    set tunnel-ipv6-pools <name1>, <name2>, ...
    set tunnel-user-session-timeout {integer}
    set unsafe-legacy-renegotiation [enable|disable]
    set url-obscuration [enable|disable]
    set user-peer {string}
    set wins-server1 {ipv4-address}
    set wins-server2 {ipv4-address}
    set x-content-type-options [enable|disable]
    set ztna-trusted-client [enable|disable]
end

config vpn ssl settings

Parameter

Description

Type

Size

Default

algorithm

Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.

option

-

high

Option

Description

high

High algorithms.

medium

High and medium algorithms.

default

default

low

All algorithms.

auth-session-check-source-ip

Enable/disable checking of source IP for authentication session.

option

-

enable

Option

Description

enable

Enable checking of source IP for authentication session.

disable

Disable checking of source IP for authentication session.

auth-timeout

SSL-VPN authentication timeout.

integer

Minimum value: 0 Maximum value: 259200

28800

auto-tunnel-static-route

Enable/disable to auto-create static routes for the SSL-VPN tunnel IP addresses.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

banned-cipher

Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Only applies to TLS 1.2 and below.

option

-

SHA1 SHA256 SHA384

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

CHACHA20

Ban the use of cipher suites using ChaCha20.

ARIA

Ban the use of cipher suites using ARIA.

AESCCM

Ban the use of cipher suites using AESCCM.

browser-language-detection

Enable/disable overriding the configured system language based on the preferred language of the browser.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

check-referer

Enable/disable verification of referer field in HTTP request header.

option

-

disable

Option

Description

enable

Enable verification of referer field in HTTP request header.

disable

Disable verification of referer field in HTTP request header.

ciphersuite

Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below.

option

-

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

Option

Description

TLS-AES-128-GCM-SHA256

Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

TLS-AES-256-GCM-SHA384

Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.

TLS-CHACHA20-POLY1305-SHA256

Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

TLS-AES-128-CCM-SHA256

Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

TLS-AES-128-CCM-8-SHA256

Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

client-sigalgs

Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only.

option

-

all

Option

Description

no-rsa-pss

Disable RSA-PSS signature algorithms for client authentication.

all

Enable all supported signature algorithms for client authentication.

default-portal

Default SSL-VPN portal.

string

Maximum length: 35

deflate-compression-level

Compression level (0~9).

integer

Minimum value: 0 Maximum value: 9

6

deflate-min-data-size

Minimum amount of data that triggers compression.

integer

Minimum value: 200 Maximum value: 65535

300

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

dns-suffix

DNS suffix used for SSL-VPN clients.

var-string

Maximum length: 253

dtls-heartbeat-fail-count

Number of missing heartbeats before the connection is considered dropped.

integer

Minimum value: 3 Maximum value: 10

3

dtls-heartbeat-idle-timeout

Idle timeout before DTLS heartbeat is sent.

integer

Minimum value: 3 Maximum value: 10

3

dtls-heartbeat-interval

Interval between DTLS heartbeat.

integer

Minimum value: 3 Maximum value: 10

3

dtls-hello-timeout

SSLVPN maximum DTLS hello timeout.

integer

Minimum value: 10 Maximum value: 60

10

dtls-max-proto-ver

DTLS maximum protocol version.

option

-

dtls1-2

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

dtls-min-proto-ver

DTLS minimum protocol version.

option

-

dtls1-0

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

dtls-tunnel

Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

dual-stack-mode

Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

encode-2f-sequence

Encode \2F sequence to forward slash in URLs.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

encrypt-and-store-password

Encrypt and store user passwords for SSL-VPN web sessions.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

force-two-factor-auth

Enable/disable only PKI users with two-factor authentication for SSL-VPNs.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

header-x-forwarded-for

Forward the same, add, or remove HTTP header.

option

-

add

Option

Description

pass

Forward the same HTTP header.

add

Add the HTTP header.

remove

Remove the HTTP header.

hsts-include-subdomains

Add HSTS includeSubDomains response header.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

http-compression

Enable/disable to allow HTTP compression over SSL-VPN tunnels.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

http-only-cookie

Enable/disable SSL-VPN support for HttpOnly cookies.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

http-request-body-timeout

SSL-VPN session is disconnected if an HTTP request body is not received within this time.

integer

Minimum value: 0 Maximum value: 4294967295

30

http-request-header-timeout

SSL-VPN session is disconnected if an HTTP request header is not received within this time.

integer

Minimum value: 0 Maximum value: 4294967295

20

https-redirect

Enable/disable redirect of port 80 to SSL-VPN port.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

idle-timeout

SSL-VPN disconnects if idle for specified time in seconds.

integer

Minimum value: 0 Maximum value: 259200

300

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

::

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

::

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

::

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

::

login-attempt-limit

SSL-VPN maximum login attempt times before block.

integer

Minimum value: 0 Maximum value: 4294967295

2

login-block-time

Time for which a user is blocked from logging in after too many failed login attempts.

integer

Minimum value: 0 Maximum value: 4294967295

60

login-timeout

SSLVPN maximum login timeout.

integer

Minimum value: 10 Maximum value: 180

30

port

SSL-VPN access port.

integer

Minimum value: 1 Maximum value: 65535

10443

port-precedence

Enable/disable, Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

reqclientcert

Enable/disable to require client certificates for all SSL-VPN users.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

saml-redirect-port

SAML local redirect port in the machine running FortiClient. 0 is to disable redirection on FGT side.

integer

Minimum value: 0 Maximum value: 65535

8020

server-hostname

Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.

string

Maximum length: 255

servercert

Name of the server certificate to be used for SSL-VPNs.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-interface <name>

SSL-VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

ssl-client-renegotiation

Enable/disable to allow client renegotiation by the server if the tunnel goes down.

option

-

disable

Option

Description

disable

Abort any SSL connection that attempts to renegotiate.

enable

Allow a SSL client to renegotiate.

ssl-insert-empty-fragment

Enable/disable insertion of empty fragment.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-max-proto-ver

SSL maximum protocol version.

option

-

tls1-3

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

ssl-min-proto-ver

SSL minimum protocol version.

option

-

tls1-2

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

status

Enable/disable SSL-VPN.

option

-

enable

Option

Description

enable

Enable SSL-VPN.

disable

Disable SSL-VPN.

transform-backward-slashes

Transform backward slashes to forward slashes in URLs.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

tunnel-addr-assigned-method

Method used for assigning address for tunnel.

option

-

first-available

Option

Description

first-available

Assign the first available address from the pools.

round-robin

Assign the available address from the pool with a round robin fashion.

tunnel-connect-without-reauth

Enable/disable tunnel connection without re-authorization if previous connection dropped.

option

-

disable

Option

Description

enable

Enable tunnel connection without re-authorization.

disable

Disable tunnel connection without re-authorization.

tunnel-ip-pools <name>

Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

tunnel-ipv6-pools <name>

Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

tunnel-user-session-timeout

Number of seconds after which user sessions are cleaned up after tunnel connection is dropped.

integer

Minimum value: 1 Maximum value: 86400

30

unsafe-legacy-renegotiation

Enable/disable unsafe legacy re-negotiation.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

url-obscuration

Enable/disable to obscure the host name of the URL of the web browser display.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

wins-server1

WINS server 1.

ipv4-address

Not Specified

0.0.0.0

wins-server2

WINS server 2.

ipv4-address

Not Specified

0.0.0.0

x-content-type-options

Add HTTP X-Content-Type-Options header.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ztna-trusted-client

Enable/disable verification of device certificate for SSLVPN ZTNA session.

option

-

disable

Option

Description

enable

Enable verification of device certificate for SSLVPN ZTNA session.

disable

Disable verification of device certificate for SSLVPN ZTNA session.

config authentication-rule

Parameter

Description

Type

Size

Default

auth

SSL-VPN authentication method restriction.

option

-

any

Option

Description

any

Any

local

Local

radius

RADIUS

tacacs+

TACACS+

ldap

LDAP

peer

PEER

cipher

SSL-VPN cipher strength.

option

-

high

Option

Description

any

Any cipher strength.

high

High cipher strength (>= 168 bits).

medium

Medium cipher strength (>= 128 bits).

client-cert

Enable/disable SSL-VPN client certificate restrictive.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

groups <name>

User groups.

Group name.

string

Maximum length: 79

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

portal

SSL-VPN portal.

string

Maximum length: 35

realm

SSL-VPN realm.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-interface <name>

SSL-VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

user-peer

Name of user peer.

string

Maximum length: 35

users <name>

User name.

User name.

string

Maximum length: 79

config vpn ssl settings

config vpn ssl settings

Configure SSL-VPN.

config vpn ssl settings
    Description: Configure SSL-VPN.
    set algorithm [high|medium|...]
    set auth-session-check-source-ip [enable|disable]
    set auth-timeout {integer}
    config authentication-rule
        Description: Authentication rule for SSL-VPN.
        edit <id>
            set auth [any|local|...]
            set cipher [any|high|...]
            set client-cert [enable|disable]
            set groups <name1>, <name2>, ...
            set portal {string}
            set realm {string}
            set source-address <name1>, <name2>, ...
            set source-address-negate [enable|disable]
            set source-address6 <name1>, <name2>, ...
            set source-address6-negate [enable|disable]
            set source-interface <name1>, <name2>, ...
            set user-peer {string}
            set users <name1>, <name2>, ...
        next
    end
    set auto-tunnel-static-route [enable|disable]
    set banned-cipher {option1}, {option2}, ...
    set browser-language-detection [enable|disable]
    set check-referer [enable|disable]
    set ciphersuite {option1}, {option2}, ...
    set client-sigalgs [no-rsa-pss|all]
    set default-portal {string}
    set deflate-compression-level {integer}
    set deflate-min-data-size {integer}
    set dns-server1 {ipv4-address}
    set dns-server2 {ipv4-address}
    set dns-suffix {var-string}
    set dtls-heartbeat-fail-count {integer}
    set dtls-heartbeat-idle-timeout {integer}
    set dtls-heartbeat-interval {integer}
    set dtls-hello-timeout {integer}
    set dtls-max-proto-ver [dtls1-0|dtls1-2]
    set dtls-min-proto-ver [dtls1-0|dtls1-2]
    set dtls-tunnel [enable|disable]
    set dual-stack-mode [enable|disable]
    set encode-2f-sequence [enable|disable]
    set encrypt-and-store-password [enable|disable]
    set force-two-factor-auth [enable|disable]
    set header-x-forwarded-for [pass|add|...]
    set hsts-include-subdomains [enable|disable]
    set http-compression [enable|disable]
    set http-only-cookie [enable|disable]
    set http-request-body-timeout {integer}
    set http-request-header-timeout {integer}
    set https-redirect [enable|disable]
    set idle-timeout {integer}
    set ipv6-dns-server1 {ipv6-address}
    set ipv6-dns-server2 {ipv6-address}
    set ipv6-wins-server1 {ipv6-address}
    set ipv6-wins-server2 {ipv6-address}
    set login-attempt-limit {integer}
    set login-block-time {integer}
    set login-timeout {integer}
    set port {integer}
    set port-precedence [enable|disable]
    set reqclientcert [enable|disable]
    set saml-redirect-port {integer}
    set server-hostname {string}
    set servercert {string}
    set source-address <name1>, <name2>, ...
    set source-address-negate [enable|disable]
    set source-address6 <name1>, <name2>, ...
    set source-address6-negate [enable|disable]
    set source-interface <name1>, <name2>, ...
    set ssl-client-renegotiation [disable|enable]
    set ssl-insert-empty-fragment [enable|disable]
    set ssl-max-proto-ver [tls1-0|tls1-1|...]
    set ssl-min-proto-ver [tls1-0|tls1-1|...]
    set status [enable|disable]
    set transform-backward-slashes [enable|disable]
    set tunnel-addr-assigned-method [first-available|round-robin]
    set tunnel-connect-without-reauth [enable|disable]
    set tunnel-ip-pools <name1>, <name2>, ...
    set tunnel-ipv6-pools <name1>, <name2>, ...
    set tunnel-user-session-timeout {integer}
    set unsafe-legacy-renegotiation [enable|disable]
    set url-obscuration [enable|disable]
    set user-peer {string}
    set wins-server1 {ipv4-address}
    set wins-server2 {ipv4-address}
    set x-content-type-options [enable|disable]
    set ztna-trusted-client [enable|disable]
end

config vpn ssl settings

Parameter

Description

Type

Size

Default

algorithm

Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.

option

-

high

Option

Description

high

High algorithms.

medium

High and medium algorithms.

default

default

low

All algorithms.

auth-session-check-source-ip

Enable/disable checking of source IP for authentication session.

option

-

enable

Option

Description

enable

Enable checking of source IP for authentication session.

disable

Disable checking of source IP for authentication session.

auth-timeout

SSL-VPN authentication timeout.

integer

Minimum value: 0 Maximum value: 259200

28800

auto-tunnel-static-route

Enable/disable to auto-create static routes for the SSL-VPN tunnel IP addresses.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

banned-cipher

Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Only applies to TLS 1.2 and below.

option

-

SHA1 SHA256 SHA384

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

CHACHA20

Ban the use of cipher suites using ChaCha20.

ARIA

Ban the use of cipher suites using ARIA.

AESCCM

Ban the use of cipher suites using AESCCM.

browser-language-detection

Enable/disable overriding the configured system language based on the preferred language of the browser.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

check-referer

Enable/disable verification of referer field in HTTP request header.

option

-

disable

Option

Description

enable

Enable verification of referer field in HTTP request header.

disable

Disable verification of referer field in HTTP request header.

ciphersuite

Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below.

option

-

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

Option

Description

TLS-AES-128-GCM-SHA256

Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

TLS-AES-256-GCM-SHA384

Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.

TLS-CHACHA20-POLY1305-SHA256

Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

TLS-AES-128-CCM-SHA256

Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

TLS-AES-128-CCM-8-SHA256

Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

client-sigalgs

Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only.

option

-

all

Option

Description

no-rsa-pss

Disable RSA-PSS signature algorithms for client authentication.

all

Enable all supported signature algorithms for client authentication.

default-portal

Default SSL-VPN portal.

string

Maximum length: 35

deflate-compression-level

Compression level (0~9).

integer

Minimum value: 0 Maximum value: 9

6

deflate-min-data-size

Minimum amount of data that triggers compression.

integer

Minimum value: 200 Maximum value: 65535

300

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

dns-suffix

DNS suffix used for SSL-VPN clients.

var-string

Maximum length: 253

dtls-heartbeat-fail-count

Number of missing heartbeats before the connection is considered dropped.

integer

Minimum value: 3 Maximum value: 10

3

dtls-heartbeat-idle-timeout

Idle timeout before DTLS heartbeat is sent.

integer

Minimum value: 3 Maximum value: 10

3

dtls-heartbeat-interval

Interval between DTLS heartbeat.

integer

Minimum value: 3 Maximum value: 10

3

dtls-hello-timeout

SSLVPN maximum DTLS hello timeout.

integer

Minimum value: 10 Maximum value: 60

10

dtls-max-proto-ver

DTLS maximum protocol version.

option

-

dtls1-2

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

dtls-min-proto-ver

DTLS minimum protocol version.

option

-

dtls1-0

Option

Description

dtls1-0

DTLS version 1.0.

dtls1-2

DTLS version 1.2.

dtls-tunnel

Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

dual-stack-mode

Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

encode-2f-sequence

Encode \2F sequence to forward slash in URLs.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

encrypt-and-store-password

Encrypt and store user passwords for SSL-VPN web sessions.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

force-two-factor-auth

Enable/disable only PKI users with two-factor authentication for SSL-VPNs.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

header-x-forwarded-for

Forward the same, add, or remove HTTP header.

option

-

add

Option

Description

pass

Forward the same HTTP header.

add

Add the HTTP header.

remove

Remove the HTTP header.

hsts-include-subdomains

Add HSTS includeSubDomains response header.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

http-compression

Enable/disable to allow HTTP compression over SSL-VPN tunnels.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

http-only-cookie

Enable/disable SSL-VPN support for HttpOnly cookies.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

http-request-body-timeout

SSL-VPN session is disconnected if an HTTP request body is not received within this time.

integer

Minimum value: 0 Maximum value: 4294967295

30

http-request-header-timeout

SSL-VPN session is disconnected if an HTTP request header is not received within this time.

integer

Minimum value: 0 Maximum value: 4294967295

20

https-redirect

Enable/disable redirect of port 80 to SSL-VPN port.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

idle-timeout

SSL-VPN disconnects if idle for specified time in seconds.

integer

Minimum value: 0 Maximum value: 259200

300

ipv6-dns-server1

IPv6 DNS server 1.

ipv6-address

Not Specified

::

ipv6-dns-server2

IPv6 DNS server 2.

ipv6-address

Not Specified

::

ipv6-wins-server1

IPv6 WINS server 1.

ipv6-address

Not Specified

::

ipv6-wins-server2

IPv6 WINS server 2.

ipv6-address

Not Specified

::

login-attempt-limit

SSL-VPN maximum login attempt times before block.

integer

Minimum value: 0 Maximum value: 4294967295

2

login-block-time

Time for which a user is blocked from logging in after too many failed login attempts.

integer

Minimum value: 0 Maximum value: 4294967295

60

login-timeout

SSLVPN maximum login timeout.

integer

Minimum value: 10 Maximum value: 180

30

port

SSL-VPN access port.

integer

Minimum value: 1 Maximum value: 65535

10443

port-precedence

Enable/disable, Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

reqclientcert

Enable/disable to require client certificates for all SSL-VPN users.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

saml-redirect-port

SAML local redirect port in the machine running FortiClient. 0 is to disable redirection on FGT side.

integer

Minimum value: 0 Maximum value: 65535

8020

server-hostname

Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.

string

Maximum length: 255

servercert

Name of the server certificate to be used for SSL-VPNs.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-interface <name>

SSL-VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

ssl-client-renegotiation

Enable/disable to allow client renegotiation by the server if the tunnel goes down.

option

-

disable

Option

Description

disable

Abort any SSL connection that attempts to renegotiate.

enable

Allow a SSL client to renegotiate.

ssl-insert-empty-fragment

Enable/disable insertion of empty fragment.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-max-proto-ver

SSL maximum protocol version.

option

-

tls1-3

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

ssl-min-proto-ver

SSL minimum protocol version.

option

-

tls1-2

Option

Description

tls1-0

TLS version 1.0.

tls1-1

TLS version 1.1.

tls1-2

TLS version 1.2.

tls1-3

TLS version 1.3.

status

Enable/disable SSL-VPN.

option

-

enable

Option

Description

enable

Enable SSL-VPN.

disable

Disable SSL-VPN.

transform-backward-slashes

Transform backward slashes to forward slashes in URLs.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

tunnel-addr-assigned-method

Method used for assigning address for tunnel.

option

-

first-available

Option

Description

first-available

Assign the first available address from the pools.

round-robin

Assign the available address from the pool with a round robin fashion.

tunnel-connect-without-reauth

Enable/disable tunnel connection without re-authorization if previous connection dropped.

option

-

disable

Option

Description

enable

Enable tunnel connection without re-authorization.

disable

Disable tunnel connection without re-authorization.

tunnel-ip-pools <name>

Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

tunnel-ipv6-pools <name>

Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.

Address name.

string

Maximum length: 79

tunnel-user-session-timeout

Number of seconds after which user sessions are cleaned up after tunnel connection is dropped.

integer

Minimum value: 1 Maximum value: 86400

30

unsafe-legacy-renegotiation

Enable/disable unsafe legacy re-negotiation.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

url-obscuration

Enable/disable to obscure the host name of the URL of the web browser display.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

user-peer

Name of user peer.

string

Maximum length: 35

wins-server1

WINS server 1.

ipv4-address

Not Specified

0.0.0.0

wins-server2

WINS server 2.

ipv4-address

Not Specified

0.0.0.0

x-content-type-options

Add HTTP X-Content-Type-Options header.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ztna-trusted-client

Enable/disable verification of device certificate for SSLVPN ZTNA session.

option

-

disable

Option

Description

enable

Enable verification of device certificate for SSLVPN ZTNA session.

disable

Disable verification of device certificate for SSLVPN ZTNA session.

config authentication-rule

Parameter

Description

Type

Size

Default

auth

SSL-VPN authentication method restriction.

option

-

any

Option

Description

any

Any

local

Local

radius

RADIUS

tacacs+

TACACS+

ldap

LDAP

peer

PEER

cipher

SSL-VPN cipher strength.

option

-

high

Option

Description

any

Any cipher strength.

high

High cipher strength (>= 168 bits).

medium

Medium cipher strength (>= 128 bits).

client-cert

Enable/disable SSL-VPN client certificate restrictive.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

groups <name>

User groups.

Group name.

string

Maximum length: 79

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

portal

SSL-VPN portal.

string

Maximum length: 35

realm

SSL-VPN realm.

string

Maximum length: 35

source-address <name>

Source address of incoming traffic.

Address name.

string

Maximum length: 79

source-address-negate

Enable/disable negated source address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-address6 <name>

IPv6 source address of incoming traffic.

IPv6 address name.

string

Maximum length: 79

source-address6-negate

Enable/disable negated source IPv6 address match.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

source-interface <name>

SSL-VPN source interface of incoming traffic.

Interface name.

string

Maximum length: 35

user-peer

Name of user peer.

string

Maximum length: 35

users <name>

User name.

User name.

string

Maximum length: 79