config vpn ssl settings
This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 120G, FortiGate 121G, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80F Bypass, FortiGate 80F DSL, FortiGate 80F-POE, FortiGate 80F, FortiGate 81F, FortiGate 900D, FortiGate 900G, FortiGate 901G, FortiGate VM ARM64 for Azure, FortiGate VM ARM64 for GCP BYOL, FortiGate VM ARM64 for OCI BYOL, FortiGate VM for Aliyun PAYG, FortiGate VM for AWS PAYG, FortiGate VM for Azure BYOL, FortiGate VM for Azure PAYG, FortiGate VM for GCP BYOL, FortiGate VM for OPC BYOL, FortiGate VM64, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 80F 2R 3G4G DSL, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G DSL, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R. It is not available for: FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60F, FortiGate 61F, FortiGate 90G, FortiGate 91G, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61F.
Configure SSL-VPN.
    config vpn ssl settings
        Description: Configure SSL-VPN.
        set algorithm [high|medium|...]
        set auth-session-check-source-ip [enable|disable]
        set auth-timeout {integer}
        config authentication-rule
            Description: Authentication rule for SSL-VPN.
            edit <id>
                set auth [any|local|...]
                set cipher [any|high|...]
                set client-cert [enable|disable]
                set groups <name1>, <name2>, ...
                set portal {string}
                set realm {string}
                set source-address <name1>, <name2>, ...
                set source-address-negate [enable|disable]
                set source-address6 <name1>, <name2>, ...
                set source-address6-negate [enable|disable]
                set source-interface <name1>, <name2>, ...
                set user-peer {string}
                set users <name1>, <name2>, ...
            next
        end
        set auto-tunnel-static-route [enable|disable]
        set banned-cipher {option1}, {option2}, ...
        set browser-language-detection [enable|disable]
        set check-referer [enable|disable]
        set ciphersuite {option1}, {option2}, ...
        set client-sigalgs [no-rsa-pss|all]
        set default-portal {string}
        set deflate-compression-level {integer}
        set deflate-min-data-size {integer}
        set dns-server1 {ipv4-address}
        set dns-server2 {ipv4-address}
        set dns-suffix {var-string}
        set dtls-heartbeat-fail-count {integer}
        set dtls-heartbeat-idle-timeout {integer}
        set dtls-heartbeat-interval {integer}
        set dtls-hello-timeout {integer}
        set dtls-max-proto-ver [dtls1-0|dtls1-2]
        set dtls-min-proto-ver [dtls1-0|dtls1-2]
        set dtls-tunnel [enable|disable]
        set dual-stack-mode [enable|disable]
        set encode-2f-sequence [enable|disable]
        set encrypt-and-store-password [enable|disable]
        set force-two-factor-auth [enable|disable]
        set header-x-forwarded-for [pass|add|...]
        set hsts-include-subdomains [enable|disable]
        set http-compression [enable|disable]
        set http-only-cookie [enable|disable]
        set http-request-body-timeout {integer}
        set http-request-header-timeout {integer}
        set https-redirect [enable|disable]
        set idle-timeout {integer}
        set ipv6-dns-server1 {ipv6-address}
        set ipv6-dns-server2 {ipv6-address}
        set ipv6-wins-server1 {ipv6-address}
        set ipv6-wins-server2 {ipv6-address}
        set login-attempt-limit {integer}
        set login-block-time {integer}
        set login-timeout {integer}
        set port {integer}
        set port-precedence [enable|disable]
        set reqclientcert [enable|disable]
        set saml-redirect-port {integer}
        set server-hostname {string}
        set servercert {string}
        set source-address <name1>, <name2>, ...
        set source-address-negate [enable|disable]
        set source-address6 <name1>, <name2>, ...
        set source-address6-negate [enable|disable]
        set source-interface <name1>, <name2>, ...
        set ssl-client-renegotiation [disable|enable]
        set ssl-insert-empty-fragment [enable|disable]
        set ssl-max-proto-ver [tls1-0|tls1-1|...]
        set ssl-min-proto-ver [tls1-0|tls1-1|...]
        set status [enable|disable]
        set transform-backward-slashes [enable|disable]
        set tunnel-addr-assigned-method [first-available|round-robin]
        set tunnel-connect-without-reauth [enable|disable]
        set tunnel-ip-pools <name1>, <name2>, ...
        set tunnel-ipv6-pools <name1>, <name2>, ...
        set tunnel-user-session-timeout {integer}
        set unsafe-legacy-renegotiation [enable|disable]
        set url-obscuration [enable|disable]
        set user-peer {string}
        set wins-server1 {ipv4-address}
        set wins-server2 {ipv4-address}
        set x-content-type-options [enable|disable]
        set ztna-trusted-client [enable|disable]
    end
config vpn ssl settings
Parameter | Description | Type | Size | Default
---|---|---|---|---
algorithm * | Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. | option | - | high
auth-session-check-source-ip | Enable/disable checking of the source IP for the authentication session. | option | - | enable
auth-timeout | SSL-VPN authentication timeout. | integer | Minimum value: 0 Maximum value: 259200 | 28800
auto-tunnel-static-route | Enable/disable auto-creation of static routes for the SSL-VPN tunnel IP addresses. | option | - | enable
banned-cipher | Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Only applies to TLS 1.2 and below. | option | - | SHA1 SHA256 SHA384
browser-language-detection | Enable/disable overriding the configured system language based on the preferred language of the browser. | option | - | enable
check-referer | Enable/disable verification of the Referer field in the HTTP request header. | option | - | disable
ciphersuite | Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. | option | - | TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
client-sigalgs | Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. | option | - | all
default-portal | Default SSL-VPN portal. | string | Maximum length: 35 |
deflate-compression-level | Compression level (0~9). | integer | Minimum value: 0 Maximum value: 9 | 6
deflate-min-data-size | Minimum amount of data that triggers compression. | integer | Minimum value: 200 Maximum value: 65535 | 300
dns-server1 | DNS server 1. | ipv4-address | Not Specified | 0.0.0.0
dns-server2 | DNS server 2. | ipv4-address | Not Specified | 0.0.0.0
dns-suffix | DNS suffix used for SSL-VPN clients. | var-string | Maximum length: 253 |
dtls-heartbeat-fail-count | Number of missing heartbeats before the connection is considered dropped. | integer | Minimum value: 3 Maximum value: 10 | 3
dtls-heartbeat-idle-timeout | Idle timeout before a DTLS heartbeat is sent. | integer | Minimum value: 3 Maximum value: 10 | 3
dtls-heartbeat-interval | Interval between DTLS heartbeats. | integer | Minimum value: 3 Maximum value: 10 | 3
dtls-hello-timeout | SSL-VPN maximum DTLS hello timeout. | integer | Minimum value: 10 Maximum value: 60 | 10
dtls-max-proto-ver | DTLS maximum protocol version. | option | - | dtls1-2
dtls-min-proto-ver | DTLS minimum protocol version. | option | - | dtls1-0
dtls-tunnel | Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. | option | - | enable **
dual-stack-mode | Tunnel mode: enable parallel IPv4 and IPv6 tunnels. Web mode: support IPv4 and IPv6 bookmarks in the portal. | option | - | disable
encode-2f-sequence | Encode the \2F sequence to a forward slash in URLs. | option | - | disable
encrypt-and-store-password | Encrypt and store user passwords for SSL-VPN web sessions. | option | - | disable
force-two-factor-auth | Enable/disable allowing only PKI users with two-factor authentication for SSL-VPN. | option | - | disable
header-x-forwarded-for | Pass through, add, or remove the X-Forwarded-For HTTP header. | option | - | add
hsts-include-subdomains | Add the HSTS includeSubDomains response header. | option | - | disable
http-compression | Enable/disable HTTP compression over SSL-VPN tunnels. | option | - | disable
http-only-cookie | Enable/disable SSL-VPN support for HttpOnly cookies. | option | - | enable
http-request-body-timeout | The SSL-VPN session is disconnected if an HTTP request body is not received within this time. | integer | Minimum value: 0 Maximum value: 4294967295 | 30
http-request-header-timeout | The SSL-VPN session is disconnected if an HTTP request header is not received within this time. | integer | Minimum value: 0 Maximum value: 4294967295 | 20
https-redirect | Enable/disable redirection of port 80 to the SSL-VPN port. | option | - | disable
idle-timeout | SSL-VPN disconnects if idle for the specified time in seconds. | integer | Minimum value: 0 Maximum value: 259200 | 300
ipv6-dns-server1 | IPv6 DNS server 1. | ipv6-address | Not Specified | ::
ipv6-dns-server2 | IPv6 DNS server 2. | ipv6-address | Not Specified | ::
ipv6-wins-server1 | IPv6 WINS server 1. | ipv6-address | Not Specified | ::
ipv6-wins-server2 | IPv6 WINS server 2. | ipv6-address | Not Specified | ::
login-attempt-limit | Maximum number of SSL-VPN login attempts before the user is blocked. | integer | Minimum value: 0 Maximum value: 10 | 2
login-block-time | Time for which a user is blocked from logging in after too many failed login attempts. | integer | Minimum value: 0 Maximum value: 86400 | 60
login-timeout | SSL-VPN maximum login timeout. | integer | Minimum value: 10 Maximum value: 180 | 30
port | SSL-VPN access port. | integer | Minimum value: 1 Maximum value: 65535 | 10443
port-precedence | Enable/disable port precedence. When enabled, admin GUI connections are blocked on any interface on which SSL-VPN connections are allowed. | option | - | enable
reqclientcert | Enable/disable requiring client certificates for all SSL-VPN users. | option | - | disable
saml-redirect-port | SAML local redirect port on the machine running FortiClient. 0 disables redirection on the FortiGate side. | integer | Minimum value: 0 Maximum value: 65535 | 8020
server-hostname | Server hostname for HTTPS. When set, it is used as the Host header by the SSL-VPN web proxy for any redirection. | string | Maximum length: 255 |
servercert | Name of the server certificate to be used for SSL-VPN. | string | Maximum length: 35 |
source-address | Source address of incoming traffic. Address name. | string | Maximum length: 79 |
source-address-negate | Enable/disable negated source address match. | option | - | disable
source-address6 | IPv6 source address of incoming traffic. IPv6 address name. | string | Maximum length: 79 |
source-address6-negate | Enable/disable negated source IPv6 address match. | option | - | disable
source-interface | SSL-VPN source interface of incoming traffic. Interface name. | string | Maximum length: 35 |
ssl-client-renegotiation | Enable/disable allowing client renegotiation by the server if the tunnel goes down. | option | - | disable
ssl-insert-empty-fragment | Enable/disable insertion of an empty fragment. | option | - | enable
ssl-max-proto-ver | SSL maximum protocol version. | option | - | tls1-3
ssl-min-proto-ver | SSL minimum protocol version. | option | - | tls1-2
status | Enable/disable SSL-VPN. | option | - | enable
transform-backward-slashes | Transform backward slashes to forward slashes in URLs. | option | - | disable
tunnel-addr-assigned-method | Method used for assigning addresses to tunnels. | option | - | first-available
tunnel-connect-without-reauth | Enable/disable tunnel connection without re-authorization if the previous connection dropped. | option | - | disable
tunnel-ip-pools | Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name. | string | Maximum length: 79 |
tunnel-ipv6-pools | Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. Address name. | string | Maximum length: 79 |
tunnel-user-session-timeout | Number of seconds after which user sessions are cleaned up after the tunnel connection is dropped. | integer | Minimum value: 1 Maximum value: 86400 | 30
unsafe-legacy-renegotiation | Enable/disable unsafe legacy renegotiation. | option | - | disable
url-obscuration | Enable/disable obscuring the host name in the URL shown by the web browser. | option | - | disable
user-peer | Name of user peer. | string | Maximum length: 35 |
wins-server1 | WINS server 1. | ipv4-address | Not Specified | 0.0.0.0
wins-server2 | WINS server 2. | ipv4-address | Not Specified | 0.0.0.0
x-content-type-options | Add the HTTP X-Content-Type-Options header. | option | - | enable
ztna-trusted-client | Enable/disable verification of the device certificate for SSL-VPN ZTNA sessions. | option | - | disable
* This parameter may not exist in some models.
** Values may differ between models.
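A defender's way to use the table above is to audit an exported `config vpn ssl settings` block against the documented defaults and a hardening baseline. The following is an added example, not Fortinet code; the baseline rules, the parser and the sample configuration are assumptions constructed for it.

```python
"""Audit a FortiOS 'config vpn ssl settings' block against a hardening baseline.
Added example, not Fortinet code: parses CLI text of the form this page documents,
fills in the documented defaults for unset parameters, and lists settings below
the baseline. The baseline and the sample config are constructed for this example."""

# Documented defaults for the parameters the baseline checks.
DEFAULTS = {"algorithm": "high", "ssl-min-proto-ver": "tls1-2", "dtls-tunnel": "enable",
            "dtls-min-proto-ver": "dtls1-0", "unsafe-legacy-renegotiation": "disable",
            "ssl-client-renegotiation": "disable", "login-attempt-limit": "2",
            "login-block-time": "60", "banned-cipher": "SHA1 SHA256 SHA384"}

def parse_settings(text):
    """Return {param: value} for 'set' lines at the top level of the block."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):   # nested authentication-rule block starts
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("set "):  # skip per-rule settings
            parts = line.split(None, 2)               # ['set', name, value(s)]
            if len(parts) == 3:
                settings[parts[1]] = parts[2].replace('"', "")
    return settings

def audit(settings):
    """Return {param: reason} for each setting below the baseline (empty = clean)."""
    s = {**DEFAULTS, **settings}
    bad = {}
    if s["algorithm"] != "high":
        bad["algorithm"] = f"{s['algorithm']} admits weaker cipher levels (baseline: high)"
    if s["ssl-min-proto-ver"] in ("tls1-0", "tls1-1"):
        bad["ssl-min-proto-ver"] = f"{s['ssl-min-proto-ver']} permits TLS 1.0/1.1 (baseline: tls1-2)"
    if s["dtls-tunnel"] == "enable" and s["dtls-min-proto-ver"] != "dtls1-2":
        bad["dtls-min-proto-ver"] = f"{s['dtls-min-proto-ver']} permits DTLS 1.0 (baseline: dtls1-2)"
    for p in ("unsafe-legacy-renegotiation", "ssl-client-renegotiation"):
        if s[p] == "enable":
            bad[p] = "enabled (baseline: disable)"
    # Assumption: a limit or block time of 0 means no lockout after failed logins.
    if int(s["login-attempt-limit"]) == 0 or int(s["login-block-time"]) == 0:
        bad["login-attempt-limit"] = "no lockout after failed logins (limit or block time is 0)"
    if "SHA1" not in s["banned-cipher"].split():
        bad["banned-cipher"] = f"'{s['banned-cipher']}' leaves SHA1 ciphers usable in TLS <= 1.2"
    return bad

# Constructed sample of the kind of weak configuration this audit is meant to catch.
WEAK_CONFIG = """\
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set unsafe-legacy-renegotiation enable
    set login-attempt-limit 0
    set banned-cipher SHA256
    config authentication-rule
        edit 1
            set source-address "all"
        next
    end
end
"""
```

Running `audit(parse_settings(WEAK_CONFIG))` flags the three explicitly weakened settings, the missing SHA1 ban, and the DTLS minimum that is still at its documented default of dtls1-0.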
config authentication-rule
Parameter | Description | Type | Size | Default
---|---|---|---|---
auth | SSL-VPN authentication method restriction. | option | - | any
cipher * | SSL-VPN cipher strength. | option | - | high
client-cert | Enable/disable SSL-VPN client certificate restriction. | option | - | disable
groups | User groups. Group name. | string | Maximum length: 79 |
id | ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0
portal | SSL-VPN portal. | string | Maximum length: 35 |
realm | SSL-VPN realm. | string | Maximum length: 35 |
source-address | Source address of incoming traffic. Address name. | string | Maximum length: 79 |
source-address-negate | Enable/disable negated source address match. | option | - | disable
source-address6 | IPv6 source address of incoming traffic. IPv6 address name. | string | Maximum length: 79 |
source-address6-negate | Enable/disable negated source IPv6 address match. | option | - | disable
source-interface | SSL-VPN source interface of incoming traffic. Interface name. | string | Maximum length: 35 |
user-peer | Name of user peer. | string | Maximum length: 35 |
users | User names. User name. | string | Maximum length: 79 |
* This parameter may not exist in some models.