vpn : ssl settings
 
ssl settings
Use this command to configure basic SSL VPN settings including interface idle-timeout values and SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients.
You can optionally specify the IP address of any Domain Name Service (DNS) server and/or Windows Internet Name Service (WINS) server that resides on the private network behind the FortiGate unit. The DNS and/or WINS server resolves the names of other computers whenever a connected SSL VPN user sends an email message or browses the Internet.
You can configure SSL VPNs on FortiGate units that run in NAT/Route mode. The commands are available in NAT/Route mode only.
Syntax
config vpn ssl settings
    set algorithm <cipher_suite>
    set auth-timeout <auth_seconds>
    set auto-tunnel-static-route {enable | disable}
    set default-portal <portal_name>
    set deflate-compression-level <int>
    set deflate-min-data-size <int>
    set dns-server1 <address_ipv4>
    set dns-server2 <address_ipv4>
    set dns-suffix <domain_str>
    set force-two-factor-auth {enable | disable}
    set http-compression {enable | disable}
    set http-only-cookie {enable | disable}
    set idle-timeout <idle_seconds>
    set ipv6-dns-server1 <ip6_addr>
    set ipv6-dns-server2 <ip6_addr>
    set ipv6-wins-server1 <ip6_addr>
    set ipv6-wins-server2 <ip6_addr>
    set port <port_int>
    set port-precedence {enable | disable}
    set reqclientcert {enable | disable}
    set route-source-interface {enable | disable}
    set servercert <server_cert_name>
    set source-address <addr1>[,addr2...addrn]
    set source-address6 <addr1>[,addr2...addrn]
    set source-address-negate {enable | disable}
    set source-address6-negate {enable | disable}
    set source-interface <port1>[,port2...portn]
    set ssl-big-buffer {enable | disable}
    set ssl-client-renegotiation {enable | disable}
    set ssl-insert-empty-fragment {enable | disable}
    set sslv2 {enable | disable}
    set sslv3 {enable | disable}
    set tlsv1-0 {enable | disable}
    set tlsv1-1 {enable | disable}
    set tlsv1-2 {enable | disable}
    set tunnel-ip-pools <pool1_name ...pooln_name>
    set tunnel-ipv6-pools <pool1_name ...pooln_name>
    set unsafe-legacy-renegotiation {enable | disable}
    set url-obscuration {enable | disable}
    set wins-server1 <address_ipv4>
    set wins-server2 <address_ipv4>
    config authentication-rule
        edit <id>
            set auth <auth_method>
            set cipher {high | medium | any}
            set client-cert {enable | disable}
            set groups {grp1 ... grpn}
            set realm <realm_name>
            set source-address <addr1>[,addr2...addrn]
            set source-address6 <addr1>[,addr2...addrn]
            set source-address-negate {enable | disable}
            set source-address6-negate {enable | disable}
            set source-interface <port1>[,port2...portn]
            set users <name_list>
        next
    end
end
When you configure the timeout settings, setting the authentication timeout (auth-timeout) to 0 means the remote client does not have to re-authenticate unless they log out of the system. To take full advantage of this setting, idle-timeout must also be set to 0, so that the client is not logged out when the maximum idle time is reached. If idle-timeout is not set to 0 (no timeout), the system logs the client out when the idle limit is reached, regardless of the auth-timeout setting.
The tunnel-ip-pools field is required for tunnel-mode access only. All other fields are optional.
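The interaction described above is easy to get wrong when hardening a unit, so here is a small model of it as an added example (not FortiOS code): it encodes the documented rule that idle-timeout is enforced independently of auth-timeout, so setting auth-timeout to 0 alone does not give an unlimited session, and it validates both values against the documented range. Timestamps are epoch seconds and the sample sessions are constructed values.

```python
"""Session-expiry model for the FortiOS auth-timeout / idle-timeout interaction.

Added example (not FortiOS code). Encodes the rule from the reference text:
idle-timeout is checked independently of auth-timeout, so auth-timeout 0 alone
does not keep a session alive. Timestamps are epoch seconds (constructed values).
"""
from dataclasses import dataclass
from typing import Optional

NO_TIMEOUT = 0                          # FortiOS meaning of 0 for both timeouts
TIMEOUT_MIN, TIMEOUT_MAX = 10, 259_200  # documented range in seconds (3 days)


def valid_timeout(value: int) -> bool:
    """True if value is 0 (no timeout) or within the documented 10..259200 range."""
    return value == NO_TIMEOUT or TIMEOUT_MIN <= value <= TIMEOUT_MAX


@dataclass
class SslVpnSession:
    login_at: int          # when the user last authenticated
    last_activity_at: int  # when the session last carried traffic


def expiry_reason(session: SslVpnSession, now: int,
                  auth_timeout: int, idle_timeout: int) -> Optional[str]:
    """Return "idle-timeout", "auth-timeout", or None if the session is still valid.

    The idle check is independent of auth-timeout: a session configured with
    auth-timeout 0 is still logged out once idle_timeout seconds pass without traffic.
    """
    if not (valid_timeout(auth_timeout) and valid_timeout(idle_timeout)):
        raise ValueError("timeouts must be 0 or between 10 and 259200 seconds")
    if idle_timeout != NO_TIMEOUT and now - session.last_activity_at >= idle_timeout:
        return "idle-timeout"
    if auth_timeout != NO_TIMEOUT and now - session.login_at >= auth_timeout:
        return "auth-timeout"
    return None


def unlimited_session(auth_timeout: int, idle_timeout: int) -> bool:
    """True only when both values are 0, i.e. the user stays logged in until logout."""
    return auth_timeout == NO_TIMEOUT and idle_timeout == NO_TIMEOUT


if __name__ == "__main__":
    s = SslVpnSession(login_at=0, last_activity_at=0)
    # Constructed cases: the defaults (28800/300), auth-timeout 0 alone, and both 0.
    print(expiry_reason(s, 400, 28800, 300))  # idle-timeout
    print(expiry_reason(s, 400, 0, 300))      # idle-timeout (auth-timeout 0 alone is not enough)
    print(expiry_reason(s, 10**7, 0, 0))      # None
    print(unlimited_session(0, 0), unlimited_session(0, 300))  # True False
```

The second printed case is the one the reference warns about: with auth-timeout 0 but idle-timeout left at its default of 300 seconds, the client is still logged out after five idle minutes.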
Variables (the default value follows each description)

algorithm <cipher_suite>
  Enter one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you specify:
    low: use any cipher suite.
    default: use a 128-bit or greater cipher suite.
    high: use a cipher suite greater than 128 bits.
  Default: default

auth-timeout <auth_seconds>
  Enter the period of time (in seconds) that an authenticated connection remains connected. When this time expires, the system forces the remote client to authenticate again. Range is 10 to 259,200 seconds (3 days). Use the value 0 to indicate no timeout.
  Default: 28800

auto-tunnel-static-route {enable | disable}
  If enabled, when you create an SSL VPN portal with tunnel mode enabled, FortiOS automatically adds static routes for the networks that can be accessed through the SSL VPN tunnel so that you do not have to add them manually.
  Default: enable

default-portal <portal_name>
  Enter the name of the default SSL VPN portal.
  Default: null

deflate-compression-level <int>
  Set the compression level. Range is 1 (least compression) to 9 (most compression). Higher compression reduces the volume of data but requires more processing time. This field is available when http-compression is enabled.
  Default: 6

deflate-min-data-size <int>
  Set the minimum amount of data that triggers compression; smaller amounts are not compressed. Range is 200 to 65,535 bytes. This field is available when http-compression is enabled.
  Default: 300

dns-server1 <address_ipv4>
  Enter the IP address of the primary DNS server that SSL VPN clients can access after a connection has been established. If required, specify a secondary DNS server with dns-server2.
  Default: 0.0.0.0

dns-server2 <address_ipv4>
  Enter the IP address of a secondary DNS server if required.
  Default: 0.0.0.0

dns-suffix <domain_str>
  Enter the DNS suffix. Maximum length 253 characters.
  Default: null

force-two-factor-auth {enable | disable}
  Enable to require PKI (peer) users to authenticate by password in addition to certificate authentication. If enabled, only PKI users with two-factor authentication enabled can log on to the SSL VPN.
  Default: disable

http-compression {enable | disable}
  Enable compression between the FortiGate unit and the client web browser. Adjust deflate-compression-level and deflate-min-data-size to tune performance.
  Default: disable

http-only-cookie {enable | disable}
  Disable only if a web site is having trouble with the tunnel mode Java applet.
  Default: enable

idle-timeout <idle_seconds>
  Enter the period of time (in seconds) that the connection can remain idle before the system forces the remote user to log in again. Range is 10 to 259,200 seconds. Use the value 0 to indicate no timeout.
  Default: 300
ipv6-dns-server1 <ip6_addr>
ipv6-dns-server2 <ip6_addr>
  Specify the primary and secondary IPv6 DNS servers.
  Default: :: (both)

ipv6-wins-server1 <ip6_addr>
ipv6-wins-server2 <ip6_addr>
  Specify the primary and secondary IPv6 WINS servers.
  Default: :: (both)

port <port_int>
  Enter the SSL VPN access port. Range is 1 to 65,535.
  When VDOMs are enabled, this setting is per VDOM.
  Default: 10443

port-precedence {enable | disable}
  Enable to give SSL VPN higher priority than HTTPS if both are enabled on the same port.
  Default: enable

reqclientcert {enable | disable}
  Enable or disable the use of group certificates for authenticating remote clients. When enabled, the SSL VPN daemon requires a client certificate from all SSL VPN users regardless of policy.
  Default: disable

route-source-interface {enable | disable}
  Enable to allow the SSL VPN connection to bypass routing and bind to the incoming interface.
  Default: disable

servercert <server_cert_name>
  Enter the name of the signed server certificate that the FortiGate unit uses to identify itself during the SSL handshake when a web browser connects to the login page. The server certificate must already be loaded into the FortiGate configuration. If you do not specify a server certificate, the FortiGate unit offers its factory-installed (self-signed) certificate from Fortinet to remote clients when they connect.
  Default: self-sign

source-address <addr1>[,addr2...addrn]
source-address6 <addr1>[,addr2...addrn]
  Optionally, specify addresses from which users can log in. Leave the field empty to allow login from any address.
  Use source-address6 for IPv6 addresses.
  Default: null

source-address-negate {enable | disable}
source-address6-negate {enable | disable}
  Invert the source-address setting so that it specifies addresses from which login is not allowed.
  Use source-address6-negate for source-address6.
  Default: disable

source-interface <port1>[,port2...portn]
  Enter the interfaces on which to listen for SSL clients.
  Default: null

ssl-big-buffer {enable | disable}
  The default setting (disable) reduces memory use by 16 KB per connection.
  Default: disable

ssl-client-renegotiation {enable | disable}
  Enable or disable SSL renegotiation if the tunnel goes down. SSL renegotiation could be used for a denial-of-service (DoS) attack.
  Default: disable

ssl-insert-empty-fragment {enable | disable}
  Internet Explorer 6 and earlier might not work well with the default setting (enable). The setting can be changed, but disabling it reduces security.
  Default: enable
sslv2 {enable | disable}
  Enable or disable SSL version 2.
  Default: disable

sslv3 {enable | disable}
  Enable or disable SSL version 3.
  Default: enable

tlsv1-0 {enable | disable}
  Enable or disable the TLS 1.0 cryptographic protocol.
  Default: enable

tlsv1-1 {enable | disable}
  Enable or disable the TLS 1.1 cryptographic protocol.
  Default: enable

tlsv1-2 {enable | disable}
  Enable or disable the TLS 1.2 cryptographic protocol.
  Default: enable

tunnel-ip-pools <pool1_name ...pooln_name>
  Enter the firewall addresses that represent the ranges of IPv4 addresses reserved for remote clients.
  No default.

tunnel-ipv6-pools <pool1_name ...pooln_name>
  Enter the firewall addresses that represent the ranges of IPv6 addresses reserved for remote clients.
  No default.

unsafe-legacy-renegotiation {enable | disable}
  Allow the less secure legacy renegotiation method. This field is available if ssl-client-renegotiation is enabled.
  Default: disable

url-obscuration {enable | disable}
  Enable to encrypt the host name of the URL shown in the browser's address bar (web mode only). This is a requirement for ICSA SSL VPN certification. If enabled, bookmark details are not visible (the field is blank).
  Default: disable

wins-server1 <address_ipv4>
  Enter the IP address of the primary WINS server that SSL VPN clients can access after a connection has been established. If required, specify a secondary WINS server with wins-server2.
  Default: 0.0.0.0

wins-server2 <address_ipv4>
  Enter the IP address of a secondary WINS server if required.
  Default: 0.0.0.0
authentication-rule variables

auth <auth_method>
  Set the permitted authentication method: local, ldap, radius, tacacs+, or any.
  Default: any

cipher {high | medium | any}
  Set the required SSL cipher strength:
    high: 168 bits or more
    medium: 128 bits or more
    any: no minimum
  Default: any

client-cert {enable | disable}
  Enable to require client certificates.
  Default: disable

groups {grp1 ... grpn}
  Enter a space-separated list of user groups allowed to authenticate.
  Default: null

realm <realm_name>
  Enter the name of the realm to which this rule applies. Select a realm defined under vpn ssl web realm.
  Default: null

source-address <addr1>[,addr2...addrn]
source-address6 <addr1>[,addr2...addrn]
  Optionally, specify addresses from which users can log in. Leave the field empty to allow login from any address.
  Use source-address6 for IPv6 addresses.
  Default: null

source-address-negate {enable | disable}
source-address6-negate {enable | disable}
  Invert the source-address setting so that it specifies addresses from which login is not allowed.
  Use source-address6-negate for source-address6.
  Default: disable

source-interface <port1>[,port2...portn]
  Optionally, specify the interfaces (ports) from which users can log in. Leave the field empty to allow login from any interface.
  Default: null

users <name_list>
  Enter a space-separated list of user names allowed to authenticate.
  Default: null
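Because a FortiGate omits default values from its configuration output, a reviewer reading a saved config cannot tell from the text alone that, for example, sslv3 is still enabled. The following added example (not Fortinet code) parses a config vpn ssl settings block in the CLI format shown in this reference, fills in the defaults documented in the tables above for the settings it checks, and reports the options this page describes as weaker: legacy SSL/TLS versions, algorithm low, client renegotiation, the factory self-signed certificate, sessions that never expire, and authentication rules with cipher any. It covers both the main settings table and the authentication-rule variables. The two configuration strings are constructed samples, and "corp-vpn-cert" is a placeholder certificate name.

```python
"""Audit a FortiOS 'config vpn ssl settings' block for weak options.

Added example, not FortiOS or Fortinet code. Absent settings take the defaults
documented in the reference tables; the configuration strings are constructed.
"""
import shlex
from typing import Dict, List, Tuple

# Defaults as listed in the reference table (only the keys the audit looks at).
DEFAULTS = {
    "sslv2": "disable", "sslv3": "enable",
    "tlsv1-0": "enable", "tlsv1-1": "enable", "tlsv1-2": "enable",
    "algorithm": "default", "servercert": "self-sign",
    "ssl-client-renegotiation": "disable", "unsafe-legacy-renegotiation": "disable",
    "auth-timeout": "28800", "idle-timeout": "300",
}
RULE_DEFAULTS = {"cipher": "any", "client-cert": "disable"}

Settings = Dict[str, str]
Rules = Dict[str, Dict[str, str]]


def parse_ssl_settings(text: str) -> Tuple[Settings, Rules]:
    """Parse the block into top-level settings and per-id authentication rules."""
    settings: Settings = dict(DEFAULTS)
    rules: Rules = {}
    in_rules = False
    current = None  # rule id while inside 'edit <id>'
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted values such as "vpn-users"
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config" and tokens[1:] == ["authentication-rule"]:
            in_rules = True
        elif cmd == "edit" and in_rules and len(tokens) == 2:
            current = tokens[1]
            rules[current] = dict(RULE_DEFAULTS)
        elif cmd == "next":
            current = None
        elif cmd == "end":  # closes the rule table (and, at top level, the block)
            current, in_rules = None, False
        elif cmd == "set" and len(tokens) >= 3:
            target = rules[current] if current is not None else settings
            target[tokens[1]] = " ".join(tokens[2:])
    return settings, rules


def audit(settings: Settings, rules: Rules) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    for proto in ("sslv2", "sslv3", "tlsv1-0"):
        if settings.get(proto) == "enable":
            findings.append(f"{proto} enabled: disable legacy protocol versions")
    if settings.get("algorithm") == "low":
        findings.append("algorithm low accepts any cipher suite: use default or high")
    if settings.get("ssl-client-renegotiation") == "enable":
        findings.append("ssl-client-renegotiation enabled: renegotiation can be abused for DoS")
    if settings.get("unsafe-legacy-renegotiation") == "enable":
        findings.append("unsafe-legacy-renegotiation enabled: legacy method is less secure")
    if settings.get("servercert") in ("self-sign", ""):
        findings.append("servercert is the factory self-signed certificate: load a CA-signed one")
    if settings.get("auth-timeout") == "0" and settings.get("idle-timeout") == "0":
        findings.append("auth-timeout and idle-timeout both 0: sessions never expire")
    for rid, rule in rules.items():
        if rule.get("cipher") == "any":
            findings.append(f"authentication-rule {rid}: cipher any sets no minimum strength")
    return findings


# Constructed sample: sslv3 is not mentioned, so the documented default (enable) applies.
WEAK_CONFIG = """
config vpn ssl settings
    set servercert "self-sign"
    set port 10443
    set algorithm low
    set tlsv1-0 disable
    set auth-timeout 0
    set idle-timeout 0
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set cipher any
        next
    end
end
"""

# Constructed hardened counterpart; "corp-vpn-cert" is a placeholder certificate name.
HARDENED_CONFIG = """
config vpn ssl settings
    set servercert "corp-vpn-cert"
    set algorithm high
    set sslv3 disable
    set tlsv1-0 disable
    set idle-timeout 300
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set cipher high
        next
    end
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(*parse_ssl_settings(cfg)))
```

Running it prints five findings for the weak sample, including sslv3 even though the text never mentions it, and an empty list for the hardened one. The default table is the part worth keeping current: if a firmware release changes a default, the audit must change with it, otherwise it reports the wrong state for every setting that is absent from the configuration text.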