vpn ssl web portal
The SSL VPN Service portal allows you to access network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users and which network resources are available to the users, such as HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
The portal configuration determines what the system user sees when they log in to the FortiGate. Both the system administrator and the system user have the ability to customize the SSL VPN portal.
There are three pre-defined default web portal configurations available:
full-access: Includes all widgets available to the user - Session Information, Connection Tool, Bookmarks, and Tunnel Mode.
tunnel-access: Includes Session Information and Tunnel Mode widgets.
web-access: Includes Session Information and Bookmarks widgets.
These pre-defined portal configurations can be edited, including their names.
Syntax
config vpn ssl web portal
    edit <portal_name_str>
        set auto-connect {enable | disable}
        set auto-prompt-mobile-user-download {enable | disable}
        set cache-cleaner {enable | disable}
        set custom-lang <lang_str>
        set dns-server1 <ip4_addr>
        set dns-server2 <ip4_addr>
        set display-bookmark {enable | disable}
        set display-connection-tools {enable | disable}
        set display-forticlient-download {enable | disable}
        set display-history {enable | disable}
        set display-history-limit <int>
        set display-status {enable | disable}
        set heading <str_heading>
        set host-check {av | av-fw | custom | fw | none}
        set host-check-interval <seconds>
        set host-check-policy <hcpolicy_name>
        set ip-mode {range | usrgrp}
        set ip-pools {<pool1_name> .. <pooln_name>}
        set ipv6-dns-server1 <ip6_addr>
        set ipv6-dns-server2 <ip6_addr>
        set ipv6-pools {<pool1_name> .. <pooln_name>}
        set ipv6-split-tunneling {enable | disable}
        set ipv6-split-tunneling-routing-address <address_name>
        set ipv6-tunnel-mode {enable | disable}
        set ipv6-wins-server1 <ip6_addr>
        set ipv6-wins-server2 <ip6_addr>
        set keep-alive {enable | disable}
        set limit-user-logins {enable | disable}
        set mac-addr-action {allow | deny}
        set mac-addr-check {enable | disable}
        set os-check {enable | disable}
        set page-layout {double-column | single-column}
        set redir-url <redir_url>
        set save-password {enable | disable}
        set skip-check-for-unsupported-browser {enable | disable}
        set skip-check-for-unsupported-os {enable | disable}
        set split-tunneling {enable | disable}
        set split-tunneling-routing-address <address_name>
        set theme {blue | gray | orange}
        set tunnel-mode {enable | disable}
        set user-bookmark {enable | disable}
        set virtual-desktop {enable | disable}
        set virtual-desktop-app-list <applist_name>
        set virtual-desktop-clipboard-share {enable | disable}
        set virtual-desktop-desktop-switch {enable | disable}
        set virtual-desktop-logout-when-browser-close {enable | disable}
        set virtual-desktop-network-share-access {enable | disable}
        set virtual-desktop-printing {enable | disable}
        set virtual-desktop-removable-media-access {enable | disable}
        set wins-server1 <ip4_addr>
        set wins-server2 <ip4_addr>
        config bookmark-group
            edit <bookmarkgrp_name>
                config bookmarks
                    edit <bookmark_name>
                        set additional-params <param_str>
                        set apptype <service_type>
                        set description <description_txt>
                        set folder <folder_name>
                        set full-screen-mode {enable | disable}
                        set host <host_name>
                        set keyboard-layout <locale_str>
                        set listening-port <port_int>
                        set logon-user <user-name_str>
                        set logon-password <password_str>
                        set remote-port <port_int>
                        set screen-height <h_int>
                        set screen-width <w_int>
                        set show-status-window {enable | disable}
                        set sso {disable | auto}
                        set sso-credential {sslvpn-login | alternative}
                        set sso-password <pwd_str>
                        set sso-username <name_str>
                        set url <target_ip>
                    next
                end
            next
        end
        config mac-addr-check-rule
            edit <rule_name>
                set mac-addr-list <mac_list>
                set mac-addr-mask <int>
            next
        end
        config os-check-list {windows-2000 | windows-vista | windows-xp | windows-7 | windows-8}
            set action {allow | check-up-to-date | deny}
            set latest-patch-level {disable | 0 - 255}
            set tolerance {tolerance_num}
        end
    next
end
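The following is an added example, not configuration from the Fortinet reference itself: a tunnel-mode-only portal built from the variables above, with the web widgets switched off, a split tunnel restricted to named corporate destinations, and one session per user. The portal name, the DNS addresses, and the firewall address objects SSLVPN_POOL_V4 and CORP_INTERNAL_NETS are assumptions; the two address objects are assumed to already exist under config firewall address.

```fortios
# Added example, not part of the Fortinet reference. The portal name,
# DNS addresses and firewall address object names are assumptions.
config vpn ssl web portal
    edit "tunnel-only-hardened"
        # Tunnel mode only: no web-mode widgets and no bookmarks.
        set tunnel-mode enable
        set ipv6-tunnel-mode disable
        set display-bookmark disable
        set user-bookmark disable
        set display-connection-tools disable
        # Client addresses come from the address range reserved for SSL VPN
        # (assumed firewall address SSLVPN_POOL_V4).
        set ip-mode range
        set ip-pools "SSLVPN_POOL_V4"
        set dns-server1 10.0.0.53
        set dns-server2 10.0.0.54
        # Split tunnel limited to the destinations in CORP_INTERNAL_NETS
        # (assumed firewall address); Internet traffic keeps the client's
        # normal route. Leave split-tunneling at its default (disable) if
        # every client packet must pass through the gateway instead.
        set split-tunneling enable
        set split-tunneling-routing-address "CORP_INTERNAL_NETS"
        # One concurrent session per user, nothing cached on the client.
        set limit-user-logins enable
        set save-password disable
        set auto-connect disable
        set keep-alive disable
    next
end
```

Host, OS and MAC checks are not set here, so host-check stays at its default of none; the endpoint-check variables are configured separately.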
config vpn ssl web portal variables
Each entry gives the variable, its description, and its default value.

edit <portal_name_str>
    Enter a name for the portal. Three pre-defined web portal configurations exist: full-access, tunnel-access, and web-access.
    Default: No default.

auto-connect {enable | disable}
    Enable or disable FortiClient automatic connection to this portal.
    Default: disable

auto-prompt-mobile-user-download {enable | disable}
    Enable to prompt mobile users to download FortiClient Endpoint Security.
    Default: enable

cache-cleaner {enable | disable}
    Enable the FortiGate unit to remove residual information from the remote client computer just before the SSL VPN session ends. This is done with a downloaded ActiveX control.
    Default: disable

custom-lang <lang_str>
    Set the portal language. To view the list of languages, enter set custom-lang ?
    This is available when web-mode is enabled.
    Default: No default.

dns-server1 <ip4_addr>
dns-server2 <ip4_addr>
    Specify primary and secondary DNS servers.
    Default: 0.0.0.0

display-bookmark {enable | disable}
    Enable or disable the bookmarks widget.
    Default: enable

display-connection-tools {enable | disable}
    Enable or disable the connection tools widget.
    Default: enable

display-forticlient-download {enable | disable}
    Enable or disable the FortiClient download widget.
    Default: enable

display-history {enable | disable}
    Enable or disable the user login history widget.
    Default: enable

display-history-limit <int>
    Set the maximum number of login history entries.
    Default: 5

display-status {enable | disable}
    Enable or disable the session status widget.
    Default: enable

heading <str_heading>
    Enter the caption that appears at the top of the web portal home page.
    Default: null

host-check {av | av-fw | custom | fw | none}
    Select the type of host checking to perform on endpoints:
    av — Check for antivirus software recognized by the Windows Security Center.
    av-fw — Check for both antivirus and firewall software recognized by the Windows Security Center.
    custom — Check for the software defined in host-check-policy.
    fw — Check for firewall software recognized by the Windows Security Center.
    none — Do not perform host checking.
    Default: none

host-check-interval <seconds>
    Enter how often to recheck the host. Range is every 120 seconds to 259 200 seconds. Enter 0 to not recheck the host during the session. This is not available if host-check is none.
    Default: 0

host-check-policy <hcpolicy_name>
    Select the specific host check software to look for. These applications are defined in the vpn ssl web host-check-software command. This field is available when host-check is custom.
    Default: null

ip-mode {range | usrgrp}
    Select the mode by which the IP address is assigned to the user: address range or user group.
    Default: range

ip-pools {<pool1_name> .. <pooln_name>}
    Enter the names of the IP pools (firewall addresses) that represent IPv4 address ranges reserved for tunnel-mode SSL VPN clients.
    Default: No default.

ipv6-dns-server1 <ip6_addr>
ipv6-dns-server2 <ip6_addr>
    Specify primary and secondary IPv6 DNS servers.
    Default: ::

ipv6-pools {<pool1_name> .. <pooln_name>}
    Enter the names of the IP pools (firewall addresses) that represent IPv6 address ranges reserved for tunnel-mode SSL VPN clients.
    Default: No default.

ipv6-split-tunneling {enable | disable}
    Enable split tunneling for IPv6. Split tunneling ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route.
    Default: disable

ipv6-split-tunneling-routing-address <address_name>
    Enter the firewall addresses for the destinations that IPv6 clients will reach through the SSL VPN. The client's split-tunneling configuration will ensure that the tunnel is used for these destinations only.
    This is available when ipv6-split-tunneling is enabled.
    Default: No default.

ipv6-tunnel-mode {enable | disable}
    Enable or disable IPv6 tunnel mode.
    Default: enable

ipv6-wins-server1 <ip6_addr>
ipv6-wins-server2 <ip6_addr>
    Specify primary and secondary IPv6 WINS servers.
    Default: ::

keep-alive {enable | disable}
    Enable or disable keepalive (automatic reconnect) for FortiClient connections to this portal.

limit-user-logins {enable | disable}
    Enable to allow each user one SSL VPN session at a time.
    Default: disable

mac-addr-action {allow | deny}
    Set the action for the MAC address check: allow or deny the connection.
    Default: allow

mac-addr-check {enable | disable}
    Enable or disable the MAC address host check.
    Default: disable

os-check {enable | disable}
    Enable the FortiGate unit to determine what action to take depending on which operating system the client has.
    Default: disable

page-layout {double-column | single-column}
    Select the number of columns in the portal display.
    Default: single-column

redir-url <redir_url>
    Enter the URL of the web page which will enable the FortiGate unit to display a second HTML page in a popup window when the web portal home page is displayed. The web server for this URL must reside on the private network behind the FortiGate unit.
    Default: null

save-password {enable | disable}
    Enable or disable FortiClient saving of the user password.
    Default: disable

skip-check-for-unsupported-browser {enable | disable}
    Skip the host check if the browser does not support it. This field is available if host checking is enabled.
    Default: enable

skip-check-for-unsupported-os {enable | disable}
    Skip the host check if the client operating system does not support it. This field is available if host checking is enabled.
    Default: enable

split-tunneling {enable | disable}
    Enable split tunneling. Split tunneling ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. Available only if tunnel-mode is enabled.
    Default: disable

split-tunneling-routing-address <address_name>
    Enter the firewall addresses for the destinations that clients will reach through the SSL VPN. The client's split-tunneling configuration will ensure that the tunnel is used for these destinations only.
    This is available when split-tunneling is enabled.
    Default: No default.

theme {blue | gray | orange}
    Select the portal display theme (color).
    Default: blue

tunnel-mode {enable | disable}
    Enable or disable IPv4 tunnel mode.
    Default: enable

user-bookmark {enable | disable}
    Allow web portal users to create their own bookmarks.
    Default: enable

virtual-desktop {enable | disable}
    Enable the SSL VPN virtual desktop client application. If set to enable on the client, attempts to connect via SSL VPN are refused.
    Default: disable

virtual-desktop-app-list <applist_name>
    Enter the name of the application list to apply to the virtual desktop. See vpn ssl web virtual-desktop-app-list.
    Default: null

virtual-desktop-clipboard-share {enable | disable}
    Enable or disable sharing of the clipboard with the regular desktop.
    Default: disable

virtual-desktop-desktop-switch {enable | disable}
    Enable or disable switching between the virtual and regular desktop.
    Default: disable

virtual-desktop-logout-when-browser-close {enable | disable}
    Enable or disable automatic logout from the virtual desktop when the browser is closed.
    Default: disable

virtual-desktop-network-share-access {enable | disable}
    Enable or disable network share access from the virtual desktop.
    Default: disable

virtual-desktop-printing {enable | disable}
    Enable or disable printing from the virtual desktop.
    Default: disable

virtual-desktop-removable-media-access {enable | disable}
    Enable or disable access to removable media such as USB drives from the virtual desktop.
    Default: disable

wins-server1 <ip4_addr>
wins-server2 <ip4_addr>
    Specify primary and secondary WINS servers.
    Default: 0.0.0.0
config mac-addr-check-rule variables

edit <rule_name>
    Enter a name for this MAC check rule.

mac-addr-list <mac_list>
    Enter client MAC addresses.
    Default: No default.

mac-addr-mask <int>
    Set the size of the netmask in bits. Range 1-48.
    Default: 48

config os-check-list variables
Available when os-check is enabled.

action {allow | check-up-to-date | deny}
    Specify how to perform the patch level check:
    allow — any patch level is permitted.
    check-up-to-date — some patch levels are permitted; make selections for latest-patch-level and tolerance.
    deny — do not permit access for any version of this OS.
    Default: allow

latest-patch-level {disable | 0 - 255}
    Specify the latest allowed patch level.
    Available when action is check-up-to-date.
    Default: Win2000: 4; WinXP: 2

tolerance {tolerance_num}
    Specify the patch-level tolerance. Patch levels from latest-patch-level minus tolerance and above are permitted.
    Available when action is check-up-to-date.
    Default: 0
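An added example (not configuration from the Fortinet reference) of the endpoint checks described above applied to a portal: a host check for antivirus and firewall with a recheck interval, an os-check-list that refuses end-of-life Windows versions and requires a patch level for Windows 7, and a MAC address rule. The portal name, the Windows 7 patch level of 1, and the MAC addresses are constructed assumptions.

```fortios
# Added example, not part of the Fortinet reference. The portal name,
# patch level and MAC addresses are constructed assumptions.
config vpn ssl web portal
    edit "tunnel-only-hardened"
        # Require antivirus and firewall recognized by Windows Security
        # Center, recheck every 300 seconds (range 120-259200), and do not
        # waive the check for clients that cannot run it.
        set host-check av-fw
        set host-check-interval 300
        set skip-check-for-unsupported-os disable
        set skip-check-for-unsupported-browser disable
        # OS check: deny versions that should no longer connect, require
        # Windows 7 at the assumed patch level 1 with no tolerance for
        # older levels, allow Windows 8 at any level.
        set os-check enable
        config os-check-list windows-2000
            set action deny
        end
        config os-check-list windows-xp
            set action deny
        end
        config os-check-list windows-vista
            set action deny
        end
        config os-check-list windows-7
            set action check-up-to-date
            set latest-patch-level 1
            set tolerance 0
        end
        config os-check-list windows-8
            set action allow
        end
        # MAC address check: only the listed (constructed) addresses are
        # allowed. Mask 48 compares all 48 bits; a shorter mask compares
        # only the leading bits of each listed address.
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "managed-laptops"
                set mac-addr-list 00:11:22:33:44:55 00:11:22:33:44:56
                set mac-addr-mask 48
            next
        end
    next
end
```

Setting both skip-check-for-unsupported-os and skip-check-for-unsupported-browser to disable changes the defaults (enable), so clients whose OS or browser cannot run the host check are refused rather than admitted unchecked.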
Bookmarks variables

edit <bookmarkgrp_name>
    Enter the bookmark group name. Maximum 36 characters.
    Default: null

edit <bookmark_name>
    Enter the name of the bookmark. It must be unique. Maximum 36 characters.
    Default: null

additional-params <param_str>
    Enter additional parameters the application requires.
    Available when apptype is citrix, portforward, rdp, or rdpnative.

apptype <service_type>
    Enter the identifier of the service to associate with the bookmark:
    citrix — Citrix web server interface.
    ftp — FTP services.
    portforward — port forwarding.
    rdp — Windows Terminal services.
    rdpnative — remote desktop access with the native client.
    smb — SMB/CIFS (Windows file share) services.
    ssh — SSH services.
    telnet — telnet services.
    vnc — VNC services.
    web — HTTP and/or HTTPS services.
    Default: web

description <description_txt>
    Enter a description of the bookmark. Maximum 129 characters.
    Default: null

folder <folder_name>
    Enter the remote folder name, if apptype is smb or ftp.
    The folder name must include the server name, //172.20.120.103/myfolder, for example.
    Default: No default.

full-screen-mode {enable | disable}
    Enable or disable full-screen mode. Available when apptype is rdp or rdpnative.
    Default: disable

host <host_name>
    Enter the host name, if apptype is telnet or rdp. Maximum 36 characters.
    Default: No default.

keyboard-layout <locale_str>
    Enter the keyboard layout for the RDP session. Available when apptype is rdp.
    Default: en-us

listening-port <port_int>
    Enter the listening port number.
    Available when apptype is portforward.
    Default: null

logon-user <user-name_str>
logon-password <password_str>
    Enter the logon credentials for the RDP bookmark. Available when apptype is rdp.
    Default: null

remote-port <port_int>
    Enter the remote port number.
    Available when apptype is portforward.
    Default: null

screen-height <h_int>
    Enter the screen height in pixels. Available when apptype is rdp or rdpnative.
    Default: 768

screen-width <w_int>
    Enter the screen width in pixels. Available when apptype is rdp or rdpnative.
    Default: 1024

show-status-window {enable | disable}
    Enable or disable the status window.
    Available when apptype is portforward.
    Default: disable

sso {disable | auto}
    A Single Sign-On (SSO) bookmark automatically enters the login credentials for the bookmark destination. Select one of:
    disable — This is not an SSO bookmark.
    auto — SSO bookmark; configure sso-credential.
    Default: disable

sso-credential {sslvpn-login | alternative}
    Select whether the bookmark enters the user's SSL VPN credentials or the alternative credentials defined in sso-username and sso-password.
    Default: sslvpn-login

sso-password <pwd_str>
    Enter the alternative password. Available when sso-credential is alternative.
    Default: No default.

sso-username <name_str>
    Enter the alternative username. Available when sso-credential is alternative.
    Default: No default.

url <target_ip>
    Enter the URL of the web page, if apptype is web or citrix.
    Default: No default.
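An added example (not configuration from the Fortinet reference) of a web-mode-only portal with a fixed bookmark group using the bookmark variables above: a web bookmark with SSO that reuses the SSL VPN login, an RDP bookmark with an explicit screen size and no stored logon credentials, and an SMB bookmark with a server-qualified folder. The portal, group and bookmark names, host names and URL are assumptions.

```fortios
# Added example, not part of the Fortinet reference. Names, host names
# and the URL are assumptions for illustration.
config vpn ssl web portal
    edit "web-only-intranet"
        # Web mode only: no tunnel, administrator-defined bookmarks only.
        set tunnel-mode disable
        set ipv6-tunnel-mode disable
        set display-bookmark enable
        set user-bookmark disable
        set display-connection-tools disable
        set heading "Intranet (SSL VPN)"
        set limit-user-logins enable
        config bookmark-group
            edit "intranet-apps"
                config bookmarks
                    edit "wiki"
                        set apptype web
                        set url https://wiki.corp.example
                        set description "Internal wiki"
                        # SSO with the user's own SSL VPN login, so no
                        # alternative password is stored on the FortiGate.
                        set sso auto
                        set sso-credential sslvpn-login
                    next
                    edit "jump-host-rdp"
                        set apptype rdp
                        set host jump01.corp.example
                        set keyboard-layout en-us
                        set screen-width 1280
                        set screen-height 800
                        set full-screen-mode disable
                        # logon-user/logon-password are left unset: the user
                        # enters RDP credentials at connection time.
                    next
                    edit "fileshare"
                        set apptype smb
                        # Folder includes the server name, as required.
                        set folder //fs01.corp.example/shared
                    next
                end
            next
        end
    next
end
```

With sso-credential left at sslvpn-login, the alternative sso-username and sso-password fields are not used; choosing alternative instead stores a second credential in the portal configuration for every user of the bookmark.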