Configuring SSL VPN web portals

The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users as well as the network resources that are available to the users.

note icon FortiOS supports LDAP password renewal notification and updates through SSL VPN. Configuration is enabled using the CLI commands:

config user ldap
  edit <username>
       set server <domain>
       set password-expiry-warning enable
       set password-renewal enable

For more information, see the Authentication Guide.

This step in the configuration of the SSL VPN tunnel sets up the infrastructure; the addressing, encryption, and certificates needed to make the initial connection to the FortiGate unit. This step is also where you configure what the remote user sees with a successful connection. The portal view defines the resources available to the remote users and the functionality they have on the network.

SSL connection configuration

To configure the basic SSL VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.

Listen on Interface(s) Define the interface which the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.
Listen on Port Enter the port number for HTTPS access.
Redirect port 80 to this login port Enable to redirect the admin HTTP port to the admin HTTPS port.

There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as shown below (note that HTTPS-redirect is disabled by default):


config vpn ssl settings
   set https-redirect [enable | disable]

Restrict Access Restrict accessibility to either Allow access from any host or to Limit access to specific hosts as desired. If selecting the latter, you must specify the hosts.
Idle Logout Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Server Certificate Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_CA_SSLProxy), the FortiGate unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you purchase a certificate for your domain and upload it for use.
Require Client Certificate Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.

For information on using PKI to provide client certificate authentication, see the Authentication Guide.
Address Range Select Automatically assign addresses or Specify custom IP ranges. The latter will allow you to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.
DNS Server If you select Specify, you may enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.
Specify WINS Servers Enable to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.
Allow Endpoint Registration Select so that FortiClient registers with the FortiGate unit when connecting. If you configured a registration key by going to System > Config > Advanced, the remote user is prompted to enter the key. This only occurs on the first connection to the FortiGate unit.

Portal configuration

The portal configuration determines what the remote user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

To view the portals settings page, go to VPN > SSL-VPN Portals.

There are three pre-defined default portal configurations available:

  • full-access
  • tunnel-access
  • web-access

Each portal type includes similar configuration options. Select between the different portals by double-clicking one of the default portals in the list. You can also create a custom portal by selecting the Create New option at the top.

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.

  Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.
  Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
  Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

  • Allow client to save password - When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
  • Allow client to connect automatically - When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
  • Allow client to keep connections alive - When enabled, if the user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).
Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.
Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

Options to allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.


note icon If your network configuration does not contain a default SSL VPN portal, you might receive the error message “Input value is invalid” when you attempt to access VPN > SSL-VPN Portals.

To enable a default portal - CLI:

config vpn ssl settings
  set default-portal <full-access | tunnel-access |


Adding bookmarks

A web bookmark can include login credentials to automatically log the SSL VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.

To add a bookmark - web-based manager:
  1. On the VPN > SSL-VPN Portals page, ensure Enable User Bookmarks is enabled.
  2. Select Create New and enter the following information:
Category Select a category, or group, to include the bookmark. If this is the first bookmark added, you will be prompted to add a category. Otherwise, select Create from the drop-down list.
Name Enter a name for the bookmark.
Type Select the type of link from the drop-down list. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.
URL Enter the IP address source.
Description Enter a brief description of the link.
Single Sign-On Enable if you wish to use Single Sign-On (SSO) for any links that require authentication.

When including a link using SSO, be sure to use the entire URL. For example,, rather than just the IP address.
  1. Select OK.

For more configuration options, see Configuring SSL VPN web portals.

Personal bookmarks

The administrator has be ability to view bookmarks the remote client has added to their SSL VPN login in the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do not meet with corporate policy.

To view and maintain remote client bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

For more information about available bookmark applications, see Applications available in the web portal

To enable personal bookmarks:
  1. Go to System > Feature Select.
  2. Enable SSL-VPN Personal Bookmark Management.
  3. Select Apply.

SSL VPN Realms

You can go to VPN > SSL-VPN Realms and create custom login pages for your SSL VPN users. You can use this feature to customize the SSL VPN login page for your users and also to create multiple SSL VPN logins for different user groups.

In order to create a custom login page using the web-based manager, this feature must be enabled using Feature Select.

note icon Before you begin, copy the default login page text to a separate text file for safe-keeping. Afterward, if needed, you can restore the text to the original version.
To configure SSL VPN Realms - web-based manager:
  1. Configure a custom SSL VPN login by going to VPN > SSL-VPN Realms and selecting Create New. Users access different portals depending on the URL they enter.
  2. The first option in the custom login page is to enter the path of the custom URL.
    This path is appended to the address of the FortiGate unit interface to which SSL VPN users connect. The actual path for the custom login page appears beside the URL path field.
  3. You can also limit the number of users that can access the custom login at any given time.
  4. You can use HTML code to customize the appearance of the login page.
  5. After adding the custom login, you must associate it with the users that will access the custom login. Do this by going to VPN > SSL-VPN Settings and adding a rule to the Authentication/Portal Mapping section.
  6. Under Authentication/Portal Mapping, click Create New and select the user group(s) and the associated Realm.
To configure SSL VPN Realms - CLI:

config vpn ssl web realm

edit <url-path>

set login-page <content_str>

set max-concurrent-user <int>

set virtual-host <hostname_str>



Where the following variables are set:

Variable Description Default
edit <url-path> Enter the URL path to access the SSL-VPN login page.
Do not include “http://”.
No default.
login-page <content_str> Enter replacement HTML for SSL-VPN login page. No default.
max-concurrent-user <int> Enter the maximum number of concurrent users allowed. Range 0-65 535. 0 means unlimited. 0
virtual-host <hostname_str> Enter the virtual host name for this realm. Optional. Maximum length 255 characters. No default.