Configuring SSL VPN web portals

The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users as well as the network resources that are available to the users.

note icon FortiOS supports LDAP password renewal notification and updates through SSL VPN. Configuration is enabled using the CLI commands:

config user ldap
  edit <username>
       set server <domain>
       set password-expiry-warning enable
       set password-renewal enable


This step in the configuration of the SSL VPN tunnel sets up the infrastructure; the addressing, encryption, and certificates needed to make the initial connection to the FortiGate unit. This step is also where you configure what the remote user sees with a successful connection. The portal view defines the resources available to the remote users and the functionality they have on the network.

SSL connection configuration

To configure the basic SSL VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.

Listen on Interface(s) Define the interface which the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.
Listen on Port Enter the port number for HTTPS access.
Redirect port 80 to this login port Enable to redirect the admin HTTP port to the admin HTTPS port.

There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as shown below (note that HTTPS-redirect is disabled by default):


config vpn ssl settings
   set https-redirect [enable | disable]

Restrict Access Restrict accessibility to either Allow access from any host or to Limit access to specific hosts as desired. If selecting the latter, you must specify the hosts.
Idle Logout Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Server Certificate Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_CA_SSLProxy), the FortiGate unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you purchase a certificate for your domain and upload it for use.
Require Client Certificate Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.
Address Range Select Automatically assign addresses or Specify custom IP ranges. The latter will allow you to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.
DNS Server

If you select Specify, you may enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

Note: It is possible to implement a unique DNS suffix per SSL VPN portal using the CLI. Each suffix setting for each specific portal will override the dns-suffix setting under config vpn ssl settings. This is a CLI-only option, using the following syntax:

config vpn ssl web portal

edit <example>

set dns-suffix <string>


Specify WINS Servers Enable to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.
Allow Endpoint Registration Select so that FortiClient registers with the FortiGate unit when connecting. If you configured a registration key by going to System > Advanced, the remote user is prompted to enter the key. This only occurs on the first connection to the FortiGate unit.

Portal configuration

The portal configuration determines what the remote user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

To view the portals settings page, go to VPN > SSL-VPN Portals.

There are three pre-defined default portal configurations available:

  • full-access
  • tunnel-access
  • web-access

Each portal type includes similar configuration options. Select between the different portals by double-clicking one of the default portals in the list. You can also create a custom portal by selecting the Create New option at the top.

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.

  Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.
  Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
  Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

  • Allow client to save password - When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
  • Allow client to connect automatically - When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
  • Allow client to keep connections alive - When enabled, if the user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).
Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.
Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

Tunnel Mode Client Options logic

The FortiGate will check the logic of Tunnel mode VPN client options.

If auto-connect or keep-alive is enabled, the following warning message will be shown: 'save-password should be enabled if either auto-connect or keep-alive is enabled.'

At the end of editing the portal, if either auto-connect or keep-alive is enabled and save-password is not enabled, the following message will be shown, and adding or editing the portal is not permitted: 'save-password should be enabled as either auto-connect or keep-alive is enabled.'

Options to allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.


note icon If your network configuration does not contain a default SSL VPN portal, you might receive the error message “Input value is invalid” when you attempt to access VPN > SSL-VPN Portals.

To enable a default portal - CLI:

config vpn ssl settings
  set default-portal <full-access | tunnel-access |


Adding bookmarks

A web bookmark can include login credentials to automatically log the SSL VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.

To add a bookmark - web-based manager:
  1. On the VPN > SSL-VPN Portals page, ensure Enable User Bookmarks is enabled.
  2. Select Create New and enter the following information:
Category Select a category, or group, to include the bookmark. If this is the first bookmark added, you will be prompted to add a category. Otherwise, select Create from the drop-down list.
Name Enter a name for the bookmark.
Type Select the type of link from the drop-down list. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.
URL Enter the IP address source.
Description Enter a brief description of the link.
Single Sign-On Enable if you wish to use Single Sign-On (SSO) for any links that require authentication.

When including a link using SSO, be sure to use the entire URL. For example,, rather than just the IP address.
  1. Select OK.

For more configuration options, see Configuring SSL VPN web portals.

Personal bookmarks

The administrator has be ability to view bookmarks the remote client has added to their SSL VPN login in the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do not meet with corporate policy.

To view and maintain remote client bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

For more information about available bookmark applications, see Applications available in the web portal

To enable personal bookmarks:
  1. Go to System > Feature Visibility.
  2. Enable SSL-VPN Personal Bookmark Management.
  3. Select Apply.

Moving and cloning bookmarks

The administrator also has the ability to move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark

edit 'name'

config bookmarks

move bookmark1 after/before

clone bookmark1 to



Supporting browsers without plugins (Citrix/Port forward) - CLI only

CLI syntax

config vpn ssl web user-bookmark

edit <name>

config bookmarks

edit "citrix-address"

set apptype citrix

set description "my citrix server"

set usl ""

set sso enable





Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client. This can only be done via the CLI.

To add group-based SSL VPN bookmarks - CLI:

config vpn ssl web portal

edit "portal-name"

set user-group-bookmark enable*/disable



config vpn ssl web user-group-bookmark

edit "group-name"

config bookmark

edit "bookmark1"






Remote desktop bookmark creation with no password

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However there may be instances where the user might want to use a blank password, despite being highly unrecommended. If a username is provided but the password is empty, the CLI will display a warning. See example CLI below, where the warning appears as a caution before finishing the command:

config vpn ssl web user-group-bookmark

edit <group-name>

config bookmarks

edit <bookmark-name>

set apptype rdp

set host

set security nla

set port 3389

set logon-user <username>



Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.



If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA. object set operator error, -2010 discard the setting Command fail. Return code -2010

SSO support for HTML5 RDP

This feature adds support for SSO from the SSL VPN portal to an RDP bookmark. If SSO is used, then the credentials used to login to SSL VPN will be automatically used when connecting to a remote RDP server.

This option is only available in CLI.

To configure SSO support for HTML5 RDP - CLI:

conf vpn ssl web user-bookmark

edit <name>

config bookmarks

edit <name>

set apptype rdp

set host "x.x.x.x"

set port <value>

set sso [disable | auto]





SSL VPN Realms

You can go to VPN > SSL-VPN Realms and create custom login pages for your SSL VPN users. You can use this feature to customize the SSL VPN login page for your users and also to create multiple SSL VPN logins for different user groups.

In order to create a custom login page using the web-based manager, this feature must be enabled using Feature Select.

note icon Before you begin, copy the default login page text to a separate text file for safe-keeping. Afterward, if needed, you can restore the text to the original version.
To configure SSL VPN Realms - web-based manager:
  1. Configure a custom SSL VPN login by going to VPN > SSL-VPN Realms and selecting Create New. Users access different portals depending on the URL they enter.
  2. The first option in the custom login page is to enter the path of the custom URL.
    This path is appended to the address of the FortiGate unit interface to which SSL VPN users connect. The actual path for the custom login page appears beside the URL path field.
  3. You can also limit the number of users that can access the custom login at any given time.
  4. You can use HTML code to customize the appearance of the login page.
  5. After adding the custom login, you must associate it with the users that will access the custom login. Do this by going to VPN > SSL-VPN Settings and adding a rule to the Authentication/Portal Mapping section.
  6. Under Authentication/Portal Mapping, click Create New and select the user group(s) and the associated Realm.
To configure SSL VPN Realms - CLI:

config vpn ssl web realm

edit <url-path>

set login-page <content_str>

set max-concurrent-user <int>

set virtual-host <hostname_str>



Where the following variables are set:

Variable Description Default
edit <url-path> Enter the URL path to access the SSL-VPN login page.
Do not include “http://”.
No default.
login-page <content_str> Enter replacement HTML for SSL-VPN login page. No default.
max-concurrent-user <int> Enter the maximum number of concurrent users allowed. Range 0-65 535. 0 means unlimited. 0
virtual-host <hostname_str> Enter the virtual host name for this realm. Optional. Maximum length 255 characters. No default.

Customizable FortiClient download URL

The attribute customize-forticlient-download-url (disabled by default) can be enabled to allow users to customize the download URL for FortiClient. This option is only available in CLI.

If enabled, two other attributes, windows-forticlient-download-url and macos-forticlient-download-url, will appear.

To configure a customizable FortiClient download URL- CLI:

config vpn ssl web portal

edit <portal>

set customize-forticlient-download-url {enable | disable}

set windows-forticlient-download-url <custom URL for Windows>

set macos-forticlient-download-url <custom URL for Mac OS>



Disabling FortiClient download in the web portal

Use the following syntax to disable FortiClient download in the web portal.

config vpn ssl web portal

edit <portal name>

set forticlient-download disable



Split DNS support

This feature allows you to specify which domains will be resolved by the DNS server specified by the VPN while all other domains will be resolved by the locally specified DNS. This is useful in both Enterprise and MSP scenarios (when hosting multiple SSL VPN portals). This option is only available in CLI.

To configure split DNS support - CLI:

config vpn ssl web portal

edit <name>

config split-dns

edit 1

set domains ","

set dns-server1

set dns-server2

set ipv6-dns-server1 2000:2:3:4::5

set ipv6-dns-server2 2000:2:3:4::6