fortios.vpn/ssl.Settings
Configure SSL VPN.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortios from "@pulumiverse/fortios";
// SSL VPN listener settings; each value is described in the "Inputs" section of this page.
const sslVpnArgs: fortios.vpn.ssl.SettingsArgs = {
    // Failed logins allowed before the user is blocked (0 - 10, 0 = no limit).
    loginAttemptLimit: 2,
    // Seconds the user stays blocked after too many failed logins (0 - 86400).
    loginBlockTime: 60,
    // Maximum login timeout in seconds (10 - 180).
    loginTimeout: 30,
    // SSL-VPN access port (1 - 65535).
    port: 443,
    // Name of the server certificate used for SSL-VPN. NOTE(review): "self-sign" is the
    // example value (presumably the unit's self-signed certificate); confirm the
    // certificate choice for anything beyond a lab deployment.
    servercert: "self-sign",
};
const trname = new fortios.vpn.ssl.Settings("trname", sslVpnArgs);
import pulumi
import pulumiverse_fortios as fortios
# SSL VPN listener settings; each field is described in the "Inputs" section of this page.
ssl_vpn_args = fortios.vpn.ssl.SettingsArgs(
    login_attempt_limit=2,  # failed logins allowed before the user is blocked (0 - 10, 0 = no limit)
    login_block_time=60,    # seconds the user stays blocked after too many failed logins (0 - 86400)
    login_timeout=30,       # maximum login timeout in seconds (10 - 180)
    port=443,               # SSL-VPN access port (1 - 65535)
    # Name of the server certificate used for SSL-VPN. NOTE(review): "self-sign" is the
    # example value (presumably the unit's self-signed certificate); confirm the
    # certificate choice for anything beyond a lab deployment.
    servercert="self-sign",
)
trname = fortios.vpn.ssl.Settings("trname", args=ssl_vpn_args)
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/vpn"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// SSL VPN listener settings; each field is described in the "Inputs" section of this page.
		args := &vpn.SettingsArgs{
			LoginAttemptLimit: pulumi.Int(2),  // failed logins allowed before the user is blocked (0 - 10, 0 = no limit)
			LoginBlockTime:    pulumi.Int(60), // seconds the user stays blocked after too many failed logins (0 - 86400)
			LoginTimeout:      pulumi.Int(30), // maximum login timeout in seconds (10 - 180)
			Port:              pulumi.Int(443), // SSL-VPN access port (1 - 65535)
			// Name of the server certificate used for SSL-VPN. NOTE(review): "self-sign" is the
			// example value (presumably the unit's self-signed certificate); confirm the
			// certificate choice for anything beyond a lab deployment.
			Servercert: pulumi.String("self-sign"),
		}
		_, err := vpn.NewSettings(ctx, "trname", args)
		// err is nil on success, so returning it directly matches an explicit nil check.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortios = Pulumiverse.Fortios;
return await Deployment.RunAsync(() =>
{
    // SSL VPN listener settings; each property is described in the "Inputs" section of this page.
    var sslVpnArgs = new Fortios.Vpn.Ssl.SettingsArgs
    {
        LoginAttemptLimit = 2,  // failed logins allowed before the user is blocked (0 - 10, 0 = no limit)
        LoginBlockTime = 60,    // seconds the user stays blocked after too many failed logins (0 - 86400)
        LoginTimeout = 30,      // maximum login timeout in seconds (10 - 180)
        Port = 443,             // SSL-VPN access port (1 - 65535)
        // Name of the server certificate used for SSL-VPN. NOTE(review): "self-sign" is the
        // example value (presumably the unit's self-signed certificate); confirm the
        // certificate choice for anything beyond a lab deployment.
        Servercert = "self-sign",
    };
    var trname = new Fortios.Vpn.Ssl.Settings("trname", sslVpnArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortios.vpn.Settings;
import com.pulumi.fortios.vpn.SettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the SSL VPN listener settings; each field is described in the
     * "Inputs" section of this page.
     */
    public static void stack(Context ctx) {
        var sslVpnArgs = SettingsArgs.builder()
            .loginAttemptLimit(2)   // failed logins allowed before the user is blocked (0 - 10, 0 = no limit)
            .loginBlockTime(60)     // seconds the user stays blocked after too many failed logins (0 - 86400)
            .loginTimeout(30)       // maximum login timeout in seconds (10 - 180)
            .port(443)              // SSL-VPN access port (1 - 65535)
            // Name of the server certificate used for SSL-VPN. NOTE(review): "self-sign" is the
            // example value (presumably the unit's self-signed certificate); confirm the
            // certificate choice for anything beyond a lab deployment.
            .servercert("self-sign")
            .build();
        var trname = new Settings("trname", sslVpnArgs);
    }
}
resources:
  trname:
    type: fortios:vpn/ssl:Settings
    properties:
      loginAttemptLimit: 2   # failed logins allowed before the user is blocked (0 - 10, 0 = no limit)
      loginBlockTime: 60     # seconds the user stays blocked after too many failed logins (0 - 86400)
      loginTimeout: 30       # maximum login timeout in seconds (10 - 180)
      port: 443              # SSL-VPN access port (1 - 65535)
      # Name of the server certificate used for SSL-VPN. NOTE(review): "self-sign" is the
      # example value (presumably the unit's self-signed certificate); confirm the
      # certificate choice for anything beyond a lab deployment.
      servercert: self-sign
Create Settings Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Settings(name: string, args?: SettingsArgs, opts?: CustomResourceOptions);
@overload
def Settings(resource_name: str,
args: Optional[SettingsArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def Settings(resource_name: str,
opts: Optional[ResourceOptions] = None,
algorithm: Optional[str] = None,
auth_session_check_source_ip: Optional[str] = None,
auth_timeout: Optional[int] = None,
authentication_rules: Optional[Sequence[SettingsAuthenticationRuleArgs]] = None,
auto_tunnel_static_route: Optional[str] = None,
banned_cipher: Optional[str] = None,
browser_language_detection: Optional[str] = None,
check_referer: Optional[str] = None,
ciphersuite: Optional[str] = None,
client_sigalgs: Optional[str] = None,
default_portal: Optional[str] = None,
deflate_compression_level: Optional[int] = None,
deflate_min_data_size: Optional[int] = None,
dns_server1: Optional[str] = None,
dns_server2: Optional[str] = None,
dns_suffix: Optional[str] = None,
dtls_heartbeat_fail_count: Optional[int] = None,
dtls_heartbeat_idle_timeout: Optional[int] = None,
dtls_heartbeat_interval: Optional[int] = None,
dtls_hello_timeout: Optional[int] = None,
dtls_max_proto_ver: Optional[str] = None,
dtls_min_proto_ver: Optional[str] = None,
dtls_tunnel: Optional[str] = None,
dual_stack_mode: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
encode2f_sequence: Optional[str] = None,
encrypt_and_store_password: Optional[str] = None,
force_two_factor_auth: Optional[str] = None,
get_all_tables: Optional[str] = None,
header_x_forwarded_for: Optional[str] = None,
hsts_include_subdomains: Optional[str] = None,
http_compression: Optional[str] = None,
http_only_cookie: Optional[str] = None,
http_request_body_timeout: Optional[int] = None,
http_request_header_timeout: Optional[int] = None,
https_redirect: Optional[str] = None,
idle_timeout: Optional[int] = None,
ipv6_dns_server1: Optional[str] = None,
ipv6_dns_server2: Optional[str] = None,
ipv6_wins_server1: Optional[str] = None,
ipv6_wins_server2: Optional[str] = None,
login_attempt_limit: Optional[int] = None,
login_block_time: Optional[int] = None,
login_timeout: Optional[int] = None,
port: Optional[int] = None,
port_precedence: Optional[str] = None,
reqclientcert: Optional[str] = None,
route_source_interface: Optional[str] = None,
saml_redirect_port: Optional[int] = None,
server_hostname: Optional[str] = None,
servercert: Optional[str] = None,
source_address6_negate: Optional[str] = None,
source_address6s: Optional[Sequence[SettingsSourceAddress6Args]] = None,
source_address_negate: Optional[str] = None,
source_addresses: Optional[Sequence[SettingsSourceAddressArgs]] = None,
source_interfaces: Optional[Sequence[SettingsSourceInterfaceArgs]] = None,
ssl_client_renegotiation: Optional[str] = None,
ssl_insert_empty_fragment: Optional[str] = None,
ssl_max_proto_ver: Optional[str] = None,
ssl_min_proto_ver: Optional[str] = None,
status: Optional[str] = None,
tlsv10: Optional[str] = None,
tlsv11: Optional[str] = None,
tlsv12: Optional[str] = None,
tlsv13: Optional[str] = None,
transform_backward_slashes: Optional[str] = None,
tunnel_addr_assigned_method: Optional[str] = None,
tunnel_connect_without_reauth: Optional[str] = None,
tunnel_ip_pools: Optional[Sequence[SettingsTunnelIpPoolArgs]] = None,
tunnel_ipv6_pools: Optional[Sequence[SettingsTunnelIpv6PoolArgs]] = None,
tunnel_user_session_timeout: Optional[int] = None,
unsafe_legacy_renegotiation: Optional[str] = None,
url_obscuration: Optional[str] = None,
user_peer: Optional[str] = None,
vdomparam: Optional[str] = None,
web_mode_snat: Optional[str] = None,
wins_server1: Optional[str] = None,
wins_server2: Optional[str] = None,
x_content_type_options: Optional[str] = None,
ztna_trusted_client: Optional[str] = None)
func NewSettings(ctx *Context, name string, args *SettingsArgs, opts ...ResourceOption) (*Settings, error)
public Settings(string name, SettingsArgs? args = null, CustomResourceOptions? opts = null)
public Settings(String name, SettingsArgs args)
public Settings(String name, SettingsArgs args, CustomResourceOptions options)
type: fortios:vpn/ssl/settings:Settings
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SettingsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SettingsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SettingsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SettingsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SettingsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Settings Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Settings resource accepts the following input properties:
- Algorithm string
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - Auth
Session stringCheck Source Ip - Enable/disable checking of source IP for authentication session. Valid values:
enable
,disable
. - Auth
Timeout int - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- Authentication
Rules List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Authentication Rule> - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - Auto
Tunnel stringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - Banned
Cipher string - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- Browser
Language stringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - Check
Referer string - Enable/disable verification of referer field in HTTP request header. Valid values:
enable
,disable
. - Ciphersuite string
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Client
Sigalgs string - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - Default
Portal string - Default SSL VPN portal.
- Deflate
Compression intLevel - Compression level (0~9).
- Deflate
Min intData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- Dns
Server1 string - DNS server 1.
- Dns
Server2 string - DNS server 2.
- Dns
Suffix string - DNS suffix used for SSL-VPN clients.
- Dtls
Heartbeat intFail Count - Number of missing heartbeats before the connection is considered dropped.
- Dtls
Heartbeat intIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- Dtls
Heartbeat intInterval - Interval between DTLS heartbeat.
- Dtls
Hello intTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- Dtls
Max stringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Min stringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Tunnel string - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - Dual
Stack stringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Encode2f
Sequence string - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - Encrypt
And stringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - Force
Two stringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Header
XForwarded stringFor - Forward the same, add, or remove HTTP header. Valid values:
pass
,add
,remove
. - Hsts
Include stringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - Http
Compression string - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - Http Only Cookie string
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - Http
Request intBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- Http
Request intHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- Https
Redirect string - Enable/disable redirect of port 80 to SSL-VPN port. Valid values:
enable
,disable
. - Idle
Timeout int - SSL VPN disconnects if idle for specified time in seconds.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Wins
Server1 string - IPv6 WINS server 1.
- Ipv6Wins
Server2 string - IPv6 WINS server 2.
- Login
Attempt intLimit - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- Login
Block intTime - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- Login
Timeout int - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- Port int
- SSL-VPN access port (1 - 65535).
- Port
Precedence string - When enabled, admin GUI connections are blocked on any interface on which SSL-VPN connections are allowed. Valid values:
enable
,disable
. - Reqclientcert string
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - Route
Source stringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - Saml
Redirect intPort - SAML local redirect port in the machine running FCT (0 - 65535). 0 is to disable redirection on FGT side.
- Server
Hostname string - Server hostname for HTTPS. When set, it is used as the Host header of the SSL VPN web proxy for any redirection.
- Servercert string
- Name of the server certificate to be used for SSL-VPNs.
- Source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - Source
Address6s List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Source Address6> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - Source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - Source
Addresses List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Source Address> - Source address of incoming traffic. The structure of
source_address
block is documented below. - Source
Interfaces List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Source Interface> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - Ssl
Client stringRenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - Ssl
Insert stringEmpty Fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - Ssl
Max stringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Ssl
Min stringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Status string
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - Tlsv10 string
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - Tlsv11 string
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - Tlsv12 string
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - Tlsv13 string
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - Transform
Backward stringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - Tunnel
Addr stringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - Tunnel
Connect stringWithout Reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - Tunnel
Ip Pools List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Tunnel Ip Pool> - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - Tunnel
Ipv6Pools List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Tunnel Ipv6Pool> - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - Tunnel
User intSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- Unsafe
Legacy stringRenegotiation - Enable/disable unsafe legacy re-negotiation. Valid values:
enable
,disable
. - Url
Obscuration string - Enable to obscure the host name of the URL of the web browser display. Valid values:
enable
,disable
. - User
Peer string - Name of user peer.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Web
Mode stringSnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - Wins
Server1 string - WINS server 1.
- Wins
Server2 string - WINS server 2.
- XContent
Type stringOptions - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - Ztna
Trusted stringClient - Enable/disable verification of device certificate for SSLVPN ZTNA session. Valid values:
enable
,disable
.
- Algorithm string
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - Auth
Session stringCheck Source Ip - Enable/disable checking of source IP for authentication session. Valid values:
enable
,disable
. - Auth
Timeout int - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- Authentication
Rules []SettingsAuthentication Rule Args - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - Auto
Tunnel stringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - Banned
Cipher string - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- Browser
Language stringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - Check
Referer string - Enable/disable verification of referer field in HTTP request header. Valid values:
enable
,disable
. - Ciphersuite string
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Client
Sigalgs string - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - Default
Portal string - Default SSL VPN portal.
- Deflate
Compression intLevel - Compression level (0~9).
- Deflate
Min intData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- Dns
Server1 string - DNS server 1.
- Dns
Server2 string - DNS server 2.
- Dns
Suffix string - DNS suffix used for SSL-VPN clients.
- Dtls
Heartbeat intFail Count - Number of missing heartbeats before the connection is considered dropped.
- Dtls
Heartbeat intIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- Dtls
Heartbeat intInterval - Interval between DTLS heartbeat.
- Dtls
Hello intTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- Dtls
Max stringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Min stringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Tunnel string - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - Dual
Stack stringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Encode2f
Sequence string - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - Encrypt
And stringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - Force
Two stringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Header
XForwarded stringFor - Forward the same, add, or remove HTTP header. Valid values:
pass
,add
,remove
. - Hsts
Include stringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - Http
Compression string - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - Http Only Cookie string
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - Http
Request intBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- Http
Request intHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- Https
Redirect string - Enable/disable redirect of port 80 to SSL-VPN port. Valid values:
enable
,disable
. - Idle
Timeout int - SSL VPN disconnects if idle for specified time in seconds.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Wins
Server1 string - IPv6 WINS server 1.
- Ipv6Wins
Server2 string - IPv6 WINS server 2.
- Login
Attempt intLimit - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- Login
Block intTime - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- Login
Timeout int - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- Port int
- SSL-VPN access port (1 - 65535).
- Port
Precedence string - When enabled, admin GUI connections are blocked on any interface on which SSL-VPN connections are allowed. Valid values:
enable
,disable
. - Reqclientcert string
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - Route
Source stringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - Saml
Redirect intPort - SAML local redirect port in the machine running FCT (0 - 65535). 0 is to disable redirection on FGT side.
- Server
Hostname string - Server hostname for HTTPS. When set, it is used as the Host header of the SSL VPN web proxy for any redirection.
- Servercert string
- Name of the server certificate to be used for SSL-VPNs.
- Source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - Source
Address6s []SettingsSource Address6Args - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - Source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - Source
Addresses []SettingsSource Address Args - Source address of incoming traffic. The structure of
source_address
block is documented below. - Source
Interfaces []SettingsSource Interface Args - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - Ssl
Client stringRenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - Ssl
Insert stringEmpty Fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - Ssl
Max stringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Ssl
Min stringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Status string
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - Tlsv10 string
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - Tlsv11 string
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - Tlsv12 string
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - Tlsv13 string
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - Transform
Backward stringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - Tunnel
Addr stringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - Tunnel
Connect stringWithout Reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - Tunnel
Ip Pools []SettingsTunnel Ip Pool Args - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - Tunnel
Ipv6Pools []SettingsTunnel Ipv6Pool Args - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - Tunnel
User intSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- Unsafe
Legacy stringRenegotiation - Enable/disable unsafe legacy re-negotiation. Valid values:
enable
,disable
. - Url
Obscuration string - Enable to obscure the host name of the URL of the web browser display. Valid values:
enable
,disable
. - User
Peer string - Name of user peer.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Web
Mode stringSnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - Wins
Server1 string - WINS server 1.
- Wins
Server2 string - WINS server 2.
- XContent
Type stringOptions - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - Ztna
Trusted stringClient - Enable/disable verification of device certificate for SSLVPN ZTNA session. Valid values:
enable
,disable
.
- algorithm String
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - auth
Session StringCheck Source Ip - Enable/disable checking of source IP for authentication session. Valid values:
enable
,disable
. - auth
Timeout Integer - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication
Rules List<SettingsAuthentication Rule> - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto
Tunnel StringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned
Cipher String - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser
Language StringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - check
Referer String - Enable/disable verification of referer field in HTTP request header. Valid values:
enable
,disable
. - ciphersuite String
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client
Sigalgs String - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default
Portal String - Default SSL VPN portal.
- deflate
Compression IntegerLevel - Compression level (0~9).
- deflate
Min IntegerData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns
Server1 String - DNS server 1.
- dns
Server2 String - DNS server 2.
- dns
Suffix String - DNS suffix used for SSL-VPN clients.
- dtls
Heartbeat IntegerFail Count - Number of missing heartbeats before the connection is considered dropped.
- dtls
Heartbeat IntegerIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- dtls
Heartbeat IntegerInterval - Interval between DTLS heartbeat.
- dtls
Hello IntegerTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls
Max StringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Min StringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Tunnel String - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual
Stack StringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- encode2f
Sequence String - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt
And StringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force
Two StringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- header
XForwarded StringFor - Forward the same, add, or remove HTTP header. Valid values:
pass
,add
,remove
. - hsts
Include StringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http
Compression String - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - http Only Cookie String
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http
Request IntegerBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http
Request IntegerHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- httpsRedirect String - Enable/disable redirection of HTTP port 80 to the SSL-VPN port. Valid values:
enable
,disable
. - idle
Timeout Integer - SSL VPN disconnects if idle for specified time in seconds.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Wins
Server1 String - IPv6 WINS server 1.
- ipv6Wins
Server2 String - IPv6 WINS server 2.
- loginAttemptLimit Integer - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- login
Block IntegerTime - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- login
Timeout Integer - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port Integer
- SSL-VPN access port (1 - 65535).
- portPrecedence String - Enable means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. Valid values:
enable
,disable
. - reqclientcert String
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route
Source StringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - samlRedirectPort Integer - SAML local redirect port on the machine running FortiClient (FCT) (0 - 65535). 0 disables redirection on the FortiGate (FGT) side.
- server
Hostname String - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.
- servercert String
- Name of the server certificate to be used for SSL-VPNs.
- source
Address6Negate String - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s List<SettingsSource Address6> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address StringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses List<SettingsSource Address> - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces List<SettingsSource Interface> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl
Client StringRenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - sslInsertEmptyFragment String - Enable/disable insertion of an empty TLS fragment. Valid values:
enable
,disable
. - ssl
Max StringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl
Min StringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status String
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 String
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 String
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 String
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 String
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform
Backward StringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel
Addr StringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel
Connect StringWithout Reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - tunnel
Ip List<SettingsPools Tunnel Ip Pool> - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel
Ipv6Pools List<SettingsTunnel Ipv6Pool> - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel
User IntegerSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafeLegacyRenegotiation String - Enable/disable unsafe legacy TLS renegotiation (renegotiation without the RFC 5746 secure renegotiation extension). Valid values:
enable
,disable
. - urlObscuration String - Enable to obscure the host name in the URL shown in the web browser. Valid values:
enable
,disable
. - user
Peer String - Name of user peer.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- web
Mode StringSnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - wins
Server1 String - WINS server 1.
- wins
Server2 String - WINS server 2.
- x
Content StringType Options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztnaTrustedClient String - Enable/disable verification of the device certificate for SSL-VPN ZTNA sessions. Valid values:
enable
,disable
.
- algorithm string
- Force the SSL-VPN security level (cipher strength). High allows only high; medium allows medium and high; low allows any. Valid values:
high
,medium
,default
,low
. - authSessionCheckSourceIp string - Enable/disable checking of the source IP for authentication sessions. Valid values:
enable
,disable
. - auth
Timeout number - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication
Rules SettingsAuthentication Rule[] - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto
Tunnel stringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned
Cipher string - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser
Language stringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - checkReferer string - Enable/disable verification of the Referer field in the HTTP request header. Valid values:
enable
,disable
. - ciphersuite string
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client
Sigalgs string - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default
Portal string - Default SSL VPN portal.
- deflate
Compression numberLevel - Compression level (0~9).
- deflate
Min numberData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns
Server1 string - DNS server 1.
- dns
Server2 string - DNS server 2.
- dns
Suffix string - DNS suffix used for SSL-VPN clients.
- dtls
Heartbeat numberFail Count - Number of missing heartbeats before the connection is considered dropped.
- dtls
Heartbeat numberIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- dtls
Heartbeat numberInterval - Interval between DTLS heartbeat.
- dtls
Hello numberTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls
Max stringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Min stringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Tunnel string - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual
Stack stringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- encode2f
Sequence string - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt
And stringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force
Two stringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- headerXForwardedFor string - Pass through, add, or remove the HTTP X-Forwarded-For header. Valid values:
pass
,add
,remove
. - hsts
Include stringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http
Compression string - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - httpOnlyCookie string
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http
Request numberBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http
Request numberHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- httpsRedirect string - Enable/disable redirection of HTTP port 80 to the SSL-VPN port. Valid values:
enable
,disable
. - idle
Timeout number - SSL VPN disconnects if idle for specified time in seconds.
- ipv6Dns
Server1 string - IPv6 DNS server 1.
- ipv6Dns
Server2 string - IPv6 DNS server 2.
- ipv6Wins
Server1 string - IPv6 WINS server 1.
- ipv6Wins
Server2 string - IPv6 WINS server 2.
- loginAttemptLimit number - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- login
Block numberTime - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- login
Timeout number - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port number
- SSL-VPN access port (1 - 65535).
- portPrecedence string - Enable means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. Valid values:
enable
,disable
. - reqclientcert string
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route
Source stringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - samlRedirectPort number - SAML local redirect port on the machine running FortiClient (FCT) (0 - 65535). 0 disables redirection on the FortiGate (FGT) side.
- server
Hostname string - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.
- servercert string
- Name of the server certificate to be used for SSL-VPNs.
- source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s SettingsSource Address6[] - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses SettingsSource Address[] - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces SettingsSource Interface[] - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl
Client stringRenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - sslInsertEmptyFragment string - Enable/disable insertion of an empty TLS fragment. Valid values:
enable
,disable
. - ssl
Max stringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl
Min stringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status string
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 string
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 string
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 string
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 string
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform
Backward stringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel
Addr stringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel
Connect stringWithout Reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - tunnel
Ip SettingsPools Tunnel Ip Pool[] - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel
Ipv6Pools SettingsTunnel Ipv6Pool[] - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel
User numberSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafeLegacyRenegotiation string - Enable/disable unsafe legacy TLS renegotiation (renegotiation without the RFC 5746 secure renegotiation extension). Valid values:
enable
,disable
. - urlObscuration string - Enable to obscure the host name in the URL shown in the web browser. Valid values:
enable
,disable
. - user
Peer string - Name of user peer.
- vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- web
Mode stringSnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - wins
Server1 string - WINS server 1.
- wins
Server2 string - WINS server 2.
- x
Content stringType Options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztnaTrustedClient string - Enable/disable verification of the device certificate for SSL-VPN ZTNA sessions. Valid values:
enable
,disable
.
- algorithm str
- Force the SSL-VPN security level (cipher strength). High allows only high; medium allows medium and high; low allows any. Valid values:
high
,medium
,default
,low
. - auth_session_check_source_ip str - Enable/disable checking of the source IP for authentication sessions. Valid values:
enable
,disable
. - auth_
timeout int - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication_
rules Sequence[SettingsAuthentication Rule Args] - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto_
tunnel_ strstatic_ route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned_cipher str - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser_
language_ strdetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - check_referer str - Enable/disable verification of the Referer field in the HTTP request header. Valid values:
enable
,disable
. - ciphersuite str
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client_sigalgs str - Set signature algorithms related to client authentication. Affects TLS versions <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default_
portal str - Default SSL VPN portal.
- deflate_
compression_ intlevel - Compression level (0~9).
- deflate_
min_ intdata_ size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns_
server1 str - DNS server 1.
- dns_
server2 str - DNS server 2.
- dns_
suffix str - DNS suffix used for SSL-VPN clients.
- dtls_
heartbeat_ intfail_ count - Number of missing heartbeats before the connection is considered dropped.
- dtls_
heartbeat_ intidle_ timeout - Idle timeout before DTLS heartbeat is sent.
- dtls_
heartbeat_ intinterval - Interval between DTLS heartbeat.
- dtls_
hello_ inttimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls_
max_ strproto_ ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls_
min_ strproto_ ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls_tunnel str - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual_
stack_ strmode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic_
sort_ strsubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- encode2f_
sequence str - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt_and_store_password str - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force_two_factor_auth str - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get_
all_ strtables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- header_x_forwarded_for str - Pass through, add, or remove the HTTP X-Forwarded-For header. Valid values:
pass
,add
,remove
. - hsts_include_subdomains str - Add the HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http_
compression str - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - http_only_cookie str
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http_
request_ intbody_ timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http_
request_ intheader_ timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- https_redirect str - Enable/disable redirection of HTTP port 80 to the SSL-VPN port. Valid values:
enable
,disable
. - idle_
timeout int - SSL VPN disconnects if idle for specified time in seconds.
- ipv6_
dns_ strserver1 - IPv6 DNS server 1.
- ipv6_
dns_ strserver2 - IPv6 DNS server 2.
- ipv6_
wins_ strserver1 - IPv6 WINS server 1.
- ipv6_
wins_ strserver2 - IPv6 WINS server 2.
- login_attempt_limit int - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- login_block_time int - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- login_
timeout int - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port int
- SSL-VPN access port (1 - 65535).
- port_precedence str - Enable means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. Valid values:
enable
,disable
. - reqclientcert str
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route_source_interface str - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - saml_redirect_port int - SAML local redirect port on the machine running FortiClient (FCT) (0 - 65535). 0 disables redirection on the FortiGate (FGT) side.
- server_
hostname str - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.
- servercert str
- Name of the server certificate to be used for SSL-VPNs.
- source_
address6_ strnegate - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source_
address6s Sequence[SettingsSource Address6Args] - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source_
address_ strnegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source_
addresses Sequence[SettingsSource Address Args] - Source address of incoming traffic. The structure of
source_address
block is documented below. - source_
interfaces Sequence[SettingsSource Interface Args] - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl_
client_ strrenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - ssl_insert_empty_fragment str - Enable/disable insertion of an empty TLS fragment. Valid values:
enable
,disable
. - ssl_max_proto_ver str - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl_min_proto_ver str - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status str
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 str
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 str
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 str
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 str
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform_
backward_ strslashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel_
addr_ strassigned_ method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel_connect_without_reauth str - Enable/disable tunnel connection without re-authorization if the previous connection dropped. Valid values:
enable
,disable
. - tunnel_
ip_ Sequence[Settingspools Tunnel Ip Pool Args] - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel_
ipv6_ Sequence[Settingspools Tunnel Ipv6Pool Args] - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel_
user_ intsession_ timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafe_legacy_renegotiation str - Enable/disable unsafe legacy TLS renegotiation (renegotiation without the RFC 5746 secure renegotiation extension). Valid values:
enable
,disable
. - url_obscuration str - Enable to obscure the host name in the URL shown in the web browser. Valid values:
enable
,disable
. - user_
peer str - Name of user peer.
- vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- web_
mode_ strsnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - wins_
server1 str - WINS server 1.
- wins_
server2 str - WINS server 2.
- x_
content_ strtype_ options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztna_trusted_client str - Enable/disable verification of the device certificate for SSL-VPN ZTNA sessions. Valid values:
enable
,disable
.
- algorithm String
- Force the SSL-VPN security level (cipher strength). High allows only high; medium allows medium and high; low allows any. Valid values:
high
,medium
,default
,low
. - authSessionCheckSourceIp String - Enable/disable checking of the source IP for authentication sessions. Valid values:
enable
,disable
. - auth
Timeout Number - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication
Rules List<Property Map> - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto
Tunnel StringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned
Cipher String - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser
Language StringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - checkReferer String - Enable/disable verification of the Referer field in the HTTP request header. Valid values:
enable
,disable
. - ciphersuite String
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client
Sigalgs String - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default
Portal String - Default SSL VPN portal.
- deflate
Compression NumberLevel - Compression level (0~9).
- deflate
Min NumberData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns
Server1 String - DNS server 1.
- dns
Server2 String - DNS server 2.
- dns
Suffix String - DNS suffix used for SSL-VPN clients.
- dtls
Heartbeat NumberFail Count - Number of missing heartbeats before the connection is considered dropped.
- dtls
Heartbeat NumberIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- dtls
Heartbeat NumberInterval - Interval between DTLS heartbeat.
- dtls
Hello NumberTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls
Max StringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Min StringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Tunnel String - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual
Stack StringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- encode2f
Sequence String - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt
And StringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force
Two StringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- headerXForwardedFor String - Pass through, add, or remove the HTTP X-Forwarded-For header. Valid values:
pass
,add
,remove
. - hsts
Include StringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http
Compression String - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - httpOnlyCookie String
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http
Request NumberBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http
Request NumberHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- httpsRedirect String - Enable/disable redirection of HTTP port 80 to the SSL-VPN port. Valid values:
enable
,disable
. - idle
Timeout Number - SSL VPN disconnects if idle for specified time in seconds.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Wins
Server1 String - IPv6 WINS server 1.
- ipv6Wins
Server2 String - IPv6 WINS server 2.
- loginAttemptLimit Number - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- login
Block NumberTime - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- login
Timeout Number - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port Number
- SSL-VPN access port (1 - 65535).
- portPrecedence String - Enable means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. Valid values:
enable
,disable
. - reqclientcert String
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route
Source StringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - samlRedirectPort Number - SAML local redirect port on the machine running FortiClient (FCT) (0 - 65535). 0 disables redirection on the FortiGate (FGT) side.
- server
Hostname String - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.
- servercert String
- Name of the server certificate to be used for SSL-VPNs.
- source
Address6Negate String - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s List<Property Map> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address StringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses List<Property Map> - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces List<Property Map> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl
Client StringRenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - sslInsertEmptyFragment String - Enable/disable insertion of an empty TLS fragment. Valid values:
enable
,disable
. - ssl
Max StringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl
Min StringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status String
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 String
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 String
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 String
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 String
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform
Backward StringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel
Addr StringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel
Connect StringWithout Reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - tunnel
Ip List<Property Map>Pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel
Ipv6Pools List<Property Map> - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel
User NumberSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafeLegacyRenegotiation String - Enable/disable unsafe legacy TLS renegotiation (renegotiation without the RFC 5746 secure renegotiation extension). Valid values:
enable
,disable
. - urlObscuration String - Enable to obscure the host name in the URL shown in the web browser. Valid values:
enable
,disable
. - user
Peer String - Name of user peer.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- web
Mode StringSnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - wins
Server1 String - WINS server 1.
- wins
Server2 String - WINS server 2.
- x
Content StringType Options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztnaTrustedClient String - Enable/disable verification of the device certificate for SSL-VPN ZTNA sessions. Valid values:
enable
,disable
.
Outputs
All input properties are implicitly available as output properties. Additionally, the Settings resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Settings Resource
Get an existing Settings resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SettingsState, opts?: CustomResourceOptions): Settings
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
algorithm: Optional[str] = None,
auth_session_check_source_ip: Optional[str] = None,
auth_timeout: Optional[int] = None,
authentication_rules: Optional[Sequence[SettingsAuthenticationRuleArgs]] = None,
auto_tunnel_static_route: Optional[str] = None,
banned_cipher: Optional[str] = None,
browser_language_detection: Optional[str] = None,
check_referer: Optional[str] = None,
ciphersuite: Optional[str] = None,
client_sigalgs: Optional[str] = None,
default_portal: Optional[str] = None,
deflate_compression_level: Optional[int] = None,
deflate_min_data_size: Optional[int] = None,
dns_server1: Optional[str] = None,
dns_server2: Optional[str] = None,
dns_suffix: Optional[str] = None,
dtls_heartbeat_fail_count: Optional[int] = None,
dtls_heartbeat_idle_timeout: Optional[int] = None,
dtls_heartbeat_interval: Optional[int] = None,
dtls_hello_timeout: Optional[int] = None,
dtls_max_proto_ver: Optional[str] = None,
dtls_min_proto_ver: Optional[str] = None,
dtls_tunnel: Optional[str] = None,
dual_stack_mode: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
encode2f_sequence: Optional[str] = None,
encrypt_and_store_password: Optional[str] = None,
force_two_factor_auth: Optional[str] = None,
get_all_tables: Optional[str] = None,
header_x_forwarded_for: Optional[str] = None,
hsts_include_subdomains: Optional[str] = None,
http_compression: Optional[str] = None,
http_only_cookie: Optional[str] = None,
http_request_body_timeout: Optional[int] = None,
http_request_header_timeout: Optional[int] = None,
https_redirect: Optional[str] = None,
idle_timeout: Optional[int] = None,
ipv6_dns_server1: Optional[str] = None,
ipv6_dns_server2: Optional[str] = None,
ipv6_wins_server1: Optional[str] = None,
ipv6_wins_server2: Optional[str] = None,
login_attempt_limit: Optional[int] = None,
login_block_time: Optional[int] = None,
login_timeout: Optional[int] = None,
port: Optional[int] = None,
port_precedence: Optional[str] = None,
reqclientcert: Optional[str] = None,
route_source_interface: Optional[str] = None,
saml_redirect_port: Optional[int] = None,
server_hostname: Optional[str] = None,
servercert: Optional[str] = None,
source_address6_negate: Optional[str] = None,
source_address6s: Optional[Sequence[SettingsSourceAddress6Args]] = None,
source_address_negate: Optional[str] = None,
source_addresses: Optional[Sequence[SettingsSourceAddressArgs]] = None,
source_interfaces: Optional[Sequence[SettingsSourceInterfaceArgs]] = None,
ssl_client_renegotiation: Optional[str] = None,
ssl_insert_empty_fragment: Optional[str] = None,
ssl_max_proto_ver: Optional[str] = None,
ssl_min_proto_ver: Optional[str] = None,
status: Optional[str] = None,
tlsv10: Optional[str] = None,
tlsv11: Optional[str] = None,
tlsv12: Optional[str] = None,
tlsv13: Optional[str] = None,
transform_backward_slashes: Optional[str] = None,
tunnel_addr_assigned_method: Optional[str] = None,
tunnel_connect_without_reauth: Optional[str] = None,
tunnel_ip_pools: Optional[Sequence[SettingsTunnelIpPoolArgs]] = None,
tunnel_ipv6_pools: Optional[Sequence[SettingsTunnelIpv6PoolArgs]] = None,
tunnel_user_session_timeout: Optional[int] = None,
unsafe_legacy_renegotiation: Optional[str] = None,
url_obscuration: Optional[str] = None,
user_peer: Optional[str] = None,
vdomparam: Optional[str] = None,
web_mode_snat: Optional[str] = None,
wins_server1: Optional[str] = None,
wins_server2: Optional[str] = None,
x_content_type_options: Optional[str] = None,
ztna_trusted_client: Optional[str] = None) -> Settings
func GetSettings(ctx *Context, name string, id IDInput, state *SettingsState, opts ...ResourceOption) (*Settings, error)
public static Settings Get(string name, Input<string> id, SettingsState? state, CustomResourceOptions? opts = null)
public static Settings get(String name, Output<String> id, SettingsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Algorithm string
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - Auth
Session Check Source Ip string - Enable/disable source IP checking for authentication sessions. Valid values:
enable
,disable
. - Auth
Timeout int - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- Authentication
Rules List<Pulumiverse.Fortios.Vpn.Ssl.Inputs.SettingsAuthenticationRule> - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - Auto
Tunnel stringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - Banned
Cipher string - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- Browser
Language stringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - Check
Referer string - Enable/disable verification of referer field in HTTP request header. Valid values:
enable
,disable
. - Ciphersuite string
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Client
Sigalgs string - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - Default
Portal string - Default SSL VPN portal.
- Deflate
Compression intLevel - Compression level (0~9).
- Deflate
Min intData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- Dns
Server1 string - DNS server 1.
- Dns
Server2 string - DNS server 2.
- Dns
Suffix string - DNS suffix used for SSL-VPN clients.
- Dtls
Heartbeat intFail Count - Number of missing heartbeats before the connection is considered dropped.
- Dtls
Heartbeat intIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- Dtls
Heartbeat intInterval - Interval between DTLS heartbeat.
- Dtls
Hello intTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- Dtls
Max stringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Min stringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Tunnel string - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - Dual
Stack stringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - Dynamic
Sort Subtable string - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- Encode2f
Sequence string - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - Encrypt
And stringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - Force
Two stringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - Get
All Tables string - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- Header
X Forwarded For string - Pass through, add, or remove the X-Forwarded-For HTTP header. Valid values:
pass
,add
,remove
. - Hsts
Include stringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - Http
Compression string - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - Http Only Cookie string
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - Http
Request intBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- Http
Request intHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- Https
Redirect string - Enable/disable redirect of port 80 to SSL-VPN port. Valid values:
enable
,disable
. - Idle
Timeout int - SSL VPN disconnects if idle for specified time in seconds.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Wins
Server1 string - IPv6 WINS server 1.
- Ipv6Wins
Server2 string - IPv6 WINS server 2.
- Login
Attempt Limit int - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- Login
Block Time int - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- Login
Timeout int - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- Port int
- SSL-VPN access port (1 - 65535).
- Port
Precedence string - When enabled, admin GUI connections are blocked on any interface that allows SSL-VPN connections. Valid values:
enable
,disable
. - Reqclientcert string
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - Route
Source stringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - Saml
Redirect Port int - SAML local redirect port on the machine running FCT (0 - 65535). 0 disables redirection on the FGT side.
- Server
Hostname string - Server hostname for HTTPS. When set, it is used as the SSL VPN web proxy Host header for any redirection.
- Servercert string
- Name of the server certificate to be used for SSL-VPNs.
- Source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - Source
Address6s List<Pulumiverse.Fortios.Vpn.Ssl.Inputs.SettingsSourceAddress6> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - Source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - Source
Addresses List<Pulumiverse.Fortios.Vpn.Ssl.Inputs.SettingsSourceAddress> - Source address of incoming traffic. The structure of
source_address
block is documented below. - Source
Interfaces List<Pulumiverse.Fortios.Vpn.Ssl.Inputs.SettingsSourceInterface> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - Ssl
Client Renegotiation string - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - Ssl
Insert stringEmpty Fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - Ssl
Max stringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Ssl
Min stringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Status string
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - Tlsv10 string
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - Tlsv11 string
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - Tlsv12 string
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - Tlsv13 string
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - Transform
Backward stringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - Tunnel
Addr stringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - Tunnel
Connect Without Reauth string - Enable/disable tunnel reconnection without re-authorization if the previous connection dropped. Valid values:
enable
,disable
. - Tunnel
Ip Pools List<Pulumiverse.Fortios.Vpn.Ssl.Inputs.SettingsTunnelIpPool> - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - Tunnel
Ipv6Pools List<Pulumiverse.Fortios.Vpn.Ssl.Inputs.SettingsTunnelIpv6Pool> - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - Tunnel
User Session Timeout int - Number of seconds after a tunnel connection is dropped before the user session is cleaned up (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- Unsafe
Legacy Renegotiation string - Enable/disable unsafe legacy renegotiation. Valid values:
enable
,disable
. - Url
Obscuration string - Enable to obscure the host name of the URL of the web browser display. Valid values:
enable
,disable
. - User
Peer string - Name of user peer.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Web
Mode Snat string - Enable/disable use of IP pools defined in the firewall policy while using web mode. Valid values:
enable
,disable
. - Wins
Server1 string - WINS server 1.
- Wins
Server2 string - WINS server 2.
- XContent
Type Options string - Add the HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - Ztna
Trusted Client string - Enable/disable verification of the device certificate for SSLVPN ZTNA sessions. Valid values:
enable
,disable
.
- Algorithm string
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - Auth
Session Check Source Ip string - Enable/disable source IP checking for authentication sessions. Valid values:
enable
,disable
. - Auth
Timeout int - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- Authentication
Rules []SettingsAuthenticationRuleArgs - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - Auto
Tunnel stringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - Banned
Cipher string - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- Browser
Language stringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - Check
Referer string - Enable/disable verification of referer field in HTTP request header. Valid values:
enable
,disable
. - Ciphersuite string
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Client
Sigalgs string - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - Default
Portal string - Default SSL VPN portal.
- Deflate
Compression intLevel - Compression level (0~9).
- Deflate
Min intData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- Dns
Server1 string - DNS server 1.
- Dns
Server2 string - DNS server 2.
- Dns
Suffix string - DNS suffix used for SSL-VPN clients.
- Dtls
Heartbeat intFail Count - Number of missing heartbeats before the connection is considered dropped.
- Dtls
Heartbeat intIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- Dtls
Heartbeat intInterval - Interval between DTLS heartbeat.
- Dtls
Hello intTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- Dtls
Max stringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Min stringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - Dtls
Tunnel string - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - Dual
Stack stringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - Dynamic
Sort Subtable string - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- Encode2f
Sequence string - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - Encrypt
And stringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - Force
Two stringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - Get
All Tables string - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- Header
X Forwarded For string - Pass through, add, or remove the X-Forwarded-For HTTP header. Valid values:
pass
,add
,remove
. - Hsts
Include stringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - Http
Compression string - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - Http Only Cookie string
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - Http
Request intBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- Http
Request intHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- Https
Redirect string - Enable/disable redirect of port 80 to SSL-VPN port. Valid values:
enable
,disable
. - Idle
Timeout int - SSL VPN disconnects if idle for specified time in seconds.
- Ipv6Dns
Server1 string - IPv6 DNS server 1.
- Ipv6Dns
Server2 string - IPv6 DNS server 2.
- Ipv6Wins
Server1 string - IPv6 WINS server 1.
- Ipv6Wins
Server2 string - IPv6 WINS server 2.
- Login
Attempt Limit int - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- Login
Block Time int - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- Login
Timeout int - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- Port int
- SSL-VPN access port (1 - 65535).
- Port
Precedence string - When enabled, admin GUI connections are blocked on any interface that allows SSL-VPN connections. Valid values:
enable
,disable
. - Reqclientcert string
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - Route
Source stringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - Saml
Redirect Port int - SAML local redirect port on the machine running FCT (0 - 65535). 0 disables redirection on the FGT side.
- Server
Hostname string - Server hostname for HTTPS. When set, it is used as the SSL VPN web proxy Host header for any redirection.
- Servercert string
- Name of the server certificate to be used for SSL-VPNs.
- Source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - Source
Address6s []SettingsSourceAddress6Args - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - Source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - Source
Addresses []SettingsSourceAddressArgs - Source address of incoming traffic. The structure of
source_address
block is documented below. - Source
Interfaces []SettingsSourceInterfaceArgs - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - Ssl
Client Renegotiation string - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - Ssl
Insert stringEmpty Fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - Ssl
Max stringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Ssl
Min stringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - Status string
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - Tlsv10 string
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - Tlsv11 string
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - Tlsv12 string
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - Tlsv13 string
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - Transform
Backward stringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - Tunnel
Addr stringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - Tunnel
Connect Without Reauth string - Enable/disable tunnel reconnection without re-authorization if the previous connection dropped. Valid values:
enable
,disable
. - Tunnel
Ip Pools []SettingsTunnelIpPoolArgs - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - Tunnel
Ipv6Pools []SettingsTunnelIpv6PoolArgs - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - Tunnel
User Session Timeout int - Number of seconds after a tunnel connection is dropped before the user session is cleaned up (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- Unsafe
Legacy Renegotiation string - Enable/disable unsafe legacy renegotiation. Valid values:
enable
,disable
. - Url
Obscuration string - Enable to obscure the host name of the URL of the web browser display. Valid values:
enable
,disable
. - User
Peer string - Name of user peer.
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Web
Mode Snat string - Enable/disable use of IP pools defined in the firewall policy while using web mode. Valid values:
enable
,disable
. - Wins
Server1 string - WINS server 1.
- Wins
Server2 string - WINS server 2.
- XContent
Type Options string - Add the HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - Ztna
Trusted Client string - Enable/disable verification of the device certificate for SSLVPN ZTNA sessions. Valid values:
enable
,disable
.
- algorithm String
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - auth
Session Check Source Ip String - Enable/disable source IP checking for authentication sessions. Valid values:
enable
,disable
. - auth
Timeout Integer - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication
Rules List<SettingsAuthenticationRule> - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto
Tunnel StringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned
Cipher String - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser
Language StringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - check
Referer String - Enable/disable verification of referer field in HTTP request header. Valid values:
enable
,disable
. - ciphersuite String
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client
Sigalgs String - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default
Portal String - Default SSL VPN portal.
- deflate
Compression IntegerLevel - Compression level (0~9).
- deflate
Min IntegerData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns
Server1 String - DNS server 1.
- dns
Server2 String - DNS server 2.
- dns
Suffix String - DNS suffix used for SSL-VPN clients.
- dtls
Heartbeat IntegerFail Count - Number of missing heartbeats before the connection is considered dropped.
- dtls
Heartbeat IntegerIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- dtls
Heartbeat IntegerInterval - Interval between DTLS heartbeat.
- dtls
Hello IntegerTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls
Max StringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Min StringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Tunnel String - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual
Stack StringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic
Sort Subtable String - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- encode2f
Sequence String - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt
And StringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force
Two StringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get
All Tables String - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- header
X Forwarded For String - Pass through, add, or remove the X-Forwarded-For HTTP header. Valid values:
pass
,add
,remove
. - hsts
Include StringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http
Compression String - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - http Only Cookie String
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http
Request IntegerBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http
Request IntegerHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- https
Redirect String - Enable/disable redirect of port 80 to SSL-VPN port. Valid values:
enable
,disable
. - idle
Timeout Integer - SSL VPN disconnects if idle for specified time in seconds.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Wins
Server1 String - IPv6 WINS server 1.
- ipv6Wins
Server2 String - IPv6 WINS server 2.
- login
Attempt Limit Integer - Maximum number of SSL VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- login
Block Time Integer - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- login
Timeout Integer - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port Integer
- SSL-VPN access port (1 - 65535).
- port
Precedence String - When enabled, admin GUI connections are blocked on any interface that allows SSL-VPN connections. Valid values:
enable
,disable
. - reqclientcert String
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route
Source StringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - saml
Redirect Port Integer - SAML local redirect port on the machine running FCT (0 - 65535). 0 disables redirection on the FGT side.
- server
Hostname String - Server hostname for HTTPS. When set, it is used as the SSL VPN web proxy Host header for any redirection.
- servercert String
- Name of the server certificate to be used for SSL-VPNs.
- source
Address6Negate String - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s List<SettingsSourceAddress6> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address StringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses List<SettingsSourceAddress> - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces List<SettingsSourceInterface> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl
Client Renegotiation String - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - ssl
Insert StringEmpty Fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - ssl
Max StringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl
Min StringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status String
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 String
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 String
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 String
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 String
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform
Backward StringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel
Addr StringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel
Connect StringWithout Reauth - Enable/disable tunnel connection without re-authorization if the previous connection dropped. Valid values:
enable
,disable
. - tunnel
Ip List<SettingsPools Tunnel Ip Pool> - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel
Ipv6Pools List<SettingsTunnel Ipv6Pool> - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel
User IntegerSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafe
Legacy StringRenegotiation - Enable/disable unsafe legacy TLS renegotiation (renegotiation with peers that do not support the secure-renegotiation extension). Valid values:
enable
,disable
. - url
Obscuration String - Enable to obscure the host name in the URL shown by the web browser. Valid values:
enable
,disable
. - user
Peer String - Name of user peer.
- vdomparam String
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the VDOM configuration of the provider, do not set this parameter.
- web
Mode StringSnat - Enable/disable use of the IP pools defined in the firewall policy when using web mode. Valid values:
enable
,disable
. - wins
Server1 String - WINS server 1.
- wins
Server2 String - WINS server 2.
- x
Content StringType Options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztna
Trusted StringClient - Enable/disable verification of the device certificate for SSL-VPN ZTNA sessions. Valid values:
enable
,disable
.
- algorithm string
- Force the SSL-VPN security level: high allows only high; medium allows medium and high; low allows any. Valid values:
high
,medium
,default
,low
. - auth
Session stringCheck Source Ip - Enable/disable checking of the source IP for the authentication session. Valid values:
enable
,disable
. - auth
Timeout number - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication
Rules SettingsAuthentication Rule[] - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto
Tunnel stringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned
Cipher string - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser
Language stringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - check
Referer string - Enable/disable verification of the Referer field in the HTTP request header. Valid values:
enable
,disable
. - ciphersuite string
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client
Sigalgs string - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default
Portal string - Default SSL VPN portal.
- deflate
Compression numberLevel - Compression level (0 - 9).
- deflate
Min numberData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns
Server1 string - DNS server 1.
- dns
Server2 string - DNS server 2.
- dns
Suffix string - DNS suffix used for SSL-VPN clients.
- dtls
Heartbeat numberFail Count - Number of missing heartbeats before the connection is considered dropped.
- dtls
Heartbeat numberIdle Timeout - Idle time before a DTLS heartbeat is sent.
- dtls
Heartbeat numberInterval - Interval between DTLS heartbeats.
- dtls
Hello numberTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls
Max stringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Min stringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Tunnel string - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual
Stack stringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- encode2f
Sequence string - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt
And stringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force
Two stringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get
All stringTables - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- header
XForwarded stringFor - Pass through unchanged, add, or remove the HTTP X-Forwarded-For header. Valid values:
pass
,add
,remove
. - hsts
Include stringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http
Compression string - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - string
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http
Request numberBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http
Request numberHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- https
Redirect string - Enable/disable redirection of port 80 to the SSL-VPN port. Valid values:
enable
,disable
. - idle
Timeout number - Number of seconds of inactivity after which the SSL-VPN session is disconnected.
- ipv6Dns
Server1 string - IPv6 DNS server 1.
- ipv6Dns
Server2 string - IPv6 DNS server 2.
- ipv6Wins
Server1 string - IPv6 WINS server 1.
- ipv6Wins
Server2 string - IPv6 WINS server 2.
- loginAttemptLimit number - Maximum number of SSL-VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- loginBlockTime number - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- loginTimeout number - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port number
- SSL-VPN access port (1 - 65535).
- port
Precedence string - When enabled, if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. Valid values:
enable
,disable
. - reqclientcert string
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route
Source stringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - saml
Redirect numberPort - SAML local redirect port in the machine running FCT (0 - 65535). 0 is to disable redirection on FGT side.
- server
Hostname string - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.
- servercert string
- Name of the server certificate to be used for SSL-VPNs.
- source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s SettingsSource Address6[] - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses SettingsSource Address[] - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces SettingsSource Interface[] - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl
Client stringRenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - ssl
Insert stringEmpty Fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - ssl
Max stringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl
Min stringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status string
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 string
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 string
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 string
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 string
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform
Backward stringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel
Addr stringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel
Connect stringWithout Reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - tunnel
Ip SettingsPools Tunnel Ip Pool[] - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel
Ipv6Pools SettingsTunnel Ipv6Pool[] - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel
User numberSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafe
Legacy stringRenegotiation - Enable/disable unsafe legacy re-negotiation. Valid values:
enable
,disable
. - url
Obscuration string - Enable to obscure the host name of the URL of the web browser display. Valid values:
enable
,disable
. - user
Peer string - Name of user peer.
- vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- web
Mode stringSnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - wins
Server1 string - WINS server 1.
- wins
Server2 string - WINS server 2.
- x
Content stringType Options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztna
Trusted stringClient - Enable/disable verification of device certificate for SSLVPN ZTNA session. Valid values:
enable
,disable
.
- algorithm str
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - auth_
session_ strcheck_ source_ ip - Enable/disable checking of source IP for authentication session. Valid values:
enable
,disable
. - auth_
timeout int - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication_
rules Sequence[SettingsAuthentication Rule Args] - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto_
tunnel_ strstatic_ route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned_
cipher str - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser_
language_ strdetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - check_
referer str - Enable/disable verification of the Referer field in the HTTP request header. Valid values:
enable
,disable
. - ciphersuite str
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client_
sigalgs str - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default_
portal str - Default SSL VPN portal.
- deflate_
compression_ intlevel - Compression level (0~9).
- deflate_
min_ intdata_ size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns_
server1 str - DNS server 1.
- dns_
server2 str - DNS server 2.
- dns_
suffix str - DNS suffix used for SSL-VPN clients.
- dtls_
heartbeat_ intfail_ count - Number of missing heartbeats before the connection is considered dropped.
- dtls_
heartbeat_ intidle_ timeout - Idle timeout before DTLS heartbeat is sent.
- dtls_
heartbeat_ intinterval - Interval between DTLS heartbeat.
- dtls_
hello_ inttimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls_
max_ strproto_ ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls_
min_ strproto_ ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls_
tunnel str - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual_
stack_ strmode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic_
sort_ strsubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- encode2f_
sequence str - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt_
and_ strstore_ password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force_
two_ strfactor_ auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get_
all_ strtables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- header_
x_ strforwarded_ for - Forward the same, add, or remove HTTP header. Valid values:
pass
,add
,remove
. - hsts_
include_ strsubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http_
compression str - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - str
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http_
request_ intbody_ timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http_
request_ intheader_ timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- https_
redirect str - Enable/disable redirect of port 80 to SSL-VPN port. Valid values:
enable
,disable
. - idle_
timeout int - SSL VPN disconnects if idle for specified time in seconds.
- ipv6_
dns_ strserver1 - IPv6 DNS server 1.
- ipv6_
dns_ strserver2 - IPv6 DNS server 2.
- ipv6_
wins_ strserver1 - IPv6 WINS server 1.
- ipv6_
wins_ strserver2 - IPv6 WINS server 2.
- login_attempt_limit int - Maximum number of SSL-VPN login attempts before the user is blocked (0 - 10, default = 2, 0 = no limit).
- login_
block_ inttime - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- login_
timeout int - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port int
- SSL-VPN access port (1 - 65535).
- port_
precedence str - When enabled, if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. Valid values:
enable
,disable
. - reqclientcert str
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route_
source_ strinterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - saml_
redirect_ intport - SAML local redirect port in the machine running FCT (0 - 65535). 0 is to disable redirection on FGT side.
- server_
hostname str - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.
- servercert str
- Name of the server certificate to be used for SSL-VPNs.
- source_
address6_ strnegate - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source_
address6s Sequence[SettingsSource Address6Args] - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source_
address_ strnegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source_
addresses Sequence[SettingsSource Address Args] - Source address of incoming traffic. The structure of
source_address
block is documented below. - source_
interfaces Sequence[SettingsSource Interface Args] - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl_
client_ strrenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - ssl_
insert_ strempty_ fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - ssl_
max_ strproto_ ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl_
min_ strproto_ ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status str
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 str
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 str
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 str
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 str
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform_
backward_ strslashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel_
addr_ strassigned_ method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel_
connect_ strwithout_ reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - tunnel_
ip_ Sequence[Settingspools Tunnel Ip Pool Args] - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel_
ipv6_ Sequence[Settingspools Tunnel Ipv6Pool Args] - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel_
user_ intsession_ timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafe_
legacy_ strrenegotiation - Enable/disable unsafe legacy TLS renegotiation (renegotiation with peers that do not support the secure-renegotiation extension). Valid values:
enable
,disable
. - url_
obscuration str - Enable to obscure the host name of the URL of the web browser display. Valid values:
enable
,disable
. - user_
peer str - Name of user peer.
- vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- web_
mode_ strsnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - wins_
server1 str - WINS server 1.
- wins_
server2 str - WINS server 2.
- x_
content_ strtype_ options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztna_
trusted_ strclient - Enable/disable verification of device certificate for SSLVPN ZTNA session. Valid values:
enable
,disable
.
- algorithm String
- Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Valid values:
high
,medium
,default
,low
. - auth
Session StringCheck Source Ip - Enable/disable checking of source IP for authentication session. Valid values:
enable
,disable
. - auth
Timeout Number - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
- authentication
Rules List<Property Map> - Authentication rule for SSL VPN. The structure of
authentication_rule
block is documented below. - auto
Tunnel StringStatic Route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Valid values:
enable
,disable
. - banned
Cipher String - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
- browser
Language StringDetection - Enable/disable overriding the configured system language based on the preferred language of the browser. Valid values:
enable
,disable
. - check
Referer String - Enable/disable verification of referer field in HTTP request header. Valid values:
enable
,disable
. - ciphersuite String
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - client
Sigalgs String - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Valid values:
no-rsa-pss
,all
. - default
Portal String - Default SSL VPN portal.
- deflate
Compression NumberLevel - Compression level (0~9).
- deflate
Min NumberData Size - Minimum amount of data that triggers compression (200 - 65535 bytes).
- dns
Server1 String - DNS server 1.
- dns
Server2 String - DNS server 2.
- dns
Suffix String - DNS suffix used for SSL-VPN clients.
- dtls
Heartbeat NumberFail Count - Number of missing heartbeats before the connection is considered dropped.
- dtls
Heartbeat NumberIdle Timeout - Idle timeout before DTLS heartbeat is sent.
- dtls
Heartbeat NumberInterval - Interval between DTLS heartbeat.
- dtls
Hello NumberTimeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
- dtls
Max StringProto Ver - DTLS maximum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Min StringProto Ver - DTLS minimum protocol version. Valid values:
dtls1-0
,dtls1-2
. - dtls
Tunnel String - Enable DTLS to prevent eavesdropping, tampering, or message forgery. Valid values:
enable
,disable
. - dual
Stack StringMode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- encode2f
Sequence String - Encode \2F sequence to forward slash in URLs. Valid values:
enable
,disable
. - encrypt
And StringStore Password - Encrypt and store user passwords for SSL-VPN web sessions. Valid values:
enable
,disable
. - force
Two StringFactor Auth - Enable to force two-factor authentication for all SSL-VPNs. Valid values:
enable
,disable
. - get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- header
XForwarded StringFor - Forward the same, add, or remove HTTP header. Valid values:
pass
,add
,remove
. - hsts
Include StringSubdomains - Add HSTS includeSubDomains response header. Valid values:
enable
,disable
. - http
Compression String - Enable to allow HTTP compression over SSL-VPN tunnels. Valid values:
enable
,disable
. - String
- Enable/disable SSL-VPN support for HttpOnly cookies. Valid values:
enable
,disable
. - http
Request NumberBody Timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
- http
Request NumberHeader Timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
- https
Redirect String - Enable/disable redirect of port 80 to SSL-VPN port. Valid values:
enable
,disable
. - idle
Timeout Number - SSL VPN disconnects if idle for specified time in seconds.
- ipv6Dns
Server1 String - IPv6 DNS server 1.
- ipv6Dns
Server2 String - IPv6 DNS server 2.
- ipv6Wins
Server1 String - IPv6 WINS server 1.
- ipv6Wins
Server2 String - IPv6 WINS server 2.
- login
Attempt NumberLimit - SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).
- login
Block NumberTime - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
- login
Timeout Number - SSLVPN maximum login timeout (10 - 180 sec, default = 30).
- port Number
- SSL-VPN access port (1 - 65535).
- port
Precedence String - When enabled, if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. Valid values:
enable
,disable
. - reqclientcert String
- Enable to require client certificates for all SSL-VPN users. Valid values:
enable
,disable
. - route
Source StringInterface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Valid values:
enable
,disable
. - saml
Redirect NumberPort - SAML local redirect port in the machine running FCT (0 - 65535). 0 is to disable redirection on FGT side.
- server
Hostname String - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection.
- servercert String
- Name of the server certificate to be used for SSL-VPNs.
- source
Address6Negate String - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s List<Property Map> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address StringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses List<Property Map> - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces List<Property Map> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - ssl
Client StringRenegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. Valid values:
disable
,enable
. - ssl
Insert StringEmpty Fragment - Enable/disable insertion of empty fragment. Valid values:
enable
,disable
. - ssl
Max StringProto Ver - SSL maximum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - ssl
Min StringProto Ver - SSL minimum protocol version. Valid values:
tls1-0
,tls1-1
,tls1-2
,tls1-3
. - status String
- Enable/disable SSL-VPN. Valid values:
enable
,disable
. - tlsv10 String
- Enable/disable TLSv1.0. Valid values:
enable
,disable
. - tlsv11 String
- Enable/disable TLSv1.1. Valid values:
enable
,disable
. - tlsv12 String
- Enable/disable TLSv1.2. Valid values:
enable
,disable
. - tlsv13 String
- Enable/disable TLSv1.3. Valid values:
enable
,disable
. - transform
Backward StringSlashes - Transform backward slashes to forward slashes in URLs. Valid values:
enable
,disable
. - tunnel
Addr StringAssigned Method - Method used for assigning address for tunnel. Valid values:
first-available
,round-robin
. - tunnel
Connect StringWithout Reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. Valid values:
enable
,disable
. - tunnel
Ip List<Property Map>Pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ip_pools
block is documented below. - tunnel
Ipv6Pools List<Property Map> - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. The structure of
tunnel_ipv6_pools
block is documented below. - tunnel
User NumberSession Timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (default = 30). On FortiOS versions 6.2.0-7.4.3: 1 - 255 sec. On FortiOS versions >= 7.4.4: 1 - 86400 sec.
- unsafe
Legacy StringRenegotiation - Enable/disable unsafe legacy TLS renegotiation (renegotiation with peers that do not support the secure-renegotiation extension). Valid values:
enable
,disable
. - url
Obscuration String - Enable to obscure the host name of the URL of the web browser display. Valid values:
enable
,disable
. - user
Peer String - Name of user peer.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- web
Mode StringSnat - Enable/disable use of IP pools defined in firewall policy while using web-mode. Valid values:
enable
,disable
. - wins
Server1 String - WINS server 1.
- wins
Server2 String - WINS server 2.
- x
Content StringType Options - Add HTTP X-Content-Type-Options header. Valid values:
enable
,disable
. - ztna
Trusted StringClient - Enable/disable verification of device certificate for SSLVPN ZTNA session. Valid values:
enable
,disable
.
Supporting Types
SettingsAuthenticationRule, SettingsAuthenticationRuleArgs
- Auth string
- SSL VPN authentication method restriction.
- Cipher string
- SSL VPN cipher strength. Valid values:
any
,high
,medium
. - Client
Cert string - Enable/disable SSL VPN client certificate restriction. Valid values:
enable
,disable
. - Groups
List<Pulumiverse.
Fortios. Vpn. Ssl. Inputs. Settings Authentication Rule Group> - User groups. The structure of
groups
block is documented below. - Id int
- ID (0 - 4294967295).
- Portal string
- SSL VPN portal.
- Realm string
- SSL VPN realm.
- Source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - Source
Address6s List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Authentication Rule Source Address6> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - Source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - Source
Addresses List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Authentication Rule Source Address> - Source address of incoming traffic. The structure of
source_address
block is documented below. - Source
Interfaces List<Pulumiverse.Fortios. Vpn. Ssl. Inputs. Settings Authentication Rule Source Interface> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - User
Peer string - Name of user peer.
- Users
List<Pulumiverse.
Fortios. Vpn. Ssl. Inputs. Settings Authentication Rule User> - User name. The structure of
users
block is documented below.
- Auth string
- SSL VPN authentication method restriction.
- Cipher string
- SSL VPN cipher strength. `any` places no minimum on cipher strength; prefer `high` unless a specific client requires otherwise. Valid values:
any
,high
,medium
. - Client
Cert string - Enable/disable restricting this rule to clients that present a valid client certificate. Valid values:
enable
,disable
. - Groups
[]Settings
Authentication Rule Group - User groups. The structure of
groups
block is documented below. - Id int
- ID (0 - 4294967295).
- Portal string
- SSL VPN portal.
- Realm string
- SSL VPN realm.
- Source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - Source
Address6s []SettingsAuthentication Rule Source Address6 - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - Source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - Source
Addresses []SettingsAuthentication Rule Source Address - Source address of incoming traffic. The structure of
source_address
block is documented below. - Source
Interfaces []SettingsAuthentication Rule Source Interface - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - User
Peer string - Name of user peer.
- Users
[]Settings
Authentication Rule User - User name. The structure of
users
block is documented below.
- auth String
- SSL VPN authentication method restriction.
- cipher String
- SSL VPN cipher strength. `any` places no minimum on cipher strength; prefer `high` unless a specific client requires otherwise. Valid values:
any
,high
,medium
. - client
Cert String - Enable/disable restricting this rule to clients that present a valid client certificate. Valid values:
enable
,disable
. - groups
List<Settings
Authentication Rule Group> - User groups. The structure of
groups
block is documented below. - id Integer
- ID (0 - 4294967295).
- portal String
- SSL VPN portal.
- realm String
- SSL VPN realm.
- source
Address6Negate String - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s List<SettingsAuthentication Rule Source Address6> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address StringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses List<SettingsAuthentication Rule Source Address> - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces List<SettingsAuthentication Rule Source Interface> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - user
Peer String - Name of user peer.
- users
List<Settings
Authentication Rule User> - User name. The structure of
users
block is documented below.
- auth string
- SSL VPN authentication method restriction.
- cipher string
- SSL VPN cipher strength. `any` places no minimum on cipher strength; prefer `high` unless a specific client requires otherwise. Valid values:
any
,high
,medium
. - client
Cert string - Enable/disable restricting this rule to clients that present a valid client certificate. Valid values:
enable
,disable
. - groups
Settings
Authentication Rule Group[] - User groups. The structure of
groups
block is documented below. - id number
- ID (0 - 4294967295).
- portal string
- SSL VPN portal.
- realm string
- SSL VPN realm.
- source
Address6Negate string - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s SettingsAuthentication Rule Source Address6[] - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address stringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses SettingsAuthentication Rule Source Address[] - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces SettingsAuthentication Rule Source Interface[] - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - user
Peer string - Name of user peer.
- users
Settings
Authentication Rule User[] - User name. The structure of
users
block is documented below.
- auth str
- SSL VPN authentication method restriction.
- cipher str
- SSL VPN cipher strength. `any` places no minimum on cipher strength; prefer `high` unless a specific client requires otherwise. Valid values:
any
,high
,medium
. - client_
cert str - Enable/disable restricting this rule to clients that present a valid client certificate. Valid values:
enable
,disable
. - groups
Sequence[Settings
Authentication Rule Group] - User groups. The structure of
groups
block is documented below. - id int
- ID (0 - 4294967295).
- portal str
- SSL VPN portal.
- realm str
- SSL VPN realm.
- source_
address6_ strnegate - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source_
address6s Sequence[SettingsAuthentication Rule Source Address6] - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source_
address_ strnegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source_
addresses Sequence[SettingsAuthentication Rule Source Address] - Source address of incoming traffic. The structure of
source_address
block is documented below. - source_
interfaces Sequence[SettingsAuthentication Rule Source Interface] - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - user_
peer str - Name of user peer.
- users
Sequence[Settings
Authentication Rule User] - User name. The structure of
users
block is documented below.
- auth String
- SSL VPN authentication method restriction.
- cipher String
- SSL VPN cipher strength. `any` places no minimum on cipher strength; prefer `high` unless a specific client requires otherwise. Valid values:
any
,high
,medium
. - client
Cert String - Enable/disable restricting this rule to clients that present a valid client certificate. Valid values:
enable
,disable
. - groups List<Property Map>
- User groups. The structure of
groups
block is documented below. - id Number
- ID (0 - 4294967295).
- portal String
- SSL VPN portal.
- realm String
- SSL VPN realm.
- source
Address6Negate String - Enable/disable negated source IPv6 address match. Valid values:
enable
,disable
. - source
Address6s List<Property Map> - IPv6 source address of incoming traffic. The structure of
source_address6
block is documented below. - source
Address StringNegate - Enable/disable negated source address match. Valid values:
enable
,disable
. - source
Addresses List<Property Map> - Source address of incoming traffic. The structure of
source_address
block is documented below. - source
Interfaces List<Property Map> - SSL VPN source interface of incoming traffic. The structure of
source_interface
block is documented below. - user
Peer String - Name of user peer.
- users List<Property Map>
- User name. The structure of
users
block is documented below.
SettingsAuthenticationRuleGroup, SettingsAuthenticationRuleGroupArgs
- Name string
- Group name.
- Name string
- Group name.
- name String
- Group name.
- name string
- Group name.
- name str
- Group name.
- name String
- Group name.
SettingsAuthenticationRuleSourceAddress, SettingsAuthenticationRuleSourceAddressArgs
- Name string
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- Name string
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name String
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name string
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name str
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name String
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
SettingsAuthenticationRuleSourceAddress6, SettingsAuthenticationRuleSourceAddress6Args
- Name string
- IPv6 address name.
- Name string
- IPv6 address name.
- name String
- IPv6 address name.
- name string
- IPv6 address name.
- name str
- IPv6 address name.
- name String
- IPv6 address name.
SettingsAuthenticationRuleSourceInterface, SettingsAuthenticationRuleSourceInterfaceArgs
- Name string
- Interface name.
- Name string
- Interface name.
- name String
- Interface name.
- name string
- Interface name.
- name str
- Interface name.
- name String
- Interface name.
SettingsAuthenticationRuleUser, SettingsAuthenticationRuleUserArgs
- Name string
- User name.
- Name string
- User name.
- name String
- User name.
- name string
- User name.
- name str
- User name.
- name String
- User name.
SettingsSourceAddress, SettingsSourceAddressArgs
- Name string
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- Name string
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name String
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name string
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name str
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
- name String
- Address name (IPv4 source address; IPv6 source addresses go in source_address6).
SettingsSourceAddress6, SettingsSourceAddress6Args
- Name string
- IPv6 address name.
- Name string
- IPv6 address name.
- name String
- IPv6 address name.
- name string
- IPv6 address name.
- name str
- IPv6 address name.
- name String
- IPv6 address name.
SettingsSourceInterface, SettingsSourceInterfaceArgs
- Name string
- Interface name.
- Name string
- Interface name.
- name String
- Interface name.
- name string
- Interface name.
- name str
- Interface name.
- name String
- Interface name.
SettingsTunnelIpPool, SettingsTunnelIpPoolArgs
- Name string
- Address name.
- Name string
- Address name.
- name String
- Address name.
- name string
- Address name.
- name str
- Address name.
- name String
- Address name.
SettingsTunnelIpv6Pool, SettingsTunnelIpv6PoolArgs
- Name string
- Name string
- name String
- name string
- name str
- name String
Import
VpnSsl Settings can be imported using any of these accepted formats:
$ pulumi import fortios:vpn/ssl/settings:Settings labelname VpnSslSettings
If you do not want to import the arguments of nested blocks (straight ASCII quotes are required; typographic quotes will not be parsed by the shell):
$ export FORTIOS_IMPORT_TABLE="false"
$ pulumi import fortios:vpn/ssl/settings:Settings labelname VpnSslSettings
$ unset FORTIOS_IMPORT_TABLE
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- fortios pulumiverse/pulumi-fortios
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
fortios
Terraform Provider.