Disable SSL VPN Portal

If you are in an environment where you do NOT want the SSL VPN portal page to show, you can use the following commands to disable the SSL VPN portal page of a FortiGate:

config vpn ssl settings
set sslvpn-enable disable
end

This is commonly used when you want to accept only IPsec tunnels, etc., on your device. I usually just leave mine up and customize the page to look cool and creative, but that is me!



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

11 thoughts on “Disable SSL VPN Portal”

  1. Fortinet User

    It appears this command does not work on a FortiGate 60D

    set sslvpn-enable disable

    command parse error before ‘sslvpn-enable’
    Command fail. Return code -61

    Reply
      1. Craig

        Hi Mike-

        I know this is an old post, but how do you disable it in 5.6.3? PCI compliance scanning is picking up on the SSL and failing the scan because of the self-signed certificate.

        Reply
          1. Elias

            Unfortunately doesn’t seem to work anymore:
            Please set source-interface in vpn.ssl.settings as some of the authentication rules do not have source-interface.

            object check operator error, -2007, discard the setting

            Command fail. Return code -2007

  2. KotoPathe

    Hey,
    Here is an issue I am having.
    I have two sites, each with an FGT300e. Let’s call them Site A and B.
    Site A: has a faster WAN service (fiber – local IP: 10.66.2.1)
    Site B: slow internet service (copper- public: 22.3.4.1)
    Site A and B are interconnected with a local fiber loop through a switch.
    – I have Site A and B configured with routes/policy for local subnets. That is working fine.
    – Now, I want site B internet service to go through Site.
    Configured Static route/policy pointing to that but still no luck. Traffic either goes through the slow WAN link with public IP or drops.
    Any idea what I might be doing wrong? How do I get this done? Making sure site B gets internet service via site A.

    Reply
  3. Anand

    To Mike: as you mentioned, you customize the web portal instead of shutting it out. How do you do it?
    Otherwise is it possible to redirect that to something else?

    Thanks

    Reply
  4. marek

    Hey Guru, we are running an FG 100E with version 6.0.9, but the command you are suggesting: set sslvpn-enable disable
    gives reply:
    command parse error before ‘sslvpn-enable’
    Command fail. Return code -61

    Do you know any effective way to disable ssl-vpn leaving only ipsec ones?

    Nowadays it’s much more important when there is a known Apache Guacamole bug…

    Reply
    1. Mike Post author

      You can configure the SSLVPN to not listen on the external interfaces. That is one method.

      Reply
  5. Aymen Aymen

    Hi,
    Hopefully getting an answer. Is it possible to implement lifetime rules for SSL accounts? For example deactivate a customer account after 3 months if there was no connection and delete it after 6 months?
    Thank you in advance

    Reply
  6. Mike

    To completely disable SSL VPN:

    – On a FortiGate without VDOMs:

    # config system interface
    edit ssl.root
    set status down
    end

    – On a FortiGate with VDOMs:

    # config vdom
    edit
    config system interface
    edit ssl.
    set status down
    end

    Reply
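
A read-only check of a saved configuration for the three things the post and the comments above point at: `sslvpn-enable`, `source-interface` under `config vpn ssl settings`, and the status of the `ssl.*` tunnel interfaces. This is an added example, not from the original post, its commenters or Fortinet; the backup layout in the constructed sample and treating a missing `set status` line as "up" are assumptions.

```python
# Constructed sample in the layout of a FortiOS config backup (not from the page).
SAMPLE = """\
config system interface
    edit "ssl.root"
        set vdom "root"
        set status down
    next
end
config vpn ssl settings
    set source-interface "wan1"
end
"""

def parse(text):
    """Map (innermost config section, edit name or None) -> {setting: [values]}."""
    out, path, edits = {}, [], []
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()]
        if tok[:1] == ["config"] and len(tok) > 1:
            path.append(" ".join(tok[1:]))
            edits.append(None)
            out.setdefault((path[-1], None), {})
        elif not tok or not path:
            continue                      # blank line or text outside any section
        elif tok[0] == "edit" and len(tok) > 1:
            edits[-1] = tok[1]
            out.setdefault((path[-1], tok[1]), {})
        elif tok[0] == "next":
            edits[-1] = None
        elif tok[0] == "end":             # closes the innermost config section
            path.pop()
            edits.pop()
        elif tok[0] == "set" and len(tok) > 1:
            out[(path[-1], edits[-1])][tok[1]] = tok[2:]
    return out

def audit(text):
    """Report the SSL VPN related settings found; a missing status is assumed 'up'."""
    cfg = parse(text)
    ssl = cfg.get(("vpn ssl settings", None), {})
    tunnels = {name: s.get("status", ["up"])[0] for (sect, name), s in cfg.items()
               if sect == "system interface" and name and name.startswith("ssl.")}
    return {"sslvpn_enable": ssl.get("sslvpn-enable", [None])[0],  # None: not in file
            "source_interfaces": ssl.get("source-interface", []),
            "ssl_tunnel_status": tunnels}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because `parse` keys on the innermost section, the same check works when the interface block is nested under `config vdom`.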
