Created on 09-06-2023 09:04 AM
Edited on 04-15-2025 12:51 AM
By Jean-Philippe_P
Description
This article describes how to disable SSL VPN web mode configuration in all SSL VPN portals.
Scope
FortiGate v7.4.1 and above.
Solution
Starting with FortiOS v7.4.1, a global command is available that prevents SSL VPN web mode configuration in all SSL VPN portals.
By default, SSL VPN tunnel mode settings and the VPN -> SSL-VPN menus are hidden from the GUI.
To enable the VPN -> SSL-VPN GUI menus:
    config system settings
        set gui-sslvpn enable
    end
Starting from v7.4.1, if sslvpn-web-mode is enabled in the global configuration, a red banner stating 'The legacy SSL-VPN web mode has attack vectors inherent. Only tunnel mode is recommended for SSL VPN' appears on Authentication/Portal Mapping.
To remove the banner, sslvpn-web-mode must be disabled by following the steps below:
Before applying this command, it is necessary to have the web mode option disabled for all SSL VPN portals. Disable it in the GUI:
When users try to access the SSL VPN via the web browser, the following HTTP Forbidden message appears:
Afterward, run the following commands:
    config system global
        set sslvpn-web-mode disable
    end
After applying this configuration, the SSL VPN web-mode configuration option will be unavailable in all portals:
Note that before v7.4.2, this will disable the feature but will not prevent FortiGate from loading the login page. On v7.4.2 and above, once SSL VPN web-mode is disabled globally, a 403 Forbidden page will be displayed instead.
Even though web mode is globally disabled, it will still be possible to see the logs for web mode VPN connection attempts under VPN events as 'ssl-exit-error' and 'ssl-alert'.
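The precondition described above (web mode disabled in every SSL VPN portal before the global command is applied) can be checked offline against a configuration backup. The following Python script is an added example, not Fortinet code; the function name audit_web_mode and the sample backup are constructed for illustration, and it assumes a plain-text backup in which a portal uses web mode only when it contains an explicit set web-mode enable line.

```python
# Constructed sample backup for illustration (not taken from a real device).
SAMPLE_CONFIG = """\
config system global
    set sslvpn-web-mode enable
end
config vpn ssl web portal
    edit "full-access"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "tunnel-access"
        set tunnel-mode enable
    next
    edit "web-access"
        set web-mode enable
    next
end
"""

def audit_web_mode(config_text):
    """Return (global sslvpn-web-mode value or None, portals with web-mode enabled)."""
    stack = []             # open "config ..." blocks, outermost first
    portal = None          # portal entry currently being read
    global_setting = None  # None: the line is absent from the backup
    enabled = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        top = stack[-1] if stack else None
        if parts[0] == "config":
            stack.append(" ".join(parts[1:]))
        elif parts == ["end"]:
            del stack[-1:]  # close the innermost block, if any
        elif top == "vpn ssl web portal" and parts[0] == "edit":
            portal = " ".join(parts[1:]).strip('"')
        elif top == "vpn ssl web portal" and parts == ["next"]:
            portal = None
        elif parts[0] == "set" and len(parts) >= 3:
            if top == "system global" and parts[1] == "sslvpn-web-mode":
                global_setting = parts[2]
            elif top == "vpn ssl web portal" and portal and parts[1:3] == ["web-mode", "enable"]:
                enabled.append(portal)
    return global_setting, enabled

print(audit_web_mode(SAMPLE_CONFIG))
```

An empty portal list means the global set sslvpn-web-mode disable command can be applied; any portal named in the list still needs web mode turned off first.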
To remove the login page, refer to this KB article: Technical Tip: How to prevent the SSL-VPN web login portal from displaying when SSL-VPN web mode is ...
For an alternative to SSL VPN Web mode, refer to this KB article: Technical Tip: Alternatives to SSL VPN web mode.
For versions below 7.4.1, refer to this KB article to disable SSL VPN web mode: Technical Tip: How to disable SSL VPN Web Mode or Tunnel Mode in SSL VPN portal