anignan (Staff)
Article Id 272406
Description

This article describes how to disable SSL VPN web mode configuration in all SSL VPN portals.

Scope

FortiGate v7.4.1.
Solution

As of FortiOS 7.4.1, a global command is available that prevents SSL VPN web mode from being configured in any SSL VPN portal.

Starting from v7.4.1, if sslvpn-web-mode is enabled in the global configuration, a red banner reading 'The legacy SSL-VPN web mode has attack vectors inherent. Only tunnel mode is recommended for SSL VPN' is shown on Authentication/Portal Mapping, as below:

[Image: Red banner.png]

To remove it, SSL VPN web mode must be disabled by following the steps below:

Before applying this command, it is necessary to have the web mode option disabled for all SSL VPN portals. Disable it in the GUI:

[Image: SSLVPN bef.PNG]

When users try to access the SSL VPN via the web browser, the following HTTP Forbidden message appears:

[Image: error1.png]

Afterward, run the following commands:

config system global
    set sslvpn-web-mode disable
end

After applying this configuration, the SSL VPN web-mode configuration option will be unavailable in all portals:
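The two-step procedure above (web mode disabled in every portal first, then `set sslvpn-web-mode disable` under `config system global`) can be checked against a configuration export instead of by eye. The following Python script is an added example, not part of the article or of any Fortinet tooling: it parses the FortiOS `config / edit / set / next / end` text layout and reports any portal that still has web mode enabled and whether the global command is present. The sample configuration is constructed, and the `config vpn ssl web portal` / `set web-mode` layout is an assumption modelled on the general FortiOS syntax; only the global command is taken from the article.

```python
import sys
from typing import Dict, List

# Constructed sample of a FortiOS-style configuration export (not a real
# device dump). The "config vpn ssl web portal" / "set web-mode" layout is
# an assumption based on the general FortiOS config/edit/set/next/end
# syntax; "set sslvpn-web-mode disable" is the command the article gives.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
    set sslvpn-web-mode disable
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode disable
        config split-dns
        end
    next
    edit "web-access"
        set tunnel-mode disable
        set web-mode enable
    next
end
"""

Section = Dict[str, Dict[str, str]]


def parse_fortios_config(text: str) -> Dict[str, Section]:
    """Parse FortiOS config text into {section: {entry: {key: value}}}.

    A top-level 'config X' block becomes section X. Each 'edit NAME' inside
    it becomes an entry; 'set' lines directly under the section (as in
    'config system global') are stored under the empty entry name "".
    Nested 'config' blocks below an entry are skipped: only the first two
    levels are captured, which is all this audit needs.
    """
    sections: Dict[str, Section] = {}
    depth = 0        # nesting depth of config/edit blocks
    section = None   # enclosing top-level section name
    entry = ""       # enclosing 'edit' entry name, "" if none
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            depth += 1
            if depth == 1:
                section = rest.strip()
                entry = ""
                sections.setdefault(section, {}).setdefault("", {})
        elif keyword == "edit":
            depth += 1
            if depth == 2 and section is not None:
                entry = rest.strip().strip('"')
                sections[section].setdefault(entry, {})
        elif keyword == "set":
            if section is not None and depth <= 2:
                key, _, value = rest.strip().partition(" ")
                sections[section][entry][key] = value.strip().strip('"')
        elif keyword in ("next", "end"):
            depth -= 1
            if depth == 1:
                entry = ""
            elif depth == 0:
                section = None
    return sections


def audit_sslvpn_web_mode(text: str) -> List[str]:
    """Return findings that contradict the article's target state.

    Target state: 'set sslvpn-web-mode disable' under 'config system global'
    and no SSL VPN portal with 'set web-mode enable'. A plain 'show' export
    omits values left at their defaults, so export with
    'show full-configuration' to make every web-mode value explicit.
    """
    cfg = parse_fortios_config(text)
    findings: List[str] = []
    global_settings = cfg.get("system global", {}).get("", {})
    if global_settings.get("sslvpn-web-mode") != "disable":
        findings.append("system global: sslvpn-web-mode is not set to disable")
    for name, settings in cfg.get("vpn ssl web portal", {}).items():
        if name and settings.get("web-mode") == "enable":
            findings.append(f"portal {name}: web-mode is enabled")
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [config-export.txt]; falls back to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_sslvpn_web_mode(source) or ["no findings"]:
        print(finding)
```

In the constructed sample the global command is already present but the "web-access" portal still has web mode enabled, so the script reports that portal as the remaining step; once the portal line is changed to `set web-mode disable` the audit returns no findings.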

[Image: SSLVPN after.PNG]

Note that before v7.4.2, this disables the feature but does not prevent FortiGate from loading the login page. On v7.4.2 and above, once SSL VPN web mode is disabled globally, a 403 Forbidden page is displayed instead.

Even though web mode is globally disabled, web mode VPN connection attempts are still logged under VPN events as 'ssl-exit-error' and 'ssl-alert':

[Image: ssl_exit_error.png]

To remove the login page, refer to Technical Tip: How to prevent the SSL-VPN web login portal from displaying when SSL-VPN web mode is ...