How to Disable SSL VPN on FortiGate
Overview
This tutorial explains how to disable SSL VPN functionality on a FortiGate firewall using the GUI and CLI. It also includes verification commands, VDOM examples, older FortiOS handling, and FortiOS 7.6.3+ notes where SSL VPN tunnel mode has been replaced by IPsec VPN and web mode is referred to as Agentless VPN.
Use this when SSL VPN is no longer required, when migrating remote access to IPsec VPN, or when reducing the exposed attack surface of the firewall.
Important: Do not disable SSL VPN blindly if users still depend on it. Confirm that remote access has already been migrated, or you will cut users off.
Tested / Applicable Scope
- FortiGate / FortiOS
- FortiOS 7.2.x
- FortiOS 7.0.x
- FortiOS 6.4.9 and later
- Older handling for FortiOS 6.4.8 and earlier, 6.2.x, and 6.0.x
- VDOM and non-VDOM environments
- FortiOS 7.6.3 and later Agentless VPN / IPsec migration considerations
Recommended Change Preparation
Before making changes, collect the current configuration and identify whether SSL VPN is still used.
1. Backup the FortiGate configuration
From the GUI:
- Go to Dashboard.
- Select your admin account menu.
- Choose Configuration.
- Download a backup copy.
From the CLI, at minimum capture the relevant SSL VPN and firewall policy sections:
show vpn ssl settings
show vpn ssl web portal
show firewall policy
If VDOMs are enabled:
config vdom
edit <vdom-name>
show vpn ssl settings
show vpn ssl web portal
show firewall policy
end
2. Check whether SSL VPN is active
diagnose sys process pidof sslvpnd
diagnose sys tcpsock | grep sslvpnd
If SSL VPN is active, you may see process IDs or listening sockets. After proper disablement, these commands should return no SSL VPN process or socket.
3. Identify SSL VPN firewall policies
Look for policies using an SSL VPN interface, usually ssl.root or ssl.<vdom-name>.
show firewall policy | grep -f ssl
If the above does not show enough context, use:
show firewall policy
Then manually locate policies where the source interface or destination interface references the SSL VPN interface.
Method 1: Disable SSL VPN from the GUI
Use this method for FortiOS 7.2.x, 7.0.x, and 6.4.9 or later.
- Log in to the FortiGate GUI.
- Go to VPN > SSL-VPN Settings.
- Disable Enable SSL-VPN.
- Click Apply.
GUI note
If Enable SSL-VPN is enabled but no interface is selected under Listen on Interface(s), SSL VPN is effectively not listening. However, this is not as clean as explicitly disabling SSL VPN where the firmware allows it.
Method 2: Disable SSL VPN from the CLI
FortiGate without VDOMs
config vpn ssl settings
set status disable
end
FortiGate with VDOMs
config vdom
edit <vdom-name>
config vpn ssl settings
set status disable
end
end
Replace <vdom-name> with the actual VDOM name.
Example:
config vdom
edit root
config vpn ssl settings
set status disable
end
end
Method 3: Older FortiOS Versions — Shut Down the SSL VPN Interface
Use this for FortiOS 6.4.8 and earlier, 6.2.x, and 6.0.x where the newer set status disable method may not be available.
FortiGate without VDOMs
config system interface
edit ssl.root
set status down
next
end
FortiGate with VDOMs
config vdom
edit <vdom-name>
config system interface
edit ssl.<vdom-name>
set status down
next
end
end
Example:
config vdom
edit root
config system interface
edit ssl.root
set status down
next
end
end
Important limitation
Shutting down the ssl.root or ssl.<vdom> interface blocks portal access, but the sslvpnd process may continue running if SSL VPN interfaces are still referenced by firewall policies. If your goal is full service shutdown, disable or remove SSL VPN firewall policies as well.
Method 4: Disable SSL VPN Firewall Policies
This method applies to all FortiOS versions and is useful when SSL VPN firewall policies still reference ssl.root or ssl.<vdom-name>.
GUI method
- Go to Policy & Objects > Firewall Policy.
- Locate policies referencing ssl.root or ssl.<vdom-name>.
- Right-click each SSL VPN policy.
- Set Status to Disable.
CLI method — non-VDOM
config firewall policy
edit <policy-id>
set status disable
next
end
Example:
config firewall policy
edit 25
set status disable
next
end
CLI method — VDOM
config vdom
edit <vdom-name>
config firewall policy
edit <policy-id>
set status disable
next
end
end
Method 5: FortiOS 7.6.3 and Later — Agentless VPN / SSL VPN Web Mode
Starting in FortiOS 7.6.3, SSL VPN tunnel mode is removed and replaced by IPsec VPN tunnel mode. SSL VPN web mode becomes Agentless VPN on supported models.
If Agentless VPN / SSL VPN web mode is not required, disable it.
Disable Agentless VPN from the GUI
- Go to VPN > Agentless VPN Settings.
- Disable Agentless VPN status.
- Apply the change.
Disable SSL VPN web mode globally from the CLI
config system global
set sslvpn-web-mode disable
end
Verify web mode setting
config system global
show full | grep sslvpn-web-mode
end
Expected result:
set sslvpn-web-mode disable
Verification After Disabling SSL VPN
Run these checks after the change.
1. Confirm SSL VPN process is stopped
diagnose sys process pidof sslvpnd
Expected result:
No process ID should be returned.
2. Confirm SSL VPN has no listening socket
diagnose sys tcpsock | grep sslvpnd
Expected result:
No sslvpnd socket should be returned.
3. Confirm firewall policies are disabled
show firewall policy | grep -f ssl
If policies still reference ssl.root or ssl.<vdom-name>, review whether they should be disabled or removed.
4. Test externally
From an external network, test the previous SSL VPN URL or port.
Example:
nc -vz <firewall-public-ip-or-fqdn> 443
Or, if SSL VPN used a custom port:
nc -vz <firewall-public-ip-or-fqdn> <ssl-vpn-port>
A failed connection is expected if SSL VPN was fully disabled and no other service is listening on that port.
Do not rely only on a browser test. A portal page disappearing does not always prove the daemon is stopped. Always verify the process and listening socket.
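The policy-identification step in the preparation section and the verification checklist above both come down to reading FortiGate CLI output by eye. The following script is an added example, not Fortinet's code or anything on the page: it parses saved output of "show firewall policy" into policy objects, flags every policy whose source or destination interface is an ssl.* interface, and combines that with saved output of "diagnose sys process pidof sslvpnd" and "diagnose sys tcpsock | grep sslvpnd" into a single pass/fail verdict. The sample outputs embedded below are constructed for illustration; the policy IDs, names and interfaces are not from a real firewall. It relies on the documented FortiOS behaviour that "show" omits default values, so a policy with no "set status" line is treated as enabled.

```python
"""Checker for the SSL VPN disablement procedure (added example, not Fortinet's code).

Feed it text you captured from the FortiGate CLI:
  - show firewall policy
  - diagnose sys process pidof sslvpnd
  - diagnose sys tcpsock | grep sslvpnd
It reports anything that still references or serves SSL VPN.
"""
import re
import shlex
from dataclasses import dataclass, field

# ssl.root, ssl.<vdom-name>: the SSL VPN tunnel interface naming used by FortiOS
SSL_IF = re.compile(r"^ssl\.[\w-]+$")


@dataclass
class Policy:
    policy_id: int
    name: str = ""
    srcintf: list = field(default_factory=list)
    dstintf: list = field(default_factory=list)
    # `show` omits defaults, and the default policy status is enable
    status: str = "enable"

    def uses_ssl_vpn(self) -> bool:
        return any(SSL_IF.match(i) for i in self.srcintf + self.dstintf)


def parse_firewall_policies(text: str) -> list[Policy]:
    """Parse `show firewall policy` output (edit <id> ... set k v ... next)."""
    policies: list[Policy] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # FortiOS quotes values, shlex unquotes them
        if tokens[0] == "edit" and len(tokens) == 2 and tokens[1].isdigit():
            current = Policy(policy_id=int(tokens[1]))
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            key, values = tokens[1], tokens[2:]
            if key == "srcintf":
                current.srcintf = values
            elif key == "dstintf":
                current.dstintf = values
            elif key == "status":
                current.status = values[0]
            elif key == "name":
                current.name = values[0]
    return policies


def ssl_vpn_policies(text: str) -> list[Policy]:
    """Policies that reference an ssl.* interface, enabled or not."""
    return [p for p in parse_firewall_policies(text) if p.uses_ssl_vpn()]


def verify_disabled(pidof_out: str, tcpsock_out: str, policy_out: str) -> dict:
    """Combine the three captured outputs; empty 'problems' means SSL VPN is fully off."""
    problems = []
    if pidof_out.strip():
        problems.append(f"sslvpnd still running (pid {pidof_out.strip()})")
    if "sslvpnd" in tcpsock_out:
        problems.append("sslvpnd still has a listening socket")
    for p in ssl_vpn_policies(policy_out):
        if p.status == "enable":
            problems.append(f"policy {p.policy_id} ({p.name}) still enabled on an ssl.* interface")
    return {"problems": problems, "ok": not problems}


# Constructed sample output of `show firewall policy` (not from a real device):
# policy 25 is an enabled SSL VPN policy, 26 is already disabled, 30 is unrelated.
SAMPLE_POLICIES = """\
config firewall policy
    edit 25
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
    next
    edit 26
        set name "SSLVPN-old-users"
        set srcintf "ssl.root"
        set dstintf "port2"
        set status disable
        set action accept
    next
    edit 30
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
end
"""
# Constructed "before" outputs of pidof and tcpsock (not real output).
PIDOF_BEFORE = "1234\n"
TCPSOCK_BEFORE = "0.0.0.0:10443->0.0.0.0:0->state=listen process=1234/sslvpnd\n"

if __name__ == "__main__":
    print("before:", verify_disabled(PIDOF_BEFORE, TCPSOCK_BEFORE, SAMPLE_POLICIES))
    print("after: ", verify_disabled("", "", SAMPLE_POLICIES))
```

Run it against the captured files after the change; anything listed under "problems" maps directly to one of the methods above (daemon still running or listening means the service itself was not disabled, an enabled ssl.* policy means Method 4 still needs doing).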
Rollback Procedure
Use rollback only if SSL VPN must be restored.
Re-enable SSL VPN on FortiOS 6.4.9 / 7.0.x / 7.2.x and similar
config vpn ssl settings
set status enable
end
Then confirm the correct listening interface, port, certificate, authentication rules, and portal mappings are configured.
Re-enable old SSL VPN interface method
config system interface
edit ssl.root
set status up
next
end
Re-enable a disabled firewall policy
config firewall policy
edit <policy-id>
set status enable
next
end
Re-enable web mode globally, if required
config system global
set sslvpn-web-mode enable
end
Operational Notes
- If SSL VPN is no longer required, disabling the SSL VPN service is cleaner than only removing users or firewall rules.
- If the SSL VPN interface remains referenced in policies, the SSL VPN daemon may still run on older firmware behavior.
- For FortiOS 7.6.3 and later, plan migration to IPsec VPN before upgrading if users still rely on SSL VPN tunnel mode.
- If the goal is security hardening, also review local-in policy, admin HTTPS exposure, trusted hosts, and WAN-facing services.
- If users report VPN failure after this change, that is expected. This change intentionally removes SSL VPN access.
Quick Command Summary
Disable SSL VPN — common modern method
config vpn ssl settings
set status disable
end
Disable SSL VPN — VDOM
config vdom
edit <vdom-name>
config vpn ssl settings
set status disable
end
end
Disable old SSL VPN interface
config system interface
edit ssl.root
set status down
next
end
Disable SSL VPN firewall policy
config firewall policy
edit <policy-id>
set status disable
next
end
Disable SSL VPN web mode globally
config system global
set sslvpn-web-mode disable
end
Verify
diagnose sys process pidof sslvpnd
diagnose sys tcpsock | grep sslvpnd
References
- Fortinet Community: Technical Tip - How to disable SSL VPN functionality on FortiGate
- Fortinet Docs: SSL VPN best practices
- Fortinet Docs: SSL VPN tunnel mode replaced with IPsec VPN
- Fortinet Docs: Shut off all SSL VPN access
- Fortinet Community: How to prevent the SSL VPN web login portal from displaying