Technical Tip: Restrict SSL VPN and Dial-up IPsec to only devices with FortiClient connected to FortiClient EMS Server
Description
This article describes how to configure FortiGate to only accept connections from EMS-Connected FortiClient endpoints.
Scope
v6.4.2 and higher connected to EMS. FortiClient v7.2.1 and higher for IPsec connections.
Solution
Starting in v6.4.2, a global setting lets FortiGate check the EMS serial number presented by connections coming from FortiClient SSL VPN.
Starting in v7.4.0, that global setting was replaced by one that also lets FortiGate check the EMS serial number for connections coming from FortiClient Dial-up IPsec VPN.
Note:
Only FortiClient running v7.2.1 or higher is supported for IPsec dial-up connections. Other third-party client dial-up VPN software is not affected.
Enabling this option will allow only endpoints connected to EMS to establish an SSL VPN tunnel to FortiGate.
Note:
Both FortiGate and FortiClient must be registered to the same EMS Server for this feature to work. This does not affect SSL VPN connections for web mode, only tunnel mode.
Configuration Steps.
- Configure the FortiClient EMS fabric connector as per the article below: Configuring FortiClient EMS.

- Enable EMS serial number check on FortiGate via CLI.
For SSL VPN:
- v6.4.2 up to v7.2.11:
config system global
set sslvpn-ems-sn-check enable
end
- From v7.4.0:
config system global
set vpn-ems-sn-check enable
end
For IPsec VPN, use the commands below. This option is enabled by default from FortiOS v7.6. Reference: Troubleshooting Tip: EMS Serial Number (SN) verification is enabled by default, which cause IPsec dial-up VPN connections to fail
config vpn ipsec phase1-interface
edit <phase1 name>
set ems-sn-check enable
next
end
Example of unsuccessful IPsec attempt:
Note:
This attribute is read-only and enabled by default in FGT_VM64_FGCAWS and FGT_VM64_FGCKVM. In other platforms, it is disabled by default.
- Starting in v7.0.0, a FortiGate can itself be configured to act as an SSL VPN client: FortiGate as SSL VPN Client.
However, the EMS serial number check is only supported in this client role starting in FortiOS v7.0.1, as per Resolved Issue ID 704066.
Note:
Mobile devices like iPhone, Android, etc., do not support the EMS serial number check for IPsec VPN.
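The steps above leave the check spread across one global attribute (whose name depends on the FortiOS version) and one attribute per dial-up phase1. The following added example, which is not Fortinet code, audits an exported configuration offline for both: it uses a small, hypothetical parser of 'show'-style output (parse_config) that only understands one level of 'config ... end' with 'edit ... next' entries, and a constructed sample configuration. The phase1 default is a parameter because, as noted above, it varies by platform and version.

```python
"""Audit a FortiOS configuration dump for the EMS serial-number checks.
Added example, not Fortinet code. parse_config is a minimal hypothetical
reader of 'show' output; SAMPLE_CONFIG is constructed, not from a real device."""
from typing import Dict, List, Tuple

# Constructed FortiOS 7.4-style excerpt: one global block and three phase1s,
# of which only the two 'dynamic' ones terminate FortiClient dial-up tunnels.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EXAMPLE"
    set vpn-ems-sn-check enable
end
config vpn ipsec phase1-interface
    edit "dialup-staff"
        set type dynamic
        set ems-sn-check enable
    next
    edit "dialup-contractors"
        set type dynamic
    next
    edit "site-to-site-hq"
        set type static
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, str]]]


def parse_config(text: str) -> Config:
    """Return {section: {entry_name: {key: value}}}. Settings placed directly
    under a 'config' block (no 'edit') are stored under the entry name ''."""
    sections: Config = {}
    section = None
    entry = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            entry = ""
            sections.setdefault(section, {}).setdefault("", {})
        elif section is None:
            continue  # text outside any config block
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            sections[section].setdefault(entry, {})
        elif line == "next":
            entry = ""
        elif line == "end":
            section = None
            entry = ""
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip().strip('"')
    return sections


def audit_ems_sn_checks(text: str, fortios_version: Tuple[int, int] = (7, 4),
                        phase1_default: str = "disable") -> List[str]:
    """List every place the EMS SN check is not enabled.

    fortios_version selects the global attribute: sslvpn-ems-sn-check before
    7.4.0, vpn-ems-sn-check from 7.4.0. phase1_default is what a phase1 with no
    explicit ems-sn-check line is assumed to use (disabled on most platforms
    before 7.6; enabled on FGT_VM64_FGCAWS/FGT_VM64_FGCKVM and from 7.6).
    """
    cfg = parse_config(text)
    findings: List[str] = []
    global_key = "vpn-ems-sn-check" if fortios_version >= (7, 4) else "sslvpn-ems-sn-check"
    if cfg.get("system global", {}).get("", {}).get(global_key) != "enable":
        findings.append(f"system global: {global_key} is not enabled")
    for name, attrs in cfg.get("vpn ipsec phase1-interface", {}).items():
        # Only dial-up (type dynamic) phase1s accept FortiClient connections.
        if not name or attrs.get("type") != "dynamic":
            continue
        if attrs.get("ems-sn-check", phase1_default) != "enable":
            findings.append(f"phase1-interface {name}: ems-sn-check is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ems_sn_checks(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against a real 'show' export, pass the FortiOS version in use and the platform's phase1 default; any finding is a tunnel that still accepts clients regardless of their EMS registration.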
Verification of Results.
- If a connection attempt is made from a FortiClient not connected to the same EMS Server configured on FortiGate, or not connected to any EMS Server, the connection will be refused.
- If a connection attempt is made from a FortiClient connected to the same EMS server as the FortiGate, it will succeed.
FortiGate EMS Connection.
FortiClient EMS Connection.
Troubleshooting and Debugs.
- From FortiGate, verify the EMS Serial Number and connectivity:
diagnose debug console timestamp enable
diagnose test application fcnacd 2
diagnose endpoint fctems test-connectivity <EMS Name>
diagnose debug application fcnacd -1
diagnose debug enable
Verify SSL VPN check for EMS Serial Number:
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
Verify IPsec Dial-up VPN check for EMS Serial Number:
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
To stop the debug output when finished, press 'Ctrl+C' and enter 'diagnose debug disable'.
Example of successful logs of an SSL VPN connection:
[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[285:root:4]Got EMS SN: FCTEMS8821-----7
Example of unsuccessful SSL VPN connection attempt:
[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[217:root:46]Got EMS SN: FCTEMS0000-----8
[217:root:46]EMS SN checks failed.
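When the sslvpn debug is left running for a while, the useful lines are the ones quoted above: the "Got EMS SN:" line tells which EMS the client claims to be registered to, and "EMS SN checks failed." marks the rejection. The following added example, not Fortinet code, groups such lines by their [pid:vdom:session] prefix and reports the rejected attempts; the sample log is constructed from the two excerpts above, and the function and class names (parse_sslvpn_debug, rejected_attempts, SslvpnAttempt) are this example's own.

```python
"""Parse FortiGate sslvpn debug output for EMS serial-number check results.
Added example, not Fortinet code; the line format is taken from the debug
excerpts quoted in the article and SAMPLE_LOG is constructed from them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: one accepted attempt (285:root:4) and one rejected one
# (217:root:46), using the redacted serial numbers shown in the article.
SAMPLE_LOG = """\
[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[285:root:4]Got EMS SN: FCTEMS8821-----7
[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[217:root:46]Got EMS SN: FCTEMS0000-----8
[217:root:46]EMS SN checks failed.
"""

# [<pid>:<vdom>:<session>] followed by the message. search() rather than
# match() so that a timestamp prefix from 'diagnose debug console timestamp
# enable' is tolerated; the "[SV{...}]" inside the User Agent cannot match
# because it does not contain "<digits>:".
LINE_RE = re.compile(r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<sid>\d+)\](?P<msg>.*)$")


@dataclass
class SslvpnAttempt:
    key: str                        # "pid:vdom:session"
    vdom: str
    user_agent: Optional[str] = None
    ems_sn: Optional[str] = None    # serial number presented by the client
    sn_check_failed: bool = False   # FortiGate logged "EMS SN checks failed."


def parse_sslvpn_debug(text: str) -> Dict[str, SslvpnAttempt]:
    """Group debug lines into one SslvpnAttempt per connection attempt."""
    attempts: Dict[str, SslvpnAttempt] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # unrelated debug line
        key = f"{m['pid']}:{m['vdom']}:{m['sid']}"
        a = attempts.setdefault(key, SslvpnAttempt(key=key, vdom=m["vdom"]))
        msg = m["msg"].strip()
        if msg.startswith("User Agent: "):
            a.user_agent = msg[len("User Agent: "):]
        elif msg.startswith("Got EMS SN: "):
            a.ems_sn = msg[len("Got EMS SN: "):].strip()
        elif msg.startswith("EMS SN checks failed"):
            a.sn_check_failed = True
    return attempts


def rejected_attempts(text: str, expected_sn: Optional[str] = None) -> List[SslvpnAttempt]:
    """Attempts FortiGate rejected. If expected_sn (the serial number of the
    EMS this FortiGate is registered to) is given, attempts presenting a
    different SN are reported too, since that mismatch is what the check
    refuses."""
    out: List[SslvpnAttempt] = []
    for a in parse_sslvpn_debug(text).values():
        mismatch = expected_sn is not None and a.ems_sn is not None and a.ems_sn != expected_sn
        if a.sn_check_failed or mismatch:
            out.append(a)
    return out


if __name__ == "__main__":
    for a in rejected_attempts(SAMPLE_LOG):
        print(f"{a.key}: rejected, presented EMS SN {a.ems_sn}, agent {a.user_agent}")
```

Feed it the captured output of 'diagnose debug application sslvpn -1'; the presented SN of a rejected attempt is the fastest way to tell a client registered to the wrong EMS from one not registered at all.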
- From FortiClient:
Verify SSL VPN debugs to confirm the EMS Serial Number is being sent in the connection.
Users can use Diagnostic Tool results: FortiClient Diagnostic Tool
Debug logs: Enabling logging for features.
Trace logs from the folder below:
C:\Program Files\Fortinet\FortiClient\logs\trace\sslvpndaemon_1.log
C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_1.log