mtanveer
New Member
August 4, 2022
Question

Fortigate mac binding for ipsec vpn clients

  • August 4, 2022
  • 3 replies
  • 6192 views

Dears,

Please suggest how to bind the VPN client's IP to its MAC address to validate the actual client.

Regards.

3 replies

Anthony_E
Staff
August 4, 2022

Hello,

I have found this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-client-MAC-binding-supported-platforms/ta-p/196088

Could you please tell me if it helps?

Best Regards
mtanveer (Author)
New Member
August 4, 2022

Thanks Anthony, but our case is a little different: we have configured the clients' public IPs in the FortiGate firewall, and the virtual IP is assigned through FortiClient, which we have whitelisted. Now we intend to configure the client's public IP to be bound to a MAC, as a dual-check verification for the established connection, i.e. both the MAC and the IP should match what the client provides us.

Currently we have checked multiple ways but are unable to find the actual MAC of the client's machine.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DHCP-IP-address-reservation-with-Dial-up-IPsec-VPN/ta-p/192740

This article helps us, but we are unable to find the MAC of the client.

Regards.

Anthony_E
Staff
August 4, 2022

Hello,

Oh ok.

Let's continue looking for something to help you :)!

Best Regards
Yurisk
SuperUser
August 4, 2022

If you mean to check connected clients for their MAC addresses as well, then you need MAC address check rules - https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337?externalID=FD41648

It works with tunnel-mode SSL VPN only.

https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/360620/config-vpn-ssl-web-portal

My (unsolicited) opinion is that it is more pain than gain: a maintenance burden without substantial security benefit (or MAC filtering! Cool, then a MAC changer will fix it, right..).

Have you considered client certificate authentication as an additional step? This would confine a user to the only PC/laptop/etc. which has the certificate installed.

N.B. If you really mean to allocate IPs based on the MAC address of the client (FortiClient does not assign a new MAC on connection, so you can't control this part), then I've never heard of such a service in firewalls, but who knows...
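The two controls named in this reply (the SSL VPN tunnel-mode MAC host check and requiring a client certificate), shown as an added FortiOS CLI example; this is not configuration from the thread or from the linked KB articles. The portal name `full-access`, the rule name `laptop-1` and the MAC address are constructed placeholders, and the command names follow the `config vpn ssl web portal` / `config vpn ssl settings` CLI trees and should be confirmed against the CLI reference for the firmware in use.

```fortios
# Added example: MAC host check on an SSL VPN tunnel-mode portal.
# Only the MAC addresses listed in the rules may connect through this portal.
config vpn ssl web portal
    edit "full-access"                      # constructed portal name
        set tunnel-mode enable
        set mac-addr-check enable
        config mac-addr-check-rule
            edit "laptop-1"                 # constructed rule name
                set mac-addr-mask 48        # match the full 48-bit address
                set mac-addr-list 00:11:22:33:44:55   # placeholder MAC
            next
        end
    next
end

# Per-device binding that does not depend on the MAC: require a client
# certificate on the SSL VPN listener, issued by a CA the FortiGate trusts.
config vpn ssl settings
    set reqclientcert enable
end
```

The MAC check is evaluated only for SSL VPN tunnel-mode sessions (FortiClient reports the interface MAC during the host check); for a dial-up IPsec client, as used by the original poster, the FortiGate never sees a client MAC, so the certificate requirement is the per-device control that carries over. As the reply notes, a MAC list is easy to spoof and adds an inventory to maintain, so treat it as a convenience filter rather than an authentication factor.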

mtanveer (Author)
New Member
August 5, 2022

Thanks Yurisk for your valuable input, but we use dial-up VPN in our environment.