herta
New Member
October 26, 2020
Solved

mac-addr-check in SSL VPN tunnel mode?


We are moving our SSL VPN tunnel users from Pulse Secure to FortiGate (6.0.6). In Pulse Secure, we can limit access based on the remote user's MAC address. I found https://kb.fortinet.com/k....do?externalID=FD41648 which describes how to configure that for SSL VPN web mode, but a number of our SSL VPN users will be using tunnel mode exclusively. Is there a way to configure a mac-addr-check in tunnel mode via a host check option? If not, is there another way to limit access based on some other unique feature of a remote device?

Kind regards,

Herta

    Best answer by Toshi_Esumi

    1 reply

    Toshi_Esumi
    SuperUser
    October 26, 2020

    "config vpn ssl web portal" defines profiles for both types of VPN: tunnel mode and web mode. The KB describes only the MAC address check portion of the config in the portal. It should work regardless of the mode the users use. You can even enable both modes in one profile, like below.

    As a matter of fact, when I enabled the mac-addr-check in a tunnel-mode-enabled profile, it accepted it.

    config vpn ssl web portal
        edit "full-access"
            set tunnel-mode enable
            set ipv6-tunnel-mode enable
            set web-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
            set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
            set mac-addr-check enable
        next
    <snip>
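    For anyone landing on this thread later, here is what the rest of that portal stanza looks like once the MAC rules that the KB describes are filled in. This is an added example, not Toshi_Esumi's config or the text of the Fortinet KB: the portal name, pool name, rule names and MAC addresses are placeholders I made up, and the option names (mac-addr-action, mac-addr-check-rule, mac-addr-mask, mac-addr-list) are the FortiOS 6.x CLI names as I know them; confirm them against the CLI reference for your firmware before pasting.

```text
config vpn ssl web portal
    edit "full-access"
        # Both modes enabled in one portal, as in the accepted answer.
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        # Turn the check on and decide what a match means:
        #   allow = only clients whose MAC matches a rule may log in
        #   deny  = clients whose MAC matches a rule are refused
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            # mac-addr-mask is the number of leading bits that must match:
            # 48 = the exact address, 24 = vendor prefix (OUI) only.
            edit "herta-laptop"
                set mac-addr-mask 48
                # constructed placeholder address
                set mac-addr-list "00:11:22:33:44:55"
            next
            edit "corp-laptop-oui"
                set mac-addr-mask 24
                # constructed placeholder OUI; low 24 bits are ignored
                set mac-addr-list "00:11:22:00:00:00"
            next
        end
    next
end
```

    The portal is then tied to the tunnel-mode users through the authentication rule (config vpn ssl settings, config authentication-rule, set portal "full-access"), so the MAC rules apply to whatever mode those users connect with. One caveat worth keeping in mind: the MAC address is collected by the client-side host check during login, so it is a device-identification aid that helps you keep unmanaged machines off the tunnel, not a strong authentication factor; keep user credentials (ideally with two-factor) as the primary control and treat the MAC list as an additional filter.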

    herta (Author)
    New Member
    October 30, 2020

    Nice. Thanks for your help, Toshi Esumi.