kamarale
New Member
April 10, 2025
Question

SSL VPN with posture/compliance for some client and some without

  • 1 reply
  • 796 views

Hello.
We have configured the FGT as an SSL VPN terminator, implementing posture/compliance controls with the FortiClient EMS without any issues.
To force clients not to "skip" the posture check and connect to the VPN with FortiClient Free (if they do, EMS cannot enforce the client's posture), we added this command on the FGT:

config system global
    set vpn-ems-sn-check enable
end

We tested this and it works fine.
The issue is that now we need a mixed environment: clients with posture and clients without posture (i.e., FortiClient Free and not connected to the EMS).
For this, the current solution doesn't work anymore...

Is there a way to do this granularly, per SSL VPN portal or similar? From what I've seen, this SSL VPN setting applies to the entire FGT globally.

thank you
regards
1 reply

AEK
SuperUser
April 10, 2025

Hello

You can use groups. Put users that have FCT in one group and users with Free FCT in another group. Then create a firewall rule with ZTNA tags and the first group as source, and another rule without ZTNA tags and the second group as source.

AEK
kamarale (Author)
New Member
April 10, 2025

Hello AEK,

OK, with that they would be able to connect to the VPN, right? But no access to internal resources...

I saw this link, and it seems to be more granular with IPsec...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-SSL-VPN-and-Dial-up-IPsec-to-only-devices/ta-p/214456
Thank you!