sharmanpreet
Staff
Article Id 413206
Description

This article explains how to enable the FortiClient EMS serial number (SN) check on FortiGate so that it runs before a VPN connection is allowed to establish. With the check enabled, FortiGate only accepts VPN connection requests from FortiClient endpoints that are managed by a FortiClient EMS connected to the FortiGate through the Security Fabric; all other VPN connection requests are denied.

 

Scope

FortiGate, FortiClient EMS, FortiClient Windows, FortiClient MacOS, FortiClient Linux.

 

Solution

Requirements:

  • The Security Fabric connector between FortiClient EMS and FortiGate is up and in the connected state.
  • FortiClient Telemetry status: connected and online to FortiClient EMS without going through the VPN (the endpoint must be able to reach EMS before the tunnel exists).

 

  1. Configuration: FortiOS v7.4.1 - v7.4.3.

  • The configuration below applies to both SSL VPN and IPsec VPN.

config system global
    set vpn-ems-sn-check {enable | disable}
end

 

  1.1. IPsec VPN also has a setting, independent of the global one above, that performs the FortiClient EMS SN check per tunnel.

  • When ems-sn-check is enabled on a phase1-interface, FortiGate verifies the FortiClient EMS serial number only for connection requests to that IPsec tunnel.

config vpn ipsec phase1-interface
    edit <phase1-name>
        set ems-sn-check {enable | disable}
    next
end

 

  2. Configuration: FortiOS v7.4.4 - v7.4.8, v7.6.0 - v7.6.2.

  • For these versions, the settings for SSL VPN and IPsec VPN are separate: vpn-ems-sn-check under config system global applies to SSL VPN only, and each IPsec tunnel must have ems-sn-check enabled on its own phase1-interface.
  • For SSL VPN:

config system global
    set vpn-ems-sn-check {enable | disable}
end

  • For IPsec:

config vpn ipsec phase1-interface
    edit <phase1-name>
        set ems-sn-check {enable | disable}
    next
end
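Because the meaning of vpn-ems-sn-check changes between the two version groups above, a global "enable" that protected every IPsec tunnel on 7.4.3 leaves tunnels without their own ems-sn-check unprotected after an upgrade to 7.4.4 or later. The following Python script is an added example, not Fortinet code or part of the original article: it parses a FortiOS CLI configuration dump (the SAMPLE_CONFIG below is constructed for illustration), applies the version-dependent semantics described in steps 1 and 2, and lists which IPsec tunnels would still accept clients without the EMS SN check. The version ranges are taken from this article; behaviour on other FortiOS releases is not covered, so the script refuses them rather than guessing.

```python
import re

# Constructed sample FortiOS CLI dump for illustration (not from a real device).
# "ipsec-sales" has its own ems-sn-check; "ipsec-branch" relies on the global setting.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE"
    set vpn-ems-sn-check enable
end
config vpn ipsec phase1-interface
    edit "ipsec-sales"
        set type dynamic
        set interface "port1"
        set ems-sn-check enable
    next
    edit "ipsec-branch"
        set type dynamic
        set interface "port1"
    next
end
"""

# Version ranges as stated in the article (assumption: inclusive on both ends).
_GLOBAL_COVERS_IPSEC = ((7, 4, 1), (7, 4, 3))                      # vpn-ems-sn-check covers SSL VPN and IPsec
_SPLIT_RANGES = (((7, 4, 4), (7, 4, 8)), ((7, 6, 0), (7, 6, 2)))  # SSL VPN and IPsec use separate settings


def parse_version(v):
    """'v7.4.4' or '7.4.4' -> (7, 4, 4)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def _in_range(ver, lo, hi):
    return lo <= ver <= hi


def parse_ems_sn_settings(config_text):
    """Walk a FortiOS CLI dump and extract the EMS serial-number check settings.

    Returns (global_enabled, {phase1_name: tunnel_enabled}). A stack of open
    config/edit blocks makes sure each 'set' is attributed to the right block.
    """
    stack = []            # e.g. ['system global'] or ['vpn ipsec phase1-interface', 'ipsec-sales']
    global_enabled = False
    tunnels = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            stack.append(name)
            if len(stack) == 2 and stack[0] == "vpn ipsec phase1-interface":
                tunnels.setdefault(name, False)   # tunnel seen; default is disabled
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            parts = line.split()
            if len(parts) < 3:
                continue
            key, value = parts[1], parts[2]
            if stack == ["system global"] and key == "vpn-ems-sn-check":
                global_enabled = value == "enable"
            elif (len(stack) == 2 and stack[0] == "vpn ipsec phase1-interface"
                  and key == "ems-sn-check"):
                tunnels[stack[1]] = value == "enable"
    return global_enabled, tunnels


def effective_enforcement(version, config_text):
    """Report which VPN entry points actually enforce the EMS SN check on this version.

    7.4.1-7.4.3: vpn-ems-sn-check covers SSL VPN and every IPsec tunnel; a
                 per-tunnel ems-sn-check enforces it for that tunnel on its own.
    7.4.4-7.4.8, 7.6.0-7.6.2: vpn-ems-sn-check covers SSL VPN only; each IPsec
                 tunnel needs ems-sn-check on its phase1-interface.
    """
    ver = parse_version(version)
    global_enabled, tunnels = parse_ems_sn_settings(config_text)
    if _in_range(ver, *_GLOBAL_COVERS_IPSEC):
        ipsec = {name: global_enabled or flag for name, flag in tunnels.items()}
    elif any(_in_range(ver, lo, hi) for lo, hi in _SPLIT_RANGES):
        ipsec = dict(tunnels)
    else:
        raise ValueError(f"FortiOS {version} is outside the versions this check covers")
    return {"sslvpn": global_enabled, "ipsec": ipsec}


def unprotected_tunnels(version, config_text):
    """Names of IPsec tunnels that would accept VPN clients without the EMS SN check."""
    report = effective_enforcement(version, config_text)
    return sorted(name for name, on in report["ipsec"].items() if not on)


if __name__ == "__main__":
    for v in ("v7.4.3", "v7.4.4", "v7.6.2"):
        print(v, effective_enforcement(v, SAMPLE_CONFIG),
              "unprotected:", unprotected_tunnels(v, SAMPLE_CONFIG))
```

Run it against the output of `show full-configuration` saved from the FortiGate: on v7.4.3 the sample reports no unprotected tunnels, while on v7.4.4 and v7.6.2 it flags ipsec-branch, which is exactly the tunnel that needs `set ems-sn-check enable` added under its phase1-interface before or during the upgrade.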