Article Id 194337



This article describes how to enable MAC host check for SSL VPN in tunnel mode. 




FortiGate, FortiClient.



Host-check features are not supported for FortiClient versions between 6.2.0 and 7.0.2. 
Starting from FortiClient v7.0.3, host check features are available. See the FortiClient 7.0.0 New Features list for more information.
Linux, iOS, and Android clients cannot report the host MAC address, so the MAC address check is not supported for those clients.

Configuring the MAC host check on FortiGate is only possible via the CLI; there is no GUI option for it.



First, identify the portal used by the SSL VPN connection. To do this, browse to the SSL-VPN Settings menu and check the Authentication/Portal Mapping section.




The MAC address check must be configured from the CLI with the commands below.


config vpn ssl web portal
    edit <portal_name>  -----------> Portal identified in the previous step.
        set tunnel-mode enable
        set mac-addr-check enable
        config mac-addr-check-rule
            edit <rule_name>
                set mac-addr-list <address> [address]
                set mac-addr-mask <mask between 1-48>
            next
        end
        set mac-addr-action {allow | deny}
    next
end




See Configuring OS and host check - FortiGate administration guide for more information.


The MAC addresses of all host adapters are sent to FortiGate at connection time. If any of them matches a MAC address from a rule configured on the SSL VPN portal, that rule triggers and the configured action is applied.


When creating the web portal through the CLI, make sure tunnel-mode is enabled. Otherwise, it will not be possible to enable the MAC address check.


set mac
set mac-addr-check-enable
command parse error before 'mac-addr-check-enable'
Command fail. Return code -61


The default value of 'mac-addr-mask' is '48'. The default value of 'mac-addr-action' is 'allow'.


Verification and Troubleshooting.


Test workstation MAC addresses:

ipconfig /all | findstr Physical
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
Physical Address. . . . . . . . . : 5C-85-7E-39-BE-67
Physical Address. . . . . . . . . : D8-9E-F3-7F-3F-A8
Physical Address. . . . . . . . . : 9E-B6-D0-F9-BC-31
Physical Address. . . . . . . . . : AE-B6-D0-F9-BC-31
Physical Address. . . . . . . . . : 9C-B6-D0-F9-BC-31
Physical Address. . . . . . . . . : 9C-B6-D0-F9-BC-32

FortiGate SSL VPN web portal:

config vpn ssl web portal
    edit "MAC-Address-Check-Portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
        set mac-addr-check enable
        config mac-addr-check-rule
            edit "DellXPS"
                set mac-addr-list 9e:b6:d0:f9:bc:39
            next
        end
        set mac-addr-action allow
    next
end




Since none of the host MAC addresses matches the address in the mac-addr-check-rule (9e:b6:d0:f9:bc:39) configured on the FortiGate, the connection is denied.


Multiple MAC addresses can be specified in one rule: keep adding addresses to 'set mac-addr-list <address> [address ...]', as in the example below.

config vpn ssl web portal
    edit <portal_name>
        set mac-addr-check enable
        config mac-addr-check-rule
            edit <rule_name>
                set mac-addr-list 00:09:0F:FE:00:01 5C:85:7E:39:BE:67
                set mac-addr-mask <mask between 1-48>
            next
        end
        set mac-addr-action {allow | deny}
    next
end




A MAC address can be added to an existing list with 'append mac-addr-list <mac_addr>':

config vpn ssl web portal
    edit <portal_name>
        config mac-addr-check-rule
            edit <rule_name>
                append mac-addr-list <mac_addr>
            next
        end
    next
end







The MAC address list does not accept an address group; multiple MAC addresses must be added to the list directly.

A denied connection can be verified in the logs at level 'info' or 'debug'.

Browse to Log & Report -> System Events -> VPN Events and check for the 'tunnel-down' events.



In the CLI, logs can also be displayed, and a filter can be used to shorten the output.

The filter below displays 100 lines of logs related to failed SSL VPN connection attempts, read from disk.

execute log filter device 1  -----------> 1 = disk
execute log filter category 1  -----------> 1 = event
execute log filter field tunneltype "ssl-web"
execute log filter field action "tunnel-down"
execute log filter view-lines 100
execute log display


date=2022-12-24 time=15:39:55 eventtime=1671925195366302823 tz="-0800" logid="0101039425" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-web" tunnelid=1769925909 remip= user="carloss" group="Host-Check-Local-Group" dst_host="N/A" reason="A user has logged in but host check MAC address failed. Hostcheck data: 0000,10.0.22000,d8:9e:f3:7f:3f:a8|00:09:0f:aa:00:01|9c:b6:d0:f9:bc:32|5c:85:7e:39:be:67|9c:b6:d0:f9:bc:31|9e:b6:d0:f9:bc:31|ae:b6:d0:f9:bc:31" duration=0 sentbyte=0 rcvdbyte=0 msg="SSL tunnel shutdown"
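The matching described above (any adapter MAC in the host-check data versus the rule list, compared over the leading mac-addr-mask bits, with the portal action applied on a hit) and the extraction of that data from the tunnel-down event are illustrated below. This is an added example and not Fortinet code; the log line is an abridged copy of the event shown above, and the behaviour for action 'deny' with no matching rule is this example's assumption.

```python
import re

# Abridged copy of the tunnel-down event above (fields not needed here were dropped).
SAMPLE_LOG = (
    'date=2022-12-24 time=15:39:55 logid="0101039425" type="event" subtype="vpn" '
    'action="tunnel-down" tunneltype="ssl-web" user="carloss" '
    'reason="A user has logged in but host check MAC address failed. Hostcheck data: '
    '0000,10.0.22000,d8:9e:f3:7f:3f:a8|00:09:0f:aa:00:01|9c:b6:d0:f9:bc:32|'
    '5c:85:7e:39:be:67|9c:b6:d0:f9:bc:31|9e:b6:d0:f9:bc:31|ae:b6:d0:f9:bc:31" '
    'msg="SSL tunnel shutdown"'
)

def mac_to_int(mac):
    """'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabbccddeeff' -> 48-bit integer."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def mac_matches(host_mac, rule_mac, mask_bits=48):
    """True when the leading mask_bits bits agree (mac-addr-mask 1-48; 48 is the default)."""
    if not 1 <= mask_bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48")
    mask = ((1 << mask_bits) - 1) << (48 - mask_bits)
    return (mac_to_int(host_mac) & mask) == (mac_to_int(rule_mac) & mask)

def evaluate_portal(host_macs, rules, action="allow"):
    """rules: [(rule_name, [mac, ...], mask_bits)]; action: 'allow' or 'deny'.
    Returns (connection_allowed, name_of_triggered_rule_or_None)."""
    for name, rule_macs, mask_bits in rules:
        for rule_mac in rule_macs:
            if any(mac_matches(h, rule_mac, mask_bits) for h in host_macs):
                return action == "allow", name
    # No rule triggered. With action 'allow' the unmatched host is denied (as in the
    # article); the converse for action 'deny' is this example's assumption.
    return action != "allow", None

HOSTCHECK_RE = re.compile(r'Hostcheck data: ([^"]*)"')

def hostcheck_macs(log_line):
    """Pull the adapter MAC list out of a tunnel-down event's reason field."""
    m = HOSTCHECK_RE.search(log_line)
    if not m:
        return []
    fields = m.group(1).split(",")  # "<field>,<field>,<mac>|<mac>|..."
    return fields[2].split("|") if len(fields) >= 3 else []
```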


From a console or SSH session, debug logging can be enabled with the commands below.

diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable

The output will look similar to the following excerpt:


2022-12-24 15:39:55 [301:root:a]req: /remote/hostcheck_validate
2022-12-24 15:39:55 [301:root:a]host check result:0 0000,10.0.22000,d8:9e:f3:7f:3f:a8|00:09:0f:aa:00:01|9c:b6:d0:f9:bc:32|5c:85:7e:39:be:67|9c:b6:d0:f9:bc:31|9e:b6:d0:f9:bc:31|ae:b6:d0:f9:bc:31
2022-12-24 15:39:55 [301:root:a]rmt_hcvalidate_cb_handler:402 MAC address check failed



More detail on the debug output above can be found in Configuring OS and host check.


From the client side, the user will be presented with the following warning message.



