Description
This article describes how to configure FortiGate to only accept connections from EMS-Connected FortiClient endpoints.
Scope
FortiOS v6.4.2 and higher connected to EMS. FortiClient v7.2.1 and higher for IPsec connections.
Solution
Starting in FortiOS v6.4.2, a global setting checks for the EMS serial number for connections coming from FortiClient SSL VPN.
Starting in FortiOS v7.4.0, the global setting was replaced to enable FortiGate to check for the EMS serial number for connections coming from FortiClient Dial-up IPsec VPN.
Note:
Only FortiClient running version 7.2.1 or higher is supported for IPsec dial-up connections. Other third-party client dial-up VPN software is not affected.
Enabling this option will allow only endpoints connected to EMS to establish an SSL VPN tunnel to FortiGate.
Note.
Both FortiGate and FortiClient must be registered to the same EMS Server for this feature to work. This does not affect SSL VPN connections for web mode, only tunnel mode.
Configuration Steps.
- Configure the FortiClient EMS fabric connector as per the article below: Configuring FortiClient EMS.
- Enable EMS serial number check on FortiGate via CLI.
FortiOS v6.4.2 up to v7.2.10 and higher:
config system global
set sslvpn-ems-sn-check enable
end
For IPsec VPN, use the below commands:
config vpn ipsec phase1-interface
edit <phase1 name>
set ems-sn-check enable
end
V7.4.0 and higher.
config system global
set vpn-ems-sn-check enable
end
Note:
This attribute is read-only and enabled by default in FGT_VM64_FGCAWS and FGT_VM64_FGCKVM. In other platforms, it is disabled by default.
- Starting in FortiOS v7.0.0, users can configure a FortiGate to act as an SSL VPN client:
However, it only supports this feature starting in FortiOS v7.0.1 as per Resolved Issue ID 704066.
Verification of Results.
- If a connection attempt is made from a FortiClient not connected to the same EMS Server configured on FortiGate or not connected to any EMS Server, the connection will be refused.
-
If a connection attempt is made from a FortiClient connected to the same EMS server as the FortiGate, it will succeed.
FortiGate EMS Connection.
FortiClient EMS Connection.
Troubleshooting and Debugs.
- From FortiGate.
Verify EMS Serial Number and connectivity:
diagnose debug console timestamp enable
diagnose test application fcnacd 2
diagnose endpoint fctems test-connectivity <EMS Name>
diagnose debug application fcnacd -1
diagnose debug enable
Verify SSL VPN check for EMS Serial Number:
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
Verify IPsec Dial-up VPN check for EMS Serial Number:
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
Example of successful logs of an SSL VPN connection:
[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[285:root:4]Got EMS SN: FCTEMS8821-----7
Example of unsuccessful SSL VPN connection attempt:
[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[217:root:46]Got EMS SN: FCTEMS0000-----8
[217:root:46]EMS SN checks failed.
- From FortiClient.
Verify SSL VPN debugs to confirm the EMS Serial Number is being sent in the connection.
Users can use Diagnostic Tool results:
FortiClient Diagnostic Tool.
Debug logs:
Enabling logging for features
Trace logs from the folder below:
C:\Program Files\Fortinet\FortiClient\logs\trace\sslvpndaemon_1.log.
C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_1.log.
