Created on 06-12-2022 08:15 PM. Edited on 02-24-2025 06:37 AM. By Jean-Philippe_P.
This article describes how to configure FortiGate to accept VPN connections only from FortiClient endpoints that are connected to EMS.
Scope: FortiOS v6.4.2 and higher, with the FortiGate connected to EMS. For IPsec dial-up connections, FortiClient v7.2.1 and higher.
Starting in FortiOS v6.4.2, a global setting makes FortiGate check the EMS serial number presented by FortiClient on SSL VPN connections.
Starting in FortiOS v7.4.0, that global setting was replaced by a single global setting that also applies the EMS serial number check to FortiClient dial-up IPsec VPN connections.
Note:
For IPsec dial-up connections, only FortiClient v7.2.1 or higher is supported. Third-party IPsec dial-up clients are not affected by this check, so it does not by itself restrict them.
Enabling this option allows only endpoints connected to EMS to establish an SSL VPN tunnel (or, where supported, an IPsec dial-up tunnel) to the FortiGate.
Note:
Both the FortiGate and the FortiClient must be registered to the same EMS server for this feature to work. The check applies to SSL VPN tunnel mode only; SSL VPN web mode connections are not affected.
Configuration Steps.
FortiOS v6.4.2 up to and including the v7.2.x branch (for example v7.2.10):
config system global
set sslvpn-ems-sn-check enable
end
For IPsec dial-up VPN, enable the check on the phase1 of the dial-up tunnel (FortiClient v7.2.1 or higher is required on the endpoint):
config vpn ipsec phase1-interface
edit <phase1 name>
set ems-sn-check enable
next
end
FortiOS v7.4.0 and higher:
config system global
set vpn-ems-sn-check enable
end
Note:
On the FGT_VM64_FGCAWS and FGT_VM64_FGCKVM platforms this attribute is read-only and enabled by default. On all other platforms it is disabled by default.
Those two platforms only support this feature starting in FortiOS v7.0.1, as per Resolved Issue ID 704066.
Verification of Results.
If a connection attempt is made from a FortiClient connected to the same EMS server as the FortiGate, it succeeds. An attempt from an endpoint that is not connected to that EMS server (or that presents a different EMS serial number) is rejected.
[Screenshot: FortiGate EMS connection status]
[Screenshot: FortiClient EMS connection status]
Troubleshooting and Debugs.
Verify EMS Serial Number and connectivity:
diagnose debug console timestamp enable
diagnose test application fcnacd 2
diagnose endpoint fctems test-connectivity <EMS Name>
diagnose debug application fcnacd -1
diagnose debug enable
Verify SSL VPN check for EMS Serial Number:
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
Verify IPsec Dial-up VPN check for EMS Serial Number:
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
Debug level -1 is verbose; reproduce a single connection attempt, then disable debugging again once the test is complete.
Example debug output for a successful SSL VPN connection (the EMS serial number matches the FortiGate's EMS):
[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[285:root:4]Got EMS SN: FCTEMS8821-----7
Example debug output for a rejected SSL VPN connection attempt (the EMS serial number does not match the FortiGate's EMS):
[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[217:root:46]Got EMS SN: FCTEMS0000-----8
[217:root:46]EMS SN checks failed.
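When several endpoints are tested at once, reading the sslvpn debug output by hand becomes error-prone. The following script is an added example, not part of the original article or of any Fortinet tool: it groups "diagnose debug application sslvpn -1" lines by their [pid:vdom:connection-id] prefix, pulls out the User Agent, the "Got EMS SN" value and any "EMS SN checks failed" line, and compares each connection against the EMS serial number(s) the FortiGate is registered to. The sample debug lines, timestamps and EMS serial numbers are constructed for the example, and the trusted serial number set is an assumed value. A connection that presents a foreign EMS serial number without a failure line is flagged as "not_enforced", the heuristic a practitioner wants when checking whether the sn-check setting is actually active.

```python
import re
from typing import Dict, Iterable, Set

# Constructed sample of "diagnose debug application sslvpn -1" output with
# console timestamps enabled. EMS serial numbers are made up for this example.
SAMPLE_DEBUG = """\
2025-02-24 06:37:01 [285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2025-02-24 06:37:01 [285:root:4]Got EMS SN: FCTEMS0000000001
2025-02-24 06:37:05 [217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2025-02-24 06:37:05 [217:root:46]Got EMS SN: FCTEMS0000000002
2025-02-24 06:37:05 [217:root:46]EMS SN checks failed.
2025-02-24 06:37:09 [301:root:7]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2025-02-24 06:37:09 [301:root:7]Got EMS SN: FCTEMS0000000003
"""

# EMS serial number(s) the FortiGate itself is registered to (assumed value;
# take the real one from "diagnose test application fcnacd 2").
TRUSTED_EMS_SNS: Set[str] = {"FCTEMS0000000001"}

# FortiOS prefixes every daemon debug line with [pid:vdom:connection-id].
PREFIX_RE = re.compile(r"\[(\d+):([^:\]]+):(\d+)\](.*)$")
UA_RE = re.compile(r"User Agent:\s*(.+?)\s*$")
SN_RE = re.compile(r"Got EMS SN:\s*(\S+)")
FAIL_RE = re.compile(r"EMS SN checks failed")


def parse_sslvpn_debug(lines: Iterable[str]) -> Dict[str, dict]:
    """Collect per-connection facts, keyed by 'pid:vdom:id'."""
    conns: Dict[str, dict] = {}
    for line in lines:
        m = PREFIX_RE.search(line)
        if not m:
            continue  # banner, blank line or other non-daemon output
        key = f"{m.group(1)}:{m.group(2)}:{m.group(3)}"
        body = m.group(4)
        rec = conns.setdefault(
            key, {"user_agent": None, "ems_sn": None, "sn_check_failed": False}
        )
        ua = UA_RE.search(body)
        sn = SN_RE.search(body)
        if ua:
            rec["user_agent"] = ua.group(1)
        elif sn:
            rec["ems_sn"] = sn.group(1)
        elif FAIL_RE.search(body):
            rec["sn_check_failed"] = True
    return conns


def audit(lines: Iterable[str], trusted_sns: Set[str]) -> Dict[str, str]:
    """Return a verdict per connection: accepted, rejected, no_ems_sn or not_enforced."""
    verdicts: Dict[str, str] = {}
    for key, rec in parse_sslvpn_debug(lines).items():
        if rec["sn_check_failed"]:
            verdicts[key] = "rejected"       # FortiGate enforced the check
        elif rec["ems_sn"] is None:
            verdicts[key] = "no_ems_sn"      # client presented no EMS serial number
        elif rec["ems_sn"] in trusted_sns:
            verdicts[key] = "accepted"
        else:
            # Foreign EMS serial number but no failure line: the sn-check
            # setting is most likely disabled, or the capture is incomplete.
            verdicts[key] = "not_enforced"
    return verdicts


if __name__ == "__main__":
    for conn, verdict in audit(SAMPLE_DEBUG.splitlines(), TRUSTED_EMS_SNS).items():
        print(f"{conn:<14} {verdict}")
```

Feed it the saved console output of a real debug session instead of SAMPLE_DEBUG; any "not_enforced" verdict means a non-EMS-managed endpoint got through and the global (or phase1) setting should be re-checked.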
On the FortiClient side, the FortiClient Diagnostic Tool output can be used (see the article 'FortiClient Diagnostic Tool').
Debug logs: see the article 'Enabling logging for features'.
Trace logs are written to the folder below:
C:\Program Files\Fortinet\FortiClient\logs\trace\sslvpndaemon_1.log (SSL VPN)
C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_1.log (IPsec dial-up)
Copyright 2025 Fortinet, Inc. All Rights Reserved.