FortiGate
CarlosColombini
Article Id 214456
Description

 

This article describes how to configure FortiGate to only accept connections from EMS-Connected FortiClient endpoints.

 

Scope

 

FortiOS v6.4.2 and higher connected to EMS. FortiClient v7.2.1 and higher for IPsec connections.

 

Solution

 

Starting in FortiOS 6.4.2, there is a global setting that checks for the EMS serial number for connections coming from FortiClient SSL VPN.

Starting in FortiOS 7.4.0, the global setting was replaced to enable FortiGate to also check for the EMS serial number for connections coming from FortiClient Dial-up IPsec VPN.

Note:
For IPsec dial-up connections, only FortiClient running version 7.2.1 or higher is supported. Other third-party dial-up VPN client software is not affected.

 

By enabling this option, only endpoints connected to EMS will be able to establish an SSL VPN tunnel to the FortiGate.

 

Note:

Both FortiGate and FortiClient must be registered to the same EMS Server for this feature to work. This does not affect SSL VPN connections for web mode, only tunnel mode.

 

Configuration Steps

 

  1. Configure the FortiClient EMS fabric connector as per the article below: Configuring FortiClient EMS

 


 

  2. Enable the EMS serial number check on FortiGate via the CLI.


FortiOS 6.4.2 up to 7.2.6:

 

config system global

    set sslvpn-ems-sn-check enable

end

 

For IPsec dial-up VPN, use the following commands on the relevant phase1-interface:

 

config vpn ipsec phase1-interface

    edit <phase1 name>

        set ems-sn-check enable

    next

end


FortiOS 7.4.0 and higher (the 7.2 branch may include this change starting in 7.2.7):

 

config system global

    set vpn-ems-sn-check enable

end

 

Note:

This attribute is read-only and enabled by default in FGT_VM64_FGCAWS and FGT_VM64_FGCKVM. In other platforms, it is disabled by default.

 

  3. Starting in FortiOS 7.0.0, users can configure a FortiGate to act as an SSL VPN client:

FortiGate as SSL VPN Client 


However, the EMS serial number check is only supported in this scenario starting in FortiOS 7.0.1, as per Resolved Issue ID 704066.

 

Verification of Results

  1. If a connection attempt is made from a FortiClient that is not connected to the same EMS Server configured on FortiGate or not connected to any EMS Server, the connection will be refused.

 


 


 

  2. If a connection attempt is made from a FortiClient connected to the same EMS server as the FortiGate, then it will be successful.

 

FortiGate EMS Connection.

 


 

FortiClient EMS Connection.

 


 


 

Troubleshooting and Debugs

  1. From FortiGate:

Verify the EMS serial number and EMS connectivity:

 

diagnose debug console timestamp enable
diagnose test application fcnacd 2

diagnose endpoint fctems test-connectivity <EMS Name>
diagnose debug application fcnacd -1
diagnose debug enable

 

Verify the SSL VPN check for the EMS serial number:


diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable

 

Verify the IPsec dial-up VPN check for the EMS serial number:


diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

Example of the logs of a successful SSL VPN connection:


[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[285:root:4]Got EMS SN: FCTEMS8821-----7


Example of an unsuccessful SSL VPN connection attempt:


[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[217:root:46]Got EMS SN: FCTEMS0000-----8
[217:root:46]EMS SN checks failed.

  2. From FortiClient:
Verify the SSL VPN debugs to confirm that the EMS serial number is being sent in the connection.


Users can use the Diagnostic Tool results:
FortiClient Diagnostic Tool.

Debug logs:
Enabling logging for features

Trace logs from the folder below:
C:\Program Files\Fortinet\FortiClient\logs\trace\sslvpndaemon_1.log
C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_1.log
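The "diagnose debug application sslvpn -1" excerpts shown under "From FortiGate" above are easy to read one at a time, but on a busy FortiGate they arrive interleaved from many connections. The following script is an added example, not code from the article or from Fortinet: it groups sslvpn debug lines by their [pid:vdom:connection-id] prefix, extracts the User Agent and the EMS serial number each client presented, and labels each attempt as accepted, rejected, carrying no EMS serial at all, or worth a review. The line patterns are assumed from the two excerpts in the article only, the sample lines are constructed (the serials are redacted exactly as on the page), and the trusted-serial set is a placeholder for the serial of the EMS the FortiGate is registered to.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Every sslvpn debug line in the article carries a [pid:vdom:connection-id] prefix;
# that prefix is what ties one client's lines together. A leading timestamp (from
# "diagnose debug console timestamp enable") is tolerated but not parsed. Assumption:
# the patterns below are derived only from the two excerpts in the article.
LINE_RE = re.compile(r"^[^\[]*\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<cid>\d+)\](?P<msg>.*)$")
UA_RE = re.compile(r"User Agent:\s*(?P<ua>.+?)\s*$")
SN_RE = re.compile(r"Got EMS SN:\s*(?P<sn>\S+)")
FAIL_MARKER = "EMS SN checks failed."


@dataclass
class Session:
    """What the debug output tells us about one SSL VPN connection attempt."""
    key: str
    user_agent: Optional[str] = None
    ems_sn: Optional[str] = None
    sn_check_failed: bool = False


def parse_sslvpn_debug(lines: Iterable[str]) -> Dict[str, Session]:
    """Group sslvpn debug lines by connection and pull out the EMS-related facts."""
    sessions: Dict[str, Session] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an sslvpn debug line (blank line, prompt, etc.)
        key = f"{m['pid']}:{m['vdom']}:{m['cid']}"
        session = sessions.setdefault(key, Session(key))
        msg = m["msg"]
        if (ua := UA_RE.search(msg)):
            session.user_agent = ua["ua"]
        elif (sn := SN_RE.search(msg)):
            session.ems_sn = sn["sn"]
        elif FAIL_MARKER in msg:
            session.sn_check_failed = True
    return sessions


def classify(session: Session, trusted_sns: Set[str]) -> str:
    """Label one connection attempt from a defender's point of view."""
    if session.sn_check_failed:
        return "rejected"      # FortiGate refused it: the SN did not match its own EMS
    if session.ems_sn is None:
        return "no-ems-sn"     # the client never presented an EMS serial number
    if session.ems_sn in trusted_sns:
        return "accepted"
    # A serial we were not told to trust, yet no failure line: worth a look, because it
    # would mean the check is disabled or the FortiGate trusts an EMS we did not expect.
    return "review"


def summarize(lines: Iterable[str], trusted_sns: Set[str]) -> Dict[str, str]:
    """Map each connection id to its verdict."""
    return {key: classify(s, trusted_sns) for key, s in parse_sslvpn_debug(lines).items()}


# Constructed sample: the two excerpts from the article (serials redacted as on the
# page) plus one made-up attempt that carries no EMS serial at all.
SAMPLE_DEBUG = [
    "[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])",
    "[285:root:4]Got EMS SN: FCTEMS8821-----7",
    "[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])",
    "[217:root:46]Got EMS SN: FCTEMS0000-----8",
    "[217:root:46]EMS SN checks failed.",
    "[301:root:9]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])",
]
# Placeholder: the serial of the EMS this FortiGate is registered to.
TRUSTED_EMS_SNS = {"FCTEMS8821-----7"}

if __name__ == "__main__":
    for key, verdict in summarize(SAMPLE_DEBUG, TRUSTED_EMS_SNS).items():
        print(f"{key:<14} {verdict}")
```

Feed it the captured console output of the sslvpn debug instead of SAMPLE_DEBUG to get one verdict per connection; the "review" label is the one to act on, since it means a serial the FortiGate let through that is not the EMS you expected, which is exactly the condition the serial number check is meant to prevent.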