FortiGate
CarlosColombini
Article Id 214456
Description

This article describes how to configure FortiGate to only accept connections from EMS-connected FortiClient endpoints.

Scope

FortiOS v6.4.2 and higher connected to EMS. FortiClient v7.2.1 and higher for IPsec connections.

 

Solution

Starting in FortiOS v6.4.2, a global setting checks for the EMS serial number for connections coming from FortiClient SSL VPN.

Starting in FortiOS v7.4.0, this global setting was replaced by one that also lets FortiGate check the EMS serial number for connections coming from FortiClient dial-up IPsec VPN.

Note:
Only FortiClient running version 7.2.1 or higher is supported for IPsec dial-up connections. Other third-party client dial-up VPN software is not affected.

Enabling this option will allow only endpoints connected to EMS to establish an SSL VPN tunnel to FortiGate.

Note:
Both FortiGate and FortiClient must be registered to the same EMS Server for this feature to work. This does not affect SSL VPN connections for web mode, only tunnel mode.

Configuration Steps.

 

  1. Configure the FortiClient EMS fabric connector as per the article below: Configuring FortiClient EMS.

  2. Enable the EMS serial number check on FortiGate via the CLI.

FortiOS v6.4.2 up to v7.2.10 and later 7.2.x releases (before v7.4.0):

 

config system global
    set sslvpn-ems-sn-check enable
end

For IPsec VPN, use the below commands:

config vpn ipsec phase1-interface
    edit <phase1 name>
        set ems-sn-check enable
    next
end

FortiOS v7.4.0 and higher:

config system global
    set vpn-ems-sn-check enable
end

 

Note:
This attribute is read-only and enabled by default in FGT_VM64_FGCAWS and FGT_VM64_FGCKVM. On other platforms, it is disabled by default.

  3. Starting in FortiOS v7.0.0, users can configure a FortiGate to act as an SSL VPN client:

FortiGate as SSL VPN Client

However, the EMS serial number check is only supported for this use case starting in FortiOS v7.0.1, as per Resolved Issue ID 704066.

 

Verification of Results.

  1. If a connection attempt is made from a FortiClient not connected to the same EMS Server configured on FortiGate, or not connected to any EMS Server, the connection will be refused.

  2. If a connection attempt is made from a FortiClient connected to the same EMS server as the FortiGate, it will succeed.

FortiGate EMS Connection.

FortiClient EMS Connection.

Troubleshooting and Debugs.

  1. From FortiGate.

Verify the EMS Serial Number and connectivity:

diagnose debug console timestamp enable
diagnose test application fcnacd 2

diagnose endpoint fctems test-connectivity <EMS Name>
diagnose debug application fcnacd -1
diagnose debug enable

Verify the SSL VPN check for the EMS Serial Number:

diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable

Verify the IPsec dial-up VPN check for the EMS Serial Number:

diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

Example of successful logs of an SSL VPN connection:

[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[285:root:4]Got EMS SN: FCTEMS8821-----7

Example of an unsuccessful SSL VPN connection attempt:

[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[217:root:46]Got EMS SN: FCTEMS0000-----8
[217:root:46]EMS SN checks failed.
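As an added example that is not part of this article or of any Fortinet tool, the following Python script parses output of the form shown in the sslvpn debug excerpts above, groups the lines by their bracketed prefix (which the excerpts show is shared by all lines of one connection attempt) and classifies each attempt: rejected by FortiGate, accepted, accepted with an EMS serial number other than the one you expect, or no EMS serial number presented at all. The sample input is constructed from the two excerpts plus a hypothetical third attempt with no "Got EMS SN" line; the expected serial number is a placeholder, and the reading of a missing "Got EMS SN" line as "client not EMS-connected" is the example's own assumption, not a statement from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "diagnose debug application sslvpn -1" output. The first two
# attempts reproduce the excerpts quoted in the article; the third (prefix 301:root:9)
# is hypothetical and never presents an EMS serial number. All serial numbers are
# placeholders, not real EMS serials.
SAMPLE_DEBUG = """\
[285:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[285:root:4]Got EMS SN: FCTEMS8821-----7
[217:root:46]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[217:root:46]Got EMS SN: FCTEMS0000-----8
[217:root:46]EMS SN checks failed.
[301:root:9]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
"""

# The "[a:b:c]" prefix is shared by all lines of one connection attempt, so it serves
# as the session key. search() rather than match() so that anything printed before the
# prefix (for example a console timestamp) is ignored.
PREFIX_RE = re.compile(r"\[(?P<key>\d+:[^:\]]+:\d+)\](?P<msg>.*)$")
SN_RE = re.compile(r"Got EMS SN:\s*(?P<sn>\S+)")
FAIL_MARKER = "EMS SN checks failed"


@dataclass
class Session:
    key: str
    user_agent: Optional[str] = None
    ems_sn: Optional[str] = None
    check_failed: bool = False

    def status(self, expected_sn: Optional[str] = None) -> str:
        """Classify the attempt from what FortiGate logged about it."""
        if self.check_failed:
            return "rejected"        # FortiGate itself refused the presented EMS SN
        if self.ems_sn is None:
            # Assumption of this example: no serial presented means the client was
            # not EMS-connected (or too old to send one).
            return "no-ems-sn"
        if expected_sn is not None and self.ems_sn != expected_sn:
            # Accepted, but with a serial other than the EMS you registered to.
            return "accepted-unexpected-sn"
        return "accepted"


def parse_sessions(debug_text: str) -> Dict[str, Session]:
    """Group debug lines by prefix and pull out the EMS-related facts per attempt."""
    sessions: Dict[str, Session] = {}
    for line in debug_text.splitlines():
        m = PREFIX_RE.search(line)
        if m is None:
            continue  # unrelated output
        sess = sessions.setdefault(m["key"], Session(m["key"]))
        msg = m["msg"].strip()
        sn = SN_RE.search(msg)
        if msg.startswith("User Agent:"):
            sess.user_agent = msg[len("User Agent:"):].strip()
        elif sn is not None:
            sess.ems_sn = sn["sn"]
        elif FAIL_MARKER in msg:
            sess.check_failed = True
    return sessions


def audit(debug_text: str, expected_sn: Optional[str] = None) -> List[dict]:
    """One record per connection attempt, in order of first appearance."""
    return [
        {"key": s.key, "user_agent": s.user_agent, "ems_sn": s.ems_sn,
         "status": s.status(expected_sn)}
        for s in parse_sessions(debug_text).values()
    ]


if __name__ == "__main__":
    # EXPECTED_EMS_SN is a placeholder: use the serial of the EMS that your
    # FortiGate's fabric connector is registered to.
    EXPECTED_EMS_SN = "FCTEMS8821-----7"
    for rec in audit(SAMPLE_DEBUG, EXPECTED_EMS_SN):
        print(f"{rec['key']:<12} {rec['status']:<24} sn={rec['ems_sn']}")
```

Run it against a saved capture of the sslvpn debug output. The "accepted-unexpected-sn" status is the one to look for when checking that FortiGate and FortiClient are registered to the same EMS: a serial that is accepted but differs from your EMS indicates either that the check is not enabled or that the fabric connector is registered to a different server.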

  2. From FortiClient.

Verify the SSL VPN debugs to confirm the EMS Serial Number is being sent in the connection.

Users can use Diagnostic Tool results:
FortiClient Diagnostic Tool.

Debug logs:
Enabling logging for features

Trace logs from the folder below:
C:\Program Files\Fortinet\FortiClient\logs\trace\sslvpndaemon_1.log
C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_1.log