Description

This article describes how to address the 'Your device has network restrictions—please connect to your VPN' message displayed over FortiClient in FortiSASE.

Scope

FortiClient, FortiSASE.

Solution

When the Network Lockdown feature is enabled in the endpoint profile for FortiSASE users, it is expected behavior for off-fabric users to see the Network Lockdown notification message on the FortiClient.

This occurs because Network Lockdown enforces strict traffic control, allowing communication only through the FortiSASE fabric. As a result, when the endpoint is detected as off-fabric, FortiClient blocks non-compliant network access and displays the corresponding Network Lockdown message to the end user.

However, in some scenarios, on-fabric FortiClient users may also observe the message, 'Device has network restriction. Please connect to VPN.'

This behavior is expected when Network Lockdown is enabled and the FortiSASE auto-connect VPN setting is configured as Manual.

In this state, although the endpoint is detected as on-fabric, FortiClient does not automatically establish the FortiSASE VPN tunnel. As Network Lockdown enforces that traffic must pass through the FortiSASE fabric, the client restricts network access until the VPN connection is manually initiated, resulting in the above message being displayed.

Recommended action:

Configure the FortiSASE VPN auto-connect mode to Automatic to ensure the tunnel is established without user intervention. This prevents on-fabric users from encountering the network restriction message and ensures seamless access.