Fortinet Forum
mtanveer
New Contributor

Fortigate mac binding for ipsec vpn clients

Dear all,

Please suggest how to bind a VPN client's IP with its MAC address to validate the actual client.

Regards.

Anthony_E
Community Manager

Hello,

I have found this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-client-MAC-binding-supported-platf...

Could you please tell me if it helps?

Regards

Anthony-Fortinet Community Team.
mtanveer

Thanks Anthony, but our case is a little different: we have configured the clients' public IPs in the FortiGate firewall, and a virtual IP is assigned through FortiClient, which we have whitelisted. Now we intend to configure the client's public IP to be bound to its MAC, a dual-check verification for establishing the connection, i.e. both MAC and IP should match what the client provided us.

Currently we have checked multiple ways but are unable to find the actual MAC of the client's machine.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DHCP-IP-address-reservation-with-Dial-up-I...

This article helped us, but we are unable to find the MAC of the client.

Regards.

Anthony_E
Community Manager

Hello,

Oh ok.

Let's continue to find something to help you :)!

Regards,

Anthony-Fortinet Community Team.
Yurisk
Valued Contributor

If you mean to check connected clients for their MAC addresses as well, then you need MAC address check/rules - https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337?exte...

It works with tunnel-mode SSL VPN only.

https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/360620/config-vpn-ssl-web-portal

My (unsolicited) opinion is that it is more pain than gain, a maintenance burden without substantial security benefit (or MAC filtering! Cool, then a MAC changer will fix it, right..).

Have you considered client certificate authentication as an additional step? This would confine a user to only the PC/laptop/etc. which has the certificate installed.

N.B. If you really mean to allocate an IP based on the MAC address of the client (FortiClient does not assign a new MAC on connection, so you can't control this part), then I've never heard of such a service in firewalls, but who knows...

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
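For readers who want to see what the two options above look like in FortiOS CLI, here is an added configuration example (not from Yuri's post, and not from the KB articles linked in this thread). It combines the SSL VPN tunnel-mode MAC host check from the linked KB with the client-certificate step Yuri suggests. The portal name "full-access", the CA name "CA_Cert_1", the peer and group names, and the two MAC addresses are assumptions for illustration; the `#` lines are explanatory comments and should be dropped when pasting into the CLI. Note that this applies to tunnel-mode SSL VPN only, not to dial-up IPsec, which is what the original poster runs.

```text
# Added example: FortiOS CLI, SSL VPN tunnel mode (names and MACs are assumptions).

# 1. MAC host check on the portal: with mac-addr-check enabled and
#    mac-addr-action allow, only clients whose MAC matches a rule below
#    may connect; every other MAC is rejected.
config vpn ssl web-portal
    edit "full-access"
        set tunnel-mode enable
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "allowed-laptops"
                set mac-addr-mask 48
                set mac-addr-list 00:11:22:33:44:55 00:11:22:33:44:66
            next
        end
    next
end

# 2. Client certificate as an additional factor: a user peer tied to the
#    issuing CA, a group containing that peer, and the SSL VPN settings
#    requiring a client certificate and mapping the group to the portal.
config user peer
    edit "laptop-certs"
        set ca "CA_Cert_1"
    next
end

config user group
    edit "vpn-cert-users"
        set member "laptop-certs"
    next
end

config vpn ssl settings
    set reqclientcert enable
    config authentication-rule
        edit 1
            set groups "vpn-cert-users"
            set portal "full-access"
        next
    end
end
```

The MAC check relies on the address the client reports, which is exactly the weakness Yuri points out: anyone who can change a MAC can satisfy it. The certificate requirement is the part that actually ties a session to a device, because the private key has to be present on the machine that connects, so if only one of the two is worth the maintenance effort, it is the second.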
mtanveer

Thanks Yurisk for your valuable input, but we use dial-up VPN in our environment.