There may already be a post about this but I could not find it.
We have Fortigate Firewalls and use the FortiClient VPN to work from home.
We actually have a few users that connect to the VPN from home, on their personal computers, and then remote into their work desktops. We are finally getting laptops for these people, but it made me think: what's stopping them from installing FortiClient V7 from the internet and using our work credentials? The users that "can" connect to the VPN do have to be in a security group. But they could technically connect to our network with any device. Huge security risk, I know.
Is there a way to use Active Directory security groups or something so that we can allow only certain devices to connect to the VPN? Right now all we have is a security group that you have to be in to connect to the VPN. But if you're in that group, what's stopping you from connecting with any device you have or buy or find or...
You can control the access to your SSLVPN via the following options:
1. SSLVPN MAC address host check (requires FortiClient EMS for 6.2.x and above)
2. ZTNA rule to control access to your internal network (requires FortiClient EMS)
3. Configuring a custom host check to verify the domain name of the host (requires FortiClient EMS for 6.2.x and above)
Option 1 would be tedious if you have a lot of machines that connect via SSLVPN. ZTNA would allow you to centrally manage all your FortiClient installs and assign tags to machines indicating whether they are compliant to connect to the network. You may refer to the following documents for both options:
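As an added illustration of option 1 (not part of the answer above), this is the shape of a FortiOS SSL VPN portal configuration that only admits sessions from listed MAC addresses; the portal name `full-access`, the rule name and the MAC address are placeholders you would replace with your own values.

```text
# Restrict the SSL VPN portal to known company devices by MAC address.
# Anything not matching a rule is rejected because the action is "allow"
# (allow-list semantics); use "deny" for the opposite block-list behaviour.
config vpn ssl web portal
    edit "full-access"
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "corp-laptop-01"          # placeholder rule name
                set mac-addr-mask 48       # match the full 48-bit address
                set mac-addr-list "00:11:22:33:44:55"   # placeholder MAC, one per device
            next
        end
    next
end
```

Each additional device needs its own rule entry, which is why this does not scale well compared with EMS/ZTNA tags; a MAC address is also an identity the endpoint reports rather than something the firewall can attest, so treat it as a speed bump that keeps casual personal devices out, not as a substitute for the EMS-based device posture checks in options 2 and 3.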