Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mtanveer
New Contributor

Created on ‎08-03-2022 11:54 PM

Fortigate mac binding for ipsec vpn clients

Dear's,

 

Please suggest how to bind vpn client's IP with MAC address to validate the actual client. 

 

Regards.

Labels:
4081
0 Kudos
5 REPLIES 5
Anthony_E
Community Manager
Community Manager

Created on ‎08-04-2022 12:06 AM

Hello,

 

I have found this KB article:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-client-MAC-binding-supported-platf...

 

Could you please tell me if it helps?

 

Regards

Anthony-Fortinet Community Team.
4074
0 Kudos
mtanveer
New Contributor
In response to Anthony_E

Created on ‎08-04-2022 02:19 AM

Thanks Anthony but our case is little different we have configured client public IP's in foritgate firewall and virtual IP is assigned through Forti client which we have whitelisted. Now we intend to configured the client public IP should be binded with MAC. Dual check verification for connection established i.e MAC and IP both should be matched as client provide us.

Currently we checked multiple ways but unable to find the actual MAC of client's machine.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DHCP-IP-address-reservation-with-Dial-up-I...

 

This article help us but unable to find the MAC of client.

 

Regards.

4067
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎08-04-2022 02:20 AM

Hello,

 

Oh ok.

Let s continue to find something for helping you :)!

 

Regards,

Anthony-Fortinet Community Team.
4066
0 Kudos
Yurisk
SuperUser
SuperUser

Created on ‎08-04-2022 06:53 AM Edited on ‎08-04-2022 06:56 AM

I you mean to check connected clients for their MAC addresses as well, then you need MAC address check/rules - https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-host-check-on-SSL-VPN/ta-p/194337?exte...  

It works with tunnel mode SSL VPN mode only. 

 

https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/360620/config-vpn-ssl-web-portal 

 

My (unsolicited) opinion is that it is more pain than gain, a maintenance burden without substantial security benefit (or MAC filtering! Cool, then MAC-changer will fix it right..). 

 

Have you considered client certificate authentication as additional step? This would confine a user to the only PC/laptop/etc which has the certificate installed. 

 

N.B. If you  really mean  to allocate IP based on MAC address of the client (Forticlient does not assign a new MAC on connection, so you can't control this part), then I've never heard of such service in firewalls, but who knows...

Yuri Slobodyanyuk
Yuri Slobodyanyuk
4060
0 Kudos
mtanveer
New Contributor
In response to Yurisk

Created on ‎08-04-2022 11:54 PM

Thanks Yurisk for your valuable input, but we dialup vpn in over environment. 

4049
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.