Hello everyone!
is it doable to restrict IPsec vpn access (forticlent) based on certian mac addresses
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Even if it was possible, what is the purpose? If you only want trusted clients to connect, then the certificate route is the best way to go.
What client are you guys using? With both the SSL (NetExtender/Mobile Connect) and Global (IPsec) you can see the MAC address of the device used to establish the connection (Either in users or VPN -> DHCP depending on the client) and you could potentially create a SSL VPN -> LAN or VPN -> LAN rule to allow access from a white listed address group that contained approved MACs.
With the Global, you can also allow the IP addressing to be lease only (either pointing to the SonicWALLs internal DHCP or relay to another DHCP server); We have customers who set aside a separate subnet for the GVC connections and all the leases in that subnet are statics.
As others have pointed out though, a MAC address is a trivial thing to spoof - so even if you wanted to figure out how to successfully implement something it would not be the most effective as crafty users are likely to get around that if they get ahold of a white listed MAC.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.