Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hamza_derbali
New Contributor

Created on ‎05-22-2024 09:18 AM

Issue with MAC Address-Based Policy on VPN Tunnel Interface

Hello,

I'm trying to create a MAC address-based policy using the VPN tunnel interface as the incoming interface, but it's not working and it authorizes all MAC addresses of the VPN users.

 

Do I need a license for this?

Regards,

 

policy mac based.png

Labels:
931
0 Kudos
1 Solution
ozkanaltas
Valued Contributor III
In response to Hamza_derbali

Created on ‎05-22-2024 10:45 PM

Hello @Hamza_derbali ,

 

I found a document about that. This document shows you can't apply a mac-based host check with a free client.

 

https://docs.fortinet.com/document/forticlient/7.0.0/new-features/651315/fortigate-powered-host-chec...

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
839
5 REPLIES 5
ozkanaltas
Valued Contributor III

Created on ‎05-22-2024 09:22 AM

Hello @Hamza_derbali ,

 

Mac-address-based policy just works on Layer2 networks. Because of that, you can't apply a mac-based policy for SSL-VPN. 

 

Also, I can't see a mac-address object on your screenshot. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
926
hbac
Staff
Staff

Created on ‎05-22-2024 11:55 AM

Hi @Hamza_derbali,

 

Please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-address-check-on-SSL-VPN-connections/t...

 

Regards, 

874
Hamza_derbali
New Contributor
In response to hbac

Created on ‎05-22-2024 01:00 PM

Hello @hbac ,

Thanks, but I've already seen this article. The issue I'm facing now is determining whether the host checker requires an additional license for accurate information. For your information, I'm using FortiClient 7.2.4.

Regards,

865
0 Kudos
ozkanaltas
Valued Contributor III
In response to Hamza_derbali

Created on ‎05-22-2024 10:45 PM

Hello @Hamza_derbali ,

 

I found a document about that. This document shows you can't apply a mac-based host check with a free client.

 

https://docs.fortinet.com/document/forticlient/7.0.0/new-features/651315/fortigate-powered-host-chec...

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
840
hbac
Staff
Staff
In response to Hamza_derbali

Created on ‎05-23-2024 08:51 AM

Hi @Hamza_derbali,

 

It is working in my lab. I'm using FortiClient 7.0.9 free version. I configured SSLVPN to deny my MAC address:

Atlantis-kvm60 (full-access) # show
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set ip-mode user-group
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set mac-addr-check enable
set mac-addr-action deny
config mac-addr-check-rule
edit "1"
set mac-addr-list 00:53:6d:6f:48:02
next
end
next
endhost.PNG

 

Regards, 

821
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.