Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ss26101983ss
New Contributor

how can i restrict unlicensed vpn versions connecting via VPN

the user can install the unlicensed version of forticlient and get unnoticed by the EMS which means they can circumvent the security profiles and settings applied to the users

Is there a way to avoid such connectivity of VPN to our network ?

8 REPLIES 8
gfleming
Staff
Staff
ss26101983ss

if you use the unlicensed version that machine will not be reporting to EMS and you can push the updates to the device that doesn't report to ems

Christian_89
Contributor III

hello
I would recommend the ZTNA approach.

btan
Staff
Staff

If you are looking to prevent FCT free-version to connect to your FGT VPN, you may follow below guide:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricted-SSL-VPN-to-FortiClient-connecte...

Note that this is a global setting in FGT.

Regards,
Bon
FarinaAhmed
New Contributor III

  1. Enable Endpoint Control on your FortiGate device to enforce policies that allow only authorized versions of FortiClient VPN to connect.

  2. Utilize FortiClient EMS to manage and control the deployment of FortiClient VPN. Enforce licensing requirements, monitor client versions, and push updates to ensure all endpoints are running licensed and authorized versions.

  3. Implement Network Access Control (NAC) mechanisms such as 802.1X authentication or NAC solutions to verify the presence of a valid and licensed FortiClient VPN version before granting network access.

  4. Create firewall policies on your FortiGate device that specifically allow traffic only from licensed FortiClient VPN versions.

  5. Educate users about the importance of using authorized and licensed versions of FortiClient VPN and the risks associated with unlicensed software.

Farina Ahmed
Farina Ahmed
ss26101983ss
New Contributor

is that possible to create firewall policies on Fortigates to allow only licensed version ?

srajeswaran

Firewall policy comes into picture after the VPN is connected, so it may not serve the purpose .

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
FortiNitish
Staff
Staff

You can enable the below settings, this will check the serial number , and only permit host machines connected to EMS.

# config system global
    set sslvpn-ems-sn-check enable
end

 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors