Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
herta
New Contributor II

mac-addr-check in SSL VPN tunnel mode?

We are moving our SSL VPN tunnel users from Pulse Secure to FortiGate (6.0.6). In Pulse Secure, we can limit access based on the remote user's MAC address. I found https://kb.fortinet.com/k....do?externalID=FD41648 which describes how to configure that for SSL VPN

web mode, but a number of our SSL VPN users will be using tunnel mode exclusively. Is there a way to configure a mac-addr-check in tunnel mode via a host check option? If not, is there another way to limit access based on some other unique feature of a remote device?

 

Kind regards,

 

Herta

1 Solution
Toshi_Esumi
SuperUser
SuperUser

"config vpn ssl web portal" defines profiles for both types of VPN; tunnel mode and web mode. The KB describes only MAC address check portion of config in the portal. It should work regardless of the mode the users use. You can even enable both modes in one profile like below.

As a matter of fact, when I enabled the mac-addr-check in tunnel mode enabled profile, it accepted it.

 

 config vpn ssl web portal       edit "full-access"         set tunnel-mode enable         set ipv6-tunnel-mode enable         set web-mode enable         set ip-pools "SSLVPN_TUNNEL_ADDR1"         set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"         set mac-addr-check enable     next  <snip>

View solution in original post

2 REPLIES 2
Toshi_Esumi
SuperUser
SuperUser

"config vpn ssl web portal" defines profiles for both types of VPN; tunnel mode and web mode. The KB describes only MAC address check portion of config in the portal. It should work regardless of the mode the users use. You can even enable both modes in one profile like below.

As a matter of fact, when I enabled the mac-addr-check in tunnel mode enabled profile, it accepted it.

 

 config vpn ssl web portal       edit "full-access"         set tunnel-mode enable         set ipv6-tunnel-mode enable         set web-mode enable         set ip-pools "SSLVPN_TUNNEL_ADDR1"         set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"         set mac-addr-check enable     next  <snip>

herta
New Contributor II

Nice. Thanks for your help, Toshi Esumi.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors