Toshi_Esumi
Esteemed Contributor III

num of MAC address limit in SSL VPN filtering

When we configure this SSL VPN MAC address filtering, what system limit would dictate the max number of MAC addresses we can configure on an FGT (no vdom/muti-vdom)?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-address-check-on-SSL-VPN-connections/t...

The max value table doesn't seem to have the exact matching object.
https://docs.fortinet.com/max-value-table

Toshi

hbac
Staff
Staff

Hi @Toshi_Esumi,

 

Yes, https://docs.fortinet.com/max-value-table doesn't show that information. However, you can run the 'print tablesize' command and look for the following lines:

 

vpn.ssl.web.portal:mac-addr-check-rule: 0 0 0
vpn.ssl.web.portal:mac-addr-check-rule:mac-addr-list: 0 0 0

 

For more information, please refer to https://community.fortinet.com/t5/FortiGate/Technical-Note-FortiGate-maximum-values-table/ta-p/19247...

 

Regards, 

Toshi_Esumi
Esteemed Contributor III

Not sure why 'grep' doesn't work for this command, but I got the same all '0's on our multi-vdom 1500D as well. I guess '0' means no hard limit.

The explanation in the KB for the first number says below but not clear to me.
"1) The first number refers to the maximum number allowed for the child table in its parent entry."
Could you elaborate a little more?

Toshi

 

Toshi_Esumi
Esteemed Contributor III

Does anyone have the answer about the meaning of the first number, especially the meaning of the "child table" and the "parent table"?

Toshi

hbac

@Toshi_Esumi,

 

If you refer to this line "vpn.ssl.web.portal:mac-addr-check-rule: 0 0 0", I believe the first number means number of entries you can create under "mac-addr-check-rule". 

 

# config vpn ssl web portal
# edit full-access
# config mac-addr-check-rule     <<<    Parent table.
# edit 1                         <<<    Child table.

 

Regards, 

Toshi_Esumi
Esteemed Contributor III

Ok, I see the meaning now. In this particular one the child table is actually "edit <name>", though. But the same concept would apply.

Thank you for explaining it @hbac 

Toshi
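An added example, not code from the thread or from Fortinet, that parses 'print tablesize' lines in the format quoted above, applies the reading of the first number the thread settled on (max child entries per parent entry, with 0 read as "no hard limit"), and emits the portal config for one mac-addr-check-rule. The tablesize sample is constructed, and 'mac-addr-check' is an assumed option name:

```python
import re

# Constructed sample in the 'print tablesize' format quoted in the thread;
# the zeros are what the thread reported, not limits read from a real unit.
SAMPLE_TABLESIZE = """\
vpn.ssl.web.portal: 0 0 0
vpn.ssl.web.portal:mac-addr-check-rule: 0 0 0
vpn.ssl.web.portal:mac-addr-check-rule:mac-addr-list: 0 0 0
"""
LINE_RE = re.compile(r"^(?P<path>[\w.:-]+):\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_tablesize(text):
    """Map each table path to its three numbers; lines in another shape are skipped."""
    sizes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sizes[m.group("path")] = tuple(int(x) for x in m.groups()[1:])
    return sizes

def child_limit(sizes, path):
    """First number = max child entries per parent entry (KB wording quoted above).
    0 becomes None ('no hard limit'): the thread's reading of 0, not a documented one."""
    first = sizes[path][0]
    return None if first == 0 else first

def build_mac_rule(sizes, portal, rule, macs):
    """CLI text adding one mac-addr-check-rule, after validating the MACs and
    checking the list length against tablesize. 'mac-addr-check' is an assumed option."""
    macs = [m.lower() for m in macs]
    bad = [m for m in macs if not MAC_RE.match(m)]
    if bad:
        raise ValueError(f"malformed MAC(s): {bad}")
    limit = child_limit(sizes, "vpn.ssl.web.portal:mac-addr-check-rule:mac-addr-list")
    if limit is not None and len(macs) > limit:
        raise ValueError(f"{len(macs)} MACs exceed the mac-addr-list limit of {limit}")
    quoted = " ".join(f'"{m}"' for m in macs)
    return "\n".join([
        "config vpn ssl web portal",
        f'    edit "{portal}"',
        "        set mac-addr-check enable",
        "        config mac-addr-check-rule",
        f'            edit "{rule}"',
        f"                set mac-addr-list {quoted}",
        "            next",
        "        end",
        "    next",
        "end",
    ])
```

Paste the output of 'print tablesize' from your own unit in place of the constructed sample to have the check use that unit's numbers.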

sawyer8
New Contributor

This is good to know, thank you. We are restricting our enterprise apps to be accessible only if you are on our internal network with an SSO provider. It is working. We have restricted the login from our SSO to only let the user log in if they are inside our network. When we do "what is my IP", the entire company gets the same public IP.
