FortiGate
lestopace
Staff
Article Id 194337

Description

This article describes how to enable the MAC address host check for SSL VPN in tunnel mode.

 

Scope

FortiGate, FortiClient.

Note:

Host-check features are not supported for FortiClient versions between 6.2.0 and 7.0.2.
Starting from FortiClient 7.0.3, host check features are available. See the FortiClient 7.0.0 New Features list for more information.
Linux, iOS, and Android clients cannot report the host MAC address, so the MAC address check is not supported for those clients.

Solution

A MAC address check must be configured from the CLI with the commands below.

config vpn ssl web portal
    edit <portal_name>
        set tunnel-mode enable
        set mac-addr-check enable
        config mac-addr-check-rule
            edit <rule_name>
                set mac-addr-list <address> [address]
                set mac-addr-mask <mask between 1-48>
            next
        end
        set mac-addr-action {allow | deny}
    next
end

 

See Configuring OS and host check - FortiGate administration guide for more information.

The MAC addresses of all host network adapters are sent to the FortiGate when the connection is established. If any of them matches a MAC address in a rule applied to the SSL VPN portal, the rule triggers and the configured mac-addr-action is applied.

Note:

When creating the web portal through the CLI, make sure tunnel-mode is enabled first. Otherwise, it is not possible to enable the MAC address check, and the CLI returns a parse error:

 

set mac
set mac-addr-check-enable

command parse error before 'mac-addr-check-enable'
Command fail. Return code -61


Note:

The default value of 'mac-addr-mask' is '48'. The default value of 'mac-addr-action' is 'allow'.

 

Verification and Troubleshooting

 

Test workstation MAC Addresses:


ipconfig /all | findstr Physical
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
Physical Address. . . . . . . . . : 5C-85-7E-39-BE-67
Physical Address. . . . . . . . . : D8-9E-F3-7F-3F-A8
Physical Address. . . . . . . . . : 9E-B6-D0-F9-BC-31
Physical Address. . . . . . . . . : AE-B6-D0-F9-BC-31
Physical Address. . . . . . . . . : 9C-B6-D0-F9-BC-31
Physical Address. . . . . . . . . : 9C-B6-D0-F9-BC-32


FortiGate SSL VPN Web Portal:

config vpn ssl web portal
    edit "MAC-Address-Check-Portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
        set mac-addr-check enable
        config mac-addr-check-rule
            edit "DellXPS"
                set mac-addr-list 9e:b6:d0:f9:bc:39
            next
        end
        set mac-addr-action allow
    next
end

 

Since none of the workstation's MAC addresses matches the address configured in the mac-addr-check-rule (9e:b6:d0:f9:bc:39), the rule does not trigger and the connection is denied.

 

Multiple MAC addresses can be specified in one rule by listing them after 'set mac-addr-list', separated by spaces, as in the example below:

config vpn ssl web portal
    edit <portal_name>
        set mac-addr-check enable
        config mac-addr-check-rule
            edit <rule_name>
                set mac-addr-list 00:09:0F:FE:00:01 5C:85:7E:39:BE:67
                set mac-addr-mask <mask between 1-48>
            next
        end
        set mac-addr-action {allow | deny}
    next
end


The denied connection can be verified from the logs at level 'info' or 'debug'.

Browse to Log & Report -> System Events -> VPN Events and check for the 'tunnel-down' events.

[Screenshot: Log & Report -> System Events -> VPN Events, showing the tunnel-down event]


In the CLI, logs can also be displayed, and a filter may be used to shorten the output.

The filter below displays up to 100 lines of event logs (category 1) retrieved from disk (device 1) for failed SSL VPN connections:

execute log filter device 1
execute log filter category 1
execute log filter view-lines 100
execute log filter field tunneltype "ssl-web"
execute log filter field action "tunnel-down"
execute log display

 

date=2022-12-24 time=15:39:55 eventtime=1671925195366302823 tz="-0800" logid="0101039425" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-web" tunnelid=1769925909 remip=192.168.101.71 user="carloss" group="Host-Check-Local-Group" dst_host="N/A" reason="A user has logged in but host check MAC address failed. Hostcheck data: 0000,10.0.22000,d8:9e:f3:7f:3f:a8|00:09:0f:aa:00:01|9c:b6:d0:f9:bc:32|5c:85:7e:39:be:67|9c:b6:d0:f9:bc:31|9e:b6:d0:f9:bc:31|ae:b6:d0:f9:bc:31" duration=0 sentbyte=0 rcvdbyte=0 msg="SSL tunnel shutdown"
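The matching logic described above (every adapter MAC is compared against each rule's list, the rule triggers on any match, and mac-addr-action is then applied) and the tunnel-down event just shown can be checked offline. The following Python script is an added example, not code from the article or from Fortinet: it parses a FortiOS key=value log line, extracts the client adapter list from the "Hostcheck data" part of the reason= field, and replays the portal's mac-addr-check-rule against it. The sample input is the article's own log line. Two points are assumptions: that mac-addr-mask is a leading-bit prefix length (48 = exact match, 24 = vendor OUI only), and that with action deny a non-matching client is allowed (the article only shows the action allow case).

```python
import re

# Tunnel-down event copied from the article's log excerpt; it is the sample input
# for this example (no FortiGate is contacted).
SAMPLE_LOG = (
    'date=2022-12-24 time=15:39:55 eventtime=1671925195366302823 tz="-0800" '
    'logid="0101039425" type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-web" '
    'tunnelid=1769925909 remip=192.168.101.71 user="carloss" '
    'group="Host-Check-Local-Group" dst_host="N/A" '
    'reason="A user has logged in but host check MAC address failed. Hostcheck data: '
    '0000,10.0.22000,d8:9e:f3:7f:3f:a8|00:09:0f:aa:00:01|9c:b6:d0:f9:bc:32|'
    '5c:85:7e:39:be:67|9c:b6:d0:f9:bc:31|9e:b6:d0:f9:bc:31|ae:b6:d0:f9:bc:31" '
    'duration=0 sentbyte=0 rcvdbyte=0 msg="SSL tunnel shutdown"'
)

# key=value pairs; values are either "quoted" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Split a FortiOS key=value log line into a dict with quotes removed."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def hostcheck_macs(reason):
    """Return the client MAC addresses embedded in the reason= field.

    The article's log shows the layout '<flags>,<OS version>,<mac>|<mac>|...';
    the address list is the last comma-separated element.
    """
    marker = "Hostcheck data: "
    if marker not in reason:
        return []
    data = reason.split(marker, 1)[1]
    return [m.strip().lower() for m in data.split(",")[-1].split("|") if m.strip()]


def mac_to_int(mac):
    """Accept 9e:b6:d0:f9:bc:31, 9E-B6-D0-F9-BC-31 (ipconfig style) or 9eb6d0f9bc31."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return int(digits, 16)


def mac_matches(host_mac, rule_mac, mask_bits=48):
    """Compare the leading mask_bits bits of two MAC addresses.

    Assumption: mac-addr-mask is a prefix length, so 48 is an exact match and
    24 compares only the vendor OUI. Values outside 1-48 are rejected, as the CLI does.
    """
    if not 1 <= mask_bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48")
    shift = 48 - mask_bits
    return (mac_to_int(host_mac) >> shift) == (mac_to_int(rule_mac) >> shift)


def evaluate_portal(host_macs, rules, action="allow"):
    """Apply the portal's mac-addr-check-rule entries to the client's adapter list.

    rules: list of (rule_name, [mac, ...], mask_bits). A rule triggers when any
    host adapter matches any address in its list, and the portal-level
    mac-addr-action is then applied. With no match the opposite outcome applies:
    action=allow denies the client (the article's case); the inverse for
    action=deny is an assumption.
    """
    for name, addresses, mask in rules:
        for rule_mac in addresses:
            if any(mac_matches(h, rule_mac, mask) for h in host_macs):
                return action, name
    return ("deny" if action == "allow" else "allow"), None


def analyze_log_line(line, rules, action="allow"):
    """Parse one tunnel-down event and replay the host check against the rules."""
    fields = parse_fortigate_log(line)
    macs = hostcheck_macs(fields.get("reason", ""))
    return {
        "user": fields.get("user"),
        "remip": fields.get("remip"),
        "host_macs": macs,
        "decision": evaluate_portal(macs, rules, action),
    }


if __name__ == "__main__":
    # The article's portal: one rule "DellXPS" with a single exact (mask 48) address.
    portal_rules = [("DellXPS", ["9e:b6:d0:f9:bc:39"], 48)]
    result = analyze_log_line(SAMPLE_LOG, portal_rules)
    print(result["user"], result["remip"], result["decision"])  # carloss 192.168.101.71 ('deny', None)
    # Widening the mask to 24 bits (OUI 9e:b6:d0) would have matched 9e:b6:d0:f9:bc:31.
    print(evaluate_portal(result["host_macs"], [("DellXPS", ["9e:b6:d0:f9:bc:39"], 24)]))
```

Running the script against the article's log line reproduces the denial (no adapter equals 9e:b6:d0:f9:bc:39), and the second call shows how a shorter mac-addr-mask widens what a rule accepts, which is the setting to review when a rule matches more hosts than intended.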

 

From a console or SSH session, debug logging can be enabled with the commands below.

diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable


The output will look similar to the following excerpt:

 

2022-12-24 15:39:55 [301:root:a]req: /remote/hostcheck_validate
2022-12-24 15:39:55 [301:root:a]host check result:0 0000,10.0.22000,d8:9e:f3:7f:3f:a8|00:09:0f:aa:00:01|9c:b6:d0:f9:bc:32|5c:85:7e:39:be:67|9c:b6:d0:f9:bc:31|9e:b6:d0:f9:bc:31|ae:b6:d0:f9:bc:31
2022-12-24 15:39:55 [301:root:a]rmt_hcvalidate_cb_handler:402 MAC address check failed

 

Note:

Details from the debug logs above can be found in Configuring OS and host check - FortiGate administration guide.

 

From the client side, the user will be presented with the following warning message.

 

[Screenshot: FortiClient warning message shown to the user]

 

Related articles:

Technical Tip: FortiClient licensing and support

Technical Tip: How to configure FortiClient SSL VPN check for Windows version and build

Technical Tip: FortiClient Host Checker Support for Windows Operating Systems including Windows Serv...