
FortiGate MAC host check on SSL VPN

Technical Note: MAC host check on SSL VPN

Description
This article describes how to configure a MAC host check on SSL VPN.
 
When a remote client attempts to log in to the portal, the FortiGate unit can be configured to check the client’s MAC address to ensure that only a specific computer or device connects to the tunnel. This provides better security in case a password is compromised.

 

 


Solution
MAC addresses can be tied to specific portals, and a rule can match either the entire MAC address or a subset of it. MAC host checking is configured in the CLI with the following commands:
config vpn ssl web portal
  edit portal
    set mac-addr-check enable
    set mac-addr-action allow
    config mac-addr-check-rule
      edit "rule1"
        set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d
        set mac-addr-mask 48
      next
    end
  next
end
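
The Python sketch below is an added example, not Fortinet code: it models how a rule built from mac-addr-list, mac-addr-mask and mac-addr-action decides a connection, to show the difference between matching the entire MAC address and matching a subset of it. It assumes the mask is the number of leading bits compared (48 for the whole address); the function names and the 24-bit rule are constructed for illustration.

```python
import re

_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

# rule1 as configured above: two full addresses, 48-bit mask.
RULE1 = (["01:01:01:01:01:01", "08:00:27:d4:06:5d"], 48)
# Constructed variant: same list, but only the first 24 bits are compared.
RULE_PREFIX = (["01:01:01:01:01:01", "08:00:27:d4:06:5d"], 24)


def mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff (':' or '-' separated) into a 48-bit integer."""
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def rule_matches(client_mac, rule):
    """True if the client MAC equals any listed MAC on the masked bits.
    Assumption: mac-addr-mask counts leading bits, 1..48."""
    macs, bits = rule
    if not 1 <= bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48")
    mask = ((1 << bits) - 1) << (48 - bits)
    client = mac_to_int(client_mac) & mask
    return any(client == (mac_to_int(m) & mask) for m in macs)


def portal_admits(client_mac, rules, action="allow"):
    """Model of mac-addr-action: 'allow' admits only matching clients,
    'deny' rejects matching clients and admits the rest."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    matched = any(rule_matches(client_mac, r) for r in rules)
    return matched if action == "allow" else not matched


if __name__ == "__main__":
    # Constructed client addresses: exact match, same prefix, unrelated.
    for mac in ("08:00:27:D4:06:5D", "08:00:27:aa:bb:cc", "00:11:22:33:44:55"):
        print(mac, portal_admits(mac, [RULE1]), portal_admits(mac, [RULE_PREFIX]))
```

Under this model a shorter mask admits every device that shares the prefix, so the 24-bit rule accepts any adapter whose first three octets match a listed address.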