FortiGate
jiyong (Staff)
Article Id 260603
Description This article describes a situation in which the administrator restricts SSL VPN log-in by the user's MAC address (mac-addr-check), yet a client whose MAC address is not on the allowed list still logs in normally, and explains the symptoms seen in the debug output.
Scope FortiGate.
Solution
Example:

Remote Access PC Ethernet adapter Ethernet0: 00:0C:29:C2:2D:70

config vpn ssl web portal
    edit "full-access"
        ...
        set mac-addr-check enable
        config mac-addr-check-rule
            edit "maclist"
                set mac-addr-list 11:11:11:11:11:11
            next
        end
    next
end

[2612:root:e]deconstruct_session_id:716 decode session id ok, user=[guest], group=[],authserver=[],portal=[full-access],host[10.200.20.10],realm=[],csrf_token=[8F976B2C2583CB2565CACBFA1561945],idx=0,auth=1,sid=e4d190f,login=1686893772,access=1686893772,saml_logout_url=no,pip=no,grp_info=[H01LjG],rmt_grp_info=[]
[2612:root:e]host check result:0 0000,10.0.19045,00:0c:29:c2:2d:70|20:c1:9b:1c:bb:e5|00:09:0f:aa:00:01
[2612:root:e]rmt_hcvalidate_cb_handler:535 MAC address check failed
[2612:root:0]sslvpn_internal_remove_one_web_session:3603 web session (root:guest::10.200.20.10:0 1) removed for Server terminated session normally

With this configuration the host check reports three MAC addresses for the PC (physical adapter, a second adapter and the FortiClient virtual adapter); none of them is 11:11:11:11:11:11, so the MAC address check fails and the web session is removed, as expected.

However, when applying mac-addr-list, a problem occurs if the address registered in the list is the MAC address of the FortiClient virtual adapter, which the host check reports among the PC's multiple MAC addresses (an intermittent allow occurs).

Remote Access PC Fortinet SSL VPN Virtual Ethernet Adapter: 00:09:0F:AA:00:01

config vpn ssl web portal
    edit "full-access"
        ...
        set mac-addr-check enable
        config mac-addr-check-rule
            edit "maclist"
                set mac-addr-list 00:09:0f:aa:00:01
            next
        end
    next
end

[2612:root:14]host check result:0 0000,10.0.19045,00:0c:29:c2:2d:70|20:c1:9b:1c:bb:e5|00:09:0f:aa:00:01
...
[2612:root:14]sslvpn_reserve_dynip:1540 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[2612:root:14]form_ipv4_pol_split_tunnel_addr:79 Matched policy (id = 9) to add ipv4 split tunnel routing address
[2612:root:14]form_ipv4_pol_split_tunnel_addr:79 Matched policy (id = 7) to add ipv4 split tunnel routing address
...
[2612:root:15]Add auth logon for user guest:, matched group number 1
[2612:root:14]SSL state:fatal decode error (10.200.20.10)
[2612:root:0]ap_read,105, error=1, errno=0 ssl 0x7f3bb1bd1000 Success. error:0A000126:SSL routines::unexpected eof while reading

Here the same three addresses are reported, the FortiClient virtual adapter address matches the list, and the log-in proceeds (a tunnel IP is reserved, split-tunnel routes are added and the auth logon is recorded) even though the PC's physical adapter address is not on the list.

Solution:
Remove the FortiClient virtual adapter MAC address (00:09:0f:aa:00:01) from mac-addr-list and register only the MAC address of the PC's physical adapter (00:0C:29:C2:2D:70 in the example above). Because a match on any one of the reported addresses is enough for the check to pass, listing the virtual adapter address does not restrict log-in to the intended PC.
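The following added example (not part of the article or of FortiOS) reproduces the behaviour visible in the debug output: it parses a "host check result" line into the list of reported MAC addresses, evaluates the check the way the two examples above show it behaving (pass if any reported address is in mac-addr-list), and flags the FortiClient virtual adapter address as an allow-list entry that does not identify a specific PC. The function names and the "any match passes" rule are assumptions drawn from the log lines above, not from Fortinet documentation.

```python
import re

# MAC address of the FortiClient SSL VPN virtual adapter as it appears in the
# article's debug output. The article's solution is to remove it from the list,
# because a match on it does not tie the log-in to a particular PC.
FORTICLIENT_VADAPTER_MAC = "00:09:0f:aa:00:01"

# "host check result:<rc> <flags>,<os version>,<mac>|<mac>|..."  (shape taken
# from the article's debug lines)
HOST_CHECK_RE = re.compile(r"host check result:\d+ \d+,([^,]+),(.+)$")


def parse_host_check(line):
    """Return (os_version, [reported MACs, lower-cased]) or None if no match."""
    m = HOST_CHECK_RE.search(line.strip())
    if not m:
        return None
    macs = [x.strip().lower() for x in m.group(2).split("|") if x.strip()]
    return m.group(1), macs


def mac_check_passes(reported_macs, allow_list):
    """Assumed rule, mirroring the two examples: the check passes as soon as
    any address reported by the host check is present in mac-addr-list."""
    allowed = {a.strip().lower() for a in allow_list}
    return any(mac in allowed for mac in reported_macs)


def lint_mac_addr_list(allow_list):
    """Return allow-list entries that are the shared FortiClient adapter MAC
    and therefore do not restrict log-in to one PC (hypothetical check)."""
    return [a for a in allow_list if a.strip().lower() == FORTICLIENT_VADAPTER_MAC]


# Constructed sample line, copied in shape from the article's debug output.
SAMPLE_LINE = ("[2612:root:14]host check result:0 0000,10.0.19045,"
               "00:0c:29:c2:2d:70|20:c1:9b:1c:bb:e5|00:09:0f:aa:00:01")

if __name__ == "__main__":
    os_ver, macs = parse_host_check(SAMPLE_LINE)
    print(os_ver, macs)
    # First article example: list holds 11:11:11:11:11:11 -> check fails
    print(mac_check_passes(macs, ["11:11:11:11:11:11"]))
    # Second article example: list holds the virtual adapter MAC -> check passes
    print(mac_check_passes(macs, ["00:09:0f:aa:00:01"]))
    # The lint flags the entry the article tells the administrator to remove
    print(lint_mac_addr_list(["00:09:0f:aa:00:01", "00:0c:29:c2:2d:70"]))
```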