FortiGate
rishab444
Staff
Article Id 295453
Description
This article explains that the host MAC address cannot be obtained from Linux, iOS, and Android clients. The MAC address check is not supported for those clients, and by default they bypass the host MAC check.
Scope
FortiGate, FortiClient.
Solution
  1. By default, 'skip-check-for-unsupported-os' is enabled. This allows every unsupported OS to establish an SSL VPN connection while skipping the host check:

config vpn ssl web portal
    edit <portal-name>
        set os-check enable
        set skip-check-for-unsupported-os enable
        config os-check-list windows-10
            set action allow
        end
    next
end

  2. Disabling 'skip-check-for-unsupported-os' blocks every other OS, irrespective of whether it is available in the FortiGate host check OS database.
  3. For instance, the configuration below only allows Windows 11 users to connect; no other OS platform can connect to SSL VPN:

config vpn ssl web portal
    edit <portal-name>
        set os-check enable
        set skip-check-for-unsupported-os disable
        config os-check-list windows-11
            set action allow
        end
    next
end
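
The following Python script is an added example, not part of the original article or of any Fortinet tooling: it audits a FortiGate configuration backup and reports which SSL VPN web portals have the OS host check enabled but still let unsupported operating systems bypass it. It assumes that a backup omits settings left at their defaults and that 'os-check' defaults to disable; the function names, finding labels, and sample configuration are constructed for illustration.

```python
# Constructed sample in the layout of a FortiGate config backup (not from a real device).
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set os-check enable
        config os-check-list windows-10
            set action allow
        end
    next
    edit "win11-only"
        set os-check enable
        set skip-check-for-unsupported-os disable
        config os-check-list windows-11
            set action allow
        end
    next
end
"""

def classify(settings):
    # Missing key = default: os-check disable (assumed), skip-check enable (article).
    if settings.get("os-check", "disable") != "enable":
        return "no-os-check"
    if settings.get("skip-check-for-unsupported-os", "enable") == "enable":
        return "unsupported-os-bypass"
    return "strict"

def audit_portals(config_text):
    """Return {portal_name: finding} for each SSL VPN web portal."""
    findings, portal, settings, depth, active = {}, None, {}, 0, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "config vpn ssl web portal":
            active, depth = True, 0
        elif not active:
            continue
        elif line.startswith("config "):
            depth += 1  # nested table such as os-check-list
        elif line == "end":
            active, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            portal, settings = line[5:].strip().strip('"'), {}
        elif depth == 0 and portal and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip().strip('"')
        elif depth == 0 and portal and line == "next":
            findings[portal] = classify(settings)
            portal = None
    return findings

print(audit_portals(SAMPLE_CONFIG))
```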
