
Administration Guide

Enhancing VPN security using EMS SN verification

The EMS serial number (SN) verification feature restricts VPN connections to the FortiGate to licensed FortiClient endpoints only. The FortiGate performs the EMS SN verification, and the feature requires that the FortiGate and the FortiClient endpoints both be connected to the same FortiClient EMS.

EMS SN verification is performed when a FortiClient user attempts to establish a VPN connection to the FortiGate. During the VPN establishment process:

  • FortiClient sends the SN of the FortiClient EMS that manages it to the FortiGate.

  • The FortiGate checks whether the EMS SN sent by FortiClient corresponds to the same FortiClient EMS to which the FortiGate itself is connected.

  • The FortiGate allows the user to connect to the VPN only if the EMS SNs match.

This feature prevents users of the free, VPN-only standalone FortiClient from connecting to the VPN, thus enhancing VPN security. This setting can only be enabled from the CLI.

To enable the EMS SN verification in the CLI:
config system global
    set vpn-ems-sn-check {enable | disable}
end

Command                                    Description
set vpn-ems-sn-check {enable | disable}    Enable or disable verification of the EMS serial number in the SSL-VPN and IPsec VPN connection.
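
To confirm the setting across a fleet, the following added example (not part of the Fortinet guide) reads FortiGate configuration backups and reports whether vpn-ems-sn-check is explicitly enabled inside the top-level config system global block. The backup text and hostnames are constructed samples, and the function names are this example's own.

```python
"""Audit FortiGate configuration backups for the vpn-ems-sn-check setting."""

# Constructed sample backups (not taken from a real device).
SAMPLE_ENABLED = """\
config system global
    set hostname "fgt-edge-01"
    set vpn-ems-sn-check enable
end
config vpn ssl settings
    set port 10443
end
"""
SAMPLE_DISABLED = """\
config system global
    set vpn-ems-sn-check disable
end
"""


def ems_sn_check_state(config_text):
    """Return 'enable', 'disable', or None when the setting does not
    appear in the top-level 'config system global' block."""
    stack = []   # names of the 'config' blocks currently open
    state = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # skip blank lines and backup header comments
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "end":
            if stack:
                stack.pop()
        elif (tokens[:2] == ["set", "vpn-ems-sn-check"] and len(tokens) == 3
              and stack == ["system global"]):
            state = tokens[2]  # a later assignment overrides an earlier one
    return state


def audit(backups):
    """Map each backup name to True only when the check is explicitly enabled."""
    return {name: ems_sn_check_state(text) == "enable"
            for name, text in backups.items()}


if __name__ == "__main__":
    results = audit({"fgt-edge-01": SAMPLE_ENABLED, "fgt-edge-02": SAMPLE_DISABLED})
    for name, ok in results.items():
        print(f"{name}: {'OK' if ok else 'vpn-ems-sn-check not enabled'}")
```

A result of None means the line is absent from the backup, which the audit treats as not enabled so that the device is reviewed by hand.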
