This feature relies on device detection configured on the interface connected to user devices to determine device information. Only existing devices whose device information has already been detected by the FortiGate and is known can be added to this dynamic address subtype. 

1. To use the dynamic Device & OS Identification subtype, the FortiGate should be working in NGFW Profile-based mode.#

Note: Switching from profile-based to policy-based mode converts policies to policy-based. To avoid issues, create a new VDOM for the policy-based mode. Recommend backing up the configuration before switching modes. 

2. Go to System -> Feature Visibility and enable 'Dynamic Device & OS Identification'.

3. Once enabled, go to the LAN interface and enable 'Device detection' at the interface level.

4. Create the address under Policy & Objects -> Addresses:

• Type = Dynamic.
• Sub Type = Device & OS Identification.
• Software OS = Windows.
• Software Version.

The Software Version can be added. Depending on the hardware model, the address can be configured and settings adjusted as needed. The example below is for an iPhone mobile device.

5. Create a firewall policy to block 'Block iphone' from connecting to the internet. Go to Policy & Objects -> Firewall policy, select 'Create New', and configure.
   
   Example:
   
   

   

    

6. Post this configuration, the traffic generated by Windows users detected on the interface will be blocked, and this can be validated by checking under forward traffic logs:

Troubleshooting command:

diagnose user device list 

Related document:

Profile-based NGFW vs policy-based NGFW