FortiGate
parteeksharma
Article Id 352690
Description This article describes how to create a 'Dynamic' address of the 'Device & OS Identification' subtype, use it in a firewall policy, and thereby block devices based on the operating system the FortiGate has detected.
Scope FortiGate v7.4 and above.
Solution

This feature relies on device detection being enabled on the interface connected to the user devices; that is where the FortiGate learns the device information (vendor, model, OS). Only devices that the FortiGate has already detected, and whose information is therefore known, can resolve into this dynamic address subtype. A newly connected device is not matched until its first traffic has been seen and classified, so the policy does not apply to it instantly.

 

  1. The Device & OS Identification dynamic address subtype is only available when the FortiGate is running in NGFW Profile-based mode (System -> Settings -> NGFW Mode). Confirm this before proceeding.

 

3.PNG 

  2. Go to System -> Feature Visibility and enable 'Dynamic Device & OS Identification'. Without this, the Device & OS Identification subtype is not offered when creating an address.


image1.png

 

  3. Once enabled, go to Network -> Interfaces, edit the LAN interface (the one facing the user devices) and enable 'Device detection' at the interface level. If this is left disabled, no device information is collected on that interface and the dynamic address never resolves to any device.


image2.png

 

  4. Create the address under Policy & Objects -> Addresses:
  • Type = Dynamic.
  • Sub Type = Device & OS Identification.
  • Software OS = Windows.

 

4.PNG

 

  5. Create a firewall policy that blocks the 'Windows OS' dynamic address from reaching the Internet. Go to Policy & Objects -> Firewall Policy, select 'Create New' and configure it as in the example below: the dynamic address as Source, the LAN interface as Incoming Interface, the WAN interface as Outgoing Interface, Action = DENY, and 'Log Violation Traffic' enabled so the denies are recorded. Place this policy above any policy that would otherwise allow the same traffic, because policies are matched top-down and the first match wins.


5.PNG

 

  6. After this configuration, traffic generated by a device detected as Windows on that interface is blocked. This can be validated under the forward traffic logs (Log & Report -> Forward Traffic), where the denied sessions show the deny policy configured in the previous step:

 

6.PNG
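The same configuration entered from the FortiOS CLI, added here as an illustration and not taken from the original article. The interface names (port2 as LAN, port1 as WAN), the object names and the CLI attribute names are assumptions based on FortiOS 7.x; check each with '?' in the relevant config context on the firmware in use before relying on them.

```fortios
# Added example, not part of the original article. Interface and object names are
# hypothetical; attribute names are assumed from FortiOS 7.x and should be verified
# with "?" inside each config context.

# Step 2: expose 'Dynamic Device & OS Identification' in the GUI (assumed keyword)
config system settings
    set gui-dynamic-device-os-id enable
end

# Step 3: enable device detection on the interface facing the user devices
config system interface
    edit "port2"
        set device-identification enable
    next
end

# Step 4: dynamic address that resolves to every device detected as Windows
config firewall address
    edit "Windows-devices"
        set type dynamic
        set sub-type device
        set os "Windows"
    next
end

# Step 5: deny policy from LAN to WAN for that address.
# 'set logtraffic all' is what makes denied sessions appear in the forward
# traffic log (step 6); a deny policy without it produces no log entries.
config firewall policy
    edit 0
        set name "Block-Windows-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Windows-devices"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Policies are matched top-down: move the new policy above the general
# Internet-access policy, otherwise the allow rule matches first.
# Replace <deny-id> and <allow-id> with the real policy IDs shown by
# "show firewall policy".
config firewall policy
    move <deny-id> before <allow-id>
end
```

After committing, 'show firewall address Windows-devices' confirms the object, and the device list command below confirms whether the FortiGate has actually classified the client as Windows; an address that matches no detected device silently matches nothing, so the policy appears to do nothing rather than failing loudly.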

 

Troubleshooting command:

diagnose user device list

This lists the devices the FortiGate has detected, with the interface they were seen on, their IP and MAC addresses and the detected OS. A device that does not appear here, or that appears with an OS other than the one configured in the dynamic address, will not be matched by the policy; in that case re-check that device detection is enabled on the correct interface and that the device has generated traffic through the FortiGate since then.