FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193932


This article describes how to configure SSL VPN OS check for Windows 10 clients with specific Windows build number.




FortiGate v6.2 and above.



# config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        set skip-check-for-unsupported-os <enable | disable>
        # config os-check-list { macos-bigsur-11 | macos-catalina-10.15 | macos-high-sierra-10.13 | macos-mojave-10.14 |
 macos-sierra-10.12 | os-x-el-capitan-10.11 | os-x-mavericks-10.9 | os-x-yosemite-10.10 |
 windows-7 | windows-8 | windows-8.1 | windows-10 | windows-2000 }

            set action check-up-to-date
            set tolerance <0~65535>
            set latest-patch-level <disable/0~65535>


Configuration example.

FortiGate with the below configuration accepts all FortiClient SSL VPN connections from Windows 10 build 18362 and newer.
Connection attempts from other operating systems will be denied.


# config vpn ssl web portal
    edit full-access
        set os-check enable
        set skip-check-for-unsupported-os disable
        # config os-check-list windows-10
            set action check-up-to-date
            set tolerance 1
            set latest-patch-level 18363


- To specify the acceptable patch level, set the latest-patch-level and the tolerance. The lowest acceptable patch level is the latest-patch-level minus tolerance.

In this case, the latest-patch-level is 18363, and tolerance is 1, so build 18362 is the lowest acceptable patch level.

- When skip-check-for-unsupported-os is set to disable as in the above example, unsupported operating systems such as Android or iOS will not be allowed to connect.

- For Windows 10 and Windows 8, the build number is the patch level.

- Windows 10 clients with older build number than 18362 will be presented with a warning message similar to the one bellow and their access will be denied.


Note: Host check works only for tunnel mode when Forticlient is involved. It does not work for web mode(browser).