bpozdena_FTNT
Article Id 193932

Description


This article describes how to configure the SSL VPN OS check so that only Windows 10 clients with a specific Windows build number (or newer) are accepted.


Scope


FortiGate v6.2 and above.


Solution


# config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        set skip-check-for-unsupported-os <enable | disable>
        # config os-check-list { macos-bigsur-11 | macos-catalina-10.15 | macos-high-sierra-10.13 | macos-mojave-10.14 | macos-sierra-10.12 | os-x-el-capitan-10.11 | os-x-mavericks-10.9 | os-x-yosemite-10.10 | windows-7 | windows-8 | windows-8.1 | windows-10 | windows-2000 }
            set action check-up-to-date
            set tolerance <0~65535>
            set latest-patch-level <disable | 0~65535>
        end
    next
end


Configuration example:

FortiGate with the below configuration accepts all FortiClient SSL VPN connections from Windows 10 build 18362 and newer.
Connection attempts from other operating systems will be denied.


# config vpn ssl web portal
    edit full-access
        set os-check enable
        set skip-check-for-unsupported-os disable
        # config os-check-list windows-10
            set action check-up-to-date
            set tolerance 1
            set latest-patch-level 18363
        end
    next
end


Notes:
- To specify the acceptable patch level, set the latest-patch-level and the tolerance. The lowest acceptable patch level is the latest-patch-level minus tolerance.

In this case, the latest-patch-level is 18363, and tolerance is 1, so build 18362 is the lowest acceptable patch level.


- When skip-check-for-unsupported-os is set to disable as in the above example, unsupported operating systems such as Android or iOS will not be allowed to connect.


- For Windows 10 and Windows 8, the build number is the patch level.


- Windows 10 clients with a build number older than 18362 will be presented with a warning message similar to the one below, and their access will be denied.
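To make the patch-level arithmetic and the skip-check-for-unsupported-os switch concrete, the following is an added Python model of the os-check decision as this article describes it. It is not FortiOS code and not part of the original article: the OS names are the os-check-list options from the CLI syntax above, the sample clients are constructed, and the rule that a checkable OS without an os-check-list entry is denied follows the article's statement that connections from other operating systems are denied.

```python
"""Added model of the SSL VPN os-check decision described in this article.

Not FortiOS code: it encodes the documented rules so an administrator can
check what a portal's os-check settings will accept before rolling them out.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Tuple

# Operating systems FortiOS can identify, taken from the os-check-list options
# in the CLI syntax above. Anything else (Android, iOS, ...) counts as
# "unsupported" in the sense of skip-check-for-unsupported-os.
CHECKABLE_OS = frozenset({
    "macos-bigsur-11", "macos-catalina-10.15", "macos-high-sierra-10.13",
    "macos-mojave-10.14", "macos-sierra-10.12", "os-x-el-capitan-10.11",
    "os-x-mavericks-10.9", "os-x-yosemite-10.10",
    "windows-7", "windows-8", "windows-8.1", "windows-10", "windows-2000",
})


@dataclass(frozen=True)
class UpToDateCheck:
    """One `config os-check-list <os>` block with `set action check-up-to-date`."""
    latest_patch_level: int   # for Windows 10 and Windows 8 this is the build number
    tolerance: int = 0

    def __post_init__(self) -> None:
        # Both settings are 0~65535 in the CLI syntax; reject anything else early.
        for name in ("latest_patch_level", "tolerance"):
            value = getattr(self, name)
            if not 0 <= value <= 65535:
                raise ValueError(f"{name} must be within 0~65535, got {value}")

    def minimum_patch_level(self) -> int:
        """Lowest accepted patch level: latest-patch-level minus tolerance."""
        return max(0, self.latest_patch_level - self.tolerance)


@dataclass
class PortalOsCheck:
    """os-check related settings of one `config vpn ssl web portal` entry."""
    os_check: bool = True
    skip_check_for_unsupported_os: bool = False
    os_check_list: Dict[str, UpToDateCheck] = field(default_factory=dict)

    def evaluate(self, client_os: str, patch_level: int) -> Tuple[bool, str]:
        """Return (allowed, reason) for one tunnel-mode FortiClient connection."""
        if not self.os_check:
            return True, "os-check disabled; no OS restriction applied"
        if client_os not in CHECKABLE_OS:
            if self.skip_check_for_unsupported_os:
                return True, f"{client_os} cannot be checked; skip-check enabled"
            return False, f"{client_os} cannot be checked; skip-check disabled"
        check = self.os_check_list.get(client_os)
        if check is None:
            # Per the article, operating systems other than the configured
            # one are denied (assumption: modelled as "no entry means deny").
            return False, f"{client_os} has no os-check-list entry"
        floor = check.minimum_patch_level()
        if patch_level >= floor:
            return True, f"{client_os} patch level {patch_level} >= {floor}"
        return False, f"{client_os} patch level {patch_level} < {floor}"


def article_portal() -> PortalOsCheck:
    """The `full-access` portal from the configuration example above."""
    return PortalOsCheck(
        os_check=True,
        skip_check_for_unsupported_os=False,
        os_check_list={"windows-10": UpToDateCheck(latest_patch_level=18363, tolerance=1)},
    )


if __name__ == "__main__":
    portal = article_portal()
    # Constructed sample clients: (OS label, reported patch level / build).
    samples = [("windows-10", 19045), ("windows-10", 18362), ("windows-10", 18361),
               ("windows-7", 7601), ("android", 13)]
    for client_os, build in samples:
        allowed, reason = portal.evaluate(client_os, build)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {client_os:<11} {build:>6}  {reason}")
```

Running the script prints one decision per constructed client; with the article's values, only Windows 10 builds 18362 and newer are allowed, Windows 7 is denied for lack of an os-check-list entry, and Android is denied because skip-check-for-unsupported-os is disabled. Flipping that switch to enable lets the uncheckable client through while leaving the Windows 10 build floor unchanged, which is the trade-off to weigh before enabling it.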


Note: The host check works only in tunnel mode, when FortiClient is involved. It does not work in web mode (browser).
