Created on 05-15-2020 12:04 AM
Edited on 02-26-2025 06:41 AM
By Jean-Philippe_P
Description
This article describes how to configure the SSL VPN OS check for Windows 10 clients with a specific Windows build number.
Scope
FortiGate v6.2 and above.
Solution
First, identify the portal being used in the SSL VPN connection. To do this, browse to the SSL-VPN settings menu and check the Authentication/Portal Mapping section.
The operating system check must be configured from the CLI with the commands below.
config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        set skip-check-for-unsupported-os <enable | disable>
        config os-check-list { macos-bigsur-11 | macos-catalina-10.15 | macos-mojave-10.14 |
            macos-monterrey-12 | macos-sequoia-15 | macos-sonoma-14 | macos-ventura-13 |
            windows-7 | windows-8.1 | windows-10 | windows-11 }
            set action check-up-to-date
            set tolerance <0~65535>
            set latest-patch-level <disable/0~65535>
        end
    next
end
Configuration example.
A FortiGate with the configuration below accepts all FortiClient SSL VPN connections from Windows 10 build 18362 and newer.
Connection attempts from other operating systems will be denied.
config vpn ssl web portal
    edit full-access
        set os-check enable
        set skip-check-for-unsupported-os disable
        config os-check-list windows-10
            set action check-up-to-date
            set tolerance 1
            set latest-patch-level 18363
        end
    next
end
Note:
- To specify the acceptable patch level, set the latest-patch-level and the tolerance. The lowest acceptable patch level is the latest-patch-level minus tolerance. In this case, the latest-patch-level is 18363, and tolerance is 1, so build 18362 is the lowest acceptable patch level.
- When skip-check-for-unsupported-os is set to disable as in the above example, unsupported operating systems such as Android or iOS will not be allowed to connect.
- For Windows 10 and Windows 8, the build number is the patch level.
- Windows 10 clients with a build number older than 18362 will be presented with a warning message and their access will be denied.

Note:
Host check works only for tunnel mode when FortiClient is involved. It does not work for web mode (browser).
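
The following Python sketch is an added example, not part of the original article and not Fortinet tooling: it parses a portal stanza shaped like the configuration example above and reports the minimum accepted build per OS (latest-patch-level minus tolerance), plus findings when os-check is not enabled or skip-check-for-unsupported-os is enabled. The function names, the sample text, the default tolerance of 0 and the treatment of a non-numeric latest-patch-level as "no build floor" are assumptions.

```python
import re
# Constructed sample input: the example portal configuration from this article.
SAMPLE = """config vpn ssl web portal
edit full-access
set os-check enable
set skip-check-for-unsupported-os disable
config os-check-list windows-10
set action check-up-to-date
set tolerance 1
set latest-patch-level 18363
end
next
end
"""

def parse_portals(text):  # -> {portal: {"settings": {...}, "os": {os_name: {...}}}}
    portals, portal, os_entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"edit\s+(\S+)", line):
            portal = portals.setdefault(m.group(1), {"settings": {}, "os": {}})
        elif m := re.fullmatch(r"config os-check-list\s+(\S+)", line):
            os_entry = portal["os"].setdefault(m.group(1), {}) if portal else None
        elif (m := re.fullmatch(r"set\s+(\S+)\s+(\S+)", line)) and portal:
            (portal["settings"] if os_entry is None else os_entry)[m.group(1)] = m.group(2)
        elif line in ("end", "next"):
            os_entry, portal = None, (None if line == "next" else portal)
    return portals

def min_build(entry):
    """Lowest accepted build: latest-patch-level minus tolerance (see the Note)."""
    latest = entry.get("latest-patch-level", "disable")
    if entry.get("action") != "check-up-to-date" or not latest.isdigit():
        return None  # assumption: no numeric build floor is enforced in this case
    return max(0, int(latest) - int(entry.get("tolerance", "0")))  # default 0 assumed

def audit(text):
    out = []
    for name, p in parse_portals(text).items():
        if p["settings"].get("os-check") != "enable":
            out.append((name, "os-check not enabled"))
        if p["settings"].get("skip-check-for-unsupported-os") == "enable":
            out.append((name, "unsupported OS clients bypass the check"))
        for os_name, entry in p["os"].items():
            floor = min_build(entry)
            out.append((name, f"{os_name}: minimum build {floor}" if floor is not None
                        else f"{os_name}: no build floor enforced"))
    return out

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The parser only understands the stanza shape shown in this article; a full portal configuration with other nested `config`/`edit` blocks would need depth tracking.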