FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bpozdena_FTNT
Description
This article describes how to configure SSL VPN OS check for Windows 10 clients with specific Windows build number.

Solution
# config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        set skip-check-for-unsupported-os <enable | disable>
        # config os-check-list { macos-bigsur-11 | macos-catalina-10.15 | macos-high-sierra-10.13 | macos-mojave-10.14 |
 macos-sierra-10.12 | os-x-el-capitan-10.11 | os-x-mavericks-10.9 | os-x-yosemite-10.10 |
 windows-7 | windows-8 | windows-8.1 | windows-10 | windows-2000 }

            set action check-up-to-date
            set tolerance <0~65535>
            set latest-patch-level <disable/0~65535>
        end
    next
end
Configuration example.

FortiGate with the bellow configuration accepts all FortiClient SSL VPN connections from Windows 10 build 18362 and newer.
Connection attempts from other operating systems will be denied.

# config vpn ssl web portal
    edit full-access
        set os-check enable
        set skip-check-for-unsupported-os disable
        # config os-check-list windows-10
            set action check-up-to-date
            set tolerance 1
            set latest-patch-level 18363
        end
    next
end
Notes:
- To specify the acceptable patch level, set the latest-patch-level and the tolerance. The lowest acceptable patch level is the latest-patch-level minus tolerance. In this case, the latest-patch-level is 18363, and tolerance is 1, so build 18362 is the lowest acceptable patch level.
- When skip-check-for-unsupported-os is set to disable as in above example, unsupported operating systems such as Android or iOS will not be allowed to connect.
- For Windows 10 and Windows 8, the build number is the patch level.
- Windows 10 clients with older build number than 18362 will be presented with a warning message similar to the one bellow and their access will be denied.



Contributors