Method 1: Application Control.

Application Control has signatures available that allow the FortiGate to identify a device's operating system based on certain patterns of traffic that it transmits. With this, it is possible to prevent mobile devices from sending traffic through FortiGate by applying an Application Control profile to the FortiGate Firewall Policies.

Note: Modern devices are almost exclusively using HTTPS and other encrypted protocols to communicate with services over the network and the Internet. This encryption will hide many identifiable aspects of the devices' traffic and will largely prevent Application Control from being able to detect traffic on its own.

To combat this, TLS Deep Inspection must be applied to the Firewall Policy to allow the FortiGate to act as a Machine-in-the-Middle and decrypt encrypted user traffic. However, this will generate TLS errors/warnings on any device matching these Firewall Policies unless they have FortiGate's CA certificate installed (see here for more information: SSL/TLS deep inspection).

To use this method, use the following steps:

1. In the FortiGate GUI, navigate to Security Profiles -> Application Control and create/modify an Application Control profile.
2. Under Categories, select the Mobile category dropdown and change the action from the default of Monitor to Block.
   
   • The Mobile category currently contains three signatures representing the main mobile operating systems: Android, Apple.iPad (iPadOS), and Apple.iPhone (iOS).
   • As an alternative, the above signatures could be added directly to the Application and Filter Overrides section if each signature should have a separate action (for example, setting Android to Block and setting Apple.iPad/Apple.iPhone to Monitor).
3. Once the changes are complete, select OK to commit the changes to the Application Control profile.
4. Next, navigate to Policy & Objects -> Firewall Policy, create/modify a Firewall Policy entry, and add both the Application Control profile that was created in the earlier steps as well as a TLS/SSL profile with Deep Inspection enabled (such as the default 'deep-inspection' profile).

Method 2: MAC Address Objects in Firewall Policies.

In FortiOS 7.0 and later, it is possible to configure MAC-based Address Objects that can be used in Firewall Policies to govern access.

Note: MAC Address objects can only be used when the device to be allowed/blocked is on the same Layer 2 broadcast domain as the FortiGate. If the device is located behind another Layer 3 device (such as a core switch or router) then the FortiGate will not have visibility into the device's MAC address and the object/policy will never be matched.

1. Go to Policy & Objects -> Addresses, select the Address section, then select Create new.

2. Set an appropriate Name, then change the Type to 'Device (MAC Address)'.

3. Enter the MAC address of the device to be matched (or a range of MAC addresses), then select OK to commit the changes.
                                                                     

4. Go to Policy & Objects -> Firewall Policy and create/modify a Firewall Policy.

5. Apply the new MAC Address object in the Source field, then set the Action appropriately (the Accept action to allow incoming Sources using this MAC Address, or Deny to drop traffic matching the specified MAC Address).

Note: If the setup requirement is to completely disable the network/wifi join for mobile devices, NAC implementation is required. See Technical Tip: Usage of NAC Policies to block traffic from Mobile OS models (Android and iOS).