FortiGate
nithincs
Staff
Article Id 195080

Description


This article describes how to block SSL VPN connections from smartphones and allow only clients running specific Windows and macOS versions.

Solution


A useful feature of SSL VPN is the ability to check the client's OS version and allow the SSL VPN connection only when the OS is on an approved list.

Configure the OS check in the FortiGate SSL VPN web portal, then map the web portal to the user group in the SSL VPN settings.

In FortiOS 6.0, the OS check can be enabled only via the CLI.

config vpn ssl web portal
    edit full-access
        set os-check enable
        config os-check-list windows-2000
        end
        config os-check-list windows-7
        end
        config os-check-list windows-8
        end
        config os-check-list windows-8.1
        end
        config os-check-list windows-10
        end
        config os-check-list os-x-mavericks-10.9
        end
        config os-check-list os-x-yosemite-10.10
        end
        config os-check-list os-x-el-capitan-10.11
        end
        config os-check-list macos-sierra-10.12
        end
        config os-check-list macos-high-sierra-10.13
        end
        config os-check-list macos-mojave-10.14
        end
        set skip-check-for-unsupported-os disable
    next
end

The os-check-list entries above are left at their defaults. The setting that actually blocks smartphones is 'skip-check-for-unsupported-os disable': any client whose OS is not in the list fails the check instead of being waved through.

In FortiOS 6.2, the OS check can also be enabled via the GUI.

Go to VPN -> SSL-VPN Portals, edit the portal and enable 'Host Check'.

If the OS check is enabled from the GUI, still disable 'skip-check-for-unsupported-os' from the CLI, otherwise clients with an unlisted OS (such as smartphones) are not rejected:

config vpn ssl web portal
    edit full-access
        set skip-check-for-unsupported-os disable
    next
end
Map the web portal to the SSL VPN user group in the SSL VPN authentication rule.
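The authentication-rule mapping done from the CLI, as an added example that is not part of the original article; the user group name "sslvpn-group" is a hypothetical placeholder, and "full-access" is the portal configured above:

```text
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-group"
            set portal "full-access"
        next
    end
end
```

The FortiOS CLI does not accept inline comments, so none are included; after applying it, a FortiClient on an OS outside the list should be refused at tunnel setup while a listed Windows or macOS client connects normally.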
With this configuration, only PCs running an OS version listed in 'os-check-list' will be able to connect to the SSL VPN, and SSL VPN connections from smartphones will be blocked.

 

Note: The Host/OS check works only for tunnel mode, where FortiClient is involved. It does not work for web mode (browser access); this is expected, since no FortiClient is present to perform the check.
