hrahuman_FTNT
Staff & Editor
January 7, 2015

Technical Tip: Devices are not identified properly


Description

 

This article explains why devices are not properly identified and how to get them identified correctly.
Sometimes an incorrect device name is visible in the device inventory even though the MAC address is correct.
 
FortiGate uses different methods to identify devices and gather information about them.
This information is extracted from different protocols when traffic passes through FortiGate,
so the device name is not necessarily the hostname of the device.
 
Scope
 
FortiGate.

Solution
 
Possible problems that might be encountered with device identification:
 
  1. Only one MAC address for all devices is shown:
Check to see whether there is a Layer 3 device (router or L3 switch) between the FortiGate and client workstations.
Device identification in FortiOS is based on MAC address. If the FortiGate is unable to see the client's MAC address, identification will not work. If clients are not on the same network as FortiGate, use agent-based device authentication (FortiClient).

  2. Device identification is not complete:
The FortiGate may not have enough information to identify the device.
For example, if only ICMP is forwarded through the FortiGate, then the OS version can't be verified. Alternate test: try sending some HTTP traffic through the FortiGate and see if the device is now identified properly.

The following CLI command can be used for device identification troubleshooting:

 

diagnose user device list   <----- List all recognized hosts.


The command lists all hosts recognized by FortiGate.
Depending on the network, the output contains information such as the following:

 

vd 0  00:23:d4:55:45:00  gen 8  req 0  redir 0  last 18s  port1
ip 172.18.1.14  ip6 fe40::9420:9560:1dcf:8e16
type 8 'Windows PC'  src dhcp  c 1  gen 3
os 'Windows'  version ''  src dhcp  id  24  c 1
host 'TEST-PC'  src dhcp
user 'testuser' src forticlient
endpoint 2

 

The output above shows the device IP and MAC address, device type, OS version, hostname, and user (if identified), and which traffic was the source (src) of each identification. Additionally, there is one more way to address this:

  • It is possible to delete the detected device and allow the FortiGate to detect it again.
  • The following CLI command can be used to delete a device by its MAC address:

 

diagnose user device delete
<mac>    MAC address (xx:xx:xx:xx:xx:xx)

 

  3. A single IP address appears associated with multiple hostnames or devices.

     

By default, FortiGate retains discovered devices in its device inventory and does not remove them until the device has not been seen on the network for 28 consecutive days. This behavior can lead to situations where a single IP address appears associated with multiple hostnames or devices over time. This typically occurs when the DHCP lease expires (and the IP is reassigned to a new device) before the 28-day inactivity timeout is reached.

 

The recommended workaround is to adjust discovered-device-timeout using the following commands:
 

config system settings
    set discovered-device-timeout <1-365 days>
end
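
As an added example (not part of the original article and not Fortinet tooling), the following Python parses saved output of diagnose user device list and reports two of the conditions described above: IP addresses claimed by more than one MAC address, and devices whose type, OS or hostname has not been identified. It assumes the line layout shown in the sample output above; the second and third records in SAMPLE and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the article's output, the other two are made up.
SAMPLE = """\
vd 0  00:23:d4:55:45:00  gen 8  req 0  redir 0  last 18s  port1
ip 172.18.1.14  ip6 fe40::9420:9560:1dcf:8e16
type 8 'Windows PC'  src dhcp  c 1  gen 3
os 'Windows'  version ''  src dhcp  id  24  c 1
host 'TEST-PC'  src dhcp
user 'testuser' src forticlient
endpoint 2
vd 0  00:23:d4:55:45:99  gen 5  req 0  redir 0  last 9s  port1
ip 172.18.1.14
host 'OLD-LAPTOP'  src dhcp
vd 0  00:23:d4:55:46:10  gen 2  req 0  redir 0  last 3s  port1
ip 172.18.1.20
"""

MAC = re.compile(r"^vd \d+\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b.*?last (\S+)", re.I)
FIELD = re.compile(r"^(type|os|host|user)\b.*?'([^']*)'.*?\bsrc (\S+)")

def parse_device_list(text):
    """Return one dict per 'vd <n> <mac> ...' record, with the src of each attribute."""
    devices, cur = [], {"src": {}}  # 'cur' starts as a throwaway for pre-record lines
    for line in map(str.strip, text.splitlines()):
        if m := MAC.match(line):
            cur = {"mac": m.group(1).lower(), "last": m.group(2), "src": {}}
            devices.append(cur)
        elif line.startswith("ip "):
            cur["ip"] = line.split()[1]
        elif m := FIELD.match(line):
            cur[m.group(1)] = m.group(2)
            cur["src"][m.group(1)] = m.group(3)
    return devices

def shared_ips(devices):
    """IPs held by more than one MAC: likely stale entries after DHCP reassignment."""
    by_ip = defaultdict(list)
    for d in devices:
        if "ip" in d:
            by_ip[d["ip"]].append(d["mac"])
    return {ip: macs for ip, macs in by_ip.items() if len(macs) > 1}

def incomplete(devices):
    """Map each MAC to the attributes (type, os, host) not identified yet."""
    return {d["mac"]: [f for f in ("type", "os", "host") if not d.get(f)]
            for d in devices if not all(d.get(f) for f in ("type", "os", "host"))}
```

Entries returned by shared_ips are candidates for diagnose user device delete or a shorter discovered-device-timeout; entries returned by incomplete are the hosts to retest with additional traffic such as HTTP.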

 

Related article:

Technical Tip: Enable 'Device Detection' to allow FortiOS to monitor networks