mvlasak
Staff
March 31, 2026

Technical Tip: FortiManager fails to push 'device-identification enable' to FortiGate

Description:

This article describes an issue where, when using CLI Templates or Device Manager to enable device identification on an interface, the setting may fail to be pushed to the FortiGate, or FortiManager may incorrectly display the setting as disabled after installation. This issue is associated with Bug ID 1215090.

Scope:

FortiManager v7.4.x (specifically v7.4.10 and earlier).

Solution

Symptoms:

  1. A CLI template contains a set of device-identification commands for a specific interface.
  2. Installation logs show that the command is either skipped or the FortiGate remains set to device-identification disable.
  3. After re-verification in FortiManager, the setting appears reverted or not applied.

 

Root cause:

In FortiManager v7.4.10 and earlier, a logic dependency exists between the interface role and the device-identification feature. FortiManager skips pushing the device-identification command when the interface role is set to Undefined or WAN.

This behavior is based on the assumption that device identification (MAC/OUI tracking) is only applicable to internal networks, such as LAN or DMZ.

 

Solution and workaround:

  1. Workaround: Update the interface role.

To resolve the issue without upgrading, change the interface role to LAN or DMZ.

  • Via Device Manager:
    Navigate to Device Manager -> [Device Name] -> Network -> Interfaces, edit the target interface, and set the Role to LAN.
  • Via CLI Template:
    If interfaces are managed via templates, ensure the role is explicitly defined:


config system interface
    edit "port1"
        set role lan
        set device-identification enable
    next
end

  2. Permanent fix (upgrade).
    This behavior is corrected in FortiManager v7.6.6 and later. In these versions, the limitation is removed, and device-identification can be pushed regardless of interface role (including WAN or Undefined).
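
The condition described under Root cause can be checked in template text before installation. The following is an added example, not Fortinet code: it scans a `config system interface` block for interfaces that enable device-identification while their role is one the affected FortiManager versions skip. The function name, the sample text, and the treatment of a missing `set role` line as undefined are assumptions.

```python
import re

# Roles for which the article says FortiManager v7.4.10 and earlier skips the command.
SKIPPED_ROLES = {"undefined", "wan"}
# Constructed sample template text (interface names and values are illustrative).
SAMPLE_TEMPLATE = """
config system interface
    edit "port1"
        set role lan
        set device-identification enable
    next
    edit "port2"
        set role wan
        set device-identification enable
    next
    edit "port3"
        config ipv6
            set ip6-mode static
        end
        set device-identification enable
    next
end
"""

def interfaces_at_risk(template_text):
    """Map interface name -> role where device-identification is enabled but the role is skipped."""
    in_section, depth, name, settings, at_risk = False, 0, None, {}, {}
    for raw in template_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system interface"
        elif depth or (name and line.startswith("config ")):
            # Nested block inside an interface (e.g. "config ipv6"): skip to its "end".
            depth += line.startswith("config ") - (line == "end")
        elif line == "end":
            in_section = False
        elif m := re.fullmatch(r'edit\s+"?([^"]+)"?', line):
            name, settings = m.group(1), {}
        elif name and (m := re.fullmatch(r"set\s+(\S+)\s+(.+)", line)):
            settings[m.group(1)] = m.group(2).strip('"').lower()
        elif name and line == "next":
            # Assumption: no "set role" line in this text means the role is undefined.
            role = settings.get("role", "undefined")
            if settings.get("device-identification") == "enable" and role in SKIPPED_ROLES:
                at_risk[name] = role
            name = None
    return at_risk

if __name__ == "__main__":
    print(interfaces_at_risk(SAMPLE_TEMPLATE))
```

The check only sees roles set in the text it is given; a role configured elsewhere in Device Manager is not visible to it.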

 

Verification.

After changing the interface role to LAN/DMZ:

  1. Run Install Wizard -> Install Configuration.
  2. In the Install Preview, confirm that the following configuration is included:


config system interface
    edit "port1"
        set device-identification enable
    next
end

 

  3. Log in to the FortiGate CLI and verify using:


get system interface <name>


The output confirms that the setting is active.