Skip to main content
ebilcari
Staff
ebilcari
Staff
May 4, 2026

Technical Tip: Device profiling using the SNMP method

  • May 4, 2026
  • 0 replies
  • 52 views

Description

This article describes how the SNMP device profiling method works and how to check profiling results.

Scope

 FortiNAC.

Solution

The device profiling feature in FortiNAC is used to classify unknown (rogue) devices by using different methods to register and classify the end devices. These methods are recommended for classifying devices with embedded systems that do not have a logged-in user and do not support alternative identification methods.


The SNMP method can be used to scan the device for particular OID values and classify the device only when the conditions are met. Using SNMPv3 is recommended as it provides authentication and encryption.


Create the Device Profiling rule in Users & Hosts -> Device Profiling Rules.

c7918edf.png


Note:
The same rule can also combine additional methods to further verify the device before registration. Rule ranking is an important factor as well. For testing purposes, it is recommended to place new rules at the top.

To verify that the host is responding to the SNMP query from FortiNAC and the OID returned value matches, a quick test can also be performed by FortiNAC CLI:


fnac76  # execute enter-shell
fnac76:~$ snmpget -v3 -u gimi -l authPriv -a SHA -A '12345678' -x AES -X '12345678' 10.7.32.11 1.3.6.1.2.1.1.5.0
SNMPv2-MIB::sysName.0 = STRING: debi01


To check details on the SNMP interactions and profiling results, enable debugging in FortiNAC CLI:


fnac76  # diagnose debug plugin enable ActiveFingerprint
fnac76  # diagnose tail -f output.nessus


Below is an example of a successful test rule:


2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - performScans() rule = FS Hosts mac = 02:09:0F:00:07:02 enabled = true
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - performScan() rule = FS Hosts mac = 02:09:0F:00:07:02 method = SnmpMethod
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod - mac = 02:09:0F:00:07:02 ip = 10.7.32.11
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod -   user = gimi
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod -   userPassword = *****
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod -   userPrivacyPassword = *****
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod -   authenticationProtocol = 1.3.6.1.6.3.10.1.1.3
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod -   privacyProtocol = 1.3.6.1.6.3.10.1.2.4
2026-05-04 11:34:54.328 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod - performScan() target = 10.7.32.11/161 OID = [1.3.6.1.2.1.1.5.0 = Null]
2026-05-04 11:34:54.351 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod - SNMP Response. target = 10.7.32.11/161
  RESPONSE[{contextEngineID=80:00:1f:88:80:b7:8c:f4:31:44:cc:f0:69:00:00:00:00, contextName=}, requestID=143792769, errorStatus=0, errorIndex=0, VBS[1.3.6.1.2.1.1.5.0 = debi01]]
2026-05-04 11:34:54.351 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod - getSnmpStatus() type = -94 error = 0 errorIndex = 0
2026-05-04 11:34:54.351 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod - getSnmpStatus() retval = 0
2026-05-04 11:34:54.351 +0200 [p: default-threadpool; w: 2] DEBUG yams.dpc.SnmpMethod - Request Succeeded. target = 10.7.32.11/161 response = debi01
2026-05-04 11:34:54.351 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - performScan() rule = FS Hosts mac = 02:09:0F:00:07:02 method = SnmpMethod fingerprint = Fingerprint [dbid=null, s  ource=SNMP, physAddress=02:09:0F:00:07:02, ipAddress=10.7.32.11, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={1.3.6.1.2.1.1.5.0=debi01, OID=1.3.6.1.2.1.1.5.0, R  ESPONSE=debi01, PORTS=161}]
2026-05-04 11:34:54.351 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - performScan(FS Hosts) Method (SnmpMethod) matches data collected
2026-05-04 11:34:54.351 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - process() SNMP 02:09:0F:00:07:02
2026-05-04 11:34:54.353 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - testRuleMatch() matching rule. rule = FS Hosts mac = 02:09:0F:00:07:02 ip = 10.7.32.11
2026-05-04 11:34:54.353 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - matchRule(FS Hosts) Method (OUIMethod) matches data collected
2026-05-04 11:34:54.353 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - matchRule(FS Hosts) Method (IPRangeMethod) matches data collected
2026-05-04 11:34:54.353 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - matchRule(FS Hosts) Method (TCPPortMethod) matches data collected
2026-05-04 11:34:54.353 +0200 [p: default-threadpool; w: 2] DEBUG yams.ActiveFingerprint - matchRule(FS Hosts) Method (SnmpMethod) matches data collected


Note:

FortiNAC uses multiple methods to profile devices. Some methods fall under Already Collected Data (such as Vendor OUI and FortiGuard), while others are categorized as Needs to Be Read (such as SNMP, TCP, and similar methods). For methods in the latter category, the host IP address must be recently updated in FortiNAC through a successful Layer 3 poll of the network device acting as the gateway for the rogue devices. More details can be found in: Device Profiler Configuration.


The database of Endpoint Fingerprints will also get updated and include the details of the device:


7620f23d.png


Related articles:

Technical Tip: Device profiling methods for IoT/OT devices and nmap scanning

Technical Tip: Device profiling using the TCP or UDP methods

Technical Tip: Device Profiling Rule with the SSH Method

      Terms & ConditionsAccessibility statement