Technical Tip: IoT device profiling using FortiGuard Intelligence and behavioral analysis in FortiNAC-F

Description

This article describes how FortiNAC-F enhances device profiling using:

• FortiGuard IoT intelligence.

• Behavioral analysis (network activity patterns).

• Multi-method correlation.

This enables high-confidence classification of IoT/OT devices, even when traditional profiling methods are insufficient.

Scope

• FortiNAC-F v7.x /v9.x.

• FortiGuard IoT Service.

• Device profiling engine.

• IoT / OT environments.

Solution

FortiNAC uses a rule-based profiling engine enhanced by FortiGuard IoT intelligence, which provides:

• Vendor identification.

• Device category classification.

• Known IoT signatures.

Behavioral analysis complements this by evaluating:

• Network traffic patterns.

• Open ports and services.

• Communication behavior.

Components:

• FortiNAC-F (Profiler + Policy Engine).

• FortiGuard IoT cloud service.

• Network infrastructure (Switches/APs/Firewalls).

• IoT / OT endpoints.

FortiNAC can gather information about the connected devices from multiple sources within the network.

Profiling workflow:

Step-by-step process.

1. Device connects → identified as a Rogue device.
   
   

2. FortiNAC collects attributes:

   • MAC address (OUI).

   • DHCP fingerprint.

   • Traffic data.
     
     

3. FortiGuard IoT lookup performed.
   
   

4. Behavioral indicators evaluated:

   • Ports.

   • Protocols.

   • Communication patterns.
     
     

5. Profiling rules correlate:

   • Local attributes.

   • FortiGuard data.
     
     

6. Device classified with:

   • Type.

   • Vendor.

   • Role.
     
     

7. Policy enforcement applied.

Enable Device Profiling:

Log in to the FortiNAC-F GUI console. Expand System -> Select Settings ->Select User/Host Management -> Select Device Profiler.

Example rule: Smart camera.

Conditions:

• FortiGuard Category = Camera.

• Vendor OUI = Axis / Hikvision.

• Open Port = 554 (RTSP).

• HTTP response contains a camera signature.

Actions:

• Type: Camera.

• Role: IoT_Camera.

• Register as: Host.

Log in to the FortiNAC GUI console. Expand Users & Hosts -> Select Device Profiling Rules -> Select Add to create a device profiling rule.

It is recommended to use multiple profiling methods for accuracy.

Scenario 1: IP Camera.

• RTSP traffic detected.

• FortiGuard category: Camera.

• OUI matches Axis.

Classified as Camera.

Scenario 2: Printer.

• Port 9100 open.

• DHCP fingerprint: Printer.

• Periodic SNMP.

Classified as Printer.

Scenario 3: PLC (OT Device).

• Protocol: Modbus.

• Vendor: Siemens.

• FortiGuard category: Industrial.

Classified as an Industrial Device.

Policy enforcement.

Once classified:

• Role assigned automatically

• Network access policy applied

Example:

Best practices:

• Combine multiple methods: OUI + FortiGuard + Behavior.

• Use FortiGuard First: Faster classification.

• Optimize rule order:

1. FortiGuard-based.

2. OUI.

3. Behavioral.

4. Active scanning.

Avoid:

• Single-method rules.

• Overlapping conditions.

• Excessive active scans.

Troubleshooting.

Issue: Device not classified.

• Check:

  • FortiGuard connectivity.

  • Profiling enabled.

  • Device visible in the network.

Issue: Incorrect classification.

• Adjust:

  • Rule order.

  • Add behavioral conditions.

Issue: No FortiGuard data.

• Verify:

  • License.

  • Internet access.

Related documents:

Technical Tip: Device profiling using the SNMP method

Device Profiling rules

Technical Tip: Device profiling methods for IoT/OT devices and nmap scanning