Hatibi
Staff & Editor
May 28, 2026

Technical Tip: Track Rogues that do not match profiling rules or stop being processed by the Device Profiler


Description

This article describes how to get alerts when Rogues stop being processed by the Device profiler or when they do not match any device profiling rules.

Scope

FortiNAC-F v7.6.

Solution

The device profiler engine in FortiNAC will perform the following evaluations on a Rogue:

  1. Pass: The device is registered based on the settings of the matched rule.

  2. Fail: The device evaluation process continues with the next rule.

  3. Cannot Evaluate: The device evaluation process stops at this rule, and the host is left in the Rogue state. This happens when FortiNAC is unable to get the latest L3 (ARP) information and therefore does not have accurate IP <-> MAC data to profile the Rogue.


In some environments, corporate policies might require a way to be alerted about, or to track, devices that are connected to the network but not registered. It is possible to trigger alerts based on the events generated when FortiNAC cannot evaluate a Rogue or when the Rogue fails to match any profiling rule.


  a) Trigger alerts when FortiNAC cannot evaluate a Rogue and stops the profiling process.

In such cases, FortiNAC will generate the event 'Device Profiling Rule Missing Data'. This event is disabled by default.


To enable the event generation:

  • Go to Logs -> Event & Alarms -> Management.

  • 'Right-click' the event 'Device Profiling Rule Missing Data'.

  • Select 'Log Internal'.


At this point, whenever a Rogue stops being evaluated by the device profiler, the event is generated.

Depending on the frequency desired, it is possible to create an SMS or email alert to be sent to a group of administrators.


To create the Alert:

  • Go to Logs -> Event & Alarms -> Mappings.

  • Select 'Add' to create a new Event to Alarm mapping.

  • Select 'Device Profiling Rule Missing Data' as the triggering Event.

  • Configure other settings as required.



Figure 1. Configuration settings for Event to Alarm Mapping.


  b) Trigger alerts when FortiNAC fails to find any matching rule for the Rogue.

This scenario can be covered by enabling the 'Catch all' device profiling rule with the 'Manual' registration option. Rogues that match this rule are added to a custom-created group, 'Rogues_Catchall', and are then listed under User & Hosts -> Profiled Devices. The group is required so that alerts are triggered only for the hosts that reach the 'Catch all' rule. The administrators are alerted and can then manually validate and confirm the registration, create a new rule to match this type of host, or investigate further where the host is being learned from.


Alternatively, the 'Automatic' registration method can be used on the 'Catch all' rule; this also requires a Network Access Policy that moves the registered host to the Isolation VLAN.


For each case, the event generated is 'Device Profiling Manual Registration' or 'Device Profiling Automatic Registration', respectively.


First, enable the 'Catch All' device profiling rule and configure the manual registration and group settings.

  • Go to User & Hosts -> Device Profiling Rules.

  • Edit 'Catch all'.

  • Configure the settings for the registration method and the group. The group must be created manually; in this example the custom-created group is 'Rogues_Catchall'.



Figure 2. Example configuration of 'Catch all' rule.


To enable the event generation only for hosts in the 'Rogues_Catchall' group:

  • Go to Logs -> Event & Alarms -> Management.

  • 'Right-click' the event 'Device Profiling Manual Registration'.

  • Select 'Log Internal'.

  • 'Right-click' again on the event 'Device Profiling Manual Registration'.

  • Select 'Modify Group'.

  • Select the group 'Rogues_Catchall'.


At this point, the event is only generated for hosts that are moved to this custom group when they match the 'Catch all' profiling rule.


To create the Alert:

  • Go to Logs -> Event & Alarms -> Mappings.

  • Select 'Add' to create a new Event to Alarm mapping.

  • Select 'Device Profiling Manual Registration' as the triggering Event.

  • Configure the required settings as in example a).
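The following is an added example, not FortiNAC code: a constructed Python model of the three rule outcomes (Pass, Fail, Cannot Evaluate) and of how the 'Log Internal' and 'Modify Group' settings from cases a) and b) decide which events are generated. The rule names, vendor check and host values are invented for illustration.

```python
# Constructed model of the profiler flow described above, not FortiNAC's own code.
# A rule's match function returns True (Pass), False (Fail) or None (Cannot Evaluate).
from dataclasses import dataclass, field
from typing import Callable, Optional
MISSING_DATA = "Device Profiling Rule Missing Data"
MANUAL_REG = "Device Profiling Automatic Registration".replace("Automatic", "Manual")
AUTO_REG = "Device Profiling Automatic Registration"
# Events switched on with 'Log Internal'; value = group set via 'Modify Group' (None = all hosts)
ENABLED = {MISSING_DATA: None, MANUAL_REG: "Rogues_Catchall"}

@dataclass
class Host:
    mac: str
    ip: Optional[str]            # None models missing L3 (ARP) data
    vendor: str = ""
    status: str = "Rogue"        # Rogue / Pending manual registration / Registered
    groups: set = field(default_factory=set)

@dataclass
class Rule:
    name: str
    match: Callable[[Host], Optional[bool]]
    method: str = "Automatic"    # 'Automatic' or 'Manual' registration
    group: Optional[str] = None  # group a matching host is added to

def vendor_is(vendor):
    # Needs IP<->MAC data; without it the rule cannot be evaluated.
    return lambda h: None if h.ip is None else h.vendor == vendor

def emit(events, name, host):
    # Generate the event only if it is enabled and, when group-scoped, the host is in that group.
    if name in ENABLED and ENABLED[name] in (None, *host.groups):
        events.append((name, host.mac))

def profile(host, rules):
    """Evaluate the rules in order and return the events generated for this host."""
    events = []
    for rule in rules:
        outcome = rule.match(host)
        if outcome is None:              # Cannot Evaluate: stop, host stays Rogue
            emit(events, MISSING_DATA, host)
            break
        if not outcome:                  # Fail: continue with the next rule
            continue
        if rule.group:                   # Pass: apply the rule's settings
            host.groups.add(rule.group)
        manual = rule.method == "Manual"
        host.status = "Pending manual registration" if manual else "Registered"
        emit(events, MANUAL_REG if manual else AUTO_REG, host)
        break
    return events

RULES = [Rule("Printers", vendor_is("HP")),            # hypothetical vendor rule
         Rule("Catch all", lambda h: True, "Manual", "Rogues_Catchall")]
```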


Related document:

Device Profiler Configuration