Myth
New Member
May 7, 2018
Question

Device Detection on LAN vs WAN

  • May 7, 2018
  • 1 reply
  • 17462 views

I have a relatively new environment, with no Device Detection currently enabled on any interfaces, and I'm curious whether anyone is using it enabled on WAN interfaces or purely on internal-facing interfaces?

 

In 5.4.8, in the UI, the option is only available when you define the interface as LAN. I'm guessing it's not much use enabled on a public-facing interface? But I thought I'd check here.

 

The reason I ask is that I am currently whitelisting access to some services in the DMZ via IP, and I am curious whether it's possible to do it using devices / hardware addresses instead?

 

Thanks!

    1 reply

    Nicholas_Doropoulos
    New Member
    May 7, 2018

    Hi Myth,

     

    Device detection is intended for devices directly connected to your LAN ports. In theory, device detection can also be enabled on a WAN port but it may be unable to determine the operating system on some devices. Hosts whose device type cannot be determined passively can be found by enabling active scanning on the interface.

     

    Regarding your second question, you can enable device detection on your DMZ interface via the MAC address method. Other device detection methods include:

     

    • IP address
    • operating system
    • hostname
    • user name
    • how long ago the device was detected and on which FortiGate interface

     

    Let us know if there is anything else.
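The following is a worked FortiOS CLI configuration for the MAC-based allow-list the question describes. It is added here as an illustration; it is not taken from the original thread or from Fortinet's own documentation, and it assumes FortiOS 5.4-era syntax, an internal interface named lan, a DMZ interface named dmz, a device name dmz-admin-workstation, a placeholder MAC address, an address object dmz-service and a policy ID of 10, all of which are assumptions. One caveat a practitioner should keep in mind: the FortiGate can only learn a host's hardware address from frames it receives directly on an interface, so device identification has to be enabled on the interface the client is attached to (here lan, not dmz), and a policy keyed on a MAC cannot match clients arriving across routed hops or the WAN, where the source MAC belongs to the upstream router.

```text
# Added example (not from the original thread). Interface and object names are assumptions.

# 1. Enable device detection on the interface the client is directly attached to.
#    Active scanning helps classify hosts that cannot be fingerprinted passively.
config system interface
    edit "lan"
        set device-identification enable
        set device-identification-active-scan enable
    next
end

# 2. Define the permitted client by hardware address.
#    The device name and the MAC 00:11:22:33:44:55 are placeholders.
config user device
    edit "dmz-admin-workstation"
        set mac 00:11:22:33:44:55
        set comment "only this host may reach the DMZ service"
    next
end

# 3. Reference the device in the policy instead of (or in addition to) a source IP.
#    Policy ID, interface names and the address object "dmz-service" are assumptions.
config firewall policy
    edit 10
        set name "lan-to-dmz-service-by-device"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz-service"
        set devices "dmz-admin-workstation"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# 4. Verify what the unit has actually learned (MAC, detection method, interface)
#    before relying on the policy:
diagnose user device list
```

If the client does not appear in the device list, the policy will not match it, so check step 4 first; a MAC that shows up only as "seen on" the WAN interface is the upstream router's, not the end host's.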

    Myth
    New Member
    May 15, 2018

    Thanks Nick, good help.

     

A couple of things - can enabling active scanning really enable an FG device to identify devices coming in on a WAN interface across the public internet?

     

You mention enabling device detection in different modes: MAC address, IP, OS, hostname... Where do you define the mode that device detection operates in on a specific interface?

     

    Cheers!

    M

    Nicholas_Doropoulos
    New Member
    May 29, 2018

    Hi Myth,

     

    Device identification can be employed in two modes: agent-based and agentless.

     

    The previously discussed detection modes fall into the agentless method, whereby clients require DIRECT connectivity to the FortiGate. That is why they are mainly used for local transmissions of traffic, say from LAN or DMZ to the FGT. You can't really choose the detection method as far as I'm aware, but you can identify the detection method being used with the following command:

     

    diag user device list

     

    If you want your FGT to identify devices over your WAN interface, then you would be using the agent-based method, which requires FortiClient and FortiTelemetry (a mandatory feature to allow for the FortiClient's registration).

     

    I hope that helps.