|
For asset visibility, IoT device discovery, and location analytics integrations it can be useful to scan for BLE devices.
The required steps are as follows.
- Create a BLE profile.
The first step is to configure a BLE profile on the FortiGate (this is later attached to the FortiAP Profile):
config wireless-controller ble-profile
edit "BLE-Scan"
set scan enable
set scan-period 60
set scan-window 30
set scan-interval 100
next
end
- scan enable – turns on BLE scanning.
- scan-period – the duration of each scan, (in seconds).
- scan-window and scan-interval – define how aggressively the FortiAP listens.
-
Apply the BLE profile to a FortiAP profile.
Next, attach the new BLE profile to the Access Point profile that the FortiAP is using:
config wireless-controller wtp-profile
edit "FAP-231F-profile"
set ble-profile "BLE-Scan"
next
end
If necessary, assign this FortiAP profile to the desired Access Points; if the profile is already in use by the FortiAP, this is not needed.
-
Verify that BLE devices are detected.
Assuming there are Bluetooth devices that are within range of the FortiAPs that now use the BLE profile, these devices can now be listed on the CLI.
Use the following diagnostic command to see devices scanned by the FortiAPs:
FGT # diagnose wireless-controller wlac -c ble-de
Sample output:
FGT # diagnose wireless-controller wlac -c ble-dev
BLE_DEV (002/003) vfid 000, mac 00:00:1B:00:B1:E5
rssi : 1
addr type : random
name : Shelly1MiniG3
manufacture : Xerox
first seen : Sep 15 11:13
last seen : Aug 03 05:34
scanned by : FP234FTF12345678
BLE_DEV (003/003) vfid 000, mac 00:23:45:0B:00:B5
rssi : -86
addr type : public
name : Shelly1PMMiniG3
manufacture : Xerox
first seen : Sep 15 11:13
last seen : May 28 03:58
scanned by : FP234FTF12345678
5. Interpretation of the output.
The fields in the above output correspond to the descriptions below:
- mac – The Bluetooth device's MAC address (can be random or public).
- rssi – The received signal strength indicator; higher (closer to 0) means nearer.
- addr type – Public or random (depends on device advertising mode).
- name – BLE advertising name (sometimes includes vendor/product).
- manufacture - The vendor that made the BLE hardware (not always shown).
- first/last seen – Useful for tracking presence and duration.
- scanned by – The serial number of the Access Point that detected the Bluetooth device.
Use Cases.
Below are some suggested cases where this data could be useful:
- IoT visibility: Detect smart plugs, sensors, wearables, or unknown devices.
- Rogue device detection: Spot unexpected BLE radios in your environment.
- Location tracking: If multiple FortiAPs hear the same device, approximate location via RSSI.
- Integration: Export logs to FortiAnalyzer or FortiPresence for historical and analytics dashboards.
Notes:
- BLE scan data is metadata only (MAC, RSSI, UUID, etc.). FortiGate does not proxy BLE traffic.
- Ensure the FortiAP model supports BLE hardware.
- For advertisement/beacon use cases (iBeacon/Eddystone), configure advertise enable in the BLE profile.
|
