FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Luke_FTNT
Staff
Article Id 211248
Description

This article describes FortiEDR IoT Device Scanning and why it might not see devices discovered.

Scope

FortiEDR and IoT Device Scanning.
Solution

The IoT Device Scanning feature scans the networks local to the Collector to discover non-workstation devices, such as printers, cameras, and more. In some cases, despite IoT Device Scanning being configured, no results are found. The following points explain how IoT Device Discovery works and the conditions under which it will not run.
FortiEDR is designed only to start an IoT Device Scan if the following prerequisites are met:
  1. At least five Collectors reside in the same subnet with the same external (e.g. WAN) IP address.
  2. The network has a CIDR equal to or greater in size than a /17 (255.255.128.0) network. This is to avoid scanning smaller networks, such as home or satellite offices. Scanning is not isolated to the assigned subnet of the device: FortiEDR will attempt to scan the /17 network by default. If the Collector cannot reach devices in the various subnets (e.g., due to east-west firewall rules or routing), no IoT scan will be triggered. For example, if an endpoint is assigned the IP address 10.10.100.10/24, FortiEDR will attempt to scan the range 10.10.0.0-10.10.127.255 (/17), if the network allows it. Fortinet TAC can adjust the parameters above through a support ticket, depending on the environment.
  3. The endpoints are running Windows workstation edition operating systems. IoT Device Scanning will not work for Windows Servers or Linux. Note that Windows XP is not supported here.
  4. The Collectors are in a 'Running' operational state. IoT Device Scanning will not commence if the Collectors are disabled, isolated, or degraded.
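The following Python script is an added example, not part of the original article or of FortiEDR itself. It models the four prerequisites above so an administrator can work out from an inventory export why a given site never produces IoT scan results: it widens each Collector's assigned subnet to the /17 the scan would attempt (as in the 10.10.100.10/24 example), then groups Collectors by (subnet, external IP) and reports which groups fall short. The `Collector` fields, the sample inventory, and the way per-Collector checks combine into a per-group verdict are assumptions made for this example; the reachability condition (east-west firewalls, routing) cannot be evaluated offline and is only noted in the output.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Defaults as stated in the article: scan width and minimum Collector count.
SCAN_PREFIX_LEN = 17
MIN_COLLECTORS = 5


@dataclass(frozen=True)
class Collector:
    """Hypothetical inventory record; field names are this example's own."""
    name: str
    address: str      # interface notation, e.g. "10.10.100.10/24"
    external_ip: str  # WAN address the Collector is seen from
    os_edition: str   # "workstation" or "server"
    state: str        # "Running", "Disabled", "Isolated" or "Degraded"


def scan_range(address, prefix_len=SCAN_PREFIX_LEN):
    """Widen an address or subnet to the /17 network the scan would cover."""
    iface = ipaddress.ip_interface(address)
    return ipaddress.ip_network(f"{iface.ip}/{prefix_len}", strict=False)


def blocking_reason(c):
    """Return None if this Collector can take part in a scan, else why not."""
    if c.os_edition != "workstation":
        return f"{c.name}: not a Windows workstation edition (prerequisite 3)"
    if c.state != "Running":
        return f"{c.name}: state is {c.state}, not Running (prerequisite 4)"
    return None


def evaluate(collectors):
    """Group Collectors by (assigned subnet, external IP) and decide per group
    whether a scan would start. Returns {group: (would_scan, scan_net, reasons)}."""
    eligible = defaultdict(list)
    blocked = defaultdict(list)
    for c in collectors:
        key = (str(ipaddress.ip_interface(c.address).network), c.external_ip)
        reason = blocking_reason(c)
        if reason:
            blocked[key].append(reason)
        else:
            eligible[key].append(c)

    result = {}
    for key in set(eligible) | set(blocked):
        members = eligible.get(key, [])
        reasons = list(blocked.get(key, []))
        if len(members) < MIN_COLLECTORS:
            reasons.append(f"only {len(members)} eligible Collector(s) in "
                           f"{key[0]} behind {key[1]}; {MIN_COLLECTORS} required "
                           f"(prerequisite 1)")
        net = scan_range(key[0])  # the /17 the scan would attempt (prerequisite 2)
        if not reasons:
            reasons.append(f"would scan {net[0]}-{net[-1]} if the Collector can "
                           f"reach those subnets (not checked here)")
        result[key] = (len(members) >= MIN_COLLECTORS, net, reasons)
    return result


# Constructed sample inventory: one site that qualifies, one that does not.
SAMPLE_COLLECTORS = [
    Collector("ws-01", "10.10.100.10/24", "203.0.113.5", "workstation", "Running"),
    Collector("ws-02", "10.10.100.11/24", "203.0.113.5", "workstation", "Running"),
    Collector("ws-03", "10.10.100.12/24", "203.0.113.5", "workstation", "Running"),
    Collector("ws-04", "10.10.100.13/24", "203.0.113.5", "workstation", "Running"),
    Collector("ws-05", "10.10.100.14/24", "203.0.113.5", "workstation", "Running"),
    Collector("srv-01", "10.10.100.20/24", "203.0.113.5", "server", "Running"),
    Collector("ws-06", "10.10.100.15/24", "203.0.113.5", "workstation", "Degraded"),
    Collector("br-01", "192.168.1.10/24", "198.51.100.9", "workstation", "Running"),
    Collector("br-02", "192.168.1.11/24", "198.51.100.9", "workstation", "Running"),
    Collector("br-03", "192.168.1.12/24", "198.51.100.9", "workstation", "Running"),
]

if __name__ == "__main__":
    for (subnet, ext), (would_scan, net, reasons) in sorted(evaluate(SAMPLE_COLLECTORS).items()):
        print(f"{subnet} via {ext}: scan {'WOULD' if would_scan else 'would NOT'} start ({net})")
        for r in reasons:
            print("   -", r)
```

Run it as-is to see the constructed inventory evaluated, or replace `SAMPLE_COLLECTORS` with records built from your own Collector list; `scan_range` alone answers the narrower question of which addresses a Collector at a given IP would try to reach.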