FortiGate
btey
Staff & Editor
Article Id 190901

Description


This article describes how to enable 'Device Detection' to allow FortiOS to monitor networks and gather information about units operating on those networks.

Scope


FortiGate v6.2.1 and above. The device detection and identification feature creates a database of discovered devices in the memory of the FortiGate unit. Depending on the size of the network, this database can become quite large, so consider this when enabling device identification on low-end models (below the 200 series). It is not recommended to enable this feature on 'Wi-Fi' or 'Guest-WIFI' interfaces that serve numerous clients, as the database size will grow exponentially.


Solution


It is possible to enable 'Device Detection' to allow FortiOS to monitor networks and gather information about devices operating on those networks, including:

  • MAC address.
  • IP address.
  • Operating system.
  • Hostname.
  • Username.
  • Endpoint tags.
  • When FortiOS detected the unit, and on which interface.

 

It is possible to enable 'Device Detection' separately on each interface in Network -> Interfaces. Also, device detection can be enabled through the CLI:

 

config system interface
    edit <interface_name>
        set device-identification enable
    end

 

'Device Detection' is intended for devices that are directly connected to LAN and DMZ ports. The widget is only available when the Interface Role is LAN, DMZ, or Undefined. It is not available when the role is WAN. If enabled on a WAN port, 'Device Detection' can be unable to determine the OS on some units.
It is possible to enable active scanning on the interface to find hosts whose unit types FortiOS cannot determine passively (this feature is not available in v7.0 and above).

Since FortiOS v7.2 the daemon responsible for device detection is named cid (Client Identification daemon). Before v7.2, the daemon was named src-vis.

 

When FortiOS manages FortiSwitches through FortiController, FortiSwitchOS can parse LLDP messages from voice devices and send that information to the device detection daemon in FortiOS to add information into the device detection database.
It is also possible to manually add units to the 'Device Inventory' to ensure that a device with multiple interfaces displays as a single device.


To view the device inventory monitor in the GUI, go to Dashboard -> Users & Devices.

Note:

In newer versions such as v7.4.2, v7.4.3, v7.4.4, v7.4.5, and v7.6.0, Users & devices options are replaced with Assets and Identities.


When the user has issues viewing correct information under Asset Identity Center, the following commands will help to verify via the CLI:


diagnose user device stats
diagnose user device list
diagnose user-device-store device memory list
diagnose user-device-store unified device-query
diagnose user-device-store unified user-query
diagnose user-device-store unified list

diagnose debug enable
diagnose test application wad 2500     <----- switch to wad-user-info context.
diagnose test application wad 168      <----- user-device store stats dump on v7.0.

diagnose test application wad 178      <----- user-device store stats dump on v7.2 and v7.4.
diagnose test application wad 2000     <----- switch back to WAD manager context.

In environments where devices are connected through a managed FortiSwitch, device information is sometimes not displayed in the GUI or in the CLI output of the previous commands:


In this case, to enable device detection for these devices, the parameter data-sync-interval must be set to a non-zero value (the default value is 0):

 

config switch-controller system
    set data-sync-interval <30-1800 seconds>
end
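As an added example that is not part of this article or of Fortinet's tooling, the following Python script parses a constructed FortiOS configuration export and reports where device detection will leave gaps: LAN/DMZ interfaces without device-identification, a WAN-role interface with it enabled (where OS detection is unreliable), and a switch-controller data-sync-interval still at 0. The sample configuration and the audit rules are assumptions derived from this article, not a Fortinet-provided check.

```python
import re

# Constructed sample of a FortiOS configuration export; not taken from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set role wan
        set device-identification enable
    next
    edit "port2"
        set role lan
        set device-identification enable
    next
    edit "dmz"
        set role dmz
    next
end
config switch-controller system
    set data-sync-interval 0
end
"""

def parse_interfaces(config):
    """Return {name: {setting: value}} for every entry in 'config system interface'."""
    block = re.search(r"config system interface\n(.*?)\nend", config, re.S)
    if not block:
        return {}
    interfaces = {}
    for entry in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1), re.S):
        interfaces[entry.group(1)] = dict(re.findall(r"set (\S+) (.+)", entry.group(2)))
    return interfaces

def data_sync_interval(config):
    """Return data-sync-interval from 'config switch-controller system' (0 is the default)."""
    block = re.search(r"config switch-controller system\n(.*?)\nend", config, re.S)
    value = re.search(r"set data-sync-interval (\d+)", block.group(1)) if block else None
    return int(value.group(1)) if value else 0

def audit(config):
    """Flag settings that leave detection gaps or place detection where OS detection is unreliable."""
    findings = []
    for name, s in parse_interfaces(config).items():
        role = s.get("role", "undefined")  # assumption: missing 'set role' means undefined
        enabled = s.get("device-identification", "disable") == "enable"
        if role == "wan" and enabled:
            findings.append((name, "device-identification enabled on a WAN-role interface"))
        elif not enabled:  # LAN, DMZ or undefined role without device detection
            findings.append((name, "device-identification not enabled"))
    if data_sync_interval(config) == 0:
        findings.append(("switch-controller", "data-sync-interval is 0: FortiSwitch-learned devices not synced"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```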

 

Related documents:

Device Inventory
FortiSwitch Administration Guide