Description

This article describes how to enable 'Device Detection' to allow FortiOS to monitor networks and gather information about units operating on those networks.

Scope

FortiOS versions 6.2.1 and above.
The device detection and identification feature creates a database of discovered devices in the memory of the FortiGate unit. Depending on the size of the network, this database can become quite big. Therefore, consider this aspect when enabling device-identification of low-end models (under 200-Series). Also, it is not recommended to enable this feature on Wifi or Guest-Wifi interfaces that serve a large number of clients, as the database size will grow exponentially.

Solution

It is possible to enable 'Device Detection' to allow FortiOS to monitor networks and gather information about devices operating on those networks, including:

• MAC address.
• IP address.
• Operating system.
• Hostname.
• Username.
• Endpoint tags.
• When FortiOS detected the unit and on which interface.

It is possible to enable 'Device Detection' separately on each interface in Network -> Interfaces.
'Device Detection' is intended for devices that are directly connected to LAN and DMZ ports. The widget is only available when the Interface Role is LAN, DMZ, or Undefined. It is not available when the role is WAN.

If enabled on a WAN port, 'Device Detection' can be unable to determine the OS on some units.
It is possible to enable active scanning on the interface to find hosts whose unit types FortiOS cannot determine passively.

It is also possible to manually add units to the 'Device Inventory' to ensure that a device with multiple interfaces displays as a single device.

To view the device inventory monitor in the GUI:
Go to Dashboard -> Users & Devices.

Note:

In newer versions such as 7.4.2, 7.4.3, 7.4.4, 7.4.5, and 7.6.0 Users & devices options are replaced with Assets and Identities.