| Description | This article describes the behavior of the 'Device vulnerability lookup on FortiGuard' system event and explains how to suppress these log alerts on FortiGates. |
| Scope | FortiGate, FortiOS, FortiGuard |
| Solution |
Users may observe frequent system event logs on the FortiGate with the following log description:
date=2024-09-04 time=16:36:05 eventtime=1725438965395795389 tz="+0800" logid="0100020150" type="event" subtype="system" level="notice" vd="root" logdesc="Device vulnerability lookup on FortiGuard" mac="11:22:33:44:55:66" ip=172.16.116.100 vendor="Yealink" product="voip_phone" model="SIP-T46S" versionmin="66.84.0.125" versionmax="N/A" vulnresult="unknown" vulncnt=0
This log entry is generated when the FortiGate performs an IoT device vulnerability check by querying FortiGuard for information on connected endpoints. These queries are triggered by device detection features enabled on the interface.
In networks with many devices, especially phones or unmanaged IoT devices, this lookup can occur frequently, leading to high log volume.
To reduce or eliminate these logs, disable device detection on the interface where the affected devices are connected:
This will stop the FortiGate from querying FortiGuard for device vulnerability lookups and prevent the generation of these specific logs.
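Before disabling device detection, it is worth measuring which devices generate these events and whether any lookup returned a non-zero `vulncnt`, since that visibility is lost once the lookups stop. The following is an added example, not Fortinet code: it parses log lines in the format shown above, and the sample lines, the second device and its `vulnresult` value are constructed for illustration.

```python
import re
from collections import Counter

LOOKUP_DESC = "Device vulnerability lookup on FortiGuard"
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample input modelled on the log line in this article.
YEALINK = ('date=2024-09-04 time=16:36:05 logid="0100020150" type="event" subtype="system" '
           'level="notice" vd="root" logdesc="Device vulnerability lookup on FortiGuard" '
           'mac="11:22:33:44:55:66" ip=172.16.116.100 vendor="Yealink" product="voip_phone" '
           'model="SIP-T46S" versionmin="66.84.0.125" versionmax="N/A" vulnresult="unknown" vulncnt=0')
# Hypothetical device; "constructed-value" is a placeholder, not a documented FortiOS value.
CAMERA = ('date=2024-09-04 time=16:37:10 type="event" subtype="system" '
          'logdesc="Device vulnerability lookup on FortiGuard" mac="aa:bb:cc:dd:ee:ff" '
          'ip=172.16.116.101 vendor="ExampleCam" model="X1" vulnresult="constructed-value" vulncnt=2')
OTHER = 'date=2024-09-04 time=16:38:00 type="event" subtype="system" logdesc="Constructed unrelated event"'
SAMPLE_LOGS = [YEALINK] * 3 + [CAMERA, OTHER]

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def summarize(lines):
    """Return (events per device, lookups that reported at least one vulnerability)."""
    per_device = Counter()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("logdesc") != LOOKUP_DESC:
            continue  # ignore every other system event
        per_device[(rec.get("vendor", "?"), rec.get("model", "?"), rec.get("mac", "?"))] += 1
        try:
            count = int(rec.get("vulncnt", "0"))
        except ValueError:
            count = 0  # malformed counter: treat as no finding
        if count > 0:
            findings.append((rec.get("ip"), rec.get("mac"), count))
    return per_device, findings

if __name__ == "__main__":
    per_device, findings = summarize(SAMPLE_LOGS)
    for device, n in per_device.most_common():
        print(n, *device)
    for ip, mac, count in findings:
        print("lookup reported vulnerabilities:", ip, mac, count)
```

Devices that appear in the second list are the ones for which the lookup produced a result, so review them before turning device detection off on their interface.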
Related document: |