Description
This article describes how to disable the device database/device detection completely on the FortiGate.
Going to the interface settings and disabling 'Device detection' is not enough in some cases, because devices can still be populated from other sources, especially when a FortiSwitch is being managed by the FortiGate.
Network administrators may want to disable the device database for troubleshooting, performance or compliance reasons, or when requested to do so by Fortinet Support.
Scope
FortiGate.
Solution
Physical and logical interfaces can have the 'Device detection' option disabled to prevent the FortiGate from parsing discovered endpoint data before populating them into the Device Inventory Dashboard.
This option allows per-interface control of what goes into the device database.
This holds when only the FortiGate itself is in use; how the behaviour changes when other devices such as a FortiSwitch are managed by the FortiGate is described later in this article.
The setting can be changed in the GUI interface settings, or from the CLI:
config system interface
edit "portxx"
set device-identification disable|enable
next
end
The 'per-vdom' setting below controls how long entries remain in the Device Inventory after the endpoint stops sending data. By default, records are deleted after 28 days of inactivity.
config system settings
set discovered-device-timeout 28 <1-365 days>
end
The command below purges the device database manually; ALL records are deleted permanently.
If 'device-identification' is enabled on an interface, the database will normally repopulate as endpoints that are actively sending data are re-learned.
diag user device clear
When a FortiSwitch is managed by the FortiGate, the switch itself can introduce and synchronize endpoint data into the device database, even if all of the options above are disabled.
One of those sources is 'network-assisted' device detection, a global setting applied to ALL managed switches.
config switch-controller network-monitor-settings
set network-monitoring disable
end
The option 'update-user-device' is also enabled by default and pushes device data from the listed sources into the FortiGate's database.
config switch-controller global
set update-user-device mac-cache lldp dhcp-snooping l2-db l3-db
end
It is not possible to fully disable or unset the option 'update-user-device', so in this article it is set to lldp only, meaning the FortiSwitch will only send LLDP-capable devices to the FortiGate, which may drastically reduce the number of objects.
config switch-controller global
set update-user-device lldp
end
When applying these settings for the first time with the aim of disabling and purging the device database, make sure to clear the database after making the changes (use 'diag user device clear').
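As an added example (not part of this article and not a Fortinet tool), the following Python script parses a FortiOS configuration backup and reports which of the settings discussed above still leave a path into the device database: interfaces without 'device-identification disable', 'network-monitoring' not disabled, and 'update-user-device' sources beyond lldp. The configuration excerpt is constructed sample data.

```python
import shlex

# Constructed FortiGate configuration backup excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set device-identification enable
    next
    edit "port2"
        set device-identification disable
    next
end
config switch-controller global
    set update-user-device mac-cache lldp dhcp-snooping l2-db l3-db
end
"""

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end nesting into {path: {key: [values]}}."""
    tree, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as "port1"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(" ".join(args))  # e.g. 'switch-controller global'
        elif kw == "edit":
            stack.append(args[0])         # table entry, e.g. the interface name
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            tree.setdefault(tuple(stack), {})[args[0]] = args[1:]
    return tree

def audit_device_sources(text):
    """Report settings that still feed the device database; absent lines are flagged, not assumed safe
    (backups omit values left at their defaults)."""
    tree, findings = parse_fortios(text), []
    for path, settings in tree.items():
        if len(path) == 2 and path[0] == "system interface":
            if settings.get("device-identification") != ["disable"]:
                findings.append(f"interface {path[1]}: device-identification not disabled")
    nm = tree.get(("switch-controller network-monitor-settings",), {}).get("network-monitoring")
    if nm != ["disable"]:
        findings.append("switch-controller: network-monitoring (network-assisted) not disabled")
    uud = tree.get(("switch-controller global",), {}).get("update-user-device")
    if uud is None or set(uud) != {"lldp"}:
        findings.append("switch-controller: update-user-device sources: "
                        + (" ".join(uud) if uud else "default (all sources)"))
    return findings
```

Run against a backup taken after applying the steps above, an empty findings list means every source described in this article has been closed.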
Troubleshooting:
On FortiOS v7.0.x and below, debugging the src-vis process provides more information on the Device Identification feature:
diag debug application src-vis -1
diag debug enable
On FortiOS v7.2.x and above, src-vis was replaced by cid, so the cid process is debugged instead:
diagnose debug application cid -1
diag debug enable
If the endpoint information comes from a FortiSwitch, for example, the WAD process can be debugged as follows:
diagnose user-device-store unified debug enable
diagnose wad debug enable category info
diagnose wad debug enable level verbose
diag debug enable
By disabling 'device-identification' on interfaces, disabling 'network-assisted' device detection on FortiSwitches, adjusting 'update-user-device', and purging the database with 'diag user device clear', the Device Inventory Dashboard on the FortiGate should appear empty.