FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 277629



This article describes how to disable the device database/device detection completely on the FortiGate. 

Disabling 'Device detection' in the interface settings is not always enough: devices can still be populated from other sources, especially when a FortiSwitch is managed by the FortiGate.


Network administrators may want to disable the device database for troubleshooting, performance or compliance reasons, or when requested to do so by Fortinet Support.








Physical and logical interfaces can have the 'Device detection' option disabled to prevent the FortiGate from learning endpoints seen on that interface and adding them to the Device Inventory dashboard.

This option controls, per interface, what goes into the device database.

This is sufficient when only the FortiGate itself learns devices. The case where other managed devices, such as a FortiSwitch, also feed the database is covered later in this article:




Or from the CLI: 


config system interface
    edit "portxx"
        set device-identification disable
    next
end


The per-VDOM setting below controls how long entries stay in the Device Inventory after the endpoint stops sending traffic. The value is in days (1 to 365); by default, records are deleted after 28 days of inactivity.


config system settings
    set discovered-device-timeout 28
end



The command below purges the device database manually; ALL records are deleted permanently.

If 'device-identification' is still enabled on an interface, the database will repopulate, because endpoints that are actively sending traffic are re-learned.


diag user device clear


When the FortiGate manages a FortiSwitch, the switch itself can introduce and synchronize endpoint data into the device database, even if all of the options above are disabled.

One of those sources is 'network-assisted' device detection, a global setting that applies to ALL managed switches:


config switch-controller network-monitor-settings
    set network-monitoring disable
end



The option 'update-user-device' is also enabled by default and pushes device data learned by the FortiSwitch into the FortiGate's database. Its default value lists every source:


config switch-controller global
    set update-user-device mac-cache lldp dhcp-snooping l2-db l3-db
end


It is not possible to fully disable or unset 'update-user-device', so this article sets it to lldp only; the FortiSwitch then reports only LLDP-capable devices to the FortiGate, which can drastically reduce the number of objects.


config switch-controller global
    set update-user-device lldp
end


If these settings are being applied for the first time with the goal of disabling and purging the device database, clear the database after making the changes (using 'diag user device clear'); otherwise the entries learned before the change remain until they time out.
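The complete procedure on one FortiGate, as an added example that is not part of the original article. It assumes two LAN-facing interfaces named port1 and port2, a single VDOM (with multiple VDOMs, run 'config system settings' inside the VDOM), a model with the switch controller in use, and a 1-day retention instead of the default 28; adjust these to the environment. The 'show', 'get' and 'diagnose user device list' commands are verification steps added here; the 7.2+ 'diagnose user-device-store' listing is given as an alternative and is an assumption to check against the firmware in use.

```fortios
# Added example: disable every source of device inventory data, then purge.
# Interface names, VDOM and timeout value are assumptions for this example.

# 1. Stop the FortiGate from learning endpoints on the LAN interfaces.
config system interface
    edit "port1"
        set device-identification disable
    next
    edit "port2"
        set device-identification disable
    next
end

# Verify: each interface must show "set device-identification disable".
show system interface port1 | grep device-identification
show system interface port2 | grep device-identification

# 2. Shorten retention for anything still learned from another source
#    (per VDOM, in days; 1 instead of the default 28).
config system settings
    set discovered-device-timeout 1
end

# 3. Stop managed FortiSwitches from feeding the database:
#    network-assisted detection off, and only LLDP neighbours reported
#    (update-user-device cannot be unset, so lldp is the minimum).
config switch-controller network-monitor-settings
    set network-monitoring disable
end
config switch-controller global
    set update-user-device lldp
end

# Verify the switch-controller side.
get switch-controller global | grep update-user-device

# 4. Purge what was learned before the change, then confirm the inventory
#    stays empty. Run the listing again after a few minutes: any entry
#    that reappears points to a source that is still enabled.
diagnose user device clear
diagnose user device list

# On FortiOS 7.2 and later the device store can also be listed with
# (assumed command, verify on the running firmware):
diagnose user-device-store device memory list
```

If an entry reappears after the purge, check which source it came from: an interface that still has 'device-identification enable', a FortiSwitch whose data arrives through 'update-user-device', or 'network-monitoring' left enabled.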




On FortiOS 7.0.x and earlier, the src-vis debug provides more information on the Device Identification feature:


diag debug application src-vis -1

diag debug enable


On FortiOS 7.2.x and later, src-vis was replaced by cid, so the CID debug is used instead:


diagnose debug application cid -1 

diag debug enable 


If the endpoint information comes from a FortiSwitch, for example, the user-device-store and WAD debugs can be enabled as follows:


diagnose user-device-store unified debug enable
diagnose wad debug enable category info
diagnose wad debug enable level verbose

diag debug enable

Stop the debug output when finished with 'diag debug disable' followed by 'diag debug reset', so that the verbose logging does not remain active on the unit.


By disabling 'device-identification' on the interfaces, disabling 'network-assisted' device detection for the FortiSwitches, restricting 'update-user-device', and purging the database with 'diag user device clear', an empty Device Inventory dashboard can be observed on the FortiGate.



