| Description | This article describes how to use the filter in the Dashboard -> Assets & Identities. |
| Scope | FortiGate. |
| Solution |
If one wants to monitor the current status of users and devices connected to the network, a new feature is available on the 7.4.0 OS version. All of the widgets can be expanded to be viewed as monitors. In the monitor view, it is possible to create firewall addresses, de-authenticate a user, or remove a device from the network. Assets and Identities can be found under the Dashboard GUI.
Below are some widgets that can show the following information :
Device Inventory: List Hardware and software connected to the network. Firewall users: List and monitor users logged in to the network. Quarantine: Monitor quarantine devices. Matched NAC Devices: Monitor VLANs assigned to devices by FortiSwitch NAC policies.
Device Inventory Monitoring and Filtering. First, it is necessary to enable device detection on the interface: Network -> Interface -> Device Detection Enable.
By doing this, it will allow FortiOS to monitor the network and to collect information regarding the operational devices in the same subnet with this interface, such as MAC Address, IP Address, Hostname, OS, Username, Vulnerabilities, Status, Endpoint Tags, and FortiClient User information. The widget is only available when the Interface Role is LAN, DMZ, or Undefined.
When selecting the MAC address under Assets, it is possible to find more information regarding the device, like Operating System, Interface, Online Interface, etc. To get information for a specific device, it is possible to use a filter for different columns like hostname, MAC address or IP address, device, Software OS, and Interface:
Each view has a drop-down option to view the information within different time frames (Latest, 1 hour, 24 hours, and 7 days). Vulnerability information is displayed when applicable. The page displays user and device relationships, such as which users are logged in to multiple devices or if multiple users are logged in to a single device.
Note: Device detection on FortiGate relies on MAC addresses. When enabled on an interface, it assumes that traffic originates directly from devices within the same subnet. If traffic is routed from a different subnet, the original device's MAC address is replaced by the MAC address of the router’s outgoing interface due to Layer 2 behaviour. As a result, FortiGate will only detect the router’s MAC address, not the end device's, leading to inaccurate device information.
This is especially relevant in cloud environments like Azure. Virtual machines (VMs) often reside in protected subnets that differ from the Azure FortiGate's internal subnet. Traffic from these VMs is routed through the Azure SDN virtual router. Consequently, if device detection is enabled on the FortiGate's internal interface, it will detect the MAC address of the SDN router rather than that of the VM. In such scenarios, device detection is not suitable.
Related document: |
