FortiMonitor is a holistic, SaaS-based digital experience and network performance monitoring solution which combines monitoring, network incident management, automation, and network configuration management into a single source of truth
Article Id 291694
Description This article describes the Onsight discovery and discovery rule configuration.

FortiMonitor, Onsight, Auto-discovery.

Solution Onsight auto-discovery: 

It is a feature that helps in discovering network devices and servers in the network. Additionally, it enables the detection of ports based on the ports selected in the discovery rule. It is possible to read more about it here.


When a discovery is triggered for a network device multiple steps are performed:

  1. ICMP scan is initiated to check the connectivity.
  2. TCP scan is done for the ports selected under the discovery rule.
  3. UDP scan will be performed next. By default, the port selected will be 161.
  4. Lastly, the SNMPwalk will be done with the credentials configured on the FortiMonitor. Additionally, there are two important aspects of the SNMPwalk:
    • SNMPwalk will run against all the hosts that have port '161' open.
    • If the SNMPwalk is not complete due to a 'timeout' or 'incorrect credentials' then the SNMPwalk will be attempted four more times before skipping the network device.

Below are the steps performed when a discovery is triggered for a server:

  1. ICMP scan from the Onsight will be initiated to check the connectivity.
  2. TCP scan will be performed next for the ports that were selected or added under the discovery rule.


Note: It is important to know how a network is defined under the discovery rule. There are multiple steps involved for an auto-discovery to complete (both Server and Network device) and display the devices. The discovery time depends on the size of the network defined under the discovery rule.


The discovery logs can be viewed or fetched from Onsight, below are the steps for it:

  1. SSH to the Onsight collector.
  2. Switch to onsight shell: sudo onsight shell.
  3. To view the live logs run the command: tail -f /var/log/appliance-discovery/discoveryengine.log.

When a discovery rule is created or edited, the rule set will kick off right after. Below is an example log that displays the start of the discovery:

2023-12-13 06:56:22,960 INFO Performing discovery on range 1
2023-12-13 06:56:22,962 INFO Queueing do_network_scan_discovery discovery, current queue depth: 0
2023-12-13 06:56:22,963 INFO Starting network scan discovery 1 for
2023-12-13 06:56:22,972 INFO Performing ICMP scan for discovery range 1 (
2023-12-13 06:56:58,058 INFO Performing TCP scan for discovery range 1 ( on selected ports 80,443,21,110,143,25,53,22,3306,554,5432,1433,5222,995,993,587
2023-12-13 06:58:52,396 INFO Performing UDP scan for discovery range 1 ( on ports 161,1024
2023-12-13 07:00:34,542 INFO Attempting SNMP connection to with credential 2288
2023-12-13 07:00:34,542 INFO Performing walk: /usr/bin/snmpbulkwalk-fm --hexOutputLength=0 -r 1 -t 1 -Ir -OnUq -Oe -v2c <AUTH>