FortiMonitor
FortiMonitor is a holistic, SaaS-based digital experience and network performance monitoring solution which combines monitoring, network incident management, automation, and network configuration management into a single source of truth
Rahulv
Staff
Article Id 291694
Description This article describes the Onsight discovery and discovery rule configuration.
Scope

FortiMonitor, Onsight, Auto-discovery.

Solution Onsight auto-discovery: 

Onsight auto-discovery is a feature that discovers the network devices and servers present on a network. It also detects open ports, limited to the ports selected in the discovery rule. It is possible to read more about it here.


When a discovery is triggered for a network device, the following steps are performed in order:

  1. An ICMP scan is initiated to check connectivity.
  2. A TCP scan is performed for the ports selected under the discovery rule.
  3. A UDP scan is performed next. By default, the only port selected is 161.
  4. Lastly, the SNMPwalk is performed with the SNMP credentials configured on FortiMonitor. Two points about the SNMPwalk are important:
    • The SNMPwalk runs against every host that has port 161 open.
    • If the SNMPwalk does not complete because of a timeout or incorrect credentials, it is attempted four more times before the network device is skipped.

Below are the steps performed when a discovery is triggered for a server:

  1. An ICMP scan from the Onsight collector is initiated to check connectivity.
  2. A TCP scan is performed next for the ports selected or added under the discovery rule.


Note: Pay attention to how the network range is defined under the discovery rule. An auto-discovery (for both servers and network devices) involves several steps before the discovered devices are displayed, and the time it takes depends on the size of the network range defined in the rule.


The discovery logs can be viewed or fetched from the Onsight collector as follows:

  1. SSH to the Onsight collector.
  2. Switch to the onsight shell: sudo onsight shell.
  3. To follow the live discovery log, run: tail -f /var/log/appliance-discovery/discoveryengine.log.

When a discovery rule is created or edited, discovery for that rule starts immediately. Below is an example log showing the start of a discovery, from the ICMP scan through the TCP and UDP scans to the first SNMP attempt:

2023-12-13 06:56:22,960 INFO Performing discovery on range 1 @DiscoveryEngine.py:220
2023-12-13 06:56:22,962 INFO Queueing do_network_scan_discovery discovery, current queue depth: 0 @DiscoveryEngine.py:200
2023-12-13 06:56:22,963 INFO Starting network scan discovery 1 for 172.31.16.0/20 @DiscoveryEngine.py:270
2023-12-13 06:56:22,972 INFO Performing ICMP scan for discovery range 1 (172.31.16.0/20) @DiscoveryEngine.py:283
2023-12-13 06:56:58,058 INFO Performing TCP scan for discovery range 1 (172.31.16.0/20) on selected ports 80,443,21,110,143,25,53,22,3306,554,5432,1433,5222,995,993,587 @DiscoveryEngine.py:303
2023-12-13 06:58:52,396 INFO Performing UDP scan for discovery range 1 (172.31.16.0/20) on ports 161,1024 @DiscoveryEngine.py:332
2023-12-13 07:00:34,542 INFO Attempting SNMP connection to 172.31.16.1:161 with credential 2288 @DiscoveryEngine.py:352
2023-12-13 07:00:34,542 INFO Performing walk: /usr/bin/snmpbulkwalk-fm --hexOutputLength=0 -r 1 -t 1 -Ir -OnUq -Oe -v2c <AUTH> 172.31.16.1:161 1.3.6.1.2.1.1.1 @DiscoveryEngine.py:686
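The following Python script is an added example written for this article; it is not part of FortiMonitor or Onsight. It parses discoveryengine.log lines in the format shown above (the sample lines embedded in the script are the ones from this article) and reconstructs the discovery sequence described earlier: it measures how long the ICMP, TCP and UDP phases took for a range, compares the ports the log shows being scanned against the port list the operator expects from the discovery rule (the rule port sets passed in are constructed for the example), and counts SNMP connection attempts per host, which is useful when checking whether a device is being retried because of timeouts or wrong credentials. The log regexes are an assumption based only on the lines shown here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the discoveryengine.log excerpt shown in this article.
SAMPLE_LOG = """\
2023-12-13 06:56:22,960 INFO Performing discovery on range 1 @DiscoveryEngine.py:220
2023-12-13 06:56:22,962 INFO Queueing do_network_scan_discovery discovery, current queue depth: 0 @DiscoveryEngine.py:200
2023-12-13 06:56:22,963 INFO Starting network scan discovery 1 for 172.31.16.0/20 @DiscoveryEngine.py:270
2023-12-13 06:56:22,972 INFO Performing ICMP scan for discovery range 1 (172.31.16.0/20) @DiscoveryEngine.py:283
2023-12-13 06:56:58,058 INFO Performing TCP scan for discovery range 1 (172.31.16.0/20) on selected ports 80,443,21,110,143,25,53,22,3306,554,5432,1433,5222,995,993,587 @DiscoveryEngine.py:303
2023-12-13 06:58:52,396 INFO Performing UDP scan for discovery range 1 (172.31.16.0/20) on ports 161,1024 @DiscoveryEngine.py:332
2023-12-13 07:00:34,542 INFO Attempting SNMP connection to 172.31.16.1:161 with credential 2288 @DiscoveryEngine.py:352
2023-12-13 07:00:34,542 INFO Performing walk: /usr/bin/snmpbulkwalk-fm --hexOutputLength=0 -r 1 -t 1 -Ir -OnUq -Oe -v2c <AUTH> 172.31.16.1:161 1.3.6.1.2.1.1.1 @DiscoveryEngine.py:686
"""

# Assumed line layout (derived from the sample above): "<timestamp> <level> <message> @<source>:<line>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) (?P<msg>.*?) @(?P<src>\S+)$"
)
PHASE_RE = re.compile(
    r"Performing (?P<phase>ICMP|TCP|UDP) scan for discovery range (?P<rid>\d+) "
    r"\((?P<cidr>[\d./]+)\)(?: on (?:selected )?ports (?P<ports>[\d,]+))?"
)
SNMP_RE = re.compile(r"Attempting SNMP connection to (?P<host>[\d.]+):(?P<port>\d+) with credential (?P<cred>\d+)")


def parse_log(text):
    """Return (timestamp, message) tuples for well-formed lines; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["msg"]))
    return events


def scan_phases(events):
    """Group the ICMP/TCP/UDP phase starts by discovery range id, in log order."""
    phases = {}
    for ts, msg in events:
        m = PHASE_RE.search(msg)
        if m:
            ports = [int(p) for p in m["ports"].split(",")] if m["ports"] else []
            phases.setdefault(m["rid"], []).append(
                {"phase": m["phase"], "cidr": m["cidr"], "start": ts, "ports": ports}
            )
    return phases


def phase_durations(events, range_id):
    """Seconds spent per phase. A phase ends when the next phase starts; the last phase
    ends at the first SNMP attempt logged after it (the walk stage of the discovery)."""
    phases = scan_phases(events).get(range_id, [])
    if not phases:
        return {}
    snmp_start = next(
        (ts for ts, msg in events if SNMP_RE.search(msg) and ts >= phases[-1]["start"]), None
    )
    out = {}
    for i, ph in enumerate(phases):
        end = phases[i + 1]["start"] if i + 1 < len(phases) else snmp_start
        if end is not None:
            out[ph["phase"]] = round((end - ph["start"]).total_seconds(), 3)
    return out


def ports_outside_rule(events, range_id, rule_ports):
    """Ports the log shows being scanned that are not in the expected rule port sets.
    rule_ports maps a phase name ('TCP'/'UDP') to the set of ports the rule should cover."""
    diff = {}
    for ph in scan_phases(events).get(range_id, []):
        extra = sorted(set(ph["ports"]) - set(rule_ports.get(ph["phase"], set())))
        if extra:
            diff[ph["phase"]] = extra
    return diff


def snmp_attempts_per_host(events):
    """Count SNMP connection attempts per host:port; repeated attempts for one host
    indicate the retry path (timeout or incorrect credentials) described in the article."""
    counts = Counter()
    for _, msg in events:
        m = SNMP_RE.search(msg)
        if m:
            counts[f"{m['host']}:{m['port']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    # Constructed rule port sets for the example: the TCP list matches the rule in the
    # sample log, while the UDP set is the article's default of port 161 only.
    rule = {"TCP": {80, 443, 21, 110, 143, 25, 53, 22, 3306, 554, 5432, 1433, 5222, 995, 993, 587},
            "UDP": {161}}
    print("phase durations (s):", phase_durations(ev, "1"))
    print("ports scanned beyond the expected rule:", ports_outside_rule(ev, "1", rule))
    print("SNMP attempts per host:", snmp_attempts_per_host(ev))
```

On the sample log the script reports roughly 35 s for the ICMP phase, 114 s for TCP and 102 s for UDP across the /20, which illustrates the note above about discovery time scaling with the size of the range. Comparing the scanned ports with the expected rule makes it easy to spot a rule that scans more than intended, and a host that shows several SNMP attempts in a row is the one to check for SNMP reachability or credential configuration.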