FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 385014
Description This article describes how the TCP/UDP device profiling method works and how to check profiling results when the rule does not match.
Scope FortiNAC-F.
Solution

When the TCP or UDP method is used for device profiling, FortiNAC runs the nmap scanner against the host to identify which of the configured ports are open.

The following things should be taken into consideration:

  1. The ports entered are logically AND-ed: every comma-separated port must be identified by FortiNAC as open for the rule to match.
  2. The port state must be 'OPEN' for all selected ports; any other state (for example closed or filtered) causes the rule not to match.


Figure 1. Creating a Device profiling rule with TCP method.

 

To see the exact nmap command that was run and the resulting profiling decision, enable debugging in the FortiNAC CLI:

 

diagnose debug plugin enable ActiveFingerprint

diagnose tail -F output.nessus

 

To test the rule, go to User & Hosts -> Adapters.

Right-click the adapter of the host and select 'Test Device Profiling rule'.


2025-03-27 15:48:51.940 +0100 [p: default-threadpool; w: 3] DEBUG yams.dpc.TCPPortMethod - cmd = sudo /bsc/campusMgr/bin/internal/nmap -s tcp -p 445,88 -o /home/cm/fingerprints/nmap_tcp_10.10.10.3.xml -ip 10.10.10.3


2025-03-27 15:48:53.249 +0100 [p: default-threadpool; w: 3] DEBUG yams.ActiveFingerprint - performScan() rule = Services_check mac = 00:15:5D:E4:1F:4A method = TCPPortMethod fingerprint = Fingerprint [dbid=null, source=TCP, physAddress=00:15:5D:E4:1F:4A, ipAddress=10.10.10.3, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={OUTPUT=Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-27 15:48 CET
Initiating Connect Scan at 15:48
Scanning 10.10.10.3 [2 ports]
Discovered open port 445/tcp on 10.10.10.3
Completed Connect Scan at 15:48, 1.20s elapsed (2 total ports)
Nmap scan report for 10.10.10.3
Host is up (0.00085s latency).

PORT STATE SERVICE
88/tcp filtered kerberos-sec
445/tcp open microsoft-ds

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
, PORTS=445}]
2025-03-27 15:48:53.249 +0100 [p: default-threadpool; w: 3] DEBUG yams.ActiveFingerprint - performScan(Services_check) Method (TCPPortMethod) does not match data collected

 

The results show the following:

 

88/tcp filtered kerberos-sec
445/tcp open microsoft-ds

 

The rule fails because port 88/tcp is in state FILTERED rather than OPEN.

 

A filtered state means nmap received no response for that port, so FortiNAC cannot determine whether it is open or closed: either the probe packets are dropped by a firewall, or the reply is not allowed to reach FortiNAC.
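To reproduce this evaluation offline, the following is an added example (not FortiNAC code) that parses the nmap text block from the debug log and applies the same AND-of-open-ports logic, reporting which port caused the mismatch. The sample output is constructed to mirror the log above; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the OUTPUT attribute in the debug log
# (not captured from a real system).
SAMPLE_OUTPUT = """\
Nmap scan report for 10.10.10.3
Host is up (0.00085s latency).

PORT    STATE    SERVICE
88/tcp  filtered kerberos-sec
445/tcp open     microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
"""

# Matches the per-port lines of nmap's normal output, e.g. "445/tcp open microsoft-ds".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)(?:\s+(\S+))?", re.MULTILINE)


def parse_port_states(nmap_output: str) -> Dict[Tuple[int, str], str]:
    """Return {(port, protocol): state} for every port line in the nmap output."""
    return {(int(p), proto): state for p, proto, state, _svc in PORT_LINE.findall(nmap_output)}


def evaluate_rule(rule_ports: str, proto: str,
                  states: Dict[Tuple[int, str], str]) -> Tuple[bool, List[str]]:
    """Apply the TCP/UDP method semantics described above: the comma-separated
    ports are AND-ed and each must be reported as exactly 'open'.
    Returns (matched, reasons); reasons lists every port that broke the rule."""
    reasons: List[str] = []
    for entry in rule_ports.split(","):
        port = int(entry.strip())
        state = states.get((port, proto), "not scanned")
        # 'filtered' (no response) and nmap's 'open|filtered' (common for UDP
        # probes) are not 'open', so they fail the rule just as 'closed' does.
        if state != "open":
            reasons.append(f"{port}/{proto} is {state}")
    return (not reasons, reasons)


if __name__ == "__main__":
    matched, why = evaluate_rule("445,88", "tcp", parse_port_states(SAMPLE_OUTPUT))
    print("rule matched" if matched else "rule does not match: " + "; ".join(why))
```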

These results can also be verified in the FortiNAC GUI under User & Hosts -> Endpoint Fingerprints.

 

Related documents:

Device Profiler Configuration

Technical Tip: Device profiling with the SNMP method

Technical Tip: Device Profiling Rule with the SSH Method

Endpoint Fingerprints