Created on 03-31-2025 02:35 AM Edited on 07-16-2025 01:51 AM
Description: This article describes how the TCP/UDP device profiling method works and how to check profiling results when the rule does not match.
Scope: FortiNAC-F.
Solution:
When TCP or UDP methods are used for device profiling, FortiNAC will utilize the nmap scanner in order to identify open ports on the host. The following things should be taken into consideration:
To check details on the specific Nmap scan command and profiling results, enable debugging in the FortiNAC CLI:
    diagnose debug plugin enable ActiveFingerprint
    diagnose tail -F output.nessus
To test the rule, go to User & Hosts -> Adapters. Select the Adapter of the Host, and 'Right-click' it. Select 'Test Device Profiling rule'.
The results show the following:
    Read data files from: /usr/bin/../share/nmap
    PORT     STATE    SERVICE
    88/tcp   filtered kerberos-sec
The rule fails since Port 88/tcp is in STATE=FILTERED.
This means that FortiNAC cannot determine whether the port is open or closed: either the probe packets are dropped by a firewall, or the host's response is not allowed to reach FortiNAC. These results can also be verified in the FortiNAC GUI under User & Hosts -> Endpoint Fingerprints.
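To make the failure mode concrete, the following is an added example (not FortiNAC's own code) that parses the Nmap PORT/STATE/SERVICE table shown in the debug output and evaluates a profiling rule that requires the listed ports to be open; the Nmap output, host address and rule are constructed, and the rule semantics ("all listed ports must be open") are an assumption. It also covers the UDP case, where Nmap reports "open|filtered" when no reply is received.

```python
import re

# Constructed sample of Nmap's normal output in the form the ActiveFingerprint
# debug shows it (not captured from a real device; host address is made up).
SAMPLE_NMAP_OUTPUT = """\
Read data files from: /usr/bin/../share/nmap
Nmap scan report for 10.0.0.25
Host is up (0.0021s latency).

PORT     STATE    SERVICE
88/tcp   filtered kerberos-sec
135/tcp  open     msrpc
445/tcp  closed   microsoft-ds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_port_states(nmap_output):
    """Return {'88/tcp': 'filtered', ...} from Nmap's PORT/STATE/SERVICE table."""
    states = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            states[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return states

def evaluate_rule(required_ports, port_states):
    """Evaluate a rule (assumed semantics) that needs every listed port to be open.

    Returns (matched, reasons). Any state containing 'filtered' (plain 'filtered'
    for TCP, 'open|filtered' for UDP) is undetermined: the scanner got no answer,
    so neither open nor closed is proven and the rule cannot match on that port.
    """
    reasons = []
    for port in required_ports:
        state = port_states.get(port, "not scanned")
        if state == "open":
            continue
        if "filtered" in state:
            reasons.append(f"{port}: {state} (no response; firewall or dropped reply)")
        else:
            reasons.append(f"{port}: {state}")
    return (not reasons, reasons)

if __name__ == "__main__":
    states = parse_port_states(SAMPLE_NMAP_OUTPUT)
    matched, reasons = evaluate_rule(["88/tcp", "135/tcp"], states)
    print("rule matched" if matched else "rule failed:\n  " + "\n  ".join(reasons))
```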
Related documents: Technical Tip: Device profiling with the SNMP method
Copyright 2025 Fortinet, Inc. All Rights Reserved.