FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 376997
Description: This article describes the steps and verification procedures required to profile devices using the SNMP method.
Scope: FortiNAC.
Solution

When profiling with the SNMP method, FortiNAC sends an SNMP Get Request to the isolated device and expects a response for the queried OID. In the device profiling rule, it is possible to specify which part of the returned string must match for the profiling or categorization to be applied to the device.


This method can be very useful when profiling IoT or 'headless' devices that have no user associated with them. By querying specific OIDs, it is possible to leverage unique attributes of these devices to profile them accurately.


As an example, a Windows device will be profiled through the SNMP method by using OID 1.3.6.1.2.1.1.1.0 (sysDescr), which returns operating system and hardware information.


Step 1: Make sure SNMP is enabled on the device and configured to accept queries from FortiNAC.


In Windows, go to System -> Optional Features and add the feature 'Simple Network Management Protocol (SNMP)'.


Configure and enable the SNMP service by going to Start -> Run and running 'services.msc'.

Figure 1. Enable and Configure the SNMP service on Windows host.


Step 2: Validate SNMP communication and response from FortiNAC.


Using the FortiNAC CLI, it is possible to validate the response returned by the host to be profiled.

This can be done with the snmpwalk tool:


naclab1 # execute enter-shell
naclab1:~$ snmpwalk -v2c -c fortinacCentos 172.16.60.5 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: Intel64 Family 6 Model 140 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 19045 Multiprocessor Free)


The output above confirms that FortiNAC is able to fetch the expected information.

The returned string can be used as the matching criterion for the rule.


Step 3: Configure the Device profiling rule and test if it matches.


In the profiling method, select 'SNMP' and enter the following parameters:

  1. OID.
  2. Security String.
  3. String required to Match.


In this case, the requirement is to match only the OS version. By using '*', it is possible to ignore any characters before and after the required string, so the rule matches on that substring alone.
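As an added example (not FortiNAC's own code), the following Python script reproduces what Step 2 and Step 3 do behind the scenes: it encodes the same SNMPv2c GetRequest for sysDescr that FortiNAC sends, decodes the GetResponse, and applies a 'String required to Match' value with '*' wildcards. The community string, OID, request ID and sysDescr text are the ones visible in the snmpwalk and debug output of this article; encoded this way the request and response come out at 51 and 186 bytes, which are the lengths the debug output reports. The wildcard semantics (only '*' is special, everything else is matched literally against the whole string) is an assumption based on the article's description, and snmp_get() is a helper of this example that sends traffic only when called explicitly.

```python
"""Added example, not FortiNAC code: encode the SNMPv2c GetRequest the SNMP profiling
method sends for sysDescr, decode the GetResponse, and apply '*' rule matching."""
import re
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"
# Sample values taken from the article's snmpwalk and debug output.
COMMUNITY = "fortinacCentos"
REQUEST_ID = 546403932
SAMPLE_SYS_DESCR = ("Hardware: Intel64 Family 6 Model 140 Stepping 1 AT/AT COMPATIBLE"
                    " - Software: Windows Version 6.3 (Build 19045 Multiprocessor Free)")


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v):
    """INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_message(pdu_tag, value_tlv, community=COMMUNITY, request_id=REQUEST_ID):
    """SNMPv2c message: version 1 (= v2c), community, PDU holding one sysDescr varbind."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR_OID) + value_tlv)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def build_get_request(community=COMMUNITY, request_id=REQUEST_ID):
    return snmp_message(0xA0, tlv(0x05, b""), community, request_id)  # GetRequest, NULL value

def build_get_response(value, community=COMMUNITY, request_id=REQUEST_ID):
    return snmp_message(0xA2, tlv(0x04, value.encode()), community, request_id)  # Response

def read_tlv(buf, pos):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(msg):
    """Return (request_id, error_status, sysDescr text) from a one-varbind GetResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = read_tlv(body, 0)      # version
    _, _, pos = read_tlv(body, pos)    # community
    tag, pdu, _ = read_tlv(body, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)     # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    _, vb, _ = read_tlv(vbl, 0)
    oid_tlv = ber_oid(SYS_DESCR_OID)
    if not vb.startswith(oid_tlv):
        raise ValueError("varbind answers a different OID than the one requested")
    vtag, value, _ = read_tlv(vb, len(oid_tlv))
    text = value.decode(errors="replace") if vtag == 0x04 else None  # OCTET STRING only
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), text)

def rule_matches(required, response):
    """'String required to Match': '*' skips any text; everything else must match literally."""
    pattern = ".*".join(re.escape(part) for part in required.split("*"))
    return re.fullmatch(pattern, response, re.DOTALL) is not None

def snmp_get(host, community=COMMUNITY, timeout=2.0):
    """Live GET of sysDescr over UDP/161, the same exchange as the snmpwalk above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_get_response(data)

if __name__ == "__main__":
    resp = build_get_response(SAMPLE_SYS_DESCR)
    print(len(build_get_request()), len(resp))           # 51 186, as in the debug output
    _, _, descr = parse_get_response(resp)
    print(rule_matches("*Windows Version 6.3*", descr))  # True
```

Running the script offline builds the request and a constructed response and prints the two byte counts and the match result; a request-ID and error-status check on the decoded response is what distinguishes a genuine answer from an unrelated datagram, which is why parse_get_response() returns both.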


Figure 2. Configuration of SNMP method in Device profiling rules.


FortiNAC will build Endpoint Fingerprint profiles for information it collects from the SNMP source.

To have a better idea of the built profile, go to Users & Hosts -> Endpoint Fingerprints and filter for source SNMP.

Right-click the entry and select 'Show Attributes'.


Figure 3. Validating Fingerprint Profiles in Endpoint Fingerprints view.


Using the FortiNAC CLI, verify that the rule matches.


  1. Enable CLI debugs and tail output:


naclab1 # diagnose debug plugin enable ActiveFingerprint
naclab1 # diagnose tail -F output.nessus


  2. Select 'Test Rule' by right-clicking the Adapter record in Users & Hosts -> Adapters.


  3. Filtered CLI output will show the following events, which confirm the rule match:


yams.ActiveFingerprint FINER :: 2025-02-17 10:40:06:224 :: #20 :: testRuleMatch() starting rule = Windows_SNMP mac = 00:0C:29:76:58:5D

yams.ActiveFingerprint FINER :: 2025-02-17 10:40:06:225 :: #20 :: testRuleMatch() performing scans. rule = Windows_SNMP mac = 00:0C:29:76:58:5D ip = 172.16.60.5

.

.

yams.dpc.SnmpMethod FINER :: 2025-02-17 10:40:06:227 :: #20 :: performScan() target = 172.16.60.5/161 OID = [1.3.6.1.2.1.1.1.0 = Null]

org.snmp4j.Snmp FINE :: 2025-02-17 10:40:06:227 :: #20 :: Running pending sync request with handle PduHandle[546403932] and retry count left 1

org.snmp4j.transport.DefaultUdpTransportMapping FINE :: 2025-02-17 10:40:06:227 :: #20 :: Sending message to 172.16.60.5/161 with length 51: YYYYYYYYYYY

org.snmp4j.transport.DefaultUdpTransportMapping FINE :: 2025-02-17 10:40:06:230 :: #88 :: Received message from /172.16.60.5/161 with length 186: XXXXXXXXX

yams.dpc.SnmpMethod FINER :: 2025-02-17 10:40:06:231 :: #20 :: SNMP Response. target = 172.16.60.5/161

  RESPONSE[requestID=546403932, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1.0 = Hardware: Intel64 Family 6 Model 140 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 19045 Multiprocessor Free)]]

.

.

yams.ActiveFingerprint FINER :: 2025-02-17 10:40:06:256 :: #20 :: matchRule(Windows_SNMP) Method (SnmpMethod) matches data collected

yams.ActiveFingerprint FINER :: 2025-02-17 10:40:06:256 :: #20 :: testRuleMatch() Rule matches: Windows_SNMP 00:0C:29:76:58:5D [Fingerprint [dbid=null, source=SNMP, physAddress=00:0C:29:76:58:5D, ipAddress=172.16.60.5, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={OID=1.3.6.1.2.1.1.1.0, RESPONSE=Hardware: Intel64 Family 6 Model 140 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 19045 Multiprocessor Free), 1.3.6.1.2.1.1.1.0=Hardware: Intel64 Family 6 Model 140 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 19045 Multiprocessor Free), PORTS=161}]]


Related documents: