FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Article Id 341649
Description This article describes how to use the information in Endpoint Fingerprints to find the source from which Rogues/Hosts are learned.
Scope FortiNAC-F, FortiNAC.
Solution

FortiNAC creates Identity records each time a Host connects and uses the data in these records to build Rogue entries and then profile them automatically if they match a Device Profiling rule that is configured to automatically register. If this fails, the host will remain a Rogue.

 

Attributes for each Identity record can be checked under User & Hosts -> Endpoint Fingerprints by right-clicking a specific entry.

 

Figure 1. Check Attributes for a specific Fingerprint Entry.

 

Figure 1 shows a DHCPv6 fingerprint source and its attributes in the top-right corner. Each attribute can be used as a filter to match a Device Profiling rule that uses a DHCP fingerprint as its method.

 

A separate endpoint fingerprint record is added every time a new fingerprint is heard for a MAC. These can be from different sources and it is possible to select which source will be used to update registered host attributes and their priority under 'Set Source Rank'.

It is important to select the source depending on accuracy and level of information available.

 

Figure 2. Multiple fingerprint sources for the same Host Record.

In Figure 2, it is possible to see different Fingerprint sources for the same Rogue. Some sources will not provide OS or Host Name information and might additionally provide an incorrect 'Device Type' categorization, which FortiNAC then selects when registering the host.

Examples include the 'RADIUS Auth Requests', 'FortiGuard', or 'Active' sources. As seen in Figure 2, there is no data stored in the OS and Hostname columns for these sources. Device type also shows the icon of a Server from the 'FortiGuard' source, while DHCPv6 reports a 'W' (Windows) device type.

In User & Hosts -> Endpoint Fingerprints -> Set Source Rank, it is possible to rearrange rank and enable/disable 'update registered' option for each fingerprint source.

 

Figure 3. Enabling the 'Update Registered' hosts option for the DHCPv6 source and moving it to first rank.

 

At this point, FortiNAC will update records in 'Host View' with DHCPv6 source information as the first priority. If there is no DHCPv6 record for the host, it will continue down the list to the next source.

As per Figure 2, the Host will be updated with OS = Windows 10, Hostname = FortiDC, and Device type = Windows.
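The selection described above can be modelled as a small ranking walk. The following Python is an added illustration, not FortiNAC code: it reproduces the behaviour the article describes (the top-ranked source that has a record for the MAC wins, otherwise fall through to the next source, and only the most recently heard record per source counts) on constructed fingerprint records shaped like those in Figure 2. The MAC, timestamps and the older 'Windows 7' DHCPv6 record are constructed; treating a source with 'Update Registered' disabled as if it had no record for an already registered host is an assumption, and missing attributes are deliberately not filled in from lower-ranked sources because the article does not describe per-attribute merging.

```python
"""Model of FortiNAC 'Set Source Rank' attribute selection (added example, not FortiNAC code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    """One Endpoint Fingerprint row: where it was heard and what it reported."""
    mac: str
    source: str
    heard_at: int  # constructed epoch seconds, used to keep the latest record per source
    os: Optional[str] = None
    hostname: Optional[str] = None
    device_type: Optional[str] = None


@dataclass(frozen=True)
class SourceRank:
    """One row of 'Set Source Rank', listed best-first, with its 'Update Registered' toggle."""
    source: str
    update_registered: bool


ATTRS = ("os", "hostname", "device_type")


def latest_per_source(mac: str, fingerprints: List[Fingerprint]) -> Dict[str, Fingerprint]:
    """Keep only the most recently heard record per source for this MAC."""
    latest: Dict[str, Fingerprint] = {}
    for fp in fingerprints:
        if fp.mac.lower() != mac.lower():
            continue
        current = latest.get(fp.source)
        if current is None or fp.heard_at > current.heard_at:
            latest[fp.source] = fp
    return latest


def resolve_host_attributes(mac: str, fingerprints: List[Fingerprint],
                            ranking: List[SourceRank], registered: bool) -> Tuple[Optional[str], Dict[str, Optional[str]]]:
    """Return (winning_source, attributes) for the MAC under the given ranking.

    Walks the ranking top-down and uses the first source that has a record for the
    MAC. For an already registered host, a source whose 'Update Registered' toggle is
    off is skipped (assumption: treated as having no record). Attributes the winning
    source did not report stay None; nothing is merged from lower-ranked sources.
    """
    by_source = latest_per_source(mac, fingerprints)
    for rank in ranking:
        if registered and not rank.update_registered:
            continue
        fp = by_source.get(rank.source)
        if fp is None:
            continue
        return rank.source, {attr: getattr(fp, attr) for attr in ATTRS}
    return None, {}


def identity_changes(old: Dict[str, Optional[str]], new: Dict[str, Optional[str]]) -> List[str]:
    """Attributes whose value differs: what a 'Host Identity Changed' event would reflect."""
    return sorted(attr for attr in ATTRS if old.get(attr) != new.get(attr))


# Constructed records modelled on Figure 2: only DHCPv6 carries OS and hostname,
# FortiGuard reports a 'Server' device type, and RADIUS reports nothing useful.
SAMPLE_MAC = "00:11:22:33:44:55"  # placeholder MAC
SAMPLE_FINGERPRINTS = [
    Fingerprint(SAMPLE_MAC, "RADIUS Auth Requests", 1000),
    Fingerprint(SAMPLE_MAC, "FortiGuard", 1010, device_type="Server"),
    Fingerprint(SAMPLE_MAC, "DHCPv6", 1005, os="Windows 7", hostname="FortiDC", device_type="Windows"),
    Fingerprint(SAMPLE_MAC, "DHCPv6", 1020, os="Windows 10", hostname="FortiDC", device_type="Windows"),
]

# Ranking before the change in Figure 3 (FortiGuard ahead of DHCPv6) and after it.
RANK_BEFORE = [SourceRank("FortiGuard", True), SourceRank("DHCPv6", False),
               SourceRank("RADIUS Auth Requests", False)]
RANK_AFTER = [SourceRank("DHCPv6", True), SourceRank("FortiGuard", True),
              SourceRank("RADIUS Auth Requests", False)]


if __name__ == "__main__":
    src_b, attrs_b = resolve_host_attributes(SAMPLE_MAC, SAMPLE_FINGERPRINTS, RANK_BEFORE, registered=True)
    src_a, attrs_a = resolve_host_attributes(SAMPLE_MAC, SAMPLE_FINGERPRINTS, RANK_AFTER, registered=True)
    print("before:", src_b, attrs_b)   # FortiGuard wins: no OS, no hostname, device_type Server
    print("after: ", src_a, attrs_a)   # DHCPv6 wins: Windows 10 / FortiDC / Windows
    print("changed:", identity_changes(attrs_b, attrs_a))
```

Running it shows why the rank order matters: with FortiGuard first the registered host keeps a 'Server' device type and empty OS and hostname, and moving DHCPv6 to first rank with 'Update Registered' enabled yields the Windows 10 / FortiDC / Windows values from Figure 2; the `identity_changes` list is the set of attributes a 'Host Identity Changed' event would report after the re-ranking.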

When a new fingerprint is heard for a MAC, or an existing fingerprint is updated for that MAC address, FortiNAC generates 'Host Identity Changed' events because the attributes changed or were updated with a newer timestamp. If the Host is using the Persistent Agent and Endpoint Compliance policies are applied, FortiNAC will re-evaluate them because it has detected an attribute/identity change. In the host's event logs, 'Security test applied..' events generated by the scan the agent performs should then be expected.

 
