FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
AndeCarv
Staff
Article Id 295138

Description


This article describes how to use Port Mirroring (SPAN) to assist FortiNAC in profiling devices.


Scope


FortiNAC, FortiNAC-F.


Solution


FortiNAC is capable of monitoring some network packets to profile devices. DHCP Fingerprints are the most common, since DHCP packets may carry endpoint information.

One way to send this information to FortiNAC is Port Mirroring, also known as SPAN: the switch copies selected traffic to FortiNAC's eth0 interface. FortiNAC can then gather new endpoint fingerprints from the mirrored network traffic, which assists it with device profiling.


To optimize computing resources on both FortiNAC and the switch, apply filters that specify which network packets are sent to FortiNAC's eth0 interface. For example, filter for UDP ports 67 and 68 (the DHCP server and client ports).
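To show what FortiNAC can learn from the mirrored DHCP traffic described above (UDP 67/68), here is an added example, not Fortinet code: it applies the port filter and extracts the fields that typically make up a DHCP fingerprint (option 55 parameter request list, option 60 vendor class, option 12 hostname) from a constructed DHCP DISCOVER packet. The field names and the sample packet are assumptions for illustration.

```python
# Added example (not Fortinet code): filter for DHCP and parse a DHCP
# client packet as it would arrive on FortiNAC's eth0 via SPAN.
DHCP_PORTS = {67, 68}  # UDP ports the mirror filter should forward

def udp_passes_filter(src_port: int, dst_port: int) -> bool:
    """Mirror filter: keep only DHCP client/server traffic."""
    return src_port in DHCP_PORTS or dst_port in DHCP_PORTS

def parse_dhcp_options(payload: bytes) -> dict:
    """Walk the DHCP options (RFC 2132) after the 240-byte fixed header."""
    if len(payload) < 240 or payload[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dhcp_fingerprint(payload: bytes) -> dict:
    """Return the fields commonly used to fingerprint the DHCP client."""
    opts = parse_dhcp_options(payload)
    return {
        "mac": ":".join(f"{b:02x}" for b in payload[28:34]),   # chaddr
        "message_type": opts.get(53, b"\x00")[0],
        "param_list": ",".join(str(b) for b in opts.get(55, b"")),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }

# Constructed sample: DHCP DISCOVER from client MAC 00:11:22:33:44:55
SAMPLE = (
    b"\x01\x01\x06\x00" + b"\x39\x03\xf3\x26" + b"\x00\x00\x80\x00"  # op..flags
    + b"\x00" * 16                                   # ciaddr..giaddr
    + bytes.fromhex("001122334455") + b"\x00" * 10   # chaddr (16 bytes)
    + b"\x00" * 192                                  # sname + file
    + b"\x63\x82\x53\x63"                            # magic cookie
    + b"\x35\x01\x01"                                # opt 53: DISCOVER
    + b"\x3c\x08MSFT 5.0"                            # opt 60: vendor class
    + b"\x0c\x05host1"                               # opt 12: hostname
    + b"\x37\x05\x01\x03\x06\x0f\x1f"                # opt 55: param request list
    + b"\xff"                                        # end
)
```

Running `dhcp_fingerprint(SAMPLE)` yields the parameter-request order `1,3,6,15,31` and vendor class `MSFT 5.0`, the kind of signature a profiler matches against its fingerprint database.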


Since each switch has its own CLI syntax, this article won't cover commands to configure port mirrors on switches, but it is possible to check how to configure Port Mirroring on FortiSwitches here.


Note:

FortiNAC has two interfaces: eth0 and eth1. eth0 may be used for endpoint profiling, but eth1 should not be, since it is used mainly for isolation purposes. Therefore, it is not possible to send network traffic (mirrored or not) to FortiNAC's eth1 interface to profile devices.
