FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 191302

Description

 

This article describes the case where a Device Profiling Rule using the DHCP Fingerprint method does not match when a rogue host first connects. However, the rule matches the second time the host is evaluated (either by re-running the rule or by deleting the host from Users & Hosts -> Host and reconnecting).

This behavior can occur if the DHCP fingerprint is not received before the host is evaluated by the rule.  Once the DHCP fingerprint containing the hostname is received, it is saved in the database.  Since the information is now available, the host will match upon re-evaluation. 

Diagnose:
 
  1. Enable ActiveFingerprint debug in the FortiNAC CLI:
    CentOS: nacdebug -name ActiveFingerprint true
    FortiNAC-OS: diagnose debug plugin enable ActiveFingerprint
  2. Tail the output.nessus log.
    CentOS:  tail -F /bsc/logs/output.nessus | grep -i fingerprint
    FortiNAC-OS:  diagnose tail -F output.nessus
  3. Connect a new host to the network.
 
If fingerprint data is not received in time, the following message appears: 'No fingerprint data found for rule. Putting back on queue. Rule …'.

Scope
Version: 9.x, vF7.x

Solution
Once the rogue record is created, the system waits 3 minutes to receive a fingerprint by default. 
 
Note: Profiling waits for fingerprint information before evaluating. Therefore, increasing the wait time for fingerprints will increase the time it takes to evaluate a host. Testing should be done to verify the appropriate amount of time to wait for the data. 

 

Timers for fingerprint evaluation are set in the following file on the Application Server:
 
/bsc/campusMgr/nessus_loader/properties_plugin/activeFingerprint.properties
scanRetryDelay=60000
serviceGracePeriod=120000

Rogue record creation time = RCTIME
 
By default, during rule evaluation the system waits until RCTIME plus 2 minutes ('serviceGracePeriod=120000') for DHCP fingerprint data.

If there is no fingerprint data, the rogue is put back in the queue for 1 minute ('scanRetryDelay=60000').

 

CentOS: Increase 'serviceGracePeriod' to allow more time to receive a fingerprint.

FortiNAC-OS: Wait time cannot be changed.
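
For CentOS appliances, the following added example (not Fortinet tooling and not part of the original article) reads the two timers from a properties file and counts the re-queue messages in a log, which helps confirm whether hosts are being evaluated before their fingerprint arrives. The sample inputs are constructed: the timer values and message text come from this article, while the log line layout and the rule name EXAMPLE-RULE are assumptions.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): inspect fingerprint timers and re-queues.

# Print the value of KEY ($2) from a Java-style properties FILE ($1).
# Comment lines (# or !) are skipped; the last assignment wins.
get_timer_ms() {
    awk -F= -v key="$2" '
        /^[ \t]*[#!]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t\r]/, "", v); val = v }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# Count log lines that carry the re-queue message quoted in the article.
count_requeues() {
    grep -c -F 'No fingerprint data found for rule. Putting back on queue.' "$1" || true
}

# Report both timers in seconds plus the number of re-queue messages seen.
report() {
    grace=$(get_timer_ms "$1" serviceGracePeriod) || { echo "serviceGracePeriod missing" >&2; return 1; }
    retry=$(get_timer_ms "$1" scanRetryDelay) || { echo "scanRetryDelay missing" >&2; return 1; }
    echo "serviceGracePeriod: $((grace / 1000))s after rogue record creation"
    echo "scanRetryDelay:     $((retry / 1000))s before a re-queued host is retried"
    echo "re-queue messages:  $(count_requeues "$2")"
}

# Constructed sample input so the script runs anywhere. Timer values are the
# defaults from the article; the log line layout and rule name are made up.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/props" <<'EOF'
# serviceGracePeriod=999
scanRetryDelay = 60000
serviceGracePeriod=120000
EOF
cat > "$DEMO/log" <<'EOF'
10:00:01 ActiveFingerprint No fingerprint data found for rule. Putting back on queue. Rule EXAMPLE-RULE
10:00:30 ActiveFingerprint unrelated debug line
10:01:01 ActiveFingerprint No fingerprint data found for rule. Putting back on queue. Rule EXAMPLE-RULE
EOF

report "$DEMO/props" "$DEMO/log"
```

On the appliance, call `report` with the activeFingerprint.properties path and /bsc/logs/output.nessus named in this article instead of the sample files.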

 

 

Related Articles:

Technical Note: View DHCP Fingerprint information received from the production network