FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 197420
Description

 

This article describes the methods by which Host Name and Operating System (OS) information on a host record can be updated, to provide enhanced endpoint visibility. Host record information can be viewed by navigating to User & Hosts -> Host View in the Administration UI.

 

Scope

 

FortiNAC.

 

Solution

 

The following methods can update host attributes with OS and Host Name information.
 
  1. DHCP Fingerprints.

 

When a DHCP packet (Discover, Request or Inform) is heard on the network, the OS and host name information on the existing rogue record is updated. If the host record does not already exist, it is created (regardless of online status).

    • In order to listen for DHCP fingerprints, the IP address helpers (DHCP relay) for the production networks must be configured to point at the eth0/Port1 interface of FortiNAC.
    • Not all DHCP fingerprints provide a host name.
    • The OS cannot always be determined from a DHCP packet. The device's DHCP fingerprint may be unknown, or too similar to the fingerprints of other devices to name an OS.
    • Learned fingerprint information can be viewed in the Administration UI under User & Hosts -> Endpoint Fingerprints.
    • The following article describes how to track rogue hosts through endpoint fingerprints.
    • Rogue entry creation based on learned DHCP fingerprints can be enabled or disabled in System -> Settings -> User/host management -> Device profiler, as shown in Figure 1. Enabling it is not always desirable, since in some network environments it can add a large number of rogue hosts from unmanaged areas of the network.

 

Figure 1. Enable the option to create Rogue entries from received DHCP packets.
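To make the DHCP-fingerprint mechanism and its two caveats concrete (a packet may carry no host name, and the parameter request list may be unknown or shared by several device types), here is an added example that is not FortiNAC code. It parses the client MAC, message type, option 12 (host name), option 60 (vendor class) and option 55 (parameter request list) out of a raw DHCP payload, looks the option 55 list up in a small fingerprint table, and creates or updates one record per MAC the way a rogue record would be. The fingerprint table, the `build_dhcp` helper and the three sample packets are constructed for illustration and are assumptions, not FortiNAC's fingerprint database or matching logic.

```python
"""Derive host name and OS from heard DHCP packets (added example, not FortiNAC code)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
DHCP_MESSAGE_TYPES = {1: "DISCOVER", 3: "REQUEST", 8: "INFORM"}

# Constructed fingerprint table (assumption): option 55 list -> candidate OS names.
# The third entry is deliberately ambiguous to mirror the "too similar" caveat.
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): ["Windows 10"],
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): ["macOS"],
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): ["Android", "Embedded Linux"],
}


def parse_dhcp(packet: bytes) -> dict:
    """Return the NAC-relevant fields from a raw BOOTP/DHCP payload (UDP body)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]                         # hardware address length (6 for Ethernet)
    chaddr = packet[28:28 + hlen]
    info = {"mac": ":".join(f"{b:02x}" for b in chaddr), "msg_type": None,
            "hostname": None, "vendor_class": None, "param_request_list": ()}
    i = 240
    while i < len(packet):                   # walk the TLV option list
        code = packet[i]
        if code == 255:                      # END option
            break
        if code == 0:                        # PAD option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            info["msg_type"] = DHCP_MESSAGE_TYPES.get(value[0], f"type {value[0]}")
        elif code == 12:                     # host name: optional, many clients omit it
            info["hostname"] = value.decode("ascii", "replace")
        elif code == 60:
            info["vendor_class"] = value.decode("ascii", "replace")
        elif code == 55:                     # parameter request list = the fingerprint
            info["param_request_list"] = tuple(value)
    return info


def classify_os(param_request_list) -> str:
    """Map an option 55 list to an OS; 'Unknown' when unseen or shared by several devices."""
    matches = FINGERPRINTS.get(tuple(param_request_list), [])
    return matches[0] if len(matches) == 1 else "Unknown"


def learn_hosts(packets, hosts=None) -> dict:
    """Create or update one record per MAC from heard DHCP packets."""
    hosts = {} if hosts is None else hosts
    for pkt in packets:
        info = parse_dhcp(pkt)
        rec = hosts.setdefault(info["mac"], {"hostname": None, "os": "Unknown"})
        if info["hostname"]:                 # only overwrite when the packet carries option 12
            rec["hostname"] = info["hostname"]
        os_name = classify_os(info["param_request_list"])
        if os_name != "Unknown":             # keep an earlier good match over a later miss
            rec["os"] = os_name
    return hosts


def build_dhcp(mac: bytes, msg_type: int, options: dict) -> bytes:
    """Build a minimal DHCP client packet; used only to construct sample input here."""
    header = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 20   # op..giaddr
    header += mac + b"\x00" * 10 + b"\x00" * 192                        # chaddr, sname, file
    body = bytes([53, 1, msg_type])
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed sample packets: Windows Discover with host name, a Request without
# option 12 whose fingerprint is ambiguous, and an Inform with an unknown fingerprint.
SAMPLE_PACKETS = [
    build_dhcp(b"\x00\x11\x22\x33\x44\x55", 1,
               {12: b"LAPTOP-01", 60: b"MSFT 5.0",
                55: bytes((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252))}),
    build_dhcp(b"\x66\x77\x88\x99\xaa\xbb", 3,
               {55: bytes((1, 3, 6, 15, 26, 28, 51, 58, 59, 43))}),
    build_dhcp(b"\xcc\xdd\xee\xff\x00\x11", 8,
               {12: b"printer-7", 55: bytes((1, 3, 6, 42))}),
]

if __name__ == "__main__":
    for mac, rec in learn_hosts(SAMPLE_PACKETS).items():
        print(mac, rec)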

 

  1. FortiGate firewall session polling.

     

    When a firewall session is read from a modeled FortiGate, OS and host name information is updated for the existing rogue record.  If the host record does not already exist, it is created (regardless of online status).  


    Figure 2. Enable Rogue host creation from polled session data.Figure 2. Enable Rogue host creation from polled session data.

     

     
     
  2. Agent.
     
    Dissolvable or Persistent Agent needs to be installed on the end station in order to update information. Registered host records will not be updated from information obtained from DHCP Fingerprints or firewall sessions.

     

     

  3. MDM Integrations.

     

     

Example with Gsuite integration.

 

FortiNAC collects the following host data from GSuite:

 

  • Operating System.
  • Model (Hardware Type).
  • Host Name.
  • Serial Number.
  • Owner (User).

 

Related documentation:

FortiClient EMS integration