richr
New Contributor

Device Identification and Layer 3 devices

I saw this come up on the new FortiOS 5.2.1 release forum, in regards to device identification and layer 3 devices. See below. I wanted to know how others are identifying devices from the FortiGate if it is connected to a L3 device and running OSPF. I submitted a ticket a while back and the same answer as below is what I received. I was planning on using two 1500Ds or 1000Cs in HA to replace my network core in the next couple of years, but didn't know if there was a workaround now.

"Do the categorizations for the devices stay the same over time? Are all of them browsing the web? Device Identification makes use of MAC manufacturer codes, VCI identifiers in DHCP broadcasts, information in SYN packets, and HTTP user-agent strings. Obviously, not all of this information is available at once. If a host connects, but never generates HTTP port 80 traffic, then all you would have to go on are MAC addresses, if the manufacturer is well-known and matches the brand of the device, and any leaked identity information from NetBIOS traffic, the DHCP broadcast, etc. Are any devices connecting from behind a Layer-3 device where others connect more directly? Another limitation is that the MAC address is how the FortiGate references each device, so if more than one device is sourced from behind the same MAC (i.e., from a router or L3 switch), then the FortiGate has no way of knowing who is ultimately generating the traffic. Best to move this thread to a new topic eventually, if it goes beyond simple answers."
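An added illustration of the limitation in the quoted reply (not part of the original post and not FortiOS code): when evidence is keyed by source MAC, every host behind a router or L3 switch lands in one table entry. The record fields, the sample MAC/IP values, and the TTL-based hop heuristic are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample of per-source evidence seen on a firewall port (not real FortiGate output).
# Fields: (src_mac, src_ip, observed_ttl, dhcp_vci, http_user_agent)
OBSERVATIONS = [
    ("02:00:00:aa:00:01", "10.0.1.10", 128, "MSFT 5.0", "Mozilla/5.0 (Windows NT 10.0)"),
    ("02:00:00:aa:00:02", "10.0.1.11", 64, "android-dhcp-9", None),
    # Three hosts behind an L3 switch: frames arrive with the switch's MAC, TTL is
    # decremented once, and the sample assumes their DHCP broadcasts stop at that hop.
    ("02:00:00:bb:00:fe", "10.0.20.5", 127, None, "Mozilla/5.0 (Windows NT 10.0)"),
    ("02:00:00:bb:00:fe", "10.0.20.6", 63, None, "Mozilla/5.0 (X11; Linux x86_64)"),
    ("02:00:00:bb:00:fe", "10.0.20.7", 63, None, None),
]

INITIAL_TTLS = (64, 128, 255)  # common OS default initial TTL values


def hops_away(ttl):
    """Router hops crossed, assuming the sender used the nearest common initial TTL."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl


def inventory_by_mac(observations):
    """Group evidence the way a MAC-keyed device table would."""
    table = defaultdict(lambda: {"ips": set(), "hints": set(), "max_hops": 0})
    for mac, ip, ttl, vci, ua in observations:
        entry = table[mac]
        entry["ips"].add(ip)
        entry["hints"].update(h for h in (vci, ua) if h)
        entry["max_hops"] = max(entry["max_hops"], hops_away(ttl))
    return dict(table)


def ambiguous_macs(table):
    """MACs that cannot map to a single device: several source IPs or routed traffic."""
    return sorted(mac for mac, e in table.items()
                  if len(e["ips"]) > 1 or e["max_hops"] > 0)


if __name__ == "__main__":
    table = inventory_by_mac(OBSERVATIONS)
    for mac in ambiguous_macs(table):
        e = table[mac]
        print(f"{mac}: {len(e['ips'])} IPs, {len(e['hints'])} distinct hints, "
              f"{e['max_hops']} hop(s) away -> per-device identification unreliable")
```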