rezendecs
New Contributor

Device Identity get wrong IP address

Hi All,

I'm using the "Device Identity" feature.

My device, an Android tablet (TAB_RFLPTM000001), has the MAC address "38:2d:d1:8f:ef:a5". At this moment it gets the IP "10.10.0.201" by DHCP (Windows Server, not the firewall). On the Device Definitions page it shows up using another IP address, "10.10.0.198". Look at the attached ARP table and see that in the ARP table the MAC<->IP relation is correct, but in device definitions it is not. I think that because of this the traffic is not hitting the correct policy.

How does the firewall check the correct IP address of the device?

Any suggestion?

See attached.

 

Regards.

Claudio Rezende
Ralph1973
Contributor

The same issue occurred today at a customer site, when we were looking at the gathered device list.

It looks like this happens when using (LACP) trunks/port channels.

It seemed that we solved the problem by using an unused interface, putting it in the VLAN that you want to monitor, without an IP address (unless you prefer one), and then turning on device monitoring.

Maybe this helps you.

 

Regards,

Ralph Willemsen

Arnhem, Netherlands

emnoc
Esteemed Contributor III

Device identity is not 100% foolproof. Here's what I believe happened:

Your device got an address {10.10.0.198} via MS DHCP. Then it requested another DHCP-provided address {10.10.0.201}, but the FortiGate never updated the device list. I've seen this a half-dozen times or more where the FGT device list is not correct, even the reported device types are not correct (phone vs. tablet).

If I may ask, "What are your DHCP lease times?"

 

Ken

PCNSE NSE StrongSwan
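The check the original poster did by hand (comparing the ARP table with the Device Definitions page) and the stale-lease scenario emnoc describes can be automated. The script below is an added example, not code from the thread or from Fortinet: it parses two constructed text tables, one modelled on an ARP table (the current MAC<->IP binding) and one modelled on a FortiGate device list, and flags every device whose recorded IP no longer matches ARP, including the case where that old IP has since been handed to a different MAC (which is exactly how traffic ends up matched against the wrong identity-based policy). The column layouts, hostnames and the extra MACs are assumptions made up for the example; the tablet's MAC and the two IPs are the ones from the post.

```python
"""Cross-check a device-identity list against the ARP table.

Constructed example data (not captured from a real FortiGate): the ARP
table is treated as ground truth for the current MAC<->IP binding, the
device list is what the Device Identity feature believes.
"""
import ipaddress

# Assumed layout: "ip  mac  interface" per line.
ARP_TABLE = """\
10.10.0.201  38:2d:d1:8f:ef:a5  port1
10.10.0.198  00:11:22:33:44:55  port1
10.10.0.50   aa:bb:cc:dd:ee:ff  port2
"""

# Assumed layout: "mac  ip  type  hostname" per line.
DEVICE_LIST = """\
38:2d:d1:8f:ef:a5  10.10.0.198  Android-Tablet  TAB_RFLPTM000001
aa:bb:cc:dd:ee:ff  10.10.0.50   Printer         PRN01
de:ad:be:ef:00:01  10.10.0.77   Phone           unknown
"""


def norm_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated MAC (also accepts '-' separators)."""
    return mac.strip().lower().replace("-", ":")


def parse_arp(text: str) -> dict[str, str]:
    """Return {mac: ip} from 'ip mac iface' lines; malformed IPs raise ValueError."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or header lines
        ip, mac = parts[0], norm_mac(parts[1])
        ipaddress.ip_address(ip)  # validate before trusting the value
        table[mac] = ip
    return table


def parse_devices(text: str) -> dict[str, dict]:
    """Return {mac: {'ip', 'type', 'name'}} from 'mac ip type name' lines."""
    devices: dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac, ip, kind, name = norm_mac(parts[0]), parts[1], parts[2], parts[3]
        ipaddress.ip_address(ip)
        devices[mac] = {"ip": ip, "type": kind, "name": name}
    return devices


def find_mismatches(arp: dict[str, str], devices: dict[str, dict]) -> list[dict]:
    """Flag devices whose recorded IP disagrees with ARP.

    status 'stale-ip'   : device is in ARP but with a different IP (lease moved)
    status 'not-in-arp' : device MAC currently has no ARP entry at all
    ip_now_held_by      : MAC that currently owns the device list's IP, if any;
                          traffic from that MAC would match the stale identity.
    """
    ip_owner = {ip: mac for mac, ip in arp.items()}  # reverse index ip -> mac
    findings = []
    for mac, dev in sorted(devices.items()):
        if mac not in arp:
            status, arp_ip = "not-in-arp", None
        elif arp[mac] != dev["ip"]:
            status, arp_ip = "stale-ip", arp[mac]
        else:
            continue  # device list agrees with ARP
        findings.append({
            "mac": mac, "name": dev["name"], "status": status,
            "device_ip": dev["ip"], "arp_ip": arp_ip,
            "ip_now_held_by": ip_owner.get(dev["ip"]),
        })
    return findings


def report(findings: list[dict]) -> str:
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        line = f"{f['name']} ({f['mac']}): {f['status']} device-list={f['device_ip']} arp={f['arp_ip']}"
        if f["ip_now_held_by"]:
            line += f"  [{f['device_ip']} is now used by {f['ip_now_held_by']}]"
        lines.append(line)
    return "\n".join(lines) if lines else "device list and ARP agree"


if __name__ == "__main__":
    print(report(find_mismatches(parse_arp(ARP_TABLE), parse_devices(DEVICE_LIST))))
```

Run it against exports taken at the same moment from the same FortiGate; a 'stale-ip' finding whose old IP is now held by another MAC is the one to act on first, since that other host is being matched against the tablet's policy until the device list catches up.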
xsilver_FTNT

emnoc wrote:

Device identity is not 100% fool proof.

Correct, and it cannot be, as it is doing passive fingerprinting from network traffic generated by the device, unless FortiClient is used to make device detection more reliable by providing device identification and reporting the device to the FortiGate. There's no active fingerprinting done as of now.

If you do want foolproof identity-based access, then use at least DHCP done by the FGT with IPs assigned per MAC, or better, do 802.1X with device certificate identification/authentication to the network (wired/wireless).

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
