Hello everyone,
I am using FortiGate 60F with FortiOS 7.2.8. When I opened the Device Inventory Monitor in the management console, it detected as many as 5000 devices. Normally, there are fewer than 100 devices.
No IP addresses are displayed, and the MAC addresses shown are also unnatural. The detected interface v170 segment is a /24 LAN. I believe this detection is a bug. When I restart the FortiGate, it returns to the normal number of devices.
Has anyone else experienced a similar issue?
Hello @earthlab,
If it's not a bug, I think one device on your network did a MAC spoofing attack, because these MAC addresses are created randomly.
If you have a network access control (NAC) device, you can detect that device. Or you can review your FortiGate system logs; maybe FortiGate shows something about that.
Thank you for your response. I also considered the possibility of spoofing, but the number of detected devices is too large for that. Additionally, the detected devices have MAC addresses like 00:00:00:00:00:00, 00:00:00:00:00:01, etc., which seems strange for an attack.
Unfortunately, there is no NAC on this network. This device sends logs to the FortiGate Cloud, but I haven't found any clues there.
I tried to capture MAC addresses on the L2 intelligent switch next to the FortiGate on the v170 side.
* The switch's MAC address-table aging time is over 10 days.
uplink----FG ---*----L2SW**-----other devices.
*It has only one connection, and it runs vlan170.
**The FDB I checked is here.
And then the switch's FDB tables said there were 65 MAC addresses.
But FortiGate said 196 devices.
The 196 devices include multicast-bit addresses, but that is still too many.
I think that, if some device did a MAC spoofing attack, the switch will capture the MAC addresses, won't it?
Normally there are over 50 devices.
Hey earthlab,
I have not seen that before, and as the devices have disappeared post reboot it is hard to say what happened.
If this reoccurs, you can use this command:
#dia user device list
It dumps the devices, including some information on how the devices were detected; that might give you a better idea of where the device entries come from.
You can also clear the device list that way (without needing to reboot):
#dia user device clear
Cheers,
Debbie
@Debbie_FTNT
Thank you for your response.
>#dia user device list
I have the output of the command.
Like
vd root/0 b0:00:00:00:00:00 gen 248084 req OHUSA/3e
created 1969194s gen 228011 seen 1916738s v170 gen 183728
... there is so much output.
I found out what time it was detected, but there were no particular abnormalities during that time.
I'm going to think about detecting MAC address snooping outside of the FortiGate.
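The comparison discussed in this thread (FortiGate device inventory versus the switch FDB) can be scripted. The following is an added example, not part of any post above: it parses output shaped like the two `dia user device list` lines quoted in the thread and flags MAC addresses that look synthetic or that the switch never learned. The record layout is an assumption based only on those two lines, and the sample data and the `triage` helper are constructed for illustration.

```python
import re

# Record layout assumed from the two output lines quoted in the thread;
# other FortiOS builds may print additional fields.
HEAD = re.compile(r"^vd\s+(\S+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)
SEEN = re.compile(r"\bcreated\s+(\d+)s\b.*?\bseen\s+(\d+)s\s+(\S+)")

def parse_devices(text):
    """Return one dict per entry: vdom, mac, created, seen, intf (values as printed)."""
    devices, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if m:
            cur = {"vdom": m.group(1), "mac": m.group(2).lower()}
            devices.append(cur)
            continue
        m = SEEN.search(line)
        if m and cur is not None:
            cur.update(created=int(m.group(1)), seen=int(m.group(2)), intf=m.group(3))
    return devices

def mac_flags(mac):
    """Structural reasons a MAC is unlikely to belong to a real NIC."""
    first, zeros = int(mac[:2], 16), mac.split(":").count("00")
    checks = [(first & 0x01, "multicast-bit"), (first & 0x02, "locally-administered"),
              (zeros >= 4, "mostly-zero")]
    return [name for hit, name in checks if hit]

def triage(text, switch_fdb):
    """Map each suspicious MAC to its flags; switch_fdb holds MACs the switch learned."""
    fdb = {m.lower() for m in switch_fdb}
    report = {}
    for dev in parse_devices(text):
        flags = mac_flags(dev["mac"]) + ([] if dev["mac"] in fdb else ["not-in-switch-fdb"])
        if flags:
            report[dev["mac"]] = flags
    return report

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE = """\
vd root/0 b0:00:00:00:00:00 gen 248084 req OHUSA/3e
created 1969194s gen 228011 seen 1916738s v170 gen 183728
vd root/0 00:00:00:00:00:01 gen 248085 req OHUSA/3e
created 1969190s gen 228012 seen 1916730s v170 gen 183729
vd root/0 3c:52:82:1a:9f:10 gen 248090 req OHUSA/3e
created 86400s gen 228020 seen 12s v170 gen 183730
"""
SWITCH_FDB = {"3C:52:82:1A:9F:10"}  # constructed FDB export
```

Entries flagged `not-in-switch-fdb` never appeared as a source address on the switch port, which points at the FortiGate's own detection path rather than at a host on the VLAN.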