lunhas2k4
New Contributor II

Device Inventory- not working

Hi guys,

 

Hope you guys can help me out.

 

I have a router behind a firewall. All my internal traffic comes from the router then goes to the firewall and out.

 

We are unable to identify any mac-address in the device inventory. We only see 1 mac-address that is the router's mac-address. We've already disabled ip proxy-arp globally on the Cisco router and still get the same result. We are using FortiOS 5.4.4.

 

Thanks in advance for the  help.

 

Regards,

 

Lunhas2k4

Carlitos loves firewalls

NSE4 (5.4,6.0)

NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)

NSE7 (Enterprise Firewall 6.0)

oheigl
Contributor II

That's exactly what the router does, it splits the layer 2 networks (broadcast domains). That's the reason you only see one MAC address. You would need to rearrange your network - put the FortiGate into the layer 2 network where your devices reside in.

Myth
New Contributor III

I'm kind of wondering the same thing here. I know the manual specifically says 'directly attached devices' - so I'd like to know technically what this means, as most devices will not, physically, be directly attached to one's Fortigate; that makes no sense.

 

From my setup I get a full device inventory when a subnet's gateway exists on the Fortigate device. Additionally, like you, when I have a static route from my CORE switch to the Fortigate, all I get is one device and the VLAN's MAC address registers in the Fortigate.

 

So is the point of difference this: directly connected, as stated in the admin guide, means having the gateway on the Fortigate?

 

I'd really like to know this, as on my CORE I have 30+ VLANs. Then I route all of them out to the internet via a single VLAN. I don't want to have to remove the route and have 30+ gateways configured on the Fortigate. But ideally I want a full inventory list.

 

Anyone an expert in this? How is anyone in similar setups getting a full device inventory when your subnet's gateway is NOT on the Fortigate?

 

Thanks so much.

Ollie

 

 

darwin_FTNT

Device identification works by using MAC address and IP address as the key for identification. The corresponding values are OS/username/etc. It works fine in my wifi at home or BYOD environment. You can set up the FGT in one-arm sniffer mode and it should work too.
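The replies above (oheigl's point that the router splits the broadcast domain, and the explanation that identification is keyed on MAC and IP) can be shown with a small model. This is an added illustration, not FortiOS code and not from any poster here: the hosts, IPs and MACs are constructed, and it assumes the inventory groups observed source IPs under the source MAC. The point it makes is that a routed hop rewrites the Ethernet source address while leaving the IP header intact, so a firewall behind a router sees every host's traffic arrive with the router's MAC; disabling proxy-ARP changes only how the router answers ARP, not how it forwards frames, which is why that did not help. A sniffer port placed inside the hosts' own VLAN sees the same frames as the "same L2 domain" case.

```python
"""Toy model of MAC-keyed device identification (added example, not FortiOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """The two header fields the inventory cares about."""
    src_mac: str
    src_ip: str


# Constructed sample LAN: three hosts on one VLAN behind a router
# whose FGT-facing interface has ROUTER_MAC. All values are made up.
HOSTS = {
    "10.10.1.20": "aa:bb:cc:00:00:20",
    "10.10.1.21": "aa:bb:cc:00:00:21",
    "10.10.1.22": "aa:bb:cc:00:00:22",
}
ROUTER_MAC = "00:11:22:33:44:01"


def frames_same_l2_domain(hosts):
    """Frames as seen by a FortiGate (or a one-arm sniffer port) that sits in the hosts' broadcast domain."""
    return [Frame(src_mac=mac, src_ip=ip) for ip, mac in hosts.items()]


def frames_behind_router(hosts, router_mac):
    """Frames after one routed hop: the IP source survives, the Ethernet source becomes the router's MAC."""
    return [Frame(src_mac=router_mac, src_ip=ip) for ip in hosts]


def build_inventory(frames):
    """Group observed source IPs under each source MAC (assumed inventory key)."""
    inv = {}
    for f in frames:
        inv.setdefault(f.src_mac, set()).add(f.src_ip)
    return {mac: sorted(ips) for mac, ips in inv.items()}


if __name__ == "__main__":
    scenarios = [
        ("FortiGate in the hosts' L2 domain", frames_same_l2_domain(HOSTS)),
        ("FortiGate behind a router", frames_behind_router(HOSTS, ROUTER_MAC)),
    ]
    for label, frames in scenarios:
        inv = build_inventory(frames)
        print(f"{label}: {len(inv)} device(s) in inventory")
        for mac, ips in inv.items():
            print(f"  {mac} -> {', '.join(ips)}")
```

Running it prints three devices for the first scenario and a single entry (the router's MAC carrying all three IPs) for the second, which is exactly the "one MAC address" symptom from the opening post.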

Myth
New Contributor III

Thanks I will look at the one-arm sniffer.

 

Is that effectively an additional interface on the FGT trunked with all necessary VLANs + an IP in each? Scrapes all the VLANs at an L2 level? But this is not used for firewall-bound traffic, just for 'sniffing'? I've not done this before.

 

My other thought was to use my existing trunk where the current outbound traffic flows. Assign VLAN interfaces on the FGT side, give it an IP that is not the default gateway. Then on the CORE switch, where all the traffic lives + 30 VLANs, have an internal route for traffic to remain within the core, e.g. 10.10.0.0/11 10.10.0.1, then for each VLAN have a default route to the VLAN interface on the FGT, like this:

 

0.0.0.0/0 10.10.0.10

0.0.0.0/0 10.10.1.10

0.0.0.0/0 10.10.2.10

0.0.0.0/0 10.10.3.10

 

That way keeping all CORE traffic from traversing the FGT, and only outbound traffic will traverse the FGT. But I'm not sure if this is possible and if the routes will conflict/overlap.

 

Cheers!
