SMabille
Contributor

Device detection

Hi, FortiGate 200D, 5.0.4 and 5.0.5: How and when are devices detected/identified? I'm sure this was working in the past, but now the online column in device definition stays empty. It seems that all my devices were last seen about 10 days ago. Client devices don't have FortiClient installed.

Steps taken:
- Upgrade from 5.0.4 to 5.0.5, so that rebooted my FortiGate.
- "diagnose user device clear".
- Deleted some permanent entries of devices that are currently communicating; they are not detected/added to the list.

Any idea? Thanks, Stephane

1 Solution
neonbit
Valued Contributor

FortiOS 5.4 has an enhancement to device identification called 'active device identification'. It allows you to actively scan devices that can't be determined by passive means using the vulnerability scan engine.


I've tested the beta in a lab and the device identification worked well, but it was only for a directly connected network. Not sure how well it will handle multi-level LANs (can't test that scenario in my lab).

Bromont_FTNT
Staff

You still have "Detect and Identify Devices" selected in the interface menu?
SMabille
Contributor

Of course. Even tried disabling it and re-enabling it, without effect.
Adrian
New Contributor II

SMabille wrote:
Hi, FortiGate 200D, 5.0.4 and 5.0.5: How and when are devices detected/identified? I'm sure this was working in the past, but now the online column in device definition stays empty. It seems that all my devices were last seen about 10 days ago. Client devices don't have FortiClient installed.

Steps taken:
- Upgrade from 5.0.4 to 5.0.5, so that rebooted my FortiGate.
- "diagnose user device clear".
- Deleted some permanent entries of devices that are currently communicating; they are not detected/added to the list.

Any idea? Thanks, Stephane
Hi,


I have a similar issue with an FG 500D on 5.2.3 GA with a Brocade ICX on the LAN side. It only detects the Brocade and 1 more device. That's it. It doesn't see the hundreds of devices on the LAN. If I delete that one more device, it will randomly detect another one and that's it.


Any updates on your end?


Thank you,


Adi

natech
New Contributor

If you're using the Brocade as a router (layer 3), then MAC addresses won't "pass."


You have some choices:


1) 802.1X authentication on the clients and having it send RADIUS accounting updates to the FortiGate.


2) Install FortiClient on the clients.


3) Put the clients on their own VLAN, with a routing interface enabled on the Forti.



Adrian
New Contributor II

Hi natech,


Option 1 is a bit complicated to implement and Option 2 is a no go due to a critical bug in FortiClient that kernel-panics OS X randomly.


That leaves Option 3. My clients are already on their own separate VLANs (wifi corp, wifi guest, LAN corp, etc.). I'm just not sure what you mean by the "routing interface configured on the Forti". Do you mind elaborating a bit on this?


Thank you,


Adrian

Camshaft007
New Contributor

I'm in the same boat actually. I have a simple setup at home as well:


Modem->FGT90D-Internal1 (10.1.255.1/30) <->Cisco3750G (10.1.255.2/30) <->LAN


All my devices are showing up detected as the SWITCH MAC address vs. the device MAC address. I'm actually routing between my FGT and my L3 switch (multiple VLANs and OSPF between switch and FW)... I figured perhaps disabling Proxy ARP between the routed interface on the switch and the FW would correct this problem, but that didn't help. I'm running 5.2.4 on my 90D.


Installing FCT on my devices is a no fly zone if I plan on attempting to use FGT's version of "NAC" in my work environment. I have the same situation at work as we are routing between a core switch and our 1500D cluster(s).

"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong one. 'Do it yourself'. Yes, that's it." - Linus Torvalds

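To make natech's point concrete, and to show why Camshaft007 sees every host recorded under the switch's MAC, here is a small added simulation (not code from any post here and not FortiOS logic). It assumes constructed frames and constructed RADIUS accounting records; the attribute names Calling-Station-Id and Framed-IP-Address are the standard RADIUS ones.

```python
from collections import defaultdict

# Constructed sample frames as seen on the FortiGate's LAN-facing interface:
# (ingress_interface, source_mac, source_ip).
SWITCH_MAC = "00:11:22:33:44:01"          # constructed: L3 switch routed-interface MAC
BEHIND_L3_SWITCH = [                      # hosts reach the FortiGate through the switch's router hop
    ("internal1", SWITCH_MAC, "10.1.10.11"),
    ("internal1", SWITCH_MAC, "10.1.10.12"),
    ("internal1", SWITCH_MAC, "10.1.20.5"),
]
VLAN_ON_FORTIGATE = [                     # same hosts once their VLANs terminate on the FortiGate
    ("vlan10", "aa:bb:cc:00:00:11", "10.1.10.11"),
    ("vlan10", "aa:bb:cc:00:00:12", "10.1.10.12"),
    ("vlan20", "aa:bb:cc:00:00:05", "10.1.20.5"),
]
RADIUS_ACCT = [                           # constructed Accounting-Request attributes from an 802.1X switch
    {"Acct-Status-Type": "Start", "Calling-Station-Id": "AA-BB-CC-00-00-11", "Framed-IP-Address": "10.1.10.11"},
    {"Acct-Status-Type": "Start", "Calling-Station-Id": "AA-BB-CC-00-00-12", "Framed-IP-Address": "10.1.10.12"},
    {"Acct-Status-Type": "Stop",  "Calling-Station-Id": "AA-BB-CC-00-00-12", "Framed-IP-Address": "10.1.10.12"},
]

def passive_device_table(frames):
    """MAC-keyed passive detection: one device entry per distinct source MAC."""
    table = defaultdict(set)
    for _iface, mac, ip in frames:
        table[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in table.items()}

def suspected_router_entries(table, max_ips=1):
    """Entries carrying more IPs than one host should: the 'everything is the switch MAC' symptom."""
    return sorted(mac for mac, ips in table.items() if len(ips) > max_ips)

def normalize_mac(calling_station_id):
    """Calling-Station-Id is commonly sent as AA-BB-CC-..; convert to aa:bb:cc:.."""
    return calling_station_id.replace("-", ":").lower()

def radius_device_table(records):
    """Option 1: learn MAC->IP bindings from accounting Start/Stop instead of L2 visibility."""
    table = {}
    for rec in records:
        mac = normalize_mac(rec["Calling-Station-Id"])
        if rec["Acct-Status-Type"] == "Start":
            table[mac] = rec["Framed-IP-Address"]
        elif rec["Acct-Status-Type"] == "Stop":
            table.pop(mac, None)
    return table
```

Running passive_device_table over BEHIND_L3_SWITCH collapses all three hosts into the single switch entry that suspected_router_entries flags, while the VLAN_ON_FORTIGATE and RADIUS inputs yield one entry per host.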
Adrian
New Contributor II

neonbit wrote:

FortiOS 5.4 has an enhancement to device identification called 'active device identification'. It allows you to actively scan devices that can't be determined by passive means using the vulnerability scan engine.


I've tested the beta in a lab and the device identification worked well, but it was only for a directly connected network. Not sure how well it will handle multi-level LANs (can't test that scenario in my lab).

Are you in any way able to do a test with a routed interface? Because honestly, this is how the FortiGates are installed in an enterprise environment.


I don't have a spare FortiGate to do tests with unfortunately :(

emnoc
Esteemed Contributor III

FWIW


I've seen numerous device detection flaws with Android devices (phones vs. tablets). Detection is not 100% fool-proof IMHO.

Then with anything HTTP, a user-agent switcher will throw off the detection.


Ken

PCNSE 

NSE 

StrongSwan  