- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Endpoint Control/Device Groups: FGT only pushes c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Endpoint Control/Device Groups: FGT only pushes custom FCT config to client when using " Primary" mac
FortiOS 5.0.9
I am having issues getting specific forticlient profiles pushed to named devices that have been assigned to device groups. The following is my analysis of the issue and identifies what I believe to be a bug:
When a client (Forticlient 5.0.9) registers to the Fortigate (5.0.9), it identifies all of the clients mac addresses (i.e. lan mac, wireless mac, fortiiclient vpn mac, etc..). By way of example the following is the output of a mouse-over of my laptop on the Device Definitions page. Note that four macs are identified.
Device PA0042449-mayer
Primary MACe4:11:5b:2b:a3:2f (port1)
MAC Addresscc:52:af:ec:5e:23 ()
MAC Address10:0b:a9:1b:4e:d4 ()
MAC Address10:0b:a9:1b:4e:d5 ()
OSWindows / 7 Service Pack 1
HostnamePA0042449
DomainGOVSOLUTIONS.COM
Usernamemayer
IP Address135.22.254.39
Last Seen12:00:56 (port1)
FortiClient State Registered
In order to add the device to a device group and thereby be able to push a specific forticlient profile to it, I need to make the device permanent (i.e. give it an alias).
When I make that device entry permanent - by double-clicking its entry and giving it an alias, only one of its mac address become associated with the name/alias. By way of example, I made the above entry permanent giving it the name ' PA0042449-mayer" .
When viewed through the Fortigate GUI, the name/alias appears to be associated with all 4 macs. Here is the new Device Definition mouse-over output:
Device PA0042449-mayer
Primary MAC10:0b:a9:1b:4e:d5 (port1)
MAC Addresscc:52:af:ec:5e:23 ()
MAC Addresse4:11:5b:2b:a3:2f ()
MAC Address10:0b:a9:1b:4e:d4 ()
OSWindows / 7 Service Pack 1
HostnamePA0042449
Usernamemayer
IP Address135.22.255.40
Last Seen13:43:08 (port1)
But viewed through the CLI, the name/alias appears to only be associated with one macaddress.:
fgfct-01 # config user device
fgfct-01 (device) # edit PA0042449-mayer
fgfct-01 (PA0042449-mayer) # show
config user device
edit " PA0042449-mayer"
set mac e4:11:5b:2b:a3:2f
set type windows-pc
next
end
The result - and the issue I am trying to define - is that when I add that named device to a device group, the associated forticlient profile is only pushed when the laptop is connected via the one MAC shown in the Config User Device entry. If the laptop connects via another mac address - say wireless or vpn, the the laptop gets the " default" profile.
So for Fortigate GUI Device Definition display purposes, the assigned name/alias is associated with all of the device' s mac addresses. But for the purposes of device group membership and forticlient profile pushes, then device name/alias is only associated with a single address.
Am I doing something wrong or is this a bug?
Rich Mayer
LGS Innovations
Rich Mayer
LGS Innovations
Rich Mayer LGS Innovations
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Had this exact same issue and opened a TAC ticket, they are calling it an identified bug. The work around for me for the moment was to use username rather than MAC. Its no ideal but it got me pas where i needed. I' m assuming you' re on 5.2?
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
Related Posts
- unsupported antivirus for FortiNAC 117 Views
- Automatically Ban Malicious Inbound IPs using... 262 Views
- FNAC persistence agent deployments 368 Views
- FortiClient 7.2 - will not connect... 833 Views
- EMS cloud: Registration attempt by Endpoint... 758 Views
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.