Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HeretoLearn23
New Contributor

FortiNAC Device Profile Rules - HTTP/HTTPS

Looking to create a Device Profile Rule to use HTTP/HTTPs Methods and having issues with the path requirement. 

Im wanting to do this for printers with a gui.

Here are some examples of what I have tried for paths:

/wcd/spa_main.html

x.x.x.x/wcd/spa_main.html

Underscore.min.js

jquery-ui.min.css

 

Has anyone used this method before and can you please provide me some examples of what I should be looking for?

 

Thank you

4 REPLIES 4
ebilcari
Staff
Staff

The configuration should be simple, open a URL path and checking the content for a specific value to match. The path you provided seems valid "/wcd/spa_main.html" and it can be used.

Are this printers using HTTP or HTTPS? The HTTPS may cause some problem with certificate validation in FNAC if the printers are using their self signed certificates.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
HeretoLearn23

It is using https with a self signed cert.

ebilcari

If that is the case than based on my previous experience, the problem relies on the SAN attribute missing on the printer's self signed certificate. FNAC will not treat it as a valid certificate so it can't proceed loading the page. For testing purposes you can generate a valid certificate and upload it in one of the printers to verify if DPR configurations are done properly.

To get more information you can enable this debug and check live on the logs the reason of failure (maybe is something else):

> nacdebug -name ActiveFingerprint true

> logs

> tf output.nessus

In the end remember to disable the debug:

> nacdebug -name ActiveFingerprint

In case you are running the new FNAC-F you need to "#execute enter" first.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ndumaj

On the output.nessus you should see similar output:

yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:830 :: #66 :: rule = Rule1 isEnabled = true

yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:834 :: #66 :: Criteria unsatisfied. Putting back on queue. rule = Rule12, mac = 00:24:xx:xx:xx:xx
yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:917 :: #66 :: performScans() rule = Rule2 mac = 00:24:xx:xx:xx:xx

yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:423 :: #66 :: Rule does not match: Rule2-Name 00:24:xx:xx:xx:xx <--MAC of the host

yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:423 :: #66 :: Rule does not match:Rule3-Name 00:24:xx:xx:xx:xx <--MAC of the host
yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:423 :: #66 :: rule = Rule3 isEnabled = true
yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:423 :: #66 :: performScans() rule = Rule3-Name mac = 00:24:xx:xx:xx:xx <--MAC of the host

 

yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:032 :: #66 :: performScan(Rule3-Name) Method (Method used) matches data previously collected
yams.ActiveFingerprint FINER :: 2024-MM-DD HH:MM:SS:032 :: #66 :: Rule matches: Rule3-Name 00:24:xx:xx:xx:xx [Fingerprint [dbid=null, source=xxx , physAddress=00:24:xx:xx:xx:xx, ipAddress=172.xxxx, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={....}]]

If there are busy logs you can filter by MAC:

> logs

> tf output.nessus | egrep -i "xx:xx:xx:xx:xx:xx|xx-xx-xx-xx-xx-xx"  <-- replace xx:xx:xx:xx:xx:xx with host MAC

BR

- Happy to help, hit like and accept the solution -
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors