rickyrickuk
New Contributor

Lots of unknown devices showing in Device Inventory

Hi, has anyone seen anything like this?

On my lab Fortigate, I am seeing 1000s of devices under Dashboard/Users & Devices/Device Inventory that all show as offline but as having been online at some point in the last couple of weeks. They all have IPs starting 198.x.x.x and various MACs and vendors, and all show on my internal LAN interface.

If I search the traffic logs, there is nothing from 198.x.x.x, so I'm not sure where they are coming from.

I have not seen any online at any stage, so I wonder if it's a bug of some sort?

I am running code 6.4.4 on this device.

Thanks

thuynh_FTNT
Staff

Hi Ricky, thank you for your report.

>If I search the traffic logs, there is nothing from 198.x.x.x so not sure where they are coming from.

The device data in the device inventory list comes from the FGT's device detection engine, which scans incoming packets on the interfaces via various protocols. However, not all traffic will have logs, as it depends on whether logging is enabled in forward traffic policies. Some endpoint data are also retrieved from FortiClient/EMS and FortiAP/FortiSwitch, so they are not necessarily generating pass-through traffic.

You can review the device inventory data via the following commands. The first command should tell you which interface the device was seen on, from how long ago, and from which protocol (via "src").

"diagnose user device list"

"diagnose user device stats"

You can also clear the list and monitor if they come back:

"diagnose user device clear"

rickyrickuk

thuynh wrote:

> Hi Ricky, thank you for your report.
>
> >If I search the traffic logs, there is nothing from 198.x.x.x so not sure where they are coming from.
>
> The device data from device inventory list is from the FGT's device detection engine which is scanning incoming packets on the interfaces via various protocols. However, not all traffic will have logs as it depends on if logging is enabled in forward traffic policies. Some endpoint data are also retrieved from FortiClient/EMS and FortiAP/FortiSwitch so they are not necessarily generating pass-through traffic.
>
> You can review the device inventory data via the following commands. The first command should tell you which interface the device was seen on, from how long ago, and from which protocol (via "src").
>
> "diagnose user device list"
>
> "diagnose user device stats"
>
> You can also clear the list and monitor if they come back
>
> "diagnose user device clear"

Thanks for the tips, I have logging on all my internal rules at present. I don't have any FortiSwitch or other Fortigate products on this test network either.

I ran the "diagnose user device list" and see lots of these 198.x.x.x entries (198.x.x.x isn't on my internal LAN); a few examples are below, but there are hundreds:

vd root/0 46:b9:fa:7d:f7:53 gen 66156 req OHUSA/3e created 77897s gen 66155 seen 77897s internal gen 343 ip 198.185.171.95 src arp
vd root/0 52:ec:4b:df:9c:3e gen 96567 req OHUSA/3e created 34520s gen 96566 seen 34520s internal gen 463 ip 198.236.30.10 src arp
vd root/0 f0:e4:7f:65:fa:11 gen 51644 req OHUSA/3e created 96440s gen 51643 seen 96440s internal gen 281 ip 198.228.46.93 src arp

I also see my valid 192.168.1.x entries, some of which are src arp and some src http.

If I show the ARP table there are only 192.168.1.x entries.

"diagnose user device stats" shows:

Home # diagnose user device stats
generation.global 118248
generation.seen 556
generation.deletion 0
count 556
joined 0
create_failed 0
fd 6
hash 2048

I rebooted yesterday, which initially cleared all the 198.x.x.x addresses, but they soon started coming back!

I also ran a network packet capture, on the Fortigate GUI, on the internal interface for a few hours and it only picked up a few valid requests from internal devices (192.168.1.x) to 198.x.x.x addresses on the internet (Windows Update, I think).

Thanks, Ricky

thuynh_FTNT

Hi Ricky, sorry for the super late response, I just got the notification on this just now. Were you able to figure out what's going on? Did it go away with the latest FOS version?

>vd root/0 46:b9:fa:7d:f7:53 gen 66156 req OHUSA/3e created 77897s gen 66155 seen 77897s internal gen 343 ip 198.185.171.95 src arp 

The IP is a public IP, so it's not from the private LAN. Is there some script or something scanning your network? The source is ARP, which means it's from an ARP broadcast.

I'd get in contact with our Support team so they help troubleshooting further.
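As an added illustration of the check in this last reply (not code from the thread or from Fortinet), here is a small Python parser for the `diagnose user device list` record format quoted above that flags ARP-learned entries whose IP falls outside the LAN subnet of the interface they were seen on. The `192.168.1.0/24` mapping for `internal` and the two 192.168.1.x records are assumptions; the three 198.x.x.x records are the ones Ricky posted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Record layout as it appears in the "diagnose user device list" output quoted
# in this thread; the fields between the MAC and "seen" are skipped over.
RECORD_RE = re.compile(
    r"vd (?P<vdom>\S+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?"
    r"seen (?P<seen>\d+)s (?P<iface>\S+) gen \d+ ip (?P<ip>\S+) src (?P<src>\S+)"
)

# Constructed sample: the three public-IP records from the post, run together on
# one line exactly as they were pasted, plus two made-up 192.168.1.x records
# (one learned via ARP, one via HTTP) standing in for real LAN hosts.
SAMPLE = (
    "vd root/0 46:b9:fa:7d:f7:53 gen 66156 req OHUSA/3e created 77897s gen 66155 seen 77897s internal gen 343 ip 198.185.171.95 src arp "
    "vd root/0 52:ec:4b:df:9c:3e gen 96567 req OHUSA/3e created 34520s gen 96566 seen 34520s internal gen 463 ip 198.236.30.10 src arp "
    "vd root/0 f0:e4:7f:65:fa:11 gen 51644 req OHUSA/3e created 96440s gen 51643 seen 96440s internal gen 281 ip 198.228.46.93 src arp\n"
    "vd root/0 00:11:22:33:44:55 gen 100 req OHUSA/3e created 120s gen 99 seen 30s internal gen 10 ip 192.168.1.20 src arp\n"
    "vd root/0 00:11:22:33:44:66 gen 101 req OHUSA/3e created 900s gen 100 seen 5s internal gen 11 ip 192.168.1.21 src http\n"
)

@dataclass
class DeviceEntry:
    vdom: str
    mac: str
    iface: str
    ip: ipaddress.IPv4Address
    src: str          # detection protocol, e.g. "arp" or "http"
    seen_secs: int    # seconds since the device was last seen

def parse_device_list(text: str) -> List[DeviceEntry]:
    """Parse records whether they are one per line or run together on one line."""
    return [DeviceEntry(m["vdom"], m["mac"], m["iface"], ipaddress.ip_address(m["ip"]),
                        m["src"], int(m["seen"])) for m in RECORD_RE.finditer(text)]

# Assumed LAN addressing for the interface named in the post.
LAN_SUBNETS: Dict[str, List[ipaddress.IPv4Network]] = {
    "internal": [ipaddress.ip_network("192.168.1.0/24")],
}

def suspicious_arp_entries(entries: List[DeviceEntry], lan_subnets=LAN_SUBNETS) -> List[DeviceEntry]:
    """ARP-learned entries whose IP is outside every subnet on that interface.
    An IP only gets learned via ARP when something on the segment claimed it,
    so a public address here points at stray or spoofed ARP frames, not routed flows."""
    return [e for e in entries
            if e.src == "arp" and not any(e.ip in n for n in lan_subnets.get(e.iface, []))]

def flagged_ips(text: str = SAMPLE) -> List[str]:
    return [str(e.ip) for e in suspicious_arp_entries(parse_device_list(text))]

if __name__ == "__main__":
    for e in suspicious_arp_entries(parse_device_list(SAMPLE)):
        print(f"{e.iface}: {e.ip} claimed by {e.mac} via {e.src}, last seen {e.seen_secs}s ago")
```

Pasting the real `diagnose user device list` output in place of `SAMPLE` gives the list of MACs worth matching against a packet capture filtered on ARP.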
