Support Forum
fjulianom
New Contributor III

Mobile Device Detection doesn't work properly

Hi experts,

I have a FortiGate and I want to create firewall policies based on device detection for mobile devices. I realized that FortiGate can detect only some iPhone and Android devices. I have made a test with two iPhones of different models and iOS versions. FortiGate recognizes iPhone 5 but not iPhone 6. The same with two Android phones. They all connect via Wi-Fi to Meraki APs, and the APs are connected to one Meraki switch and then this switch is connected to FortiGate. I know this is due to fingerprinting, but I don't know how to solve this, since right now I cannot create my firewall policies per mobile device detection due to this limitation. Any idea?

Regards,

Julián

Nicholas_Doropoulos
Contributor

Could you share with us your FortiGate's model and version please?

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
fjulianom

Sure! It is a FortiGate 100E running version 5.6.3.

Regards,

Julián

Nicholas_Doropoulos

Thanks. I'm assuming that device detection has already been enabled on the internal interface since you can identify some of your smartphones. Have you enabled the Active Scanning option as well?

Also, can you run the following command to identify the device detection method used:

diag user device list

And finally, run the following:

get sys arp

Can you see the MAC addresses of the phones that have not been identified yet?

Thanks.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
fjulianom

Hi Nicholas,

Yes, device detection is enabled on the interface, though I don't see the Active Scanning option:

I attach an excerpt of the two commands, and I have indicated one of the devices which is not identified as an example:
FG100E4Q17012150 # diagnose user device list
hosts
vd root/0 00:00:00:00:00:00 gen 3634 req TOHUS/3e
  created 9701423s gen 3 seen 0s LAN gen 387
vd root/0 a4:5d:36:11:4c:6d gen 822212 req TO/c
  created 8386117s gen 102473 seen 0s LAN gen 8148
  ip 172.16.100.6 src none
  type 17 'Windows PC' src mwbs id 40 gen 3242
  os 'Windows 8 / 2012' version '' src mwbs id 40
  host 'SRVLIMAPP1D1' src dhcp
vd root/0 b8:6b:23:2c:fc:b6 gen 831401 req TOS/e
  created 9692496s gen 2253 seen 0s VLAN 20 gen 49903
  ip 172.20.100.59 src mac
  type 17 'Windows PC' src http id 2315 gen 452
  os 'Windows' version '8 (x64)' src http id 2315
  host 'LTP00003.STEVIAONEPERU.local' src dhcp
vd root/0 b4:f1:da:af:ad:cb gen 831610 req TOUS/2e
  created 540722s gen 791803 seen 471s VLAN 19 gen 49929
  ip 172.19.100.11 src mac
  host 'android-ec134b52449e12d' src dhcp

...

vd root/0 d0:25:98:4a:0c:15 gen 831126 req 0                                <<<<<<<<<<<< this is the device
  created 710807s gen 779261 seen 126s VLAN 18 gen 49873
  type 16 'Router/NAT Device' src ac id 0 gen 3183

FG100E4Q17012150 # get sys arp
Address           Age(min)   Hardware Addr      Interface
172.18.100.25     0          80:19:34:f1:60:3f  VLAN 18
172.20.100.51     0          d0:bf:9c:24:63:40  VLAN 20
172.16.100.5      0          2c:59:e5:4a:ae:b8  LAN
172.18.100.31     0          4a:7d:2b:f7:04:00  VLAN 18
172.20.100.57     0          70:5a:0f:1f:b8:5a  VLAN 20
172.16.100.11     0          00:15:5d:64:05:00  LAN
172.18.100.20     0          4c:eb:42:f9:64:01  VLAN 18
172.16.100.125    1          e0:55:3d:62:5f:50  LAN
172.16.100.6      0          a4:5d:36:11:4c:6d  LAN
172.18.100.32     0          ac:2b:6e:28:88:45  VLAN 18
172.18.100.15     0          f8:34:41:06:40:00  VLAN 18
172.20.100.58     0          54:e1:ad:74:34:aa  VLAN 20
172.17.100.4      1          b4:99:ba:de:08:a3  VLAN 2
172.18.100.38     0          a4:c4:94:b2:73:2a  VLAN 18
200.4.228.185     0          cc:16:7e:76:1b:49  wan2
172.16.100.126    0          e0:55:3d:62:53:30  LAN
172.18.100.21     2          ac:ed:5c:bd:4b:29  VLAN 18
172.18.100.27     0          e8:2a:ea:8e:9d:24  VLAN 18
172.16.100.41     0          00:d0:b8:2a:67:4b  LAN
172.16.100.132    0          a0:d3:c1:e6:7d:97  LAN
172.20.100.53     0          00:25:ab:91:c5:15  VLAN 20
172.16.100.7      0          00:15:5d:64:04:01  LAN
172.20.100.59     0          b8:6b:23:2c:fc:b6  VLAN 20
172.16.100.127    0          e0:55:3d:62:57:90  LAN
172.18.100.22     0          d8:fc:93:1f:fc:43  VLAN 18
172.16.100.133    0          88:15:44:d9:89:31  LAN
172.16.100.190    0          54:ee:75:97:82:21  LAN
172.20.100.54     0          34:64:a9:c5:35:7b  VLAN 20
172.16.100.8      0          58:97:bd:43:3f:40  LAN
172.16.100.156    0          40:a3:cc:96:e9:48  LAN
172.19.100.15     0          50:01:d9:29:c6:02  VLAN 19
172.18.100.23     0          ac:2b:6e:a3:29:f1  VLAN 18
161.132.123.169   0          fc:fb:fb:a1:7a:61  wan1
172.16.100.134    0          e0:55:3d:33:3a:e8  LAN
172.18.100.12     0          44:85:00:da:ef:17  VLAN 18
172.16.100.140    0          00:d0:b8:2e:86:03  LAN
172.18.100.18     0          a0:99:9b:12:da:a1  VLAN 18
172.20.100.50     0          c8:5b:76:20:29:8d  VLAN 20
172.16.100.4      0          a4:5d:36:11:4c:6c  LAN
172.20.100.56     0          50:7b:9d:9f:cf:b5  VLAN 20
172.16.100.124    0          e0:55:3d:62:f5:e0  LAN
172.20.100.62     0          3c:a8:2a:e1:8f:24  VLAN 20
172.18.100.42     3          d0:25:98:4a:0c:15  VLAN 18          <<<<<<<<<<<<<<<< this is the device
FG100E4Q17012150 #
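The comparison Nicholas asks for above, cross-referencing the MACs in `get sys arp` against the device list to find hosts the FortiGate sees but holds no DHCP/HTTP fingerprint for, as an added Python example that is not part of this thread. It parses the FortiOS 5.6 output layout shown in the excerpts; the two-host sample data is constructed from those excerpts and the function names are my own.

```python
import re
# Constructed sample in the FortiOS 5.6 layout shown above: one fingerprinted iPhone, one unidentified host.
DEVICE_LIST = """\
vd root/0 4c:8d:79:ca:44:27 gen 831618 req TOU/2c
  created 606820s gen 786949 seen 413s VLAN 19 gen 49926
  ip 172.19.100.17 src arp
  type 11 'iPhone' src dhcp id 134 gen 3179
  os 'iPhone' version '' src dhcp id 134
  host 'iPhonedeJulian' src dhcp
vd root/0 d0:25:98:4a:0c:15 gen 831126 req 0
  created 710807s gen 779261 seen 126s VLAN 18 gen 49873
  type 16 'Router/NAT Device' src ac id 0 gen 3183
"""
ARP_TABLE = """\
Address         Age(min)  Hardware Addr      Interface
172.19.100.17   0         4c:8d:79:ca:44:27  VLAN 19
172.18.100.42   3         d0:25:98:4a:0c:15  VLAN 18
"""
HEAD_RE = re.compile(r"^vd \S+ ([0-9a-f:]{17}) gen \d+ req (\S+)")
IFACE_RE = re.compile(r"seen \d+s (.+?) gen \d+")
FIELD_RE = re.compile(r"^\s+(type \d+|os|host|ip) (?:'([^']*)'|(\S+)).*?src (\S+)")

def parse_device_list(text):
    """Group the indented per-host lines of 'diagnose user device list' by MAC."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HEAD_RE.match(line):
            cur = hosts[m.group(1)] = {"req": m.group(2), "sources": set()}
        elif cur is not None:
            if m := IFACE_RE.search(line):        # 'created ... seen Ns <iface> gen N'
                cur["iface"] = m.group(1)
            if m := FIELD_RE.match(line):         # ip / type / os / host lines
                cur[m.group(1).split()[0]] = m.group(2) if m.group(2) is not None else m.group(3)
                cur["sources"].add(m.group(4))    # how FortiOS learned it: arp, dhcp, http, ac ...
    return hosts

def parse_arp(text):
    """Map MAC -> ip/interface from 'get sys arp'; interface names may contain a space."""
    rows = (line.split(None, 3) for line in text.splitlines())
    return {r[2]: {"ip": r[0], "iface": r[3]} for r in rows
            if len(r) == 4 and len(r[2]) == 17 and r[2].count(":") == 5}

def unfingerprinted(hosts, arp):
    """Hosts seen in ARP whose entry has no 'os'/'host' line, i.e. no DHCP or HTTP fingerprint."""
    out = []
    for mac, a in arp.items():
        h = hosts.get(mac, {})
        if "os" not in h and "host" not in h:
            out.append({"mac": mac, **a, "req": h.get("req"), "sources": sorted(h.get("sources", ()))})
    return out
```

Fed the full outputs instead of the sample, it lists every ARP neighbour, with its interface, that only has a type guess such as 'Router/NAT Device' from 'src ac' and nothing learned from DHCP or HTTP.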

fjulianom
New Contributor III

Hi Nicholas,

Based on the output I provided, do you know why the mobile device detection doesn't work correctly?

Regards,

Julián

Nicholas_Doropoulos

Hi Julian,

Thanks for that info. Could you also provide the following:

1) What is the role assigned to the interface that VLAN 18 is associated with (LAN, WAN, DMZ or Undefined)? Given the version you are on there should be an "Active Scanning" option right below device detection.

2) Can you also point out to me in the same way as you did previously the smartphone(s) that DO get detected successfully so we can compare?

Thanks.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
fjulianom

Hi Nicholas,

1) The role is LAN and there is no such option:

2) Sure, look at this:
vd root/0 c8:14:51:69:d4:20 gen 665017 req TOU/2c
  created 1928382s gen 665013 seen 1927958s LAN gen 40475
  ip 172.16.100.153 src arp
  type 1 'Android Phone' src http id 959 gen 2922
  os 'Android' version '7.0' src http id 959
  host 'HUAWEI_Mate_9_lite' src dhcp
vd root/0 4c:8d:79:ca:44:27 gen 831618 req TOU/2c                        <<<<<<<<<<<<<< detected OK
  created 606820s gen 786949 seen 413s VLAN 19 gen 49926
  ip 172.19.100.17 src arp
  type 11 'iPhone' src dhcp id 134 gen 3179
  os 'iPhone' version '' src dhcp id 134
  host 'iPhonedeJulian' src dhcp
vd root/0 54:ee:75:97:82:21 gen 831189 req TO/c
  created 2870676s gen 565693 seen 4s LAN gen 49880
  ip 172.16.100.190 src mac
  type 17 'Windows PC' src http id 2378 gen 3256
  os 'Windows' version '8.1 (x64)' src http id 2378
  host 'X1CARBONJORTIZ.STEVIAONEPERU.local' src dhcp

...

vd root/0 a4:5d:36:11:4c:6f gen 816311 req TOUS/2e
  created 9699761s gen 693 seen 203997s LAN gen 48727
  ip 172.16.100.191 src mac
  host 'ILOMX23360024' src dhcp
vd root/0 d0:25:98:4a:0c:15 gen 831126 req 0                                    <<<<<<<<<<<< not detected
  created 710807s gen 779261 seen 126s VLAN 18 gen 49873
  type 16 'Router/NAT Device' src ac id 0 gen 3183
vd root/0 5c:c3:07:90:f6:78 gen 829497 req 0
  created 4153920s gen 458798 seen 22191s LAN gen 49708
  ip 172.16.100.173 src none
  type 16 'Router/NAT Device' src tc id 0 gen 2453

Nicholas, I realized the device correctly detected is through interface VLAN 19 and the device not detected is through VLAN 18. The configuration of both VLANs is the same except that VLAN 19 has the DHCP server activated and VLAN 18 has a DHCP relay pointing to the corporate DHCP server. Could that be the reason? I have to test joining the device not detected to VLAN 19 and see the results.

Regards,

Julián

Nicholas_Doropoulos

Hi Julian,

That is very likely to be the reason, yes, which is why I wanted us to compare the outputs of both phones, as they were bound to differ on something.

Feel free to carry out your testing and let me know of the results.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
fjulianom

Hi Nicholas,

I have joined the device which was not detected to VLAN 19, but it still isn't being detected. I thought it could be something related to DHCP fingerprinting, but it seems that's not the reason...

Weird...

Regards,

Julián
