Fortinet Document Library

New Features

6.4.0

Added ability in FortiSwitch to query FortiGuard IoT service for device details

Capability was added to FortiSwitch to work with FortiGate and the new FortiGuard IoT detection service for the purpose of device identification.

FortiSwitch devices are now able to assist FortiGates with capturing the most accurate device information, allowing FortiGate to identify devices for the user device list. When the new FortiGuard IoT detection service is activated, FortiGate will leverage the IoT detection service to help reduce the workload for device identification.

Note

To use this feature, the following are required:

The following CLI command and parameters were added under switch-controller to control when FortiSwitch starts and stops collecting device packets for FortiGate (the values are integers, as listed in the table below):

config switch-controller system
    set iot-weight-threshold <integer>
    set iot-scan-interval <integer>
    set iot-holdoff <integer>
    set iot-mac-idle <integer>
end

Parameter: iot-weight-threshold
Description: The confidence weight of the MAC entry. The device is re-queried while its weight is below this value.
Type: Integer
Defaults:
  • Default = 1
  • Disable = 0

Parameter: iot-scan-interval
Description: The IoT scan interval, in minutes.
Type: Integer
Defaults:
  • Minimum = 2 minutes
  • Maximum = 4294967295 minutes
  • Default = 60 minutes
  • Disable = 0

Parameter: iot-holdoff
Description: The hold-off time for creating a MAC entry. The time must exceed this value before an entry is created.
Type: Integer
Default = 5 minutes

Parameter: iot-mac-idle
Description: The idle time for the MAC entry. The entry is removed once it has been idle for this long.
Type: Integer
Default = 1440 minutes

Example

Example topology

FGT500E-----FSW248EP(port1)-----FortiAP

In this example, FortiSwitch will help FortiGate collect packets from FortiAP every 30 minutes and stop for 30 minutes. FortiSwitch will stop collecting packets from FortiAP when the weight of the device information reaches a threshold of 80.

To collect IoT device information for identification in the CLI:
  1. The switch-controller system settings are configured with the IoT parameters (threshold 80, scan interval 30 minutes):

    FGT_A (global) # config switch-controller system
    FGT_A (system) # get
    iot-weight-threshold: 80
    iot-scan-interval   : 30
    iot-holdoff         : 5
    iot-mac-idle        : 1440
    FGT_A (system) # end

  2. When the scheduled time to capture packets is reached, the scan starts; the diagnose command shows the running capture session for the device MAC address:

    FGT_A (vdom1) # dia switch-controller traffic-capture show
    MAC                     session-in-use  switch                  fortilink-interface-name    port              status
    =========================================================================================================================
    08:5b:0e:06:6a:d4       1               S248EPTF18001384        port11                  port1            running
    Global stats:
    ================
    node add = 16
    node delete = 15
    node add failed = 0
    node delete failed = 0

  3. A corresponding sniffer profile is created on FortiSwitch to help collect the data:

    S524DN4K16000116 # config system sniffer-profile
    S524DN4K16000116 (sniffer-profile) # show
    config system sniffer-profile
        edit "08:5b:0e:06:6a:d4"
            set filter "ether host 08:5b:0e:06:6a:d4"
            set max-pkt-count 1000
            set max-pkt-len 256
            set switch-interface "port1"
        next
    end

  4. The data is collected and sent to the FortiGuard service for identification. The device information is updated in the device list with src fortiguard:

    FGT_A (vdom1) # dia user device list
    hosts
    vd vdom1/1  08:5b:0e:06:6a:d4  gen 17  req OUA/34
    created 42s  gen 13  seen 1s  onboarding.13  gen 4
    hardware vendor 'FORTINET'  src fortiguard  id 0  weight 100
    type 'Network'  src fortiguard  id 0  weight 100
    family 'Router'  src fortiguard  id 0  weight 100
    os 'NULL'  src fortiguard  id 0  weight 100
    hardware version 'FortiAP-320B'    id 0  weight 100
    host 'FP320B3X13000599'  src capwap
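As an added example (not Fortinet code), the following Python parses the diagnose user device list output from step 4 and applies the iot-weight-threshold rule from the table: a host whose attribute weight is below the threshold is the one FortiSwitch is still asked to capture packets for. The second host in the sample (MAC 00:11:22:33:44:55, weight 40) is constructed to show the below-threshold case.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Sample input: the "diagnose user device list" output from step 4 above, plus one
# constructed host (MAC 00:11:22:33:44:55, weight 40) to show the below-threshold case.
DEVICE_LIST = """\
vd vdom1/1  08:5b:0e:06:6a:d4  gen 17  req OUA/34
created 42s  gen 13  seen 1s  onboarding.13  gen 4
hardware vendor 'FORTINET'  src fortiguard  id 0  weight 100
type 'Network'  src fortiguard  id 0  weight 100
family 'Router'  src fortiguard  id 0  weight 100
os 'NULL'  src fortiguard  id 0  weight 100
hardware version 'FortiAP-320B'    id 0  weight 100
host 'FP320B3X13000599'  src capwap
vd vdom1/2  00:11:22:33:44:55  gen 3  req OUA/2
hardware vendor 'UNKNOWN'  src dhcp  id 0  weight 40
type 'Unknown'  src dhcp  id 0  weight 40
"""

MAC_RE = re.compile(r"^vd (\S+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
ATTR_RE = re.compile(r"^(?P<name>[a-z][a-z ]*?) '(?P<value>[^']*)'"
                     r"(?:\s+src (?P<src>\S+))?(?:\s+id \d+)?(?:\s+weight (?P<weight>\d+))?")

@dataclass
class Host:
    vdom: str
    mac: str
    attrs: Dict[str, dict] = field(default_factory=dict)  # name -> {value, src, weight}

    def min_weight(self) -> Optional[int]:
        ws = [a["weight"] for a in self.attrs.values() if a["weight"] is not None]
        return min(ws) if ws else None

def parse_device_list(text: str) -> List[Host]:
    """Group each 'vd <vdom> <mac>' line with the quoted attribute lines that follow it."""
    hosts: List[Host] = []
    for line in text.splitlines():
        line = line.strip()
        if m := MAC_RE.match(line):
            hosts.append(Host(m.group(1), m.group(2).lower()))
        elif hosts and (m := ATTR_RE.match(line)):
            w = m.group("weight")
            hosts[-1].attrs[m.group("name")] = {"value": m.group("value"), "src": m.group("src"),
                                                "weight": int(w) if w else None}
    return hosts

def needs_requery(host: Host, threshold: int) -> bool:
    """iot-weight-threshold rule: re-query while weight < threshold; 0 disables; no weight = 0 (assumption)."""
    return threshold > 0 and (host.min_weight() or 0) < threshold
```

With the example's threshold of 80, the FortiAP identified at weight 100 is left alone, while the constructed host at weight 40 would keep being captured until FortiGuard raises its weight.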
