Capability was added to FortiSwitch to work with FortiGate and the new FortiGuard IoT detection service for the purpose of device identification.
FortiSwitch devices can now assist FortiGate in capturing the most accurate device information, allowing FortiGate to identify devices for the user device list. When the new FortiGuard IoT detection service is activated, FortiGate uses the IoT detection service to reduce the workload of device identification.
To use this feature, the following are required:
The following CLI command and parameters were added under switch-controller to control when FortiSwitch starts and stops collecting device packets for FortiGate:
config switch-controller system
| Parameter | Description | Default |
| --- | --- | --- |
| | The confidence value for the MAC entry. The value is re-queried when it is below this value. | |
| iot-scan-interval | The IoT scan interval. | |
| iot-holdoff | The creation time for the MAC entry. The time must be greater than this value for an entry to be created. | 5 minutes |
| iot-mac-idle | The idle time for the MAC entry. The MAC entry is removed after this value. | 1440 minutes |
In this example, FortiSwitch will help FortiGate collect packets from FortiAP every 30 minutes and stop for 30 minutes. FortiSwitch will stop collecting packets from FortiAP when the weight of the device information reaches a threshold of 80.
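The following is an added illustration, not FortiOS code, of how the four parameters interact: iot-holdoff gates entry creation, iot-mac-idle expires stale entries, the weight threshold stops re-querying once confidence is high enough, and "collect every 30 minutes and stop for 30 minutes" is interpreted here as alternating capture-on and capture-off windows of one scan interval each. The class and method names, the minute-based clock and the sightings are all constructed for the example; the parameter values are the ones shown on this page.

```python
"""Scheduling model for the IoT parameters under `config switch-controller system`.

Added illustration, not FortiOS code. It implements only the semantics the
description gives for iot-scan-interval, iot-holdoff, iot-mac-idle and the
weight threshold, and interprets "collect every 30 minutes and stop for
30 minutes" as alternating capture-on / capture-off windows of one scan
interval each. All times are in minutes; the sightings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class MacEntry:
    mac: str
    first_seen: int          # minute the MAC was first seen on the switch port
    last_seen: int           # minute of the most recent sighting
    weight: int = 0          # confidence of the identification so far
    created: bool = False    # True once the entry exists in the device list


@dataclass
class IotScanPolicy:
    scan_interval: int = 30      # iot-scan-interval, value used in the page's example
    holdoff: int = 5             # iot-holdoff, page default
    mac_idle: int = 1440         # iot-mac-idle, page default
    weight_threshold: int = 80   # threshold used in the page's example
    entries: Dict[str, MacEntry] = field(default_factory=dict)
    log: List[Tuple[int, str]] = field(default_factory=list)

    def capture_window_open(self, now: int) -> bool:
        """Alternate scan_interval minutes of capture with scan_interval minutes of rest."""
        return (now // self.scan_interval) % 2 == 0

    def observe(self, mac: str, now: int) -> None:
        """Record a sighting of `mac` on FortiSwitch at minute `now`."""
        entry = self.entries.get(mac)
        if entry is None:
            self.entries[mac] = MacEntry(mac, first_seen=now, last_seen=now)
        else:
            entry.last_seen = now

    def learn(self, mac: str, weight: int) -> None:
        """Apply the weight returned by the FortiGuard lookup for `mac`."""
        self.entries[mac].weight = weight

    def tick(self, now: int) -> List[str]:
        """Evaluate every MAC at minute `now`; return the MACs being captured."""
        capturing: List[str] = []
        for mac, entry in list(self.entries.items()):
            # iot-mac-idle: drop an entry that has been idle longer than the limit
            if now - entry.last_seen > self.mac_idle:
                del self.entries[mac]
                continue
            # iot-holdoff: the entry is created only after the MAC has been seen
            # for longer than the holdoff time
            if not entry.created:
                if now - entry.first_seen <= self.holdoff:
                    continue
                entry.created = True
            # weight threshold: capture (and re-query) only while confidence is low,
            # and only inside an open capture window
            if entry.weight < self.weight_threshold and self.capture_window_open(now):
                capturing.append(mac)
                self.log.append((now, mac))
        return capturing


def demo() -> List[Tuple[int, str]]:
    """Constructed scenario: one MAC, identified with weight 100 on the first lookup."""
    policy = IotScanPolicy()
    mac = "08:5b:0e:06:6a:d4"   # MAC from the page's sample output
    policy.observe(mac, 0)
    policy.tick(3)               # still inside holdoff: nothing happens
    policy.tick(10)              # entry created, capture window open -> captured
    policy.learn(mac, 100)       # FortiGuard answers with full confidence
    policy.tick(20)              # weight >= threshold: capture stops
    return policy.log


if __name__ == "__main__":
    print(demo())
```

Running the module prints a single capture event at minute 10; once the lookup returns weight 100 the MAC is never captured again, and an entry that is not seen for more than iot-mac-idle minutes disappears on the next evaluation.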
- This CLI command is configured with the IoT parameters.
FGT_A (global) # config switch-controller system
FGT_A (system) # get
iot-scan-interval : 30
iot-holdoff : 5
iot-mac-idle : 1440
FGT_A (system) # end
- When the scheduled time to capture the packets is reached, the diagnose command initiates the scan.
FGT_A (vdom1) # dia switch-controller traffic-capture show
MAC session-in-use switch fortilink-interface-name port status
08:5b:0e:06:6a:d4 1 S248EPTF18001384 port11 port1 running
node add = 16
node delete = 15
node add failed = 0
node delete failed = 0
- A corresponding sniffer profile is created on FortiSwitch to help collect the data.
S524DN4K16000116 # config system sniffer-profile
S524DN4K16000116 (sniffer-profile) # show
config system sniffer-profile
set filter "ether host 08:5b:0e:06:6a:d4"
set max-pkt-count 1000
set max-pkt-len 256
set switch-interface "port1"
- The data is collected and sent to the FortiGuard service for identification. The device information is updated in the device list with src fortiguard.
FGT_A (vdom1) # dia user device list
vd vdom1/1 08:5b:0e:06:6a:d4 gen 17 req OUA/34
created 42s gen 13 seen 1s onboarding.13 gen 4
hardware vendor 'FORTINET' src fortiguard id 0 weight 100
type 'Network' src fortiguard id 0 weight 100
family 'Router' src fortiguard id 0 weight 100
os 'NULL' src fortiguard id 0 weight 100
hardware version 'FortiAP-320B' id 0 weight 100
host 'FP320B3X13000599' src capwap
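A practitioner who wants to audit which device-list attributes were supplied by FortiGuard, and whether their weights reached the threshold, needs to parse this output. The following parser is an added example, not Fortinet code: its line shapes are inferred from the single sample block above (a header line, a timing line, and attribute lines where src, id and weight may each be absent), and the function names and the threshold helper are constructed for the example.

```python
"""Parser for one device block of `diagnose user device list` output.

Added example, not Fortinet code. The line shapes are inferred from the single
sample on the page: a header line "vd <vdom> <mac> ...", a timing line with
"created <age>" and "seen <age>", and attribute lines of the form
    <key> '<value>' [src <source>] [id <n>] [weight <n>]
where the key may be two words ("hardware vendor") and each bracketed field
may be absent. Any output shape beyond that sample is an assumption.
"""
import re
from typing import Any, Dict, List

# Sample block copied from the page (constructed test input for this example)
SAMPLE = """\
vd vdom1/1 08:5b:0e:06:6a:d4 gen 17 req OUA/34
created 42s gen 13 seen 1s onboarding.13 gen 4
hardware vendor 'FORTINET' src fortiguard id 0 weight 100
type 'Network' src fortiguard id 0 weight 100
family 'Router' src fortiguard id 0 weight 100
os 'NULL' src fortiguard id 0 weight 100
hardware version 'FortiAP-320B' id 0 weight 100
host 'FP320B3X13000599' src capwap
"""

HEADER_RE = re.compile(
    r"^vd\s+(?P<vdom>\S+)\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"
)
TIMING_RE = re.compile(r"\bcreated\s+(?P<created>\S+).*\bseen\s+(?P<seen>\S+)")
ATTR_RE = re.compile(
    r"^(?P<key>[a-z][a-z ]*?)\s+'(?P<value>[^']*)'"
    r"(?:\s+src\s+(?P<src>\S+))?"
    r"(?:\s+id\s+(?P<id>\d+))?"
    r"(?:\s+weight\s+(?P<weight>\d+))?\s*$"
)


def parse_device_block(text: str) -> Dict[str, Any]:
    """Turn one device block into a dict; missing optional fields become None."""
    device: Dict[str, Any] = {"vdom": None, "mac": None, "created": None,
                              "seen": None, "attributes": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            device["vdom"], device["mac"] = m.group("vdom"), m.group("mac").lower()
            continue
        m = ATTR_RE.match(line)
        if m:
            device["attributes"][m.group("key")] = {
                "value": m.group("value"),
                "src": m.group("src"),                       # None when the field is absent
                "id": int(m.group("id")) if m.group("id") else None,
                "weight": int(m.group("weight")) if m.group("weight") else None,
            }
            continue
        m = TIMING_RE.search(line)
        if m:
            device["created"], device["seen"] = m.group("created"), m.group("seen")
    return device


def fortiguard_attributes(device: Dict[str, Any]) -> List[str]:
    """Attribute keys whose value came from the FortiGuard IoT service."""
    return [k for k, a in device["attributes"].items() if a["src"] == "fortiguard"]


def meets_threshold(device: Dict[str, Any], threshold: int = 80) -> bool:
    """True when every weighted attribute reached the confidence threshold."""
    weights = [a["weight"] for a in device["attributes"].values()
               if a["weight"] is not None]
    return bool(weights) and min(weights) >= threshold


if __name__ == "__main__":
    dev = parse_device_block(SAMPLE)
    print(dev["mac"], fortiguard_attributes(dev), meets_threshold(dev))
```

On the sample block the parser reports four FortiGuard-sourced attributes (hardware vendor, type, family, os), records that the hardware version carries no src and that the host came from capwap without a weight, and confirms that every weighted attribute reached the threshold of 80 used in this example.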