New Features

Added ability in FortiSwitch to query FortiGuard IoT service for device details

Doc ID: de1e129a-0283-11ea-8977-00505692583a:416659

Capability was added to FortiSwitch to work with FortiGate and the new FortiGuard IoT detection service for the purpose of device identification.

FortiSwitch devices can now assist FortiGate in capturing more accurate device information, allowing FortiGate to identify devices for the user device list. When the new FortiGuard IoT detection service is activated, FortiGate uses it for device identification, which reduces the identification workload on the FortiGate itself.

Note

To use this feature, the following are required:

The following CLI command and parameters were added under switch-controller to control when FortiSwitch should start and stop collecting device packets for FortiGate:

config switch-controller system

set iot-weight-threshold

set iot-scan-interval

set iot-holdoff

set iot-mac-idle

Parameter: iot-weight-threshold
Description: The confidence value (weight) of the MAC entry. FortiGuard is re-queried while the entry's weight is below this value.
Type: Integer
Defaults:
  • Default = 1
  • Disable = 0

Parameter: iot-scan-interval
Description: The IoT scan interval, in minutes.
Type: Integer
Defaults:
  • Minimum = 2 minutes
  • Maximum = 4294967295 minutes
  • Default = 60 minutes
  • Disable = 0

Parameter: iot-holdoff
Description: The hold-off time before a MAC entry is created, in minutes. A MAC address must be seen for longer than this value before its entry is created.
Type: Integer
Defaults:
  • Default = 5 minutes

Parameter: iot-mac-idle
Description: The idle time for the MAC entry, in minutes. The entry is removed once it has been idle for longer than this value.
Type: Integer
Defaults:
  • Default = 1440 minutes

Example

Example topology

FGT500E-----FSW248EP(port1)-----FortiAP

In this example, iot-scan-interval is set to 30, so FortiSwitch collects packets from the FortiAP on behalf of FortiGate on a 30-minute cycle (collecting, then pausing until the next interval). FortiSwitch stops collecting packets from the FortiAP once the weight of the device information reaches the iot-weight-threshold of 80.

To collect IoT device information for identification in the CLI:
  1. The IoT parameters are configured under switch-controller system; get shows the values in effect.

    FGT_A (global) # config switch-controller system

    FGT_A (system) # get

    iot-weight-threshold: 80

    iot-scan-interval : 30

    iot-holdoff : 5

    iot-mac-idle : 1440

    FGT_A (system) # end

  2. When the scheduled capture time is reached, the scan starts. The diagnose command shows the capture session in progress (status running) and which switch and port it is running on.

    FGT_A (vdom1) # dia switch-controller traffic-capture show

    MAC session-in-use switch fortilink-interface-name port status

    =========================================================================================================================

    08:5b:0e:06:6a:d4 1 S248EPTF18001384 port11 port1 running

    Global stats:

    ================

    node add = 16

    node delete = 15

    node add failed = 0

    node delete failed = 0

  3. A corresponding sniffer profile, filtering on the device's MAC address, is created on FortiSwitch to collect the data.

    S524DN4K16000116 # config system sniffer-profile

    S524DN4K16000116 (sniffer-profile) # show

    config system sniffer-profile

    edit "08:5b:0e:06:6a:d4"

    set filter "ether host 08:5b:0e:06:6a:d4"

    set max-pkt-count 1000

    set max-pkt-len 256

    set switch-interface "port1"

    next

    end

  4. The collected data is sent to the FortiGuard service for identification. The device information is updated in the device list; each attribute returned by FortiGuard is tagged src fortiguard and carries its weight.

    FGT_A (vdom1) # dia user device list

    hosts

    vd vdom1/1 08:5b:0e:06:6a:d4 gen 17 req OUA/34

    created 42s gen 13 seen 1s onboarding.13 gen 4

    hardware vendor 'FORTINET' src fortiguard id 0 weight 100

    type 'Network' src fortiguard id 0 weight 100

    family 'Router' src fortiguard id 0 weight 100

    os 'NULL' src fortiguard id 0 weight 100

    hardware version 'FortiAP-320B' id 0 weight 100

    host 'FP320B3X13000599' src capwap
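The device-list output in step 4 is what an operator has to read to see whether a host has been identified well enough to stop the capture cycle. The script below, an added example and not Fortinet code, parses that output format, applies iot-weight-threshold to each host, and renders the FortiSwitch sniffer-profile from step 3 for every MAC that still needs a re-query. The first host in the embedded sample is the listing from this page; the second host is constructed test data. Which weight FortiGate actually compares against the threshold is not stated on the page: the script assumes the lowest weight among FortiGuard-sourced attributes (and 0 when a host has none), which is the conservative choice.

```python
"""Parse `diagnose user device list` output and pick the MACs that fall below
iot-weight-threshold.

Added example, not Fortinet code. The output format is taken from the listing
on this page; the second host in SAMPLE_DEVICE_LIST is constructed test data.
Assumption: the weight compared against iot-weight-threshold is the lowest
weight among FortiGuard-sourced attributes (0 when the host has none).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "vd vdom1/1 08:5b:0e:06:6a:d4 gen 17 req OUA/34" starts a host block
HOST_RE = re.compile(r"^vd (\S+) ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) ")
# "hardware vendor 'FORTINET' src fortiguard id 0 weight 100"; src, id and
# weight are each optional ("host 'FP320B3X13000599' src capwap")
ATTR_RE = re.compile(
    r"^([a-z]+(?: [a-z]+)?) '([^']*)'"
    r"(?: src (\S+))?(?: id (\d+))?(?: weight (\d+))?\s*$"
)


@dataclass
class Attribute:
    value: str
    src: Optional[str]      # fortiguard, capwap, dhcp, ... or None when not shown
    weight: Optional[int]   # confidence; None when not shown


@dataclass
class Host:
    vdom: str
    mac: str
    attributes: Dict[str, Attribute] = field(default_factory=dict)


def parse_device_list(text: str) -> List[Host]:
    """Turn the diagnose output into Host records; lines that are neither a
    host header nor an attribute (e.g. 'created 42s gen 13 ...') are skipped."""
    hosts: List[Host] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append(Host(vdom=m.group(1), mac=m.group(2)))
            continue
        m = ATTR_RE.match(line)
        if m and hosts:
            name, value, src, _id, weight = m.groups()
            hosts[-1].attributes[name] = Attribute(
                value, src, int(weight) if weight is not None else None
            )
    return hosts


def fortiguard_weight(host: Host) -> int:
    """Lowest weight among FortiGuard-sourced attributes; 0 if none (assumption)."""
    weights = [a.weight for a in host.attributes.values()
               if a.src == "fortiguard" and a.weight is not None]
    return min(weights) if weights else 0


def hosts_to_requery(hosts: List[Host], threshold: int) -> List[str]:
    """MACs whose weight is below iot-weight-threshold. A threshold of 0
    disables re-querying, as the parameter table states."""
    if threshold == 0:
        return []
    return [h.mac for h in hosts if fortiguard_weight(h) < threshold]


def sniffer_profile(mac: str, switch_interface: str,
                    max_pkt_count: int = 1000, max_pkt_len: int = 256) -> str:
    """Render the FortiSwitch sniffer-profile shown in step 3 for one MAC."""
    return "\n".join([
        "config system sniffer-profile",
        f'    edit "{mac}"',
        f'        set filter "ether host {mac}"',
        f"        set max-pkt-count {max_pkt_count}",
        f"        set max-pkt-len {max_pkt_len}",
        f'        set switch-interface "{switch_interface}"',
        "    next",
        "end",
    ])


# First host: the listing from this page. Second host: constructed test data
# with a partial FortiGuard result, so it sits below a threshold of 80.
SAMPLE_DEVICE_LIST = """\
hosts
vd vdom1/1 08:5b:0e:06:6a:d4 gen 17 req OUA/34
created 42s gen 13 seen 1s onboarding.13 gen 4
hardware vendor 'FORTINET' src fortiguard id 0 weight 100
type 'Network' src fortiguard id 0 weight 100
family 'Router' src fortiguard id 0 weight 100
os 'NULL' src fortiguard id 0 weight 100
hardware version 'FortiAP-320B' id 0 weight 100
host 'FP320B3X13000599' src capwap
vd vdom1/1 00:11:22:33:44:55 gen 3 req OUA/2
created 9m gen 2 seen 4s onboarding.2 gen 1
hardware vendor 'ACME' src fortiguard id 0 weight 60
type 'IoT' src fortiguard id 0 weight 45
host 'sensor-12' src dhcp
"""

if __name__ == "__main__":
    hosts = parse_device_list(SAMPLE_DEVICE_LIST)
    for mac in hosts_to_requery(hosts, threshold=80):
        print(sniffer_profile(mac, "port1"))
```

Run with the threshold from the example (80): the FortiAP host has every FortiGuard attribute at weight 100 and is left alone, while the constructed host's lowest FortiGuard weight is 45, so a sniffer profile is emitted for it. Feeding the script real `diagnose user device list` output (the same format, any number of hosts) gives a quick list of which MACs will keep triggering captures under the configured threshold.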
