Added ability in FortiSwitch to query FortiGuard IoT service for device details
Capability was added to FortiSwitch to work with FortiGate and the new FortiGuard IoT detection service for the purpose of device identification.
FortiSwitch devices are now able to assist FortiGates with capturing the most accurate device information, allowing FortiGate to identify devices for the user device list. When the new FortiGuard IoT detection service is activated, FortiGate will leverage the IoT detection service to help reduce the workload for device identification.
To use this feature, the following are required:
The following CLI command and parameters were added under switch-controller to control when FortiSwitch should start and stop collecting device packets for FortiGate:
config switch-controller system
    set iot-weight-threshold
    set iot-scan-interval
    set iot-holdoff
    set iot-mac-idle
Parameter | Description | Type | Default
---|---|---|---
iot-weight-threshold | The confidence (weight) threshold for a MAC entry. An entry whose weight is below this value is re-queried. | Integer |
iot-scan-interval | The IoT scan interval, in minutes. | Integer |
iot-holdoff | The hold-off time before a MAC entry is created. A MAC address must have been seen for longer than this value before an entry is created. | Integer | 5 minutes
iot-mac-idle | The idle time for a MAC entry. The entry is removed once it has been idle for this long. | Integer | 1440 minutes
Example
Example topology
FGT500E-----FSW248EP(port1)-----FortiAP
In this example, FortiSwitch helps FortiGate collect packets from the FortiAP in alternating 30-minute windows: it captures for 30 minutes, then pauses for 30 minutes (iot-scan-interval 30). FortiSwitch stops collecting packets from the FortiAP once the weight of the device information reaches the threshold of 80 (iot-weight-threshold 80).
To collect IoT device information for identification in the CLI:
- The IoT parameters are configured under switch-controller system. The get output below shows the resulting values.
FGT_A (global) # config switch-controller system
FGT_A (system) # get
iot-weight-threshold: 80
iot-scan-interval : 30
iot-holdoff : 5
iot-mac-idle : 1440
FGT_A (system) # end
- When the scheduled capture time is reached, the scan starts. The diagnose command shows the capture in progress on the FortiSwitch port (status running).
FGT_A (vdom1) # dia switch-controller traffic-capture show
MAC session-in-use switch fortilink-interface-name port status
=========================================================================================================================
08:5b:0e:06:6a:d4 1 S248EPTF18001384 port11 port1 running
Global stats:
================
node add = 16
node delete = 15
node add failed = 0
node delete failed = 0
- A corresponding sniffer profile is created on FortiSwitch to help collect the data.
S524DN4K16000116 # config system sniffer-profile
S524DN4K16000116 (sniffer-profile) # show
config system sniffer-profile
edit "08:5b:0e:06:6a:d4"
set filter "ether host 08:5b:0e:06:6a:d4"
set max-pkt-count 1000
set max-pkt-len 256
set switch-interface "port1"
next
end
- The captured data is sent to the FortiGuard IoT service for identification. The device information is then updated in the device list with src fortiguard and its weight.
FGT_A (vdom1) # dia user device list
hosts
vd vdom1/1 08:5b:0e:06:6a:d4 gen 17 req OUA/34
created 42s gen 13 seen 1s onboarding.13 gen 4
hardware vendor 'FORTINET' src fortiguard id 0 weight 100
type 'Network' src fortiguard id 0 weight 100
family 'Router' src fortiguard id 0 weight 100
os 'NULL' src fortiguard id 0 weight 100
hardware version 'FortiAP-320B' id 0 weight 100
host 'FP320B3X13000599' src capwap
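To check the outcome of this procedure in bulk, the following added example (not code from the page or from Fortinet) parses the output of diagnose user device list and reports which MAC entries sit below iot-weight-threshold and will therefore be re-queried. It assumes an entry's confidence is the lowest weight among its attributes (the page does not state how the per-entry value is derived), and the second host in the sample output is constructed, not taken from the page.

```python
"""Parse `diagnose user device list` output and flag entries below iot-weight-threshold.

Added example; the device-list format is taken from the page's sample output, and the
second host below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the first host is the page's FortiAP, the second is hypothetical.
SAMPLE_DEVICE_LIST = """\
hosts
vd vdom1/1 08:5b:0e:06:6a:d4 gen 17 req OUA/34
created 42s gen 13 seen 1s onboarding.13 gen 4
hardware vendor 'FORTINET' src fortiguard id 0 weight 100
type 'Network' src fortiguard id 0 weight 100
family 'Router' src fortiguard id 0 weight 100
os 'NULL' src fortiguard id 0 weight 100
hardware version 'FortiAP-320B' id 0 weight 100
host 'FP320B3X13000599' src capwap
vd vdom1/2 00:11:22:33:44:55 gen 18 req OUA/35
created 10s gen 2 seen 1s onboarding.2 gen 1
hardware vendor 'UNKNOWN' src dhcp id 0 weight 40
type 'Unknown' src dhcp id 0 weight 40
"""

# "vd <vdom>/<idx> <mac> ..." opens a new host entry.
ENTRY_RE = re.compile(r"^vd\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
# Attribute lines: "<name> '<value>' [src <src>] [id <n>] [weight <n>]".
ATTR_RE = re.compile(
    r"^(hardware vendor|hardware version|type|family|os|host)\s+'([^']*)'"
    r"(?:\s+src\s+(\S+))?(?:\s+id\s+(\d+))?(?:\s+weight\s+(\d+))?\s*$"
)


@dataclass
class Attr:
    value: str
    src: Optional[str]
    weight: Optional[int]


@dataclass
class DeviceEntry:
    vdom: str
    mac: str
    attrs: Dict[str, Attr] = field(default_factory=dict)

    @property
    def confidence(self) -> Optional[int]:
        """Assumed per-entry confidence: the lowest attribute weight, or None if no weights."""
        weights = [a.weight for a in self.attrs.values() if a.weight is not None]
        return min(weights) if weights else None

    @property
    def sources(self) -> Set[str]:
        return {a.src for a in self.attrs.values() if a.src}


def parse_device_list(text: str) -> List[DeviceEntry]:
    entries: List[DeviceEntry] = []
    current: Optional[DeviceEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = DeviceEntry(vdom=m.group(1), mac=m.group(2).lower())
            entries.append(current)
            continue
        if current is None:
            continue  # header lines such as "hosts"
        m = ATTR_RE.match(line)
        if m:
            name, value, src, _id, weight = m.groups()
            current.attrs[name] = Attr(value, src, int(weight) if weight else None)
    return entries


def below_threshold(entries: List[DeviceEntry], threshold: int) -> List[str]:
    """MACs whose confidence is below iot-weight-threshold (these get re-queried)."""
    return [e.mac for e in entries if e.confidence is None or e.confidence < threshold]


def identified_by_fortiguard(entry: DeviceEntry) -> bool:
    """True once at least one attribute carries src fortiguard."""
    return "fortiguard" in entry.sources


def sniffer_filter(mac: str) -> str:
    """The BPF filter FortiSwitch installs in its sniffer-profile for one MAC."""
    if not re.fullmatch(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}", mac.lower()):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"ether host {mac.lower()}"


if __name__ == "__main__":
    devices = parse_device_list(SAMPLE_DEVICE_LIST)
    for d in devices:
        print(d.vdom, d.mac, "confidence", d.confidence, "fortiguard", identified_by_fortiguard(d))
    print("re-query below 80:", below_threshold(devices, 80))
```

With iot-weight-threshold set to 80 as in the example, the FortiAP entry (weight 100 from FortiGuard) is left alone, while the constructed host identified only by DHCP at weight 40 is reported for re-query.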