Fortinet Document Library

Administration Guide

IoT detection service

Internet of Things (IoT) detection is a subscription service that lets FortiGate identify, through FortiGuard, devices that the local Device Database (CIDB) does not recognize. When the service is activated, FortiGate can send device information to the FortiGuard collection server. When a new device is detected, FortiGate queries the FortiGuard query server for more information about the device.

The IoT detection service requires an IOTH contract, which is part of the Enterprise and 360 Protection bundle, or can be purchased on its own.

FortiGate device requirements:

The FortiGate device must be:

  • Registered with FortiCare
  • Connected to an anycast FortiGuard server

How the service works:

  1. Enable Device Detection on an interface.
  2. FortiGate uses the interface to detect device traffic flow.
  3. Upon detecting traffic from an unknown device, FortiGate sends the device data to the FortiGuard collection server.
  4. The collection server returns data about the new device to the FortiGuard query server.
  5. If the device signature does not appear in the local Device Database (CIDB), or some of its fields are incomplete, FortiGate queries FortiGuard for more information about the device.

To view the latest device information in the GUI, go to Dashboard > Users & Devices and expand the Device Inventory widget.

To debug the daemon in the CLI:

  1. Disable the local device database in order to force all queries to go to FortiGuard.

    diagnose src-vis local-sig disable

  2. Enable iotd debugs.

    diagnose debug application iotd -1
    diagnose debug enable

    FortiGate sends the device data to the FortiGuard collection server.

    FortiWiFi-60E # [iotd] recv request from caller size:61
    [iotd] service:collect hostname: ip: fd:-1 request tlv_len:41
    [iotd] txt(.....y...w.....Jasons-iPhone6....579=23..)
    [iotd] hex(02010007017903060f77fc0203000e4a61736f6e732d6950686f6e6536020400083537393d32330cff)
    [iotd] service:collect hostname:qadevcollect.fortinet.net ip: fd:-1 got server hostname
    [iotd] service:collect hostname:qadevcollect.fortinet.net ip:192.168.100.133 fd:-1 got server ip
    [iotd] service:collect hostname:qadevcollect.fortinet.net ip:192.168.100.133 fd:13 socket created
    [iotd] service:collect hostname:qadevcollect.fortinet.net ip:192.168.100.133 fd:13 connecting
    [iotd] fd:13 monitor event:pollout
    [iotd] service:collect hostname:qadevcollect.fortinet.net ip:192.168.100.133 fd:13 build req packet
    [iotd] service:collect hostname:qadevcollect.fortinet.net ip:192.168.100.133 fd:13 collect resp:1(pending)

    The FortiGuard collection server returns new device data to the FortiGuard query server.

    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 got query resp
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 id:0 total_len:48 header_len:16 tlv_len:32 confidence:100 mac:f8:87:f1:1f:ab:95
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 remaining_len:32 type:1 len:6
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 got tlv category:'Mobile'
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 remaining_len:24 type:2 len:6
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 got tlv sub_category:'Mobile'
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 remaining_len:16 type:3 len:5
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 got tlv vendor:'Apple'
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 remaining_len:9 type:4 len:0
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 remaining_len:7 type:5 len:3
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 got tlv os:'iOS'
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 remaining_len:2 type:6 len:0
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 send query response to caller size:48
    [iotd] txt(............d0 ...Mobile..Mobile..Apple....iOS..)
    [iotd] hex(f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c6503054170706c6504000503694f530600)
    [iotd] service:query hostname:qadevquery.fortinet.net ip:192.168.100.248 fd:17 read resp:0(good)

  3. The device list shows the returned device information, including the information source (src fortiguard).

    diagnose user device list

    vd root/0  f8:87:f1:1f:ab:95  gen 26  req OUA/34
    created 503s  gen 23  seen 102s  lan  gen 7
    ip 192.168.1.110  src arp
    hardware vendor 'Apple'  src fortiguard  id 0  weight 100
    type 'Mobile'  src fortiguard  id 0  weight 100
    family 'Mobile'  src fortiguard  id 0  weight 100
    os 'iOS'  src fortiguard  id 0  weight 100
    host 'Jasons-iPhone6'  src dhcp
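The `hex(...)` line that iotd prints for the query response can be decoded by hand to confirm that the classification shown in `diagnose user device list` matches what FortiGuard actually returned. The decoder below is an added example, not Fortinet code; its header layout (6-byte MAC, 6 reserved bytes, then one byte each of confidence, total_len, tlv_len and id) is inferred from the values iotd reports beside the capture and is an assumption, not a published format.

```python
"""Decode a FortiGuard IoT query response from an iotd 'hex(...)' debug line.

Added example, not Fortinet code. The header layout is inferred from the values
iotd prints next to the capture (header_len:16, tlv_len:32, confidence:100,
mac:f8:87:f1:1f:ab:95) and is an assumption, not a published format.
"""
import struct

# TLV types as named by iotd's "got tlv ..." lines; types 4 and 6 appear with
# len:0 and are never named in the output, so they stay unnamed here.
TLV_NAMES = {1: "category", 2: "sub_category", 3: "vendor", 5: "os"}

# The hex() line from the page's debug session (48 bytes).
PAGE_RESPONSE_HEX = ("f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c65"
                     "03054170706c6504000503694f530600")


def decode_query_response(hexstr: str) -> dict:
    buf = bytes.fromhex(hexstr)
    if len(buf) < 16:
        raise ValueError("response shorter than the 16-byte header")
    mac = buf[0:6]
    # Bytes 6..11 are all zero in the capture; treated as reserved (assumption).
    confidence, total_len, tlv_len, rsp_id = struct.unpack_from("BBBB", buf, 12)
    # Cross-check the length fields before trusting any TLV offsets.
    if total_len != len(buf) or 16 + tlv_len != total_len:
        raise ValueError(f"length fields disagree: total={total_len} tlv={tlv_len} buf={len(buf)}")
    result = {"mac": ":".join(f"{b:02x}" for b in mac), "id": rsp_id,
              "confidence": confidence, "tlv": {}}
    pos, remaining = 16, tlv_len   # mirrors the remaining_len counter in the log
    while remaining > 0:
        if remaining < 2:
            raise ValueError("truncated TLV header")
        ttype, tlen = buf[pos], buf[pos + 1]
        if tlen > remaining - 2:
            raise ValueError(f"TLV type {ttype} len {tlen} overruns the buffer")
        value = buf[pos + 2:pos + 2 + tlen].decode("ascii", errors="replace")
        result["tlv"][TLV_NAMES.get(ttype, f"type{ttype}")] = value
        pos += 2 + tlen
        remaining -= 2 + tlen
    return result


if __name__ == "__main__":
    for key, val in decode_query_response(PAGE_RESPONSE_HEX).items():
        print(f"{key}: {val}")
```

Running it on the page's capture yields the MAC f8:87:f1:1f:ab:95, confidence 100 and the four named TLVs (Mobile, Mobile, Apple, iOS), which are exactly the `src fortiguard` fields in the device list; a response whose length fields do not add up is rejected instead of being partially decoded.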
