Fortinet white logo
Fortinet white logo

Administration Guide

Use FortiSwitch to query FortiGuard IoT service for device details

Use FortiSwitch to query FortiGuard IoT service for device details

FortiSwitch can work with FortiGate and the FortiGuard IoT detection service to perform device identification.

FortiSwitch devices can assist FortiGates with capturing accurate device information, allowing FortiGate to identify devices for the user device list. When the FortiGuard IoT detection service is activated, FortiGate will leverage the IoT detection service to help reduce the workload for device identification.

Note

To use this feature, the following are required:

The following CLI commands control when FortiSwitch should start and stop collecting device packets for FortiGate:

config switch-controller system

set iot-weight-threshold <integer>

set iot-scan-interval <integer>

set iot-holdoff <integer>

set iot-mac-idle <integer>

end

Parameter

Description

iot-weight-threshold

The confidence value for the MAC entry (disable = 0, default = 1).

iot-scan-interval

The IoT scan interval, in minutes (2 - 4294967295, disable = 0, default = 60).

iot-holdoff

The creation time for the MAC entry, in minutes (default = 5).

The time must be greater than this value for an entry to be created.

iot-mac-idle

The idle time for the MAC entry, in minutes (default = 1440).

The MAC entry is removed after this value.

Example

In this example, FortiSwitch will help FortiGate collect packets from FortiAP every 30 minutes and stop for 30 minutes. FortiSwitch will stop collecting packets from FortiAP when the weight of the device information reaches a threshold of 80.

To configure IoT device information collection for identification:
  1. On the FortiGate, configure the switch controller IoT parameters:
    config switch-controller system
        set iot-weight-threshold 80
        set iot-scan-interval 30
        set iot-holdoff 5
        set iot-mac-idle 1440
    end
  2. On the FortiSwitch, create a sniffer profile to help collect the data:
    config system sniffer-profile
        edit "08:5b:0e:06:6a:d4"
            set filter "ether host 08:5b:0e:06:6a:d4"
            set max-pkt-count 1000
            set max-pkt-len 256
            set switch-interface "port1"
        next
    end

    See the FortiSwitch CLI Reference for more information.

To confirm that the scan is working:
  1. When the packet capture scheduled time is reached, check that the scan has started:
    # diagnose switch-controller traffic-capture show
    MAC                     session-in-use  switch                  fortilink-interface-name    port              status
    =========================================================================================================================
    08:5b:0e:06:6a:d4       1               S248EPTF00000000        port11                      port1             running
    
    Global stats:
    ================
    node add = 16
    node delete = 15
    node add failed = 0
    node delete failed = 0
  2. Data are collected and sent to the FortiGuard service for identification. Device information is updated in the device list to include src fortiguard:
    # diagnose user device list
    hosts
      vd vdom1/1  08:5b:0e:06:6a:d4  gen 17  req OUA/34
        created 42s  gen 13  seen 1s  onboarding.13  gen 4
        hardware vendor 'FORTINET'  src fortiguard  id 0  weight 100
        type 'Network'  src fortiguard  id 0  weight 100
        family 'Router'  src fortiguard  id 0  weight 100
        os 'NULL'  src fortiguard  id 0  weight 100
        hardware version 'FortiAP-320B'  src fortiguard  id 0  weight 100
        host 'FP320B3X13000599'  src capwap

Use FortiSwitch to query FortiGuard IoT service for device details

Use FortiSwitch to query FortiGuard IoT service for device details

FortiSwitch can work with FortiGate and the FortiGuard IoT detection service to perform device identification.

FortiSwitch devices can assist FortiGates with capturing accurate device information, allowing FortiGate to identify devices for the user device list. When the FortiGuard IoT detection service is activated, FortiGate will leverage the IoT detection service to help reduce the workload for device identification.

Note

To use this feature, the following are required:

The following CLI commands control when FortiSwitch should start and stop collecting device packets for FortiGate:

config switch-controller system

set iot-weight-threshold <integer>

set iot-scan-interval <integer>

set iot-holdoff <integer>

set iot-mac-idle <integer>

end

Parameter

Description

iot-weight-threshold

The confidence value for the MAC entry (disable = 0, default = 1).

iot-scan-interval

The IoT scan interval, in minutes (2 - 4294967295, disable = 0, default = 60).

iot-holdoff

The creation time for the MAC entry, in minutes (default = 5).

The time must be greater than this value for an entry to be created.

iot-mac-idle

The idle time for the MAC entry, in minutes (default = 1440).

The MAC entry is removed after this value.

Example

In this example, FortiSwitch will help FortiGate collect packets from FortiAP every 30 minutes and stop for 30 minutes. FortiSwitch will stop collecting packets from FortiAP when the weight of the device information reaches a threshold of 80.

To configure IoT device information collection for identification:
  1. On the FortiGate, configure the switch controller IoT parameters:
    config switch-controller system
        set iot-weight-threshold 80
        set iot-scan-interval 30
        set iot-holdoff 5
        set iot-mac-idle 1440
    end
  2. On the FortiSwitch, create a sniffer profile to help collect the data:
    config system sniffer-profile
        edit "08:5b:0e:06:6a:d4"
            set filter "ether host 08:5b:0e:06:6a:d4"
            set max-pkt-count 1000
            set max-pkt-len 256
            set switch-interface "port1"
        next
    end

    See the FortiSwitch CLI Reference for more information.

To confirm that the scan is working:
  1. When the packet capture scheduled time is reached, check that the scan has started:
    # diagnose switch-controller traffic-capture show
    MAC                     session-in-use  switch                  fortilink-interface-name    port              status
    =========================================================================================================================
    08:5b:0e:06:6a:d4       1               S248EPTF00000000        port11                      port1             running
    
    Global stats:
    ================
    node add = 16
    node delete = 15
    node add failed = 0
    node delete failed = 0
  2. Data are collected and sent to the FortiGuard service for identification. Device information is updated in the device list to include src fortiguard:
    # diagnose user device list
    hosts
      vd vdom1/1  08:5b:0e:06:6a:d4  gen 17  req OUA/34
        created 42s  gen 13  seen 1s  onboarding.13  gen 4
        hardware vendor 'FORTINET'  src fortiguard  id 0  weight 100
        type 'Network'  src fortiguard  id 0  weight 100
        family 'Router'  src fortiguard  id 0  weight 100
        os 'NULL'  src fortiguard  id 0  weight 100
        hardware version 'FortiAP-320B'  src fortiguard  id 0  weight 100
        host 'FP320B3X13000599'  src capwap