Use FortiSwitch to query FortiGuard IoT service for device details
FortiSwitch can work with FortiGate and the FortiGuard IoT detection service to perform device identification.
FortiSwitch devices can assist FortiGates with capturing accurate device information, allowing FortiGate to identify devices for the user device list. When the FortiGuard IoT detection service is activated, FortiGate will leverage the IoT detection service to help reduce the workload for device identification.
To use this feature, the following are required:
The following CLI commands control when FortiSwitch should start and stop collecting device packets for FortiGate:
config switch-controller system
    set iot-weight-threshold <integer>
    set iot-scan-interval <integer>
    set iot-holdoff <integer>
    set iot-mac-idle <integer>
end
Parameter | Description
---|---
iot-weight-threshold | The confidence value for the MAC entry (disable = 0, default = 1).
iot-scan-interval | The IoT scan interval, in minutes (2 - 4294967295, disable = 0, default = 60).
iot-holdoff | The creation time for the MAC entry, in minutes (default = 5). The time must be greater than this value for an entry to be created.
iot-mac-idle | The idle time for the MAC entry, in minutes (default = 1440). The MAC entry is removed after this value.
Example
In this example, FortiSwitch will help FortiGate collect packets from FortiAP every 30 minutes and stop for 30 minutes. FortiSwitch will stop collecting packets from FortiAP when the weight of the device information reaches a threshold of 80.
To configure IoT device information collection for identification:
- On the FortiGate, configure the switch controller IoT parameters:
config switch-controller system
    set iot-weight-threshold 80
    set iot-scan-interval 30
    set iot-holdoff 5
    set iot-mac-idle 1440
end
- On the FortiSwitch, create a sniffer profile to help collect the data:
config system sniffer-profile
    edit "08:5b:0e:06:6a:d4"
        set filter "ether host 08:5b:0e:06:6a:d4"
        set max-pkt-count 1000
        set max-pkt-len 256
        set switch-interface "port1"
    next
end
See the FortiSwitch CLI Reference for more information.
To confirm that the scan is working:
- When the packet capture scheduled time is reached, check that the scan has started:
# diagnose switch-controller traffic-capture show
MAC                 session-in-use   switch             fortilink-interface-name   port    status
=========================================================================================================================
08:5b:0e:06:6a:d4   1                S248EPTF00000000   port11                     port1   running

Global stats:
================
node add = 16
node delete = 15
node add failed = 0
node delete failed = 0
- Data are collected and sent to the FortiGuard service for identification. Device information is updated in the device list to include src fortiguard:
# diagnose user device list
hosts
vd vdom1/1  08:5b:0e:06:6a:d4  gen 17 req OUA/34
    created 42s gen 13 seen 1s onboarding.13 gen 4
    hardware vendor 'FORTINET' src fortiguard id 0 weight 100
    type 'Network' src fortiguard id 0 weight 100
    family 'Router' src fortiguard id 0 weight 100
    os 'NULL' src fortiguard id 0 weight 100
    hardware version 'FortiAP-320B' src fortiguard id 0 weight 100
    host 'FP320B3X13000599' src capwap
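As an added example that is not part of the Fortinet documentation, the following Python script parses the diagnose user device list output format shown above and reports, per MAC, which attributes FortiGuard supplied and whether all of them have reached the configured iot-weight-threshold, which is a quick way to confirm from a saved CLI capture that the IoT service is populating the device list. The sample output embedded in the script is constructed: the first host reproduces the page's example, while the second host (MAC 00:11:22:33:44:55 with weights of 40) is invented to show a device whose identification is still below the threshold. Treating the lowest FortiGuard weight as the device's overall confidence is an assumption about how the threshold applies, not something the page states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the `diagnose user device list` output on this page.
# Host 1 is the page's example; host 2 is invented to show a pending identification.
SAMPLE_DEVICE_LIST = """\
hosts
vd vdom1/1  08:5b:0e:06:6a:d4  gen 17 req OUA/34
    created 42s gen 13 seen 1s onboarding.13 gen 4
    hardware vendor 'FORTINET' src fortiguard id 0 weight 100
    type 'Network' src fortiguard id 0 weight 100
    family 'Router' src fortiguard id 0 weight 100
    os 'NULL' src fortiguard id 0 weight 100
    hardware version 'FortiAP-320B' src fortiguard id 0 weight 100
    host 'FP320B3X13000599' src capwap
vd vdom1/2  00:11:22:33:44:55  gen 3 req OUA/7
    created 10s gen 2 seen 1s onboarding.2 gen 1
    hardware vendor 'EXAMPLE-VENDOR' src fortiguard id 0 weight 40
    type 'IoT' src fortiguard id 0 weight 40
"""

# A host header line: "vd <vdom>/<n>  <mac>  gen ... req ..."
HOST_RE = re.compile(
    r"^vd\s+(?P<vdom>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)
# An attribute line: "<name> '<value>' src <source> [id <n> weight <w>]"
ATTR_RE = re.compile(
    r"^\s+(?P<name>[a-z][a-z ]*?)\s+'(?P<value>[^']*)'\s+src\s+(?P<src>\S+)"
    r"(?:\s+id\s+\d+\s+weight\s+(?P<weight>\d+))?"
)


@dataclass
class Attr:
    value: str
    src: str              # e.g. "fortiguard" or "capwap"
    weight: Optional[int]  # None when the source reports no weight


@dataclass
class Host:
    vdom: str
    mac: str
    attrs: Dict[str, Attr] = field(default_factory=dict)


def parse_device_list(text: str) -> List[Host]:
    """Parse the device-list output into Host records, attribute lines attach to the last header."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Host(m["vdom"], m["mac"].lower())
            hosts.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            weight = int(m["weight"]) if m["weight"] else None
            current.attrs[m["name"].strip()] = Attr(m["value"], m["src"], weight)
    return hosts


def fortiguard_attrs(host: Host) -> Dict[str, Attr]:
    """Only the attributes that came from the FortiGuard IoT service."""
    return {name: a for name, a in host.attrs.items() if a.src == "fortiguard"}


def threshold_reached(host: Host, iot_weight_threshold: int) -> bool:
    """Assumed reading of iot-weight-threshold: identification is complete when every
    FortiGuard-sourced attribute carries a weight at or above the threshold."""
    fg = fortiguard_attrs(host)
    return bool(fg) and all(
        a.weight is not None and a.weight >= iot_weight_threshold for a in fg.values()
    )


def pending_macs(hosts: List[Host], iot_weight_threshold: int) -> List[str]:
    """MACs whose FortiGuard identification is absent or still below the threshold."""
    return [h.mac for h in hosts if not threshold_reached(h, iot_weight_threshold)]


if __name__ == "__main__":
    parsed = parse_device_list(SAMPLE_DEVICE_LIST)
    for h in parsed:
        fg = fortiguard_attrs(h)
        state = "complete" if threshold_reached(h, 80) else "pending"
        print(f"{h.mac} ({h.vdom}): {len(fg)} FortiGuard attributes, identification {state}")
    print("still collecting for:", pending_macs(parsed, 80))
```

Run it against a pasted copy of the real diagnose output instead of SAMPLE_DEVICE_LIST to see which MACs the switch should still be capturing for under the threshold configured in the example (80).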