Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Track device traffic statistics when NAC is enabled 7.2.4

    Track device traffic statistics when NAC is enabled 7.2.4

    Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.3, you can use the FortiOS CLI to report device statistics when NAC is enabled. The device statistics report the MAC addresses of known devices, the number of packets and bytes received, the number of seconds since the last update, and the age of the MAC counter in seconds.

    Note

    • Only statistics for receive counters are reported.

    • If a device moves to a different FortiSwitch unit, the MAC counters are reallocated.

    • If a FortiSwitch unit cannot track both bytes and packets, a zero is displayed for whichever value cannot be tracked. If a FortiSwitch unit cannot track device statistics at all, the entry will be missing from the CLI command output.

    • This feature is supported on the following FortiSwitch models: FSR-124D, FSR-224F-FPOE, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.

    • Accuracy is not guaranteed.
    To display device statistics:

    1. Enable NAC.

      config user nac-policy

      edit <NAC_policy_name>

      set status enable

      next

      end

    2. Enable packet counting in the MAC policy. By default, packet counting is disabled.

      config switch-controller mac-policy

      edit <MAC_policy_name>

      set count enable

      next

      end

    3. Specify how long inactive MAC addresses are kept before being removed from the client database. By default, MAC addresses are kept for 24 hours. The range of values is 0-168 hours. If you set this option to 0, the value for the mac-aging-interval setting is used instead.

      config switch-controller global

      set mac-retention-period <number_of_hours>

      end

    4. Enter the following command to display the device statistics:

      diagnose switch-controller telemetry show mac-stats

      For example:

      diagnose switch-controller telemetry show mac-stats

MAC                Packets        Bytes      Last Update (secs ago)  Age
------------------------------------------------------------------------------------
00:00:00:00:00:0f     234562    2356546842           41             23433
00:00:00:00:14:21      44273        456346           68              7477
00:03:7a:a8:82:e7      12346         34545           30            983452
00:04:f2:f3:2b:7f       4357        345345           30             23423
00:04:f2:f6:77:05     463453       4564564          430         362456265
00:04:f2:f6:7a:6a      34535       1312354           30             23423
00:04:f2:f6:7b:66      73821        345345           68            374546
00:05:9a:3c:7a:00         43          9144           68            456725
    Previous
    Next

    Track device traffic statistics when NAC is enabled 7.2.4

    Track device traffic statistics when NAC is enabled 7.2.4

    Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.3, you can use the FortiOS CLI to report device statistics when NAC is enabled. The device statistics report the MAC addresses of known devices, the number of packets and bytes received, the number of seconds since the last update, and the age of the MAC counter in seconds.

    Note

    • Only statistics for receive counters are reported.

    • If a device moves to a different FortiSwitch unit, the MAC counters are reallocated.

    • If a FortiSwitch unit cannot track both bytes and packets, a zero is displayed for whichever value cannot be tracked. If a FortiSwitch unit cannot track device statistics at all, the entry will be missing from the CLI command output.

    • This feature is supported on the following FortiSwitch models: FSR-124D, FSR-224F-FPOE, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.

    • Accuracy is not guaranteed.
    To display device statistics:

    1. Enable NAC.

      config user nac-policy

      edit <NAC_policy_name>

      set status enable

      next

      end

    2. Enable packet counting in the MAC policy. By default, packet counting is disabled.

      config switch-controller mac-policy

      edit <MAC_policy_name>

      set count enable

      next

      end

    3. Specify how long inactive MAC addresses are kept before being removed from the client database. By default, MAC addresses are kept for 24 hours. The range of values is 0-168 hours. If you set this option to 0, the value for the mac-aging-interval setting is used instead.

      config switch-controller global

      set mac-retention-period <number_of_hours>

      end

    4. Enter the following command to display the device statistics:

      diagnose switch-controller telemetry show mac-stats

      For example:

      diagnose switch-controller telemetry show mac-stats

MAC                Packets        Bytes      Last Update (secs ago)  Age
------------------------------------------------------------------------------------
00:00:00:00:00:0f     234562    2356546842           41             23433
00:00:00:00:14:21      44273        456346           68              7477
00:03:7a:a8:82:e7      12346         34545           30            983452
00:04:f2:f3:2b:7f       4357        345345           30             23423
00:04:f2:f6:77:05     463453       4564564          430         362456265
00:04:f2:f6:7a:6a      34535       1312354           30             23423
00:04:f2:f6:7b:66      73821        345345           68            374546
00:05:9a:3c:7a:00         43          9144           68            456725
    Previous
    Next