IoT detection service
Internet of Things (IoT) detection is a subscription service that lets FortiGate identify devices that the local Device Database (CIDB) does not recognize by querying FortiGuard. When the service is activated, FortiGate can send information about detected devices to the FortiGuard collection server, and when it sees a new device it queries the FortiGuard query server for more information about that device.
This feature requires an IoT Detection Service license.
FortiGate device requirements:
The FortiGate device must be:
- Registered with FortiCare
- Connected to an anycast FortiGuard server
How the service works:
- Enable Device Detection on an interface.
- FortiGate monitors traffic on that interface to detect devices.
- When it sees traffic from an unknown device, FortiGate sends the device data to the FortiGuard collection server.
- The collection server returns data about the new device to the FortiGuard query server.
- If the device signature is not in the local Device Database (CIDB), or some of its fields are incomplete, FortiGate queries the FortiGuard query server for more information about the device.
To view the latest device information in the GUI, go to Dashboard > Users & Devices and expand the Device Inventory widget.
To debug the daemon in the CLI:
- Disable the local device database in order to force all queries to go to FortiGuard:
# diagnose cid sigs disable
- Enable iotd debugs:
# diagnose debug application iotd -1
# diagnose debug enable
FortiGate sends the device data to the FortiGuard collection server:
[iotd] recv request from caller size:61
[iotd] service:collect hostname: ip: fd:-1 request tlv_len:41
[iotd] txt(.....y...w.....Jasons-iPhone6....579=23..)
[iotd] hex(02010007017903060f77fc0203000e4a61736f6e732d6950686f6e6536020400083537393d32330cff)
[iotd] service:collect hostname:globaldevcollect.fortinet.net ip: fd:-1 got server hostname
[iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:-1 got server ip
[iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 socket created
[iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 connecting
[iotd] fd:13 monitor event:pollout
[iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 build req packet
[iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 collect resp:1(pending)
FortiGate then queries the FortiGuard query server and receives the device attributes as a list of type/length/value (TLV) fields:
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got query resp
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 id:0 total_len:48 header_len:16 tlv_len:32 confidence:100 mac:f8:87:f1:1f:ab:95
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:32 type:1 len:6
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv category:'Mobile'
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:24 type:2 len:6
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv sub_category:'Mobile'
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:16 type:3 len:5
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv vendor:'Apple'
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:9 type:4 len:0
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:7 type:5 len:3
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv os:'iOS'
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:2 type:6 len:0
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 send query response to caller size:48
[iotd] txt(............d0 ...Mobile..Mobile..Apple....iOS..)
[iotd] hex(f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c6503054170706c6504000503694f530600)
[iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 read resp:0(good)
- The device list shows the returned attributes together with their information source (src fortiguard):
# diagnose user device list
vd root/0 f8:87:f1:1f:ab:95 gen 26 req OUA/34
    created 503s gen 23 seen 102s lan gen 7
    ip 192.168.1.110 src arp
    hardware vendor 'Apple' src fortiguard id 0 weight 100
    type 'Mobile' src fortiguard id 0 weight 100
    family 'Mobile' src fortiguard id 0 weight 100
    os 'iOS' src fortiguard id 0 weight 100
    host 'Jasons-iPhone6' src dhcp
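To make the TLV layout in the trace above concrete, here is an added Python example (not Fortinet code) that decodes the hex() line of the query response and recovers the same values the daemon logged beside it: mac, confidence, total_len, tlv_len, the category/sub_category/vendor/os attributes, and the remaining_len countdown. It also reproduces the txt() rendering for both hex dumps on this page. The header layout (six zero bytes after the MAC, then one byte each for confidence, total_len and tlv_len) is an assumption inferred by matching the bytes against the logged values; the page does not document it, and TLV types 4 and 6, which the trace shows with len:0 but never names, are left numeric.

```python
"""Decode an iotd query response from FortiGate debug output.

Added example, not Fortinet code. The header layout is an assumption
inferred from the logged values (see comments); the TLV body is
type(1) len(1) value(len), as the trace's remaining_len/type/len lines show.
"""
from dataclasses import dataclass

# Constructed from the debug output on this page: the globaldevquery response.
QUERY_RESPONSE_HEX = (
    "f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c65"
    "03054170706c6504000503694f530600"
)
# Constructed from the debug output on this page: the globaldevcollect request
# body (tlv_len:41). Its inner structure is not documented here, so it is only
# used to check the txt() rendering.
COLLECT_REQUEST_HEX = (
    "02010007017903060f77fc0203000e4a61736f6e732d6950686f6e6536"
    "020400083537393d32330cff"
)

HEADER_LEN = 16  # iotd logs header_len:16 for this response

# TLV type -> attribute name, exactly as the iotd trace names them. Types 4 and
# 6 appear in the trace with len:0 and no name, so they are kept numeric.
TLV_NAMES = {1: "category", 2: "sub_category", 3: "vendor", 5: "os"}


@dataclass
class QueryResponse:
    mac: str
    confidence: int
    total_len: int
    tlv_len: int
    fields: dict
    remaining_trace: list  # remaining_len before each TLV, as iotd logs it


def dump_txt(data: bytes) -> str:
    """Reproduce the daemon's txt() view: printable ASCII kept, all else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_query_response(data: bytes) -> QueryResponse:
    """Split the response into header fields and type/len/value attributes.

    Every length is checked against the bytes actually present, so a truncated
    or inconsistent response raises instead of being silently accepted.
    """
    if len(data) < HEADER_LEN:
        raise ValueError(f"short header: {len(data)} bytes")
    mac = ":".join(f"{b:02x}" for b in data[:6])
    # ASSUMPTION: offsets 12, 13, 14 hold confidence, total_len, tlv_len.
    # This matches confidence:100 total_len:48 tlv_len:32 in the trace.
    confidence, total_len, tlv_len = data[12], data[13], data[14]
    if total_len != len(data):
        raise ValueError(f"total_len {total_len} != {len(data)} bytes received")
    if HEADER_LEN + tlv_len != total_len:
        raise ValueError(f"header_len + tlv_len != total_len {total_len}")

    fields = {}
    trace = []
    body = data[HEADER_LEN:]
    remaining = tlv_len
    while remaining >= 2:
        trace.append(remaining)
        ttype, tlen = body[0], body[1]
        if tlen > remaining - 2:
            raise ValueError(f"TLV type {ttype} len {tlen} overruns {remaining}")
        value = body[2:2 + tlen]
        fields[TLV_NAMES.get(ttype, f"type_{ttype}")] = value.decode("ascii", errors="replace")
        body = body[2 + tlen:]
        remaining -= 2 + tlen
    if remaining:
        raise ValueError(f"{remaining} stray byte(s) after the last TLV")
    return QueryResponse(mac, confidence, total_len, tlv_len, fields, trace)


def parses_cleanly(data: bytes) -> bool:
    """True if the response passes every length check, False if rejected."""
    try:
        parse_query_response(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = bytes.fromhex(QUERY_RESPONSE_HEX)
    print("txt:", dump_txt(raw))
    print(parse_query_response(raw))
```

The remaining_trace it returns (32, 24, 16, 9, 7, 2) is the same countdown the daemon prints as remaining_len, which is a quick way to confirm that a decoder and the trace agree on field boundaries.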
Using FortiManager as an override server for IoT query services
FortiGate can use FortiManager as an override server for IoT query services. The FortiManager must be running 7.2.1 or later.
All IoT daemon query and collected data can be sent to a FortiManager instead of directly to FortiGuard. This is useful when strict policies control what traffic may go to the internet, for example when the device data in the collect request (which includes the DHCP host name, as the debug output above shows) must not leave the organization.
To send all IoT daemon query and collected data to a FortiManager:
config system central-management
    config server-list
        edit 1
            set server-type iot-query iot-collect
            set server-address <x.x.x.x>
        next
    end
end
server-type iot-query iot-collect: Set the FortiGuard service types that the FortiManager overrides. Setting both iot-query and iot-collect sends all IoT daemon queries and collected data to the FortiManager.
server-address <x.x.x.x>: Enter the IPv4 address of the FortiManager.