Fortinet white logo
Fortinet white logo

Administration Guide

Asset Identity Center page

Asset Identity Center page

The Asset Identity Center page unifies information from detected addresses, devices, and users into a single page, while building a data structure to store the user and device information in the backend. The Asset view groups information by Device, while the Identity view groups information by User. Hover over a device or a user in the GUI to perform different actions relevant to the object, such as adding a firewall device address, adding an IP address, banning the IP, quarantining the host, and more.

To view the Asset Identity Center page:
  1. Go to Security Fabric > Asset Identity Center.

  2. Click Asset to view information by device.

    There are four donut charts with device related information: Software OS, Vulnerability Level, Status, and Interface.

    The default table columns are Device, Software OS, Address, User, FortiClient User, Vulnerabilities, Status, and Endpoint Tags. The optional columns are Device Family, Device Type, EMS Serial, EMS Tenant ID, Firewall Address, FortiSwitch, Hardware Vendor, Hardware Version, Hostname, Interface, IP Address, Last Seen, Port, Server, VLAN, and Vulnerability Level.

    Devices with vulnerabilities are highlighted in red.

  3. Click Identity to view information by user. The default table columns are User, Device, and Properties. The optional columns are IP Address, Logoff Time, and Logon Time.

    Each view has a dropdown option to view the information within different time frames (Latest, 1 hour, 24 hours, and 7 days). The page displays user and device relationships, such as which users are logged in to multiple devices or if multiple users are logged in to single devices.

  4. Hover over a device in the list to view the tooltip and possible actions. The options under the Firewall Address dropdown are Create Firewall Device Address and Create Firewall IP Address. The options under the Quarantine dropdown are Quarantine Host and Ban IP.

Diagnostics

The following options are available for diagnose user-device-store unified <option>:

Option

Description

device-memory-query

Get device records and associated user records from memory.

device-query

Get device records and associated user records from memory and disk.

user-memory-query

Get user records and associated device records from memory.

user-query

Get user records and associated device records from memory and disk.

re-query

Retrieve query by <query-id> <iteration-start> <iteration-count> (takes 0-3 arguments).

list

List unified queries.

clear

Delete all unified queries.

dump

Dump unified query stats by <query-id> (takes 0-1 arguments).

delete

Delete unified query by <query-id> (takes 0-1 arguments).

stats

Get statistics for unified queries.

debug

Enable/disable debug logs for unified queries.

IoT vulnerabilities

Hovering over the data in the Vulnerabilities column displays a list of FortiGuard IoT/OT Detected Vulnerabilities and FortiClient Detected Vulnerabilities. Clicking the View IoT/OT Vulnerabilities button in the tooltip opens the View IoT/OT Vulnerabilities table that includes the Vulnerability ID, Type, Severity, Reference, Description, and Patch Signature ID. Each entry in the Reference column includes the CVE number and a link to the CVE details.

The following settings are required to display IoT devices:

  1. The FortiGate must have a valid Attack Surface Security Rating service license.

  2. Device detection must be configured on a LAN interface used by IoT devices.

    To configure device detection in the GUI:
    1. Go to Network > Interfaces and edit a LAN interface.
    2. Enable Device detection.
    3. Click OK.
    To configure device detection in the CLI:
    config system interface
        edit <name>
            set device-identification enable
        next
    end
  3. Configure a firewall policy with an application control sensor.

To view IoT asset vulnerabilities in the GUI:
  1. Go to Security Fabric > Asset Identity Center. Ensure the Asset list view is selected.

  2. Select a device with IoT vulnerabilities.

  3. Hover over the Vulnerabilities count to view the tooltip and click View IoT/OT Vulnerabilities.

    A table with the list of vulnerabilities and related information for the device is displayed, including the CVE references and descriptions.

  4. Click a hyperlink in the Reference column to view more information about the CVE, or click Close.

To view IoT asset vulnerabilities in the CLI:
# diagnose user-device-store device memory list
...

        device_info
                'ipv4_address' = '1.1.1.2'
                'mac' = '**:**:**:**:**:**'
                'hardware_vendor' = 'Samsung'
                'hardware_type' = 'Home & Office'
                'hardware_family' = 'Computer'
				...
                'purdue_level' = '3'
                'iot_vuln_count' = '57'
                'max_vuln_level' = 'Critical'
                'total_vuln_count' = '100'
        ...
        iot_info
                'vendor' = 'Mozilla'
                'product' = 'Firefox'
                'version-min' = '113.0'
                'validity' = 'true'
        iot_vulnerability
                'vulnerability_id' = '551873'
                'severity' = '2'
                'type' = 'Improper Authentication'
                'description' = 'The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.'
                'references' = 'CVE-2011-3389'
                'date_added' = '2023-04-19T12:12:32'
                'date_updated' = '2023-04-19T12:12:32'
        iot_vulnerability
                'vulnerability_id' = '534577'
                'severity' = '2'
                'type' = 'Other'
                'description' = 'The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.'
                'references' = 'CVE-2011-0064'
                'date_added' = '2023-04-19T11:59:20'
                'date_updated' = '2023-04-19T11:59:20'
        iot_vulnerability
                'vulnerability_id' = '525700'
                'severity' = '1'
                'type' = 'Other'
                'description' = 'The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.'
                'references' = 'CVE-2012-4930'
                'date_added' = '2023-04-18T12:56:10'
                'date_updated' = '2023-04-18T12:56:10'
        ...

Asset Identity Center page

Asset Identity Center page

The Asset Identity Center page unifies information from detected addresses, devices, and users into a single page, while building a data structure to store the user and device information in the backend. The Asset view groups information by Device, while the Identity view groups information by User. Hover over a device or a user in the GUI to perform different actions relevant to the object, such as adding a firewall device address, adding an IP address, banning the IP, quarantining the host, and more.

To view the Asset Identity Center page:
  1. Go to Security Fabric > Asset Identity Center.

  2. Click Asset to view information by device.

    There are four donut charts with device related information: Software OS, Vulnerability Level, Status, and Interface.

    The default table columns are Device, Software OS, Address, User, FortiClient User, Vulnerabilities, Status, and Endpoint Tags. The optional columns are Device Family, Device Type, EMS Serial, EMS Tenant ID, Firewall Address, FortiSwitch, Hardware Vendor, Hardware Version, Hostname, Interface, IP Address, Last Seen, Port, Server, VLAN, and Vulnerability Level.

    Devices with vulnerabilities are highlighted in red.

  3. Click Identity to view information by user. The default table columns are User, Device, and Properties. The optional columns are IP Address, Logoff Time, and Logon Time.

    Each view has a dropdown option to view the information within different time frames (Latest, 1 hour, 24 hours, and 7 days). The page displays user and device relationships, such as which users are logged in to multiple devices or if multiple users are logged in to single devices.

  4. Hover over a device in the list to view the tooltip and possible actions. The options under the Firewall Address dropdown are Create Firewall Device Address and Create Firewall IP Address. The options under the Quarantine dropdown are Quarantine Host and Ban IP.

Diagnostics

The following options are available for diagnose user-device-store unified <option>:

Option

Description

device-memory-query

Get device records and associated user records from memory.

device-query

Get device records and associated user records from memory and disk.

user-memory-query

Get user records and associated device records from memory.

user-query

Get user records and associated device records from memory and disk.

re-query

Retrieve query by <query-id> <iteration-start> <iteration-count> (takes 0-3 arguments).

list

List unified queries.

clear

Delete all unified queries.

dump

Dump unified query stats by <query-id> (takes 0-1 arguments).

delete

Delete unified query by <query-id> (takes 0-1 arguments).

stats

Get statistics for unified queries.

debug

Enable/disable debug logs for unified queries.

IoT vulnerabilities

Hovering over the data in the Vulnerabilities column displays a list of FortiGuard IoT/OT Detected Vulnerabilities and FortiClient Detected Vulnerabilities. Clicking the View IoT/OT Vulnerabilities button in the tooltip opens the View IoT/OT Vulnerabilities table that includes the Vulnerability ID, Type, Severity, Reference, Description, and Patch Signature ID. Each entry in the Reference column includes the CVE number and a link to the CVE details.

The following settings are required to display IoT devices:

  1. The FortiGate must have a valid Attack Surface Security Rating service license.

  2. Device detection must be configured on a LAN interface used by IoT devices.

    To configure device detection in the GUI:
    1. Go to Network > Interfaces and edit a LAN interface.
    2. Enable Device detection.
    3. Click OK.
    To configure device detection in the CLI:
    config system interface
        edit <name>
            set device-identification enable
        next
    end
  3. Configure a firewall policy with an application control sensor.

To view IoT asset vulnerabilities in the GUI:
  1. Go to Security Fabric > Asset Identity Center. Ensure the Asset list view is selected.

  2. Select a device with IoT vulnerabilities.

  3. Hover over the Vulnerabilities count to view the tooltip and click View IoT/OT Vulnerabilities.

    A table with the list of vulnerabilities and related information for the device is displayed, including the CVE references and descriptions.

  4. Click a hyperlink in the Reference column to view more information about the CVE, or click Close.

To view IoT asset vulnerabilities in the CLI:
# diagnose user-device-store device memory list
...

        device_info
                'ipv4_address' = '1.1.1.2'
                'mac' = '**:**:**:**:**:**'
                'hardware_vendor' = 'Samsung'
                'hardware_type' = 'Home & Office'
                'hardware_family' = 'Computer'
				...
                'purdue_level' = '3'
                'iot_vuln_count' = '57'
                'max_vuln_level' = 'Critical'
                'total_vuln_count' = '100'
        ...
        iot_info
                'vendor' = 'Mozilla'
                'product' = 'Firefox'
                'version-min' = '113.0'
                'validity' = 'true'
        iot_vulnerability
                'vulnerability_id' = '551873'
                'severity' = '2'
                'type' = 'Improper Authentication'
                'description' = 'The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.'
                'references' = 'CVE-2011-3389'
                'date_added' = '2023-04-19T12:12:32'
                'date_updated' = '2023-04-19T12:12:32'
        iot_vulnerability
                'vulnerability_id' = '534577'
                'severity' = '2'
                'type' = 'Other'
                'description' = 'The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.'
                'references' = 'CVE-2011-0064'
                'date_added' = '2023-04-19T11:59:20'
                'date_updated' = '2023-04-19T11:59:20'
        iot_vulnerability
                'vulnerability_id' = '525700'
                'severity' = '1'
                'type' = 'Other'
                'description' = 'The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.'
                'references' = 'CVE-2012-4930'
                'date_added' = '2023-04-18T12:56:10'
                'date_updated' = '2023-04-18T12:56:10'
        ...