Fortinet black logo

Administration Guide

OT asset visibility and network topology

OT asset visibility and network topology

When the Operational Technology (OT) feature is enabled, tabs are added in the Asset Identity Center page to view the OT asset list and OT network topology using Purdue Levels. This feature is available regardless of whether a Security Fabric is enabled.

To enable the OT features in the GUI:
  1. Go to System > Feature Visibility.
  2. In the Additional Features section, enable Operational Technology (OT).
  3. Click Apply.
To enable the OT features in the CLI:
config system settings
    set gui-ot enable
end

Once enabled, the Security Fabric > Asset Identity Center page displays an Asset Identity List tab and an OT View tab.

  • The Asset Identity List tab includes a configurable Purdue Level column and a Show in OT View option for selected devices in the table.

  • The OT View tab shows a topology of detected components and connections mapped to Purdue Levels. The default view is locked, but devices can be dragged and dropped to other Purdue Levels if the view is unlocked.

Devices are assigned Purdue Level 3 by default and can be changed (except to level S, 0, or external), including FortiGates, managed FortiSwitches, and FortiAPs.

The following diagram lists the Purdue Levels based on OT network topologies:

To change the Purdue Level in the Asset Identity List tab:
  1. Go to Security Fabric > Asset Identity Center and select the Asset Identity List tab.
  2. Add the Purdue Level column to the table:
    1. Hover over the table header and click the gear icon (Configure Table).
    2. Select Purdue Level.
    3. Click Apply.
  3. Select a device and hover over the Purdue Level value.
  4. Click the pencil icon to edit the level.
  5. Select a value from the dropdown.

  6. Click Apply.
To change the Purdue Level in the OT View tab:
  1. Go to Security Fabric > Asset Identity Center and select the OT View tab.
  2. Click Unlock View.

  3. Select a device.
  4. Drag the device icon to another level row.

  5. Optionally, click Lock View to revert to the locked view.
To change the Purdue Level in the CLI:
# diagnose user-device-store device memory ot-purdue-set <mac> <ip> <level>

mac

Enter the MAC address of the device.

ip

Enter the IPv4 address of the device.

level

Enter the Purdue Level: 1, 1.5, 2, 2.5, 3, 3.5, 4, 5, 5.5.

To configure the FortiGate Purdue Level in the CLI:
config system global
    set purdue-level <level 1 - 5.5>
end
To configure the managed FortiSwitch Purdue Level in the CLI:
config switch-controller managed-switch
    edit "<managed FortiSwitch name>"
        set purdue-level <level 1 - 5.5>
    next
end
To configure the FortiAP Purdue Level in the CLI:
config wireless-controller wtp
    edit "<WTP ID>"
        set purdue-level <level 1 - 5.5>
    next
end

Configuring the Purdue Level for discovered assets based on detected interface

The default Purdue Level can be set or unset in the CLI (default-purdue-level) within the system interface configuration. The default Purdue Level can be applied to discovered assets based on the interface with which they were detected. This feature requires a FortiGuard Industrial Security Service (ISS) license on the FortiGate so the Industrial Database (ISDB) can be used. Device identification must be enabled on interfaces connected to OT devices.

config system interface
    edit <name>
        set device-identification enable
        set default-purdue-level {1 | 1.5| 2 | 2.5| 3 | 3.5 | 4 | 5 | 5.5}
    next
end

By default, the default-purdue-level value is 3. If the asset's Purdue Level is manually overridden, then it takes precedence over this default value set in the interface.

For example, if the default Purdue Level on port1 is changed to 3.5, subsequently, the Purdue Level of a detected device on port1 is manually changed to 4 on the Asset Identity Center page. After the manual change on the device, the Purdue Level remains at 4.

To configure the default Purdue Level:
  1. Configure the interface settings:

    config system interface
        edit "port1"
            set device-identification enable
            set default-purdue-level 3.5
        next
    end
  2. Verify that the Purdue Level as been updated in the user device store list:

    # diagnose user-device-store device memory list
    
    Record #1:
    
            device_info
                    'ipv4_address' = '192.168.1.64'
                    'mac' = '**:**:**:**:**:**'
                    'hardware_vendor' = 'Dell'
                    'hardware_type' = 'Home & Office'
                    'hardware_family' = 'Computer'
                    'vdom' = 'root'
                    'os_name' = 'Windows'
                    'os_version' = '10 / 2016'
                    'last_seen' = '1680115135'
                    'host_src' = 'mwbs'
                    'unjoined_forticlient_endpoint' = 'false'
                    'is_online' = 'true'
                    'active_start_time' = '1680113976'
                    'dhcp_lease_status' = 'leased'
                    'dhcp_lease_expire' = '1680651757'
                    'dhcp_lease_reserved' = 'false'
                    'dhcp_server_id' = '2'
                    'is_fortiguard_src' = 'true'
                    'purdue_level' = '3.5'
                    ...
  3. Go to Security Fabric > Asset Identity Center and select the Asset Identity List tab. The device's Purdue Level is currently 3.5.

  4. Manually change the device's Purdue Level:

    1. Select the device and hover over the Purdue Level value.

    2. Click the pencil icon to edit the level.

    3. Select 4 and click Apply.

  5. Verify that the Purdue Level as been updated in the user device store list:

    # diagnose user-device-store device memory list
    
    Record #1:
    
            device_info
                    'ipv4_address' = '192.168.1.64'
                    'mac' = '**:**:**:**:**:**'
                    'hardware_vendor' = 'Dell'
                    'hardware_type' = 'Home & Office'
                    'hardware_family' = 'Computer'
                    'vdom' = 'root'
                    'os_name' = 'Windows'
                    'os_version' = '10 / 2016'
                    'last_seen' = '1680115467'
                    'host_src' = 'mwbs'
                    'unjoined_forticlient_endpoint' = 'false'
                    'is_online' = 'true'
                    'active_start_time' = '1680113976'
                    'dhcp_lease_status' = 'leased'
                    'dhcp_lease_expire' = '1680651757'
                    'dhcp_lease_reserved' = 'false'
                    'dhcp_server_id' = '2'
                    'is_fortiguard_src' = 'true'
                    'purdue_level' = '4'
                    ...

More Links

OT asset visibility and network topology

When the Operational Technology (OT) feature is enabled, tabs are added in the Asset Identity Center page to view the OT asset list and OT network topology using Purdue Levels. This feature is available regardless of whether a Security Fabric is enabled.

To enable the OT features in the GUI:
  1. Go to System > Feature Visibility.
  2. In the Additional Features section, enable Operational Technology (OT).
  3. Click Apply.
To enable the OT features in the CLI:
config system settings
    set gui-ot enable
end

Once enabled, the Security Fabric > Asset Identity Center page displays an Asset Identity List tab and an OT View tab.

  • The Asset Identity List tab includes a configurable Purdue Level column and a Show in OT View option for selected devices in the table.

  • The OT View tab shows a topology of detected components and connections mapped to Purdue Levels. The default view is locked, but devices can be dragged and dropped to other Purdue Levels if the view is unlocked.

Devices are assigned Purdue Level 3 by default and can be changed (except to level S, 0, or external), including FortiGates, managed FortiSwitches, and FortiAPs.

The following diagram lists the Purdue Levels based on OT network topologies:

To change the Purdue Level in the Asset Identity List tab:
  1. Go to Security Fabric > Asset Identity Center and select the Asset Identity List tab.
  2. Add the Purdue Level column to the table:
    1. Hover over the table header and click the gear icon (Configure Table).
    2. Select Purdue Level.
    3. Click Apply.
  3. Select a device and hover over the Purdue Level value.
  4. Click the pencil icon to edit the level.
  5. Select a value from the dropdown.

  6. Click Apply.
To change the Purdue Level in the OT View tab:
  1. Go to Security Fabric > Asset Identity Center and select the OT View tab.
  2. Click Unlock View.

  3. Select a device.
  4. Drag the device icon to another level row.

  5. Optionally, click Lock View to revert to the locked view.
To change the Purdue Level in the CLI:
# diagnose user-device-store device memory ot-purdue-set <mac> <ip> <level>

mac

Enter the MAC address of the device.

ip

Enter the IPv4 address of the device.

level

Enter the Purdue Level: 1, 1.5, 2, 2.5, 3, 3.5, 4, 5, 5.5.

To configure the FortiGate Purdue Level in the CLI:
config system global
    set purdue-level <level 1 - 5.5>
end
To configure the managed FortiSwitch Purdue Level in the CLI:
config switch-controller managed-switch
    edit "<managed FortiSwitch name>"
        set purdue-level <level 1 - 5.5>
    next
end
To configure the FortiAP Purdue Level in the CLI:
config wireless-controller wtp
    edit "<WTP ID>"
        set purdue-level <level 1 - 5.5>
    next
end

Configuring the Purdue Level for discovered assets based on detected interface

The default Purdue Level can be set or unset in the CLI (default-purdue-level) within the system interface configuration. The default Purdue Level can be applied to discovered assets based on the interface with which they were detected. This feature requires a FortiGuard Industrial Security Service (ISS) license on the FortiGate so the Industrial Database (ISDB) can be used. Device identification must be enabled on interfaces connected to OT devices.

config system interface
    edit <name>
        set device-identification enable
        set default-purdue-level {1 | 1.5| 2 | 2.5| 3 | 3.5 | 4 | 5 | 5.5}
    next
end

By default, the default-purdue-level value is 3. If the asset's Purdue Level is manually overridden, then it takes precedence over this default value set in the interface.

For example, if the default Purdue Level on port1 is changed to 3.5, subsequently, the Purdue Level of a detected device on port1 is manually changed to 4 on the Asset Identity Center page. After the manual change on the device, the Purdue Level remains at 4.

To configure the default Purdue Level:
  1. Configure the interface settings:

    config system interface
        edit "port1"
            set device-identification enable
            set default-purdue-level 3.5
        next
    end
  2. Verify that the Purdue Level as been updated in the user device store list:

    # diagnose user-device-store device memory list
    
    Record #1:
    
            device_info
                    'ipv4_address' = '192.168.1.64'
                    'mac' = '**:**:**:**:**:**'
                    'hardware_vendor' = 'Dell'
                    'hardware_type' = 'Home & Office'
                    'hardware_family' = 'Computer'
                    'vdom' = 'root'
                    'os_name' = 'Windows'
                    'os_version' = '10 / 2016'
                    'last_seen' = '1680115135'
                    'host_src' = 'mwbs'
                    'unjoined_forticlient_endpoint' = 'false'
                    'is_online' = 'true'
                    'active_start_time' = '1680113976'
                    'dhcp_lease_status' = 'leased'
                    'dhcp_lease_expire' = '1680651757'
                    'dhcp_lease_reserved' = 'false'
                    'dhcp_server_id' = '2'
                    'is_fortiguard_src' = 'true'
                    'purdue_level' = '3.5'
                    ...
  3. Go to Security Fabric > Asset Identity Center and select the Asset Identity List tab. The device's Purdue Level is currently 3.5.

  4. Manually change the device's Purdue Level:

    1. Select the device and hover over the Purdue Level value.

    2. Click the pencil icon to edit the level.

    3. Select 4 and click Apply.

  5. Verify that the Purdue Level as been updated in the user device store list:

    # diagnose user-device-store device memory list
    
    Record #1:
    
            device_info
                    'ipv4_address' = '192.168.1.64'
                    'mac' = '**:**:**:**:**:**'
                    'hardware_vendor' = 'Dell'
                    'hardware_type' = 'Home & Office'
                    'hardware_family' = 'Computer'
                    'vdom' = 'root'
                    'os_name' = 'Windows'
                    'os_version' = '10 / 2016'
                    'last_seen' = '1680115467'
                    'host_src' = 'mwbs'
                    'unjoined_forticlient_endpoint' = 'false'
                    'is_online' = 'true'
                    'active_start_time' = '1680113976'
                    'dhcp_lease_status' = 'leased'
                    'dhcp_lease_expire' = '1680651757'
                    'dhcp_lease_reserved' = 'false'
                    'dhcp_server_id' = '2'
                    'is_fortiguard_src' = 'true'
                    'purdue_level' = '4'
                    ...