Fortinet black logo

Administration Guide

IoT detection service

IoT detection service

Internet of Things (IoT) detection is part of the part of the Attack Surface Security Rating service that allows a FortiGate to download an IoT Detection package to detect unknown devices or to query in FortiGuard through the IoT Query service for devices that are not detected by the local Device Database (CIDB) or the IoT Detection DB (APDB). When the service is activated, FortiGate can send device information to the FortiGuard collection server. When a new device is detected, FortiGate queries the results from the FortiGuard query for more information about the device.

This feature requires an Attack Surface Security Rating service license.

FortiGate device requirements:

The FortiGate device must be:

  • Registered with FortiCare

  • Connected to an anycast FortiGuard server

How the service works:
  1. Enable Device Detection on an interface.

  2. FortiGate uses the interface to detect device traffic flow.

  3. Upon detecting traffic from an unknown device, FortiGate sends the device data to the FortiGuard collection server.

  4. The collection server returns data about the new device to the FortiGuard query server.

  5. If the device signature does not appear in the local Device Database (CIDB) or some fields are not complete, FortiGate queries FortiGuard for more information about the device.

To view the latest device information in the GUI, go to Dashboard > Assets & Identities and expand the Assets widget.

To debug the daemon in the CLI:
  1. Disable the local device database in order to force all queries to go to FortiGuard.

    # diagnose cid sigs disable
  2. Enable iotd debugs:

    # diagnose debug application iotd -1
    # diagnose debug enable

    FortiGate sends the device data to the FortiGuard collection server:

    # [iotd] recv request from caller size:61
    [iotd] service:collect hostname: ip: fd:-1 request tlv_len:41
    [iotd] txt(.....y...w.....Jasons-iPhone6....579=23..)
    [iotd] hex(02010007017903060f77fc0203000e4a61736f6e732d6950686f6e6536020400083537393d32330cff)
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip: fd:-1 got server hostname
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:-1 got server ip
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 socket created
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 connecting
    [iotd] fd:13 monitor event:pollout
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 build req packet
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 collect resp:1(pending)
    

    The FortiGuard collection server returns new device data to the FortiGuard query server:

    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got query resp
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 id:0 total_len:48 header_len:16 tlv_len:32 confidence:100 mac:f8:87:f1:1f:ab:95
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:32 type:1 len:6
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv category:'Mobile'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:24 type:2 len:6
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv sub_category:'Mobile'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:16 type:3 len:5
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv vendor:'Apple'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:9 type:4 len:0
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:7 type:5 len:3
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv os:'iOS'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:2 type:6 len:0
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 send query response to caller size:48
    [iotd] txt(............d0 ...Mobile..Mobile..Apple....iOS..)
    [iotd] hex(f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c6503054170706c6504000503694f530600)
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 read resp:0(good)
    
  3. The query returns the device information including the information source (src fortiguard).

    # diagnose user device list
        vd root/0  f8:87:f1:1f:ab:95  gen 26  req OUA/34
            created 503s  gen 23  seen 102s  lan  gen 7
            ip 192.168.1.110  src arp
            hardware vendor 'Apple'  src fortiguard  id 0  weight 100
            type 'Mobile'  src fortiguard  id 0  weight 100
            family 'Mobile'  src fortiguard  id 0  weight 100
            os 'iOS'  src fortiguard  id 0  weight 100
            host 'Jasons-iPhone6'  src dhcp

Using FortiManager as an override server for IoT query services

FortiGate can use FortiManager as an override server for IoT query services. The FortiManager must be running 7.2.1 or later.

All IoT daemon query and collected data can be sent to a FortiManager, instead of directly to FortiGuard. This is useful when there are strict policies controlling the kind of traffic that can go to the internet.

To send all IoT daemon query and collected data to a FortiManager:
config system central-management
    config server-list
        edit 1
            set server-type iot-query iot-collect
            set server-address <x.x.x.x>
        next
    end
end

server-type iot-query iot-collect

Set the FortiGuard service types:

  • iot-query: IoT query server.

  • iot-collect: IoT device collection server.

server-address <x.x.x.x>

Enter the IPv4 address of the FortiManager.

IoT detection service

Internet of Things (IoT) detection is part of the part of the Attack Surface Security Rating service that allows a FortiGate to download an IoT Detection package to detect unknown devices or to query in FortiGuard through the IoT Query service for devices that are not detected by the local Device Database (CIDB) or the IoT Detection DB (APDB). When the service is activated, FortiGate can send device information to the FortiGuard collection server. When a new device is detected, FortiGate queries the results from the FortiGuard query for more information about the device.

This feature requires an Attack Surface Security Rating service license.

FortiGate device requirements:

The FortiGate device must be:

  • Registered with FortiCare

  • Connected to an anycast FortiGuard server

How the service works:
  1. Enable Device Detection on an interface.

  2. FortiGate uses the interface to detect device traffic flow.

  3. Upon detecting traffic from an unknown device, FortiGate sends the device data to the FortiGuard collection server.

  4. The collection server returns data about the new device to the FortiGuard query server.

  5. If the device signature does not appear in the local Device Database (CIDB) or some fields are not complete, FortiGate queries FortiGuard for more information about the device.

To view the latest device information in the GUI, go to Dashboard > Assets & Identities and expand the Assets widget.

To debug the daemon in the CLI:
  1. Disable the local device database in order to force all queries to go to FortiGuard.

    # diagnose cid sigs disable
  2. Enable iotd debugs:

    # diagnose debug application iotd -1
    # diagnose debug enable

    FortiGate sends the device data to the FortiGuard collection server:

    # [iotd] recv request from caller size:61
    [iotd] service:collect hostname: ip: fd:-1 request tlv_len:41
    [iotd] txt(.....y...w.....Jasons-iPhone6....579=23..)
    [iotd] hex(02010007017903060f77fc0203000e4a61736f6e732d6950686f6e6536020400083537393d32330cff)
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip: fd:-1 got server hostname
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:-1 got server ip
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 socket created
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 connecting
    [iotd] fd:13 monitor event:pollout
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 build req packet
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 collect resp:1(pending)
    

    The FortiGuard collection server returns new device data to the FortiGuard query server:

    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got query resp
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 id:0 total_len:48 header_len:16 tlv_len:32 confidence:100 mac:f8:87:f1:1f:ab:95
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:32 type:1 len:6
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv category:'Mobile'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:24 type:2 len:6
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv sub_category:'Mobile'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:16 type:3 len:5
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv vendor:'Apple'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:9 type:4 len:0
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:7 type:5 len:3
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv os:'iOS'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:2 type:6 len:0
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 send query response to caller size:48
    [iotd] txt(............d0 ...Mobile..Mobile..Apple....iOS..)
    [iotd] hex(f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c6503054170706c6504000503694f530600)
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 read resp:0(good)
    
  3. The query returns the device information including the information source (src fortiguard).

    # diagnose user device list
        vd root/0  f8:87:f1:1f:ab:95  gen 26  req OUA/34
            created 503s  gen 23  seen 102s  lan  gen 7
            ip 192.168.1.110  src arp
            hardware vendor 'Apple'  src fortiguard  id 0  weight 100
            type 'Mobile'  src fortiguard  id 0  weight 100
            family 'Mobile'  src fortiguard  id 0  weight 100
            os 'iOS'  src fortiguard  id 0  weight 100
            host 'Jasons-iPhone6'  src dhcp

Using FortiManager as an override server for IoT query services

FortiGate can use FortiManager as an override server for IoT query services. The FortiManager must be running 7.2.1 or later.

All IoT daemon query and collected data can be sent to a FortiManager, instead of directly to FortiGuard. This is useful when there are strict policies controlling the kind of traffic that can go to the internet.

To send all IoT daemon query and collected data to a FortiManager:
config system central-management
    config server-list
        edit 1
            set server-type iot-query iot-collect
            set server-address <x.x.x.x>
        next
    end
end

server-type iot-query iot-collect

Set the FortiGuard service types:

  • iot-query: IoT query server.

  • iot-collect: IoT device collection server.

server-address <x.x.x.x>

Enter the IPv4 address of the FortiManager.