Administration Guide

IoT detection service

Internet of Things (IoT) detection is part of the Attack Surface Security Rating service that allows FortiGate to:

  • Download an IoT Detection signature package (IOTD), which is used to detect and extract metadata of IoT devices

  • Query FortiGuard IoT Query service for devices that are not detected by the local Device Database (CIDB) or by the IoT Detection signatures

  • Query the FortiGuard vulnerability lookup server to look up vulnerabilities for a device

The service allows the FortiGate to accurately detect and identify connected IoT devices and to identify vulnerabilities that apply to these devices.

Applications

A subscription to the IoT detection service provides many practical applications.

Device information

Enable the FortiGate to obtain updated device information, store the information in the asset inventory, and display the information in various places, such as the Dashboard > Asset and Identities widget.

Vulnerability information

Enable the FortiGate to query and display vulnerabilities associated with a device on the Asset and Identities widget.

Allow managed FortiSwitch and FortiAP devices to query device info

Device detection is effective when devices are connected on an interface. As such, when devices are connected to managed FortiSwitch and FortiAP devices, they can utilize IoT detection to gather information about the connected devices.

See FortiAP query to FortiGuard IoT service to determine device details for more information. See also FortiSwitch Devices Managed by FortiOS guide.

Perform NAC on IoT devices with vulnerabilities

NAC policies can be configured to detect devices with different levels of vulnerabilities and assign these devices dynamically to a quarantine VLAN.

See OT and IoT virtual patching on NAC policies.

Perform IoT Vulnerability rating check in Security Rating

Using the Security Fabric > Security Rating feature, perform a FortiGuard IoT Vulnerability check to identify devices with detected vulnerabilities.

Detect and log IoT devices in Application Control

IoT signatures are used in application control to detect and log IoT devices. In Security Profiles > Application Signatures, filter on the IoT category to see the list of IoT application signatures. Alternatively, view the signatures using the following command:

# get application name status | grep IoT -B2 -A10

Device detection

When device detection is enabled on an interface, the FortiGate performs passive scanning on incoming traffic to collect information about devices, such as their MAC address, IP address, operating system, hostname, username, endpoint tags, and the interface on which the traffic entered. The firewall can scan different protocols to obtain basic device information. By default, FortiGates come with a built-in local Device Database (CIDB) containing information about known devices, which can be used to obtain more detailed information.

When the CIDB cannot identify the device, FortiGate can utilize the IoT Query service by sending some device information to the FortiGuard collection server. If a new device is detected, FortiGate obtains the results from the FortiGuard query for more information about the device.

Configurations

This feature requires an Attack Surface Security Rating service license.

FortiGate device requirements:

The FortiGate device must be:

  • Registered with FortiCare

  • Connected to an anycast FortiGuard server

How the service works:
  1. Enable Device Detection on an interface.

  2. FortiGate uses the interface to detect device traffic flow.

  3. Upon detecting traffic from an unknown device, FortiGate sends the device data to the FortiGuard collection server.

  4. The collection server returns data about the new device to the FortiGuard query server.

  5. If the device signature does not appear in the local Device Database (CIDB) or some fields are not complete, FortiGate queries FortiGuard for more information about the device.

To view the latest device information in the GUI, go to Dashboard > Assets & Identities and expand the Assets widget. For more information, see the Asset Identity Center page.

To debug the IoT daemon in the CLI:
  1. Enable iotd real-time debugs to collect information about the communication between FortiGate and the FortiGuard server:

    # diagnose debug application iotd -1
    # diagnose debug enable
  2. Optionally, disable the local device database to force all queries to go to FortiGuard.

    # diagnose cid sigs disable
  3. View the debug output.

    FortiGate sends the device data to the FortiGuard collection server:

    # [iotd] recv request from caller size:61
    [iotd] service:collect hostname: ip: fd:-1 request tlv_len:41
    [iotd] txt(.....y...w.....Jasons-iPhone6....579=23..)
    [iotd] hex(02010007017903060f77fc0203000e4a61736f6e732d6950686f6e6536020400083537393d32330cff)
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip: fd:-1 got server hostname
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:-1 got server ip
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 socket created
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 connecting
    [iotd] fd:13 monitor event:pollout
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 build req packet
    [iotd] service:collect hostname:globaldevcollect.fortinet.net ip:173.243.138.29 fd:13 collect resp:1(pending)
    

    The FortiGuard collection server returns new device data to the FortiGuard query server:

    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got query resp
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 id:0 total_len:48 header_len:16 tlv_len:32 confidence:100 mac:f8:87:f1:1f:ab:95
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:32 type:1 len:6
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv category:'Mobile'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:24 type:2 len:6
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv sub_category:'Mobile'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:16 type:3 len:5
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv vendor:'Apple'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:9 type:4 len:0
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:7 type:5 len:3
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 got tlv os:'iOS'
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 remaining_len:2 type:6 len:0
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 send query response to caller size:48
    [iotd] txt(............d0 ...Mobile..Mobile..Apple....iOS..)
    [iotd] hex(f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c6503054170706c6504000503694f530600)
    [iotd] service:query hostname:globaldevquery.fortinet.net ip:173.243.140.16 fd:17 read resp:0(good)
    
  4. Upon completion of the FortiGuard query, the query server returns the device information including the information source (src fortiguard).

    # diagnose user device list
        vd root/0  f8:87:f1:1f:ab:95  gen 26  req OUA/34
            created 503s  gen 23  seen 102s  lan  gen 7
            ip 192.168.1.110  src arp
            hardware vendor 'Apple'  src fortiguard  id 0  weight 100
            type 'Mobile'  src fortiguard  id 0  weight 100
            family 'Mobile'  src fortiguard  id 0  weight 100
            os 'iOS'  src fortiguard  id 0  weight 100
            host 'Jasons-iPhone6'  src dhcp
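The query response above is a 16-byte header followed by one-byte type / one-byte length TLVs, and the hex dump can be decoded back into exactly the fields iotd logs. The following parser is an added example, not Fortinet code: it reads the hex from the "[iotd] hex(...)" line of the query response, cross-checks the confidence, total_len and tlv_len bytes against the debug output, and rejects truncated or over-long TLVs. The purpose of header bytes 6-11 and 15 is not documented on this page, so they are treated as opaque, and TLV types 4 and 6 (zero length, unnamed in the debug lines) are reported by number only.

```python
import binascii

# TLV type codes as named in the "got tlv ..." debug lines above. Types 4 and 6
# appear with zero length and are not named on the page, so they get numeric labels.
TLV_NAMES = {1: "category", 2: "sub_category", 3: "vendor", 5: "os"}

# Copied from the "[iotd] hex(...)" line of the query response in the debug output.
QUERY_RESP_HEX = (
    "f887f11fab950000000000006430200001064d6f62696c6502064d6f62696c65"
    "03054170706c6504000503694f530600"
)


def parse_query_response(hex_str):
    """Decode one FortiGuard IoT query response as logged by iotd."""
    data = binascii.unhexlify(hex_str)
    if len(data) < 16:
        raise ValueError("response shorter than the 16-byte header")
    mac = ":".join(f"{b:02x}" for b in data[0:6])
    # Offsets 12, 13 and 14 hold 0x64, 0x30 and 0x20, i.e. the confidence:100,
    # total_len:48 and tlv_len:32 values iotd prints. Bytes 6-11 and 15 are
    # assumed opaque here (their meaning is not documented on this page).
    confidence, total_len, tlv_len = data[12], data[13], data[14]
    if total_len != len(data) or tlv_len != total_len - 16:
        raise ValueError("length fields do not match packet size")
    tlvs = {}
    pos, remaining = 16, tlv_len
    while remaining > 0:
        if remaining < 2:
            raise ValueError("truncated TLV header")
        t, length = data[pos], data[pos + 1]
        if length > remaining - 2:
            raise ValueError(f"TLV type {t} length {length} exceeds remaining {remaining - 2}")
        value = data[pos + 2:pos + 2 + length]
        tlvs[TLV_NAMES.get(t, f"type_{t}")] = value.decode("ascii", errors="replace")
        pos += 2 + length
        remaining -= 2 + length
    return {"mac": mac, "confidence": confidence, "total_len": total_len,
            "tlv_len": tlv_len, "tlvs": tlvs}


if __name__ == "__main__":
    print(parse_query_response(QUERY_RESP_HEX))
```

Running it yields the same mac, confidence:100 and category/sub_category/vendor/os values that the "diagnose user device list" output attributes to src fortiguard.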

Using FortiManager as an override server for IoT query services

FortiGate can use FortiManager as an override server for IoT query services. The FortiManager must be running 7.2.1 or later.

All IoT daemon query and collected data can be sent to a FortiManager, instead of directly to FortiGuard. This is useful when there are strict policies controlling the kind of traffic that can go to the internet.

To send all IoT daemon query and collected data to a FortiManager:
config system central-management
    config server-list
        edit 1
            set server-type iot-query iot-collect
            set server-address <x.x.x.x>
        next
    end
end

server-type iot-query iot-collect

Set the FortiGuard service types:

  • iot-query: IoT query server.

  • iot-collect: IoT device collection server.

server-address <x.x.x.x>

Enter the IPv4 address of the FortiManager.
