Control Manager

Add or modify device profiling rule

  1. Click Hosts > Device Profiling Rules.

  2. Click the Add button or select a rule and click Modify.

  3. Refer to the tables below for information on each option on this window.

  4. On the Methods tab, select one or more methods of identification.

    A device matches the rule only if it meets the criteria of every method selected.

    Start with a single method. If too many devices match the rule, add a second method to refine the profiling process and reduce the number of false matches. Attributes such as the MAC vendor OUI and the DHCP fingerprint are supplied by the endpoint itself and can be spoofed, so a rule that registers devices automatically should not rely on one of them alone.

  5. Click OK to save.

Device profiling rule - General tab

Field

Definition

Enabled

Mark with a check mark to enable this rule. Disabled rules are skipped when comparing devices to rules.

Name

User specified name for this rule. Required.

Description

Description of the rule.

Note

User specified note that can be viewed by administrators and users with the appropriate Admin profile who manage devices that match this rule.

Notify Sponsor

If enabled, users whose Admin Profile gives them permission to manage devices associated with this rule are notified whenever a device has been matched to this rule. This includes rogues that have been processed again by clicking the Run button on the Device Profiling Rules window.

An e-mail is sent by the FortiNAC server or Control server indicating that a device matched this rule. The message would read as follows:

A new rogue (00:12:3F:19:1A:F4), matching rule Windows, was found.

Requires that the Device Profile Rule Match event be enabled. It is enabled by default and should not be disabled.

Registration Settings

Registration

Indicates whether device registration is automatic or manual.

Automatic: The device is registered immediately if the Register As option is enabled.

Manual: The device is registered manually from the Profiled Devices window. The Register As option on this window must be enabled in order to manually register the device.

Type

Device category in which a device matching this rule should be placed. This controls the icon associated with the device in the Host or Topology Views.

Role

Roles are attributes of users and hosts and are used as filters in User/Host Profiles. Those profiles are used to determine which Network Access Policy, Endpoint Compliance Policy or Supplicant Easy Connect Policy to apply.

If you are using Role-based access for hosts/devices managed in Topology View, select the role that controls access to the network for this device. If you are not using Role-based access, select NAC-Default.

Register To Logged In User (If Present)

If a user logs into the device being profiled, the user becomes the owner of that device in the FortiNAC database.

This applies only to users that log in with an 802.1x supplicant configured to send the User ID.

If the device is registered to the logged in user, then any options selected under Register As are ignored even if Register As is enabled.

Register As

If Register To Logged In User is enabled, and a user is logged in, this option is ignored even if it is enabled.

If Register To Logged In User is disabled, this option is used to determine where to place the connecting device.

Click the check box to enable this option. Indicates where the registered device will be placed. Options include:

Device in Host View

Device in Topology View

Device in Host And Topology View

If the device is an Access Point and you register it in Host View, it is removed from the Host View and moved to Topology View after the first poll. It is also removed from the Concurrent License count once it is recognized as an Access Point.

Container

Select or create a container for this type of device. Click the New button to create a new Container. Containers are a mechanism used to group items in Topology.

This field remains disabled unless one of the Topology View options is selected in the Register As field.

Add to Group

Place devices in an existing group or create a new group for them. Grouping devices lets you manage them as a group instead of individually. See Groups view.

This field remains disabled unless one of the Host View options is selected in the Register As field.

Access Availability

Allows you to control when devices that match this rule can access the network. Options include: Always or Specify Time. This option is only enabled for devices that are managed in the Host View or both the Host View and the Topology View.

If you set times for Access Availability, devices that match this rule are marked "At Risk" for the Guest No Access admin scan during the time that they are not permitted to access the network.

Rule Confirmation Settings

Confirm Device Rule On Connect

If enabled, Device Profiler confirms that previously profiled devices associated with this rule still match this rule the next time they connect to the network.

Confirm Device Rule On Interval

If enabled, Device Profiler confirms at set intervals that previously profiled devices associated with this rule still match this rule. Interval options include Minutes, Hours, or Days.

Disable Device If Rule No Longer Matches Device

If enabled, Device Profiler disables previously profiled devices that no longer match their associated rule.

Specify access availability time for device profiling rule

This option allows you to limit network access for a device based on the time of day and the day of the week. Any device associated with a rule can only access the network as specified in the Access Availability field for the rule. This option is only enabled for devices that are managed in the Host View or both the Host View and the Topology View.

If you set times for Access Availability, FortiNAC periodically checks the access time for each device associated with the rule. When the device is not allowed to access the network it is marked "At Risk" for the Guest No Access admin scan. When the time is reached that the device is allowed to access the network, the "At Risk" state is removed. These changes in state occur on the device record whether the device is connected to the network or not. If the device has a browser and connects to the network outside its allowed time frame, a web page is displayed with the following message: "Your Network Access has been disabled. You are outside of your allowed time window. To regain network access call the help desk."

  1. Click Hosts > Device Profiling Rules.
  2. Select a rule and click Modify.
  3. In the Access Availability field select Specify Time.
  4. In the Time Range section enter the From and To times for the time of day that devices should be able to access the network.
  5. In the Days of the Week section select the days during which these devices should be allowed to access the network.
  6. Click OK.
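The following is an added example, not FortiNAC code, that models the Access Availability check described above: a From/To time of day plus enabled days of the week, the periodic pass that sets or clears the "At Risk" state on the device record, and the message shown to a browser outside the window. The AccessWindow and check_access names, the None-means-Always convention and the sample windows are this example's own assumptions. It also handles a From time later than the To time as a window that crosses midnight, which the page does not specify.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

DENIED_MESSAGE = ("Your Network Access has been disabled. You are outside of your "
                  "allowed time window. To regain network access call the help desk.")


@dataclass(frozen=True)
class AccessWindow:
    """Specify Time settings: a From/To time of day plus enabled weekdays."""
    start: time                 # From
    end: time                   # To
    days: frozenset[int]        # Monday=0 ... Sunday=6

    def allows(self, when: datetime) -> bool:
        t, day = when.time(), when.weekday()
        if self.start <= self.end:
            return day in self.days and self.start <= t < self.end
        # Assumption: From later than To means the window crosses midnight and
        # belongs to the day on which it started; the page does not say how
        # the UI treats this case.
        if t >= self.start:
            return day in self.days
        return t < self.end and (day - 1) % 7 in self.days


def check_access(window: AccessWindow | None, when: datetime,
                 at_risk: bool) -> tuple[bool, str | None]:
    """One periodic check of a device record.

    window=None models the 'Always' option. Returns the new At Risk flag and
    the transition applied, if any. The flag changes whether or not the
    device is currently connected, as the page describes.
    """
    allowed = window is None or window.allows(when)
    if not allowed and not at_risk:
        return True, "marked At Risk (Guest No Access admin scan)"
    if allowed and at_risk:
        return False, "At Risk cleared"
    return at_risk, None


def portal_message(window: AccessWindow | None, when: datetime) -> str | None:
    """Text shown to a browser that connects outside its window, else None."""
    if window is None or window.allows(when):
        return None
    return DENIED_MESSAGE


# Constructed sample windows: weekday business hours, and a Friday-night
# window that runs past midnight into Saturday morning.
BUSINESS_HOURS = AccessWindow(time(7, 0), time(19, 0), frozenset(range(0, 5)))
FRIDAY_NIGHT = AccessWindow(time(22, 0), time(6, 0), frozenset({4}))

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 20, 30)   # a Wednesday evening (constructed)
    print(check_access(BUSINESS_HOURS, now, at_risk=False))
    print(portal_message(BUSINESS_HOURS, now))
```

check_access is meant to be called from a scheduler at the interval FortiNAC polls on; it is idempotent, so running it twice in the same state reports no transition the second time.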

Device profiling rule - methods tab

Device Profiling Rule - Methods Tab Field Definitions

Method

Definition

IP Range

Matches if the IP address of a device falls within one of the ranges specified. You must specify at least one IP range.

DHCP Fingerprinting

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled. The DHCP fingerprint is used to determine the Operating System of the device.

For example, if the Operating System is Windows CE and the device type on the General Tab is Mobile Device, then the device matches this rule. If the Operating System is Windows CE and the device type on the General Tab is Gaming Device, then the device does not match this rule.

DHCP fingerprinting is more accurate than Passive fingerprinting.

Based on FortiNAC's fingerprint database.

It is recommended that you set up IP Helper addresses for DHCP on your routers when using DHCP fingerprinting.

Location

Matches if the device connects to the selected location on your network. Options are: anything within a Container in the Topology View, anything in a Port Group or anything in a Device Group.

TCP

Matches if the device provides a service on all of the ports specified. You must specify at least one port, but all specified ports must match. Multiple ports can be entered separated by commas, such as, 162, 175, 188. A range of ports can be entered using a hyphen, such as 204-215.

Active

Matches if the device type selected on the General tab is the same as that determined by NMAP for the connecting device.

Persistent Agent

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled, and if the device has an Agent installed on the host, such as, the Persistent Agent or one of the Mobile Agents. The Agent is used to determine the Operating System of the device. To register hosts running the Persistent Agent using this method, you must disable registration under Persistent Agent Properties. If you do not, the Persistent Agent may register the host before the Device Profiler has the opportunity to register it.

Passive Fingerprinting

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled. The DHCP Fingerprint is used to determine the Operating System of the device. Based on FortiNAC's fingerprint database.

Vendor OUI

Matches if the Vendor OUI for the device corresponds to the OUI information selected for this method. You must specify at least one Vendor option. If there are multiple entries, the device only has to match one to match this rule. Options include:

Vendor Code — A specific Vendor OUI selected from the list in the FortiNAC database. To select the OUI begin typing the first few characters. A list of matching OUIs is displayed in a drop-down list.

Vendor Name — A single Vendor Name selected from the list in the FortiNAC database. To select the name, begin typing the first few characters. A list of matching Vendors is displayed in a drop-down list.

The asterisk (*) wildcard can be used at the beginning and end to capture all variations of the Vendor Name (e.g., Avaya*).

Vendor Alias — Enter a Vendor alias that exists in the FortiNAC vendor database. Must be an exact match.

The asterisk (*) wildcard can be used at the beginning and end to capture all variations of the Vendor Alias.

Device Type — Select a device type from the drop-down list provided. Includes items such as Alarm System or Card Reader. If this option is selected the device type associated with the Vendor OUI of the connecting device must match the device type for the Vendor in the FortiNAC vendor database.

UDP

Matches if the device provides a service on all of the ports specified. You must specify at least one port, but all specified ports must match. Multiple ports can be entered separated by commas, such as, 162, 175, 188. A range of ports can be entered using a hyphen, such as 204-215.
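The following is an added example, not FortiNAC code, that models the matching semantics of this table and of the Rule Confirmation Settings on the General tab: every selected method must match (AND), an IP Range or Vendor OUI entry matches if any one of its entries does, a TCP or UDP method requires every listed port to be open, port lists accept commas and hyphenated ranges, DHCP fingerprinting compares the fingerprinted OS with the General-tab Type, and disabled rules are skipped. The Device and Rule fields, the OS-to-type table, the rule names and the sample devices are all constructed for this example. The spoofed device shows why the page recommends a second method: it passes the OUI-only rule but not the rule that also requires a SIP port and an address range.

```python
from __future__ import annotations

import fnmatch
import ipaddress
from dataclasses import dataclass, field

# Assumed mapping from a fingerprinted OS to the Type chosen on the General
# tab; the page gives only the Windows CE -> Mobile Device case.
OS_TO_DEVICE_TYPE = {"Windows CE": "Mobile Device", "Android": "Mobile Device"}


def parse_ports(spec: str) -> set[int]:
    """Expand a port list such as '162, 175, 188' or '204-215' into a set."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low_s, _, high_s = item.partition("-")
        low, high = int(low_s), int(high_s or low_s)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(low, high + 1))
    if not ports:
        raise ValueError("at least one port is required")
    return ports


@dataclass
class Device:
    """Constructed endpoint record; the field names are this example's own."""
    mac: str
    ip: str
    dhcp_os: str | None = None          # OS derived from the DHCP fingerprint
    oui_vendor: str = ""                # vendor name looked up from the MAC OUI
    open_tcp: set[int] = field(default_factory=set)
    open_udp: set[int] = field(default_factory=set)


@dataclass
class Rule:
    """A profiling rule: the General-tab Type plus the methods selected."""
    name: str
    device_type: str
    enabled: bool = True
    ip_ranges: list[tuple[str, str]] | None = None   # (first, last); any may match
    tcp_ports: str | None = None                     # every listed port must be open
    udp_ports: str | None = None
    dhcp_fingerprint: bool = False
    vendor_names: list[str] | None = None            # any may match; '*' wildcard


def _method_results(rule: Rule, dev: Device):
    """Yield one boolean per method selected on the rule."""
    if rule.ip_ranges is not None:
        addr = ipaddress.ip_address(dev.ip)
        yield any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                  for lo, hi in rule.ip_ranges)
    if rule.tcp_ports is not None:
        yield parse_ports(rule.tcp_ports) <= dev.open_tcp
    if rule.udp_ports is not None:
        yield parse_ports(rule.udp_ports) <= dev.open_udp
    if rule.dhcp_fingerprint:
        yield OS_TO_DEVICE_TYPE.get(dev.dhcp_os or "") == rule.device_type
    if rule.vendor_names is not None:
        yield any(fnmatch.fnmatchcase(dev.oui_vendor, pat) for pat in rule.vendor_names)


def matches(rule: Rule, dev: Device) -> bool:
    """Disabled rules are skipped; every selected method must match (AND)."""
    if not rule.enabled:
        return False
    results = list(_method_results(rule, dev))
    return bool(results) and all(results)


def first_match(rules: list[Rule], dev: Device) -> str | None:
    """Name of the first enabled rule the device satisfies, or None (rogue)."""
    return next((r.name for r in rules if matches(r, dev)), None)


def reconfirm(rule: Rule, dev: Device, disable_if_no_match: bool) -> str:
    """Rule Confirmation pass over a previously profiled device."""
    if matches(rule, dev):
        return "confirmed"
    return "disabled" if disable_if_no_match else "no longer matches"


# Constructed rules: OUI only, the same rule tightened with two more methods,
# and a DHCP-fingerprint rule for handheld scanners.
OUI_ONLY = Rule("Avaya phones (OUI only)", "IP Phone", vendor_names=["Avaya*"])
OUI_AND_SIP = Rule("Avaya phones", "IP Phone", vendor_names=["Avaya*"],
                   udp_ports="5060", ip_ranges=[("10.20.0.1", "10.20.0.254")])
HANDHELD = Rule("Handheld scanners", "Mobile Device", dhcp_fingerprint=True)

# Constructed devices; SPOOFED has cloned a phone's MAC prefix but offers no SIP.
PHONE = Device("00:1b:4f:aa:bb:cc", "10.20.0.17", oui_vendor="Avaya Inc.", open_udp={5060})
SPOOFED = Device("00:1b:4f:de:ad:00", "10.20.0.99", oui_vendor="Avaya Inc.")
SCANNER = Device("00:12:3f:19:1a:f4", "10.30.1.5", dhcp_os="Windows CE")

if __name__ == "__main__":
    for dev in (PHONE, SPOOFED, SCANNER):
        print(dev.mac, "->", first_match([OUI_AND_SIP, HANDHELD], dev))
```

reconfirm is the equivalent of Confirm Device Rule On Connect or On Interval: a device that was registered by OUI_ONLY and later stops answering on UDP 5060 still passes that rule, but is disabled by OUI_AND_SIP when Disable Device If Rule No Longer Matches Device is set.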
