Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Add or modify rules

  1. Click Hosts > Device Profiling Rules.
  2. Click the Add button or select a rule and click Modify.
  3. Refer to the tables below for information on each option on this window.
  4. On the Methods tab you can select one or more methods for identification.

    Note

    The device must meet criteria established for all of the methods selected.

  5. Select a single method of identification. If you find that too many devices match the rule, add a second method to refine the profiling process and reduce the number of false matches.
  6. Click OK to save.

General tab

Settings

Field

Definition

Enabled

Mark with a check mark to enable this rule. Disabled rules are skipped when comparing devices to rules.

Name

User specified name for this rule. Required.

Description

Description of the rule.

Note

User specified note that can be viewed by administrators and users with the appropriate Admin profile who manage devices that match this rule.

Notify Sponsor

If enabled, users whose Admin Profile gives them permission to manage devices associated with this rule are notified whenever a device has been matched to this rule. This includes rogues that have been processed again by clicking the Run button on the Device Profiling Rules window.

An e-mail is sent by the FortiNAC server or Control server indicating that a device matched this rule. The message would read as follows: 

A new rogue (00:12:3F:19:1A:F4), matching rule Windows, was found.

Requires that the Device Profile Rule Match event be enabled. It is enabled by default and should not be disabled.

Registration settings

Registration

Indicates whether device registration is automatic or manual.

Automatic: The device is registered immediately if the Register As option is enabled.

Manual: The device is registered manually from the Profiled Devices window. The Register As option on this window must be enabled in order to manually register the device.

Type

Device category in which a device matching this rule should be placed. This controls the icon associated with the device in the Host or Topology Views.

Tags

Mapping values to be applied to the firewall via the 550 Agent. Tags will take precedence over the userID

Role

Roles are attributes of users and hosts and are used as filters in User/Host Profiles. Those profiles are used to determine which Network Access Policy, Endpoint Compliance Policy or Supplicant Easy Connect Policy to apply.

If you are using Role-based access for hosts/devices managed in Topology View, select the role that controls access to the network for this device. If you are not using Role-based access, select NAC-Default.

Register To Logged In User (If Present)

If a user logs into the device being profiled, the user becomes the owner of that device in the FortiNAC database.

Note

This applies only to users that log in with an 802.1x supplicant configured to send the User ID.

If the device is registered to the logged in user, then any options selected under Register As are ignored even if Register As is enabled.

Register As

If Register To Logged In User is enabled, and a user is logged in, this option is ignored even if it is enabled.

If Register To Logged In User is disabled, this option is used to determine where to place the connecting device.

Click the check box to enable this option. Indicates where the registered device will be placed. Options include:

  • Device in Host View
  • Device in Topology View
  • Device in Host And Topology View

If the device is an Access Point and you register it in Host View, it is removed from the Host View and moved to Topology View after the first poll. It is also removed from the Concurrent License count once it is recognized as an Access Point.

Container

Select or create a container for this type of device. Click the New button to create a new Container. Containers are a mechanism used to group items in Topology.

This field remains disabled unless one of the Topology View options is selected in the Register As field.

Add to Group

Place devices in an existing group or create a new group for them. Grouping devices to manage them as a group instead of individually. See Groups view.

This field remains disabled unless one of the Host View options is selected in the Register As field.

Access Availability

Allows you to control when devices that match this rule can access the network. Options include: Always or Specify Time. This option is only enabled for devices that are managed in the Host View or both the Host View and the Topology View.

If you set times for Access Availability, devices that match this rule are marked "At Risk" for the Guest No Access admin scan during the time that they are not permitted to access the network.

Rule confirmation settings

Confirm Device Rule On Connect

If enabled, Device Profiler confirms that previously profiled devices associated with this rule still match this rule the next time they connect to the network.

Confirm Device Rule On Interval

If enabled, Device Profiler confirms at set intervals that previously profiled devices associated with this rule still match this rule. Interval options include Minutes, Hours, or Days.

Disable Device If Rule No Longer Matches Device

If enabled, Device Profiler disables previously profiled devices that no longer match their associated rule.

Specify access availability time

This option allows you to limit network access for a device based on the time of day and the day of the week. Any device associated with a rule, can only access the network as specified in the Access Availability field for the rule. This option is only enabled for devices that are managed in the Host View or both the Host View and the Topology View.

If you set times for Access Availability, FortiNAC periodically checks the access time for each device associated with the rule. When the device is not allowed to access the network it is marked "At Risk" for the Guest No Access admin scan. When the time is reached that the device is allowed to access the network, the "At Risk" state is removed. These changes in state occur on the device record whether the device is connected to the network or not. If the device has a browser and connects to the network outside its allowed timeframe, a web page is displayed with the following message: "Your Network Access has been disabled. You are outside of your allowed time window. To regain network access call the help desk.".

  1. Click Hosts > Device Profiling Rules.
  2. Click select a rule and click Modify.
  3. In the Access Availability field select Specify Time.
  4. In the Time Range section enter the From and To times for the time of day that devices should be able to access the network.
  5. In the Days of the Week section select the days during which these devices should be allowed to access the network.
  6. Click OK.

Methods tab

Settings

Method

Definition

IP Range

Matches if the IP address of a device falls within one of the ranges specified. You must specify at least one IP range.

DHCP Fingerprinting

Matches by device type or with a custom set of attributes.

Match type

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled. The DHCP fingerprint is used to determine the Operating System of the device using FortiNAC's fingerprint database. For example, if the Operating System is Windows CE and the device type on the General Tab is Mobile Device, then the device matches this rule. If the Operating System is Windows CE and the device type on the General Tab is Gaming Device, then the device does not match this rule.

Match custom attributes

Matches if a set of custom attributes correspond to a DHCP packet from the device. Fields left blank will be ignored. The custom attributes supported are: DHCP message type, option list, vendor class (DHCP option 60), host name (DHCP option 12), parameter list (DHCP option 55) and operating system.

DHCP fingerprinting is more accurate than passive fingerprinting.

Note

It is recommended that you set up IP Helper addresses for DHCP on your routers when using DHCP fingerprinting.

Location

Matches if the device connects to the selected location on your network. Options are: anything within a Container in the Topology View, anything in a Port Group or anything in a Device Group.

HTTP/HTTPS

Matches if the device successfully responds to a HTTP request with optional fields for authentication parameters and response text. If multiple response values are entered, it will attempt to match any of them.

SNMP

Matches if the device successfully responds to a SNMP GET request for the OID specified. SNMP security credentials are required. If there are multiple security credentials, each set of credentials will be attempted to find a potential match. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

SSH

Matches if the device successfully responds to a SSH client session request. User name and password credentials are required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. The commands are used to automate interaction with the device. The possible commands are "expect" and "send". "expect" is a regular expression string that matches the response from the device. "send" will send a string to the device. "send" has two keywords %USERNAME% and %PASSWORD% for the username and password. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

Telnet

Matches if the device successfully responds to a telnet client session request. User name and password credentials are not required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. The commands are used to automate interaction with the device. The possible commands are "expect" and "send". "expect" is a regular expression string that matches the response from the device. "send" will send a string to the device. "send" has two keywords %USERNAME% and %PASSWORD% for the username and password. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

TCP

Matches if the device provides a service on all of the ports specified. You must specify at least one port, but all specified ports must match. Multiple ports can be entered separated by commas, such as, 162, 175, 188. A range of ports can be entered using a hyphen, such as 204-215.

Active

Match Type

Matches if the device type selected on the General tab is the same as that determined by NMAP for the connecting device.

Match Custom

Matches if the response from the device contains the specified value. Either an exact string match or regular expression can be used.

Persistent Agent

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled, and if the device has an Agent installed on the host, such as, the Persistent Agent or one of the Mobile Agent. The Agent is used to determine the Operating System of the device. To register hosts running the Persistent Agent using this method, you must disable registration under Persistent Agent Properties. If you do not, the Persistent Agent may register the host before the Device Profiler has the opportunity to register it. See Credential configuration.

Passive Fingerprinting

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled. The DHCP fingerprint is used to determine the Operating System of the device. Based on FortiNAC's fingerprint database.

Vendor OUI

Matches if the Vendor OUI for the device corresponds to the OUI information selected for this method. You must specify at least one Vendor option. If there are multiple entries, the device only has to match one to match this rule. Options include:

Vendor Code — A specific Vendor OUI selected from the list in the FortiNAC database. To select the OUI begin typing the first few characters. A list of matching OUIs is displayed in a drop-down list.

Vendor Name — A single Vendor Name selected from the list in the FortiNAC database. To select the name, begin typing the first few characters. A list of matching Vendors is displayed in a drop-down list.

Note

The asterisk (*) wildcard can be used at the beginning and end to capture all variations of the Vendor Name (e.g., Avaya*).

Vendor Alias — Enter a Vendor alias that exists in the FortiNAC vendor database. Must be an exact match.

Note

The asterisk (*) wildcard can be used at the beginning and end to capture all variations of the Vendor Alias.

Device Type — Select a device type from the drop-down list provided. Includes items such as Alarm System or Card Reader. If this option is selected the device type associated with the Vendor OUI of the connecting device must match the device type for the Vendor in the FortiNAC vendor database.

UDP

Matches if the device provides a service on all of the ports specified. You must specify at least one port, but all specified ports must match. Multiple ports can be entered separated by commas, such as, 162, 175, 188. A range of ports can be entered using a hyphen, such as 204-215.

WinRM

Matches if the device successfully responds to a WinRM client session request. User name and password credentials are required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. The commands are used to automate interaction with the device. Each command is run via Powershell. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

WMI Profile

Matches if the device successfully responds to a WinRM or SSH client session request and successfully creates a profile through various Powershell commands primarily querying WMI. User name (user principal name format, such as winrmadmin@example.com) and password credentials are required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. Additional options allow you to match specific versions of Microsoft Windows, installed applications, Windows Service statuses, running processes, serial number, and asset tag (with wildcard matching).

 

Requires Windows Management Framework 3.0.

Add or modify rules

  1. Click Hosts > Device Profiling Rules.
  2. Click the Add button or select a rule and click Modify.
  3. Refer to the tables below for information on each option on this window.
  4. On the Methods tab you can select one or more methods for identification.

    Note

    The device must meet criteria established for all of the methods selected.

  5. Select a single method of identification. If you find that too many devices match the rule, add a second method to refine the profiling process and reduce the number of false matches.
  6. Click OK to save.

General tab

Settings

Field

Definition

Enabled

Mark with a check mark to enable this rule. Disabled rules are skipped when comparing devices to rules.

Name

User specified name for this rule. Required.

Description

Description of the rule.

Note

User specified note that can be viewed by administrators and users with the appropriate Admin profile who manage devices that match this rule.

Notify Sponsor

If enabled, users whose Admin Profile gives them permission to manage devices associated with this rule are notified whenever a device has been matched to this rule. This includes rogues that have been processed again by clicking the Run button on the Device Profiling Rules window.

An e-mail is sent by the FortiNAC server or Control server indicating that a device matched this rule. The message would read as follows: 

A new rogue (00:12:3F:19:1A:F4), matching rule Windows, was found.

Requires that the Device Profile Rule Match event be enabled. It is enabled by default and should not be disabled.

Registration settings

Registration

Indicates whether device registration is automatic or manual.

Automatic: The device is registered immediately if the Register As option is enabled.

Manual: The device is registered manually from the Profiled Devices window. The Register As option on this window must be enabled in order to manually register the device.

Type

Device category in which a device matching this rule should be placed. This controls the icon associated with the device in the Host or Topology Views.

Tags

Mapping values to be applied to the firewall via the 550 Agent. Tags will take precedence over the userID

Role

Roles are attributes of users and hosts and are used as filters in User/Host Profiles. Those profiles are used to determine which Network Access Policy, Endpoint Compliance Policy or Supplicant Easy Connect Policy to apply.

If you are using Role-based access for hosts/devices managed in Topology View, select the role that controls access to the network for this device. If you are not using Role-based access, select NAC-Default.

Register To Logged In User (If Present)

If a user logs into the device being profiled, the user becomes the owner of that device in the FortiNAC database.

Note

This applies only to users that log in with an 802.1x supplicant configured to send the User ID.

If the device is registered to the logged in user, then any options selected under Register As are ignored even if Register As is enabled.

Register As

If Register To Logged In User is enabled, and a user is logged in, this option is ignored even if it is enabled.

If Register To Logged In User is disabled, this option is used to determine where to place the connecting device.

Click the check box to enable this option. Indicates where the registered device will be placed. Options include:

  • Device in Host View
  • Device in Topology View
  • Device in Host And Topology View

If the device is an Access Point and you register it in Host View, it is removed from the Host View and moved to Topology View after the first poll. It is also removed from the Concurrent License count once it is recognized as an Access Point.

Container

Select or create a container for this type of device. Click the New button to create a new Container. Containers are a mechanism used to group items in Topology.

This field remains disabled unless one of the Topology View options is selected in the Register As field.

Add to Group

Place devices in an existing group or create a new group for them. Grouping devices to manage them as a group instead of individually. See Groups view.

This field remains disabled unless one of the Host View options is selected in the Register As field.

Access Availability

Allows you to control when devices that match this rule can access the network. Options include: Always or Specify Time. This option is only enabled for devices that are managed in the Host View or both the Host View and the Topology View.

If you set times for Access Availability, devices that match this rule are marked "At Risk" for the Guest No Access admin scan during the time that they are not permitted to access the network.

Rule confirmation settings

Confirm Device Rule On Connect

If enabled, Device Profiler confirms that previously profiled devices associated with this rule still match this rule the next time they connect to the network.

Confirm Device Rule On Interval

If enabled, Device Profiler confirms at set intervals that previously profiled devices associated with this rule still match this rule. Interval options include Minutes, Hours, or Days.

Disable Device If Rule No Longer Matches Device

If enabled, Device Profiler disables previously profiled devices that no longer match their associated rule.

Specify access availability time

This option allows you to limit network access for a device based on the time of day and the day of the week. Any device associated with a rule, can only access the network as specified in the Access Availability field for the rule. This option is only enabled for devices that are managed in the Host View or both the Host View and the Topology View.

If you set times for Access Availability, FortiNAC periodically checks the access time for each device associated with the rule. When the device is not allowed to access the network it is marked "At Risk" for the Guest No Access admin scan. When the time is reached that the device is allowed to access the network, the "At Risk" state is removed. These changes in state occur on the device record whether the device is connected to the network or not. If the device has a browser and connects to the network outside its allowed timeframe, a web page is displayed with the following message: "Your Network Access has been disabled. You are outside of your allowed time window. To regain network access call the help desk.".

  1. Click Hosts > Device Profiling Rules.
  2. Click select a rule and click Modify.
  3. In the Access Availability field select Specify Time.
  4. In the Time Range section enter the From and To times for the time of day that devices should be able to access the network.
  5. In the Days of the Week section select the days during which these devices should be allowed to access the network.
  6. Click OK.

Methods tab

Settings

Method

Definition

IP Range

Matches if the IP address of a device falls within one of the ranges specified. You must specify at least one IP range.

DHCP Fingerprinting

Matches by device type or with a custom set of attributes.

Match type

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled. The DHCP fingerprint is used to determine the Operating System of the device using FortiNAC's fingerprint database. For example, if the Operating System is Windows CE and the device type on the General Tab is Mobile Device, then the device matches this rule. If the Operating System is Windows CE and the device type on the General Tab is Gaming Device, then the device does not match this rule.

Match custom attributes

Matches if a set of custom attributes correspond to a DHCP packet from the device. Fields left blank will be ignored. The custom attributes supported are: DHCP message type, option list, vendor class (DHCP option 60), host name (DHCP option 12), parameter list (DHCP option 55) and operating system.

DHCP fingerprinting is more accurate than passive fingerprinting.

Note

It is recommended that you set up IP Helper addresses for DHCP on your routers when using DHCP fingerprinting.

Location

Matches if the device connects to the selected location on your network. Options are: anything within a Container in the Topology View, anything in a Port Group or anything in a Device Group.

HTTP/HTTPS

Matches if the device successfully responds to a HTTP request with optional fields for authentication parameters and response text. If multiple response values are entered, it will attempt to match any of them.

SNMP

Matches if the device successfully responds to a SNMP GET request for the OID specified. SNMP security credentials are required. If there are multiple security credentials, each set of credentials will be attempted to find a potential match. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

SSH

Matches if the device successfully responds to a SSH client session request. User name and password credentials are required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. The commands are used to automate interaction with the device. The possible commands are "expect" and "send". "expect" is a regular expression string that matches the response from the device. "send" will send a string to the device. "send" has two keywords %USERNAME% and %PASSWORD% for the username and password. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

Telnet

Matches if the device successfully responds to a telnet client session request. User name and password credentials are not required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. The commands are used to automate interaction with the device. The possible commands are "expect" and "send". "expect" is a regular expression string that matches the response from the device. "send" will send a string to the device. "send" has two keywords %USERNAME% and %PASSWORD% for the username and password. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

TCP

Matches if the device provides a service on all of the ports specified. You must specify at least one port, but all specified ports must match. Multiple ports can be entered separated by commas, such as, 162, 175, 188. A range of ports can be entered using a hyphen, such as 204-215.

Active

Match Type

Matches if the device type selected on the General tab is the same as that determined by NMAP for the connecting device.

Match Custom

Matches if the response from the device contains the specified value. Either an exact string match or regular expression can be used.

Persistent Agent

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled, and if the device has an Agent installed on the host, such as, the Persistent Agent or one of the Mobile Agent. The Agent is used to determine the Operating System of the device. To register hosts running the Persistent Agent using this method, you must disable registration under Persistent Agent Properties. If you do not, the Persistent Agent may register the host before the Device Profiler has the opportunity to register it. See Credential configuration.

Passive Fingerprinting

Matches if the device type selected on the General tab corresponds to the Operating System of the device being profiled. The DHCP fingerprint is used to determine the Operating System of the device. Based on FortiNAC's fingerprint database.

Vendor OUI

Matches if the Vendor OUI for the device corresponds to the OUI information selected for this method. You must specify at least one Vendor option. If there are multiple entries, the device only has to match one to match this rule. Options include:

Vendor Code — A specific Vendor OUI selected from the list in the FortiNAC database. To select the OUI begin typing the first few characters. A list of matching OUIs is displayed in a drop-down list.

Vendor Name — A single Vendor Name selected from the list in the FortiNAC database. To select the name, begin typing the first few characters. A list of matching Vendors is displayed in a drop-down list.

Note

The asterisk (*) wildcard can be used at the beginning and end to capture all variations of the Vendor Name (e.g., Avaya*).

Vendor Alias — Enter a Vendor alias that exists in the FortiNAC vendor database. Must be an exact match.

Note

The asterisk (*) wildcard can be used at the beginning and end to capture all variations of the Vendor Alias.

Device Type — Select a device type from the drop-down list provided. Includes items such as Alarm System or Card Reader. If this option is selected the device type associated with the Vendor OUI of the connecting device must match the device type for the Vendor in the FortiNAC vendor database.

UDP

Matches if the device provides a service on all of the ports specified. You must specify at least one port, but all specified ports must match. Multiple ports can be entered separated by commas, such as, 162, 175, 188. A range of ports can be entered using a hyphen, such as 204-215.

WinRM

Matches if the device successfully responds to a WinRM client session request. User name and password credentials are required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. The commands are used to automate interaction with the device. Each command is run via Powershell. There is an optional field to match the response string value. If multiple string values are entered, it will attempt to match any of them.

WMI Profile

Matches if the device successfully responds to a WinRM or SSH client session request and successfully creates a profile through various Powershell commands primarily querying WMI. User name (user principal name format, such as winrmadmin@example.com) and password credentials are required. If there are multiple credentials, each set of credentials will be attempted to find a potential match. Additional options allow you to match specific versions of Microsoft Windows, installed applications, Windows Service statuses, running processes, serial number, and asset tag (with wildcard matching).

 

Requires Windows Management Framework 3.0.