Fortinet white logo
Fortinet white logo

Administration Guide

Discovery

Discovery

FortiNAC can search the network based on IP ranges and determine what SNMP enabled devices exist on the network. Once a device is discovered, FortiNAC creates a model for the device in the database and places the device in the Network Devices list.

FortiNAC receives traps and communicates with devices through SNMPv1, SNMPv2, and SNMPv3.

When the Use CDP option on the Discovery window is enabled, FortiNAC queries devices about other connected devices on the network. If a device has this discovery protocol enabled it gathers and stores information about devices it manages and devices it can contact on the network. Enabling the Cisco Discovery Protocol (CDP) when adding search criteria for discovery allows FortiNAC to query devices for information about those secondary devices. For example, FortiNAC can query a device and discover routers and switches connected to the original device. FortiNAC can then query those secondary devices and so on, until the edge of the network is reached. Only devices with CDP enabled will respond to a CDP query.

When a discovery process is started for a particular container, the status of that process is displayed in the Containers view. Click Refresh on the Containers view to update the status periodically.

Note:

  • Important: When adding IP ranges, the total number of IP addresses covered should not exceed 65,000 (example: range 1 + range 2 + range 3 = 65,000). Otherwise, the discovery may not complete.
  • In large networks, discovery can take an extended amount of time.
  • If a device has multiple interfaces, each with a different IP address that is configured with its own SNMP settings, multiple representations of the same device will be added to FortiNAC. FortiNAC does not consolidate the duplicates in this case.
  • When configuring the device itself, use only letters, numbers and hyphens (-) in names for items within the device configuration, in security strings and in SNMP credentials. Other characters may prevent FortiNAC from reading the device configuration. For example, in many cases the # sign is interpreted by FortiNAC as a prompt. Cisco restricts the use of @ and #.
  1. Go to Network Devices > Topology > Customer > Containers.
  2. Select a Container that will be populated by the discovery process.
  3. Click Start Discovery in the Containers panel.
  4. The Discovery Settings window displays.
  5. If you would like to search for devices using the Cisco Discovery Protocol, click the Use CDP check box to enable it.
  6. On the IP Range tab, click Add.
  7. Enter the Starting and Ending IP addresses of the range to be queried for new devices. If you selected Use CDP, only the starting IP address is required.

    If you have an extensive network and you plan to use CDP, it is recommended that you limit the number of levels queried beyond the initial device. In large networks, discovery can take an extended amount of time and may cause delays. For information on limiting the depth of the CDP discovery see Network device.

  8. Add all of the IP ranges required.
  9. Click Next or click the SNMP Credentials tab.
  10. Under SNMPv1 Security Strings, enter the read/write security strings to use when communicating with the discovered devices. Click Add to add a security string. Select a security string and click Delete to remove it from the list.
  11. Under SNMPv3 Credentials, click Add to enter the settings to use when communicating with the discovered devices.
    Settings

    Field

    Definition

    SNMP Protocol

    Available options are AuthPriv or AuthNo Priv.

    User Name

    User Name for access to the device. Recommended but not required.

    Authentication Protocol

    Available options are:

    MD5

    SHA1 (Recommended)

    Authentication
    Password

    Specify password to match what the device is using.

    Privacy Protocol

    Available options are:

    DES

    AES-128 (Recommended)

    Privacy Password

    Specify password to match what the device is using.

    Note

    If the device is configured for AuthPriv, the authentication password, Privacy Protocol and Privacy password are required. If the device is configured for AuthNoPriv, only the authentication password is required.

  12. Click Next or click the CLI Credentials tab.
  13. Click Add to enter CLI Credentials for managing discovered devices.
    Settings

    Field

    Definition

    User Name

    The user name used to log on to the device for configuration. This is for CLI access.

    Note

    For devices using API credentials, enter the serial number for the appliance.

    Password

    The password required to configure the device. This is for CLI access.

    Note

    For devices using API credentials, enter the REST API Key.

    Enable Password

    The enable password for the device. This is for CLI access. Depending on the configuration, you may not need both the password and the enable password.

    Protocol Type

    Use Telnet, SSH1 or SSH2 to logon to the device for configuration.

  14. Click OK to start the discovery process. The process runs in the background.

    The status of a discovery task is displayed in the Devices header.

  15. Click Cancel Discovery to cancel the discovery process.

Discovery

Discovery

FortiNAC can search the network based on IP ranges and determine what SNMP enabled devices exist on the network. Once a device is discovered, FortiNAC creates a model for the device in the database and places the device in the Network Devices list.

FortiNAC receives traps and communicates with devices through SNMPv1, SNMPv2, and SNMPv3.

When the Use CDP option on the Discovery window is enabled, FortiNAC queries devices about other connected devices on the network. If a device has this discovery protocol enabled it gathers and stores information about devices it manages and devices it can contact on the network. Enabling the Cisco Discovery Protocol (CDP) when adding search criteria for discovery allows FortiNAC to query devices for information about those secondary devices. For example, FortiNAC can query a device and discover routers and switches connected to the original device. FortiNAC can then query those secondary devices and so on, until the edge of the network is reached. Only devices with CDP enabled will respond to a CDP query.

When a discovery process is started for a particular container, the status of that process is displayed in the Containers view. Click Refresh on the Containers view to update the status periodically.

Note:

  • Important: When adding IP ranges, the total number of IP addresses covered should not exceed 65,000 (example: range 1 + range 2 + range 3 = 65,000). Otherwise, the discovery may not complete.
  • In large networks, discovery can take an extended amount of time.
  • If a device has multiple interfaces, each with a different IP address that is configured with its own SNMP settings, multiple representations of the same device will be added to FortiNAC. FortiNAC does not consolidate the duplicates in this case.
  • When configuring the device itself, use only letters, numbers and hyphens (-) in names for items within the device configuration, in security strings and in SNMP credentials. Other characters may prevent FortiNAC from reading the device configuration. For example, in many cases the # sign is interpreted by FortiNAC as a prompt. Cisco restricts the use of @ and #.
  1. Go to Network Devices > Topology > Customer > Containers.
  2. Select a Container that will be populated by the discovery process.
  3. Click Start Discovery in the Containers panel.
  4. The Discovery Settings window displays.
  5. If you would like to search for devices using the Cisco Discovery Protocol, click the Use CDP check box to enable it.
  6. On the IP Range tab, click Add.
  7. Enter the Starting and Ending IP addresses of the range to be queried for new devices. If you selected Use CDP, only the starting IP address is required.

    If you have an extensive network and you plan to use CDP, it is recommended that you limit the number of levels queried beyond the initial device. In large networks, discovery can take an extended amount of time and may cause delays. For information on limiting the depth of the CDP discovery see Network device.

  8. Add all of the IP ranges required.
  9. Click Next or click the SNMP Credentials tab.
  10. Under SNMPv1 Security Strings, enter the read/write security strings to use when communicating with the discovered devices. Click Add to add a security string. Select a security string and click Delete to remove it from the list.
  11. Under SNMPv3 Credentials, click Add to enter the settings to use when communicating with the discovered devices.
    Settings

    Field

    Definition

    SNMP Protocol

    Available options are AuthPriv or AuthNo Priv.

    User Name

    User Name for access to the device. Recommended but not required.

    Authentication Protocol

    Available options are:

    MD5

    SHA1 (Recommended)

    Authentication
    Password

    Specify password to match what the device is using.

    Privacy Protocol

    Available options are:

    DES

    AES-128 (Recommended)

    Privacy Password

    Specify password to match what the device is using.

    Note

    If the device is configured for AuthPriv, the authentication password, Privacy Protocol and Privacy password are required. If the device is configured for AuthNoPriv, only the authentication password is required.

  12. Click Next or click the CLI Credentials tab.
  13. Click Add to enter CLI Credentials for managing discovered devices.
    Settings

    Field

    Definition

    User Name

    The user name used to log on to the device for configuration. This is for CLI access.

    Note

    For devices using API credentials, enter the serial number for the appliance.

    Password

    The password required to configure the device. This is for CLI access.

    Note

    For devices using API credentials, enter the REST API Key.

    Enable Password

    The enable password for the device. This is for CLI access. Depending on the configuration, you may not need both the password and the enable password.

    Protocol Type

    Use Telnet, SSH1 or SSH2 to logon to the device for configuration.

  14. Click OK to start the discovery process. The process runs in the background.

    The status of a discovery task is displayed in the Devices header.

  15. Click Cancel Discovery to cancel the discovery process.