Administration Guide

Adding a rule

  1. Go to Hosts > Device Profiling Rules.
  2. Click Add.
  3. In the General tab, select Enabled.
  4. Enter a Name, Description, and Note.
  5. (Optional) Select Notify Sponsor. If selected, administrators with permission to manage devices associated with this rule are notified when a new device matches the rule.
  6. Use the table below to configure Registration Settings:

    Registration

    Automatic: The device is registered immediately if the Register as option is selected.

    Manual: The device is registered manually from Profiled Devices. Register as must be selected in order to manually register the device.

    Type

    Select the device category in which a device matching this rule is placed.

    To create a new type, click .

    Role

    If you are using role-based access for hosts and devices managed in Topology, select the role that controls access to the network for this device. If you are not using role-based access, select NAC-Default.

    To create a new role, click .

    Register as

    Select where the registered device is placed. Options include:

    • Device in Host View
    • Device in Topology (if you select this option, select the Container)
    • Device in Host View and Topology (if you select this option, select the Container)
    • Host to User (if you select this option, enter the User ID)
    • Host to Logged In User (If Present)

    If the device is an access point and you register it in Host View, it is removed from Host View and moved to Topology after the first poll. It is also removed from the concurrent license count once it is recognized as an access point.

    Add to Group

    Select this option to add the device to a group. This option is not available if Register as is set to Device in Topology.

    To create a new group, click .

    Access Availability

    Determine when devices that match this rule are permitted to access the network. You can either select Always or specify a time.

  7. Select the appropriate Rule Confirmation Settings:
    • Confirm Device Rule On Connect: Check that a previously profiled device still matches the rule every time it connects.
    • Confirm Device Rule On Interval: Check that a previously profiled device still matches the rule at regular time intervals. You can set the interval for a set number of minutes, hours, or days.
    • Disable Device If Rule No Longer Matches Device: Disable a previously profiled device if it no longer matches the rule.
  8. In the Methods tab, select one or more methods to use for device identification. The device must meet the criteria established for all of the methods selected to match the rule.

    Use the table below to select the method(s):

    Active

    Select a method to determine rule matching:

    • Match Type
    • Match Custom

    If you select Match Custom, enter either an exact string or regular expression to match.

    DHCP Fingerprinting

    Select a method to determine rule matching with DHCP:

    • Match Type
    • Match Custom Attributes

    If you select Match Custom Attributes, fields left blank are ignored.

    It is recommended that you set up IP helper addresses for DHCP on your routers when using DHCP fingerprinting.

    HTTP/HTTPS

    Determine rule matching by sending an HTTP/HTTPS request. Select the Protocol, Port, and Path used to send requests to the device.

    If required, select Authentication and enter user credentials.

    (Optional) Select Match and enter a response message. If you enter multiple response values, the device matches if any of the values are found.

    IP Range

    Click Add and enter an IP range to match.

    Location

    Click Add and select the container(s) to match.

    Passive

    Select a Match Type to use with passive fingerprinting.

    Persistent Agent

    Set Match Type to an operating system. To use this method, devices must have a FortiNAC agent installed.

    To register hosts running the Persistent Agent using this method, you must disable registration under Persistent Agent Properties. For more information, see Credential configuration.

    SNMP

    Determine rule matching by sending an SNMP GET request for the OID specified.

    Click Add and enter security credentials for SNMP V1/V2c and/or SNMP V3. If you enter multiple credentials, the device matches if any of the credentials are found.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    SSH

    Determine rule matching by sending an SSH client session request.

    Credentials: Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Commands: Click Add and enter commands for the request. The possible commands are:

    • expect: A regular expression that the response from the device must match.
    • send: A string sent to the device. It can include the two keywords %USERNAME% and %PASSWORD%.

    A series of commands can be configured as an automated way to interact with the CLI on the device. The commands are executed in order, starting from the top.

    Only a single command can be executed at a time. Multiple commands cannot be chained together (pipes "|" are not supported).

    Example
    expect: User Name:
    send: %USERNAME%\n
    expect: Password:
    send: %PASSWORD%\n
    expect: Dell-3324#
    send: show system\n

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    TCP

    Click Add and enter a TCP port to match. You can enter multiple ports, separated by commas, or a port range using a hyphen. If you enter multiple ports, all ports must match.

    Telnet

    Determine rule matching by sending a telnet client session request.

    (Optional) Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Click Add and enter commands for the request. The possible commands are:

    • expect: A regular expression that the response from the device must match.
    • send: A string sent to the device. It can include the two keywords %USERNAME% and %PASSWORD%.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    UDP

    Click Add and enter a UDP port to match. You can enter multiple ports, separated by commas, or a port range using a hyphen. If you enter multiple ports, all ports must match.

    Vendor OUI

    Determine rule matching using the vendor OUI.

    Click Add to configure an OUI. You can add the following field types:

    • Vendor Code: To use a vendor code, enter the first characters in the code, then select a code from the available list.
    • Vendor Name: To use a vendor name, enter the first characters in the name, then select a code from the available list. You can use a wildcard (*) at the beginning and end of the vendor name.
    • Vendor Alias: Enter a vendor alias that exists in the FortiNAC vendor database. You can use a wildcard (*) at the beginning and end of the vendor alias.
    • Device Type: Select a device type. If you select this option, the device type associated with the connecting device must match the device type for the vendor in the FortiNAC database.

    For more information, see Vendor OUIs.

    WinRM

    Determine rule matching by sending a WinRM client session request.

    Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Click Add and enter commands for the request.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    For more information on requirements and setup, see WinRM Device Profile Requirements and Setup.

    WMI Profile

    Determine rule matching by sending a WinRM or SSH client session request and creating a WMI profile.

    Set Protocol to WinRM or SSH and enter the Port.

    Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Additional options allow you to match specific versions of Microsoft Windows, installed applications, Windows Service statuses, running processes, serial numbers, and asset tags (with wildcard matching).

    For more information on requirements and setup, see WinRM Device Profile Requirements and Setup.

    Network Traffic

    Determine rule matching using network flow.

    Set Protocol to TCP, UDP, or Other.

    Enter the Destination Port.

    (Optional) Enable Apply Destination as Source Device and enter the Destination IP.

    You must configure firewall session polling to use this method. For more information, see Firewall session polling.

    FortiGate

    Select a method to determine rule matching using information from firewall sessions:

    • Match Type
    • Match Custom

    If you select Match Custom, enter either an exact string match or regular expression to match.

    You must configure firewall session polling to use this method. For more information, see Firewall session polling.

    ONVIF

    Determine rule matching using ONVIF.

    • Select Add to define the ONVIF profiles that the device must support.
      • Profile A - For products used in an electronic access control system.
      • Profile C - For door control and event management systems.
      • Profile G - For IP-based video systems; a Profile G device is, for example, an IP network camera or video encoder.
      • Profile Q - For IP-based video systems; its aim is quick discovery and basic configuration of Profile Q conformant products (for example, a network camera, network switch, or network monitor) on a network.
      • Profile S - For IP-based video systems; a Profile S device is, for example, an IP network camera or video encoder.
      • Profile T - For IP-based video systems; Profile T supports video streaming features such as the H.264 and H.265 encoding formats.
    • (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.
  9. Click OK.
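The matching semantics described in steps 7 and 8 (every selected method must match, while within a method any one credential or any one Match string is enough; TCP port lists and hyphen ranges where all ports must match; Vendor Name wildcards; and the SSH expect/send script run top to bottom with %USERNAME% and %PASSWORD% substituted), worked through as an added Python example that is not FortiNAC code. The switch CLI, the device, the ports, the vendor string and the credentials are constructed stand-ins.

```python
import fnmatch
import re

def run_script(script, transport, user, pw):
    """Run expect/send pairs top to bottom, one at a time; None when an expect fails."""
    latest = collected = transport(None)            # banner / first prompt
    for kind, value in script:
        if kind == "expect":
            if not re.search(value, latest):        # regex against the latest reply
                return None
        else:                                       # "send": keywords substituted, "\n" = Enter
            text = value.replace("%USERNAME%", user).replace("%PASSWORD%", pw)
            latest = transport(text.replace("\\n", "\n"))
            collected += latest
    return collected

def fake_switch(valid_user, valid_pw):
    """Constructed CLI stand-in modelled on the guide's Dell-3324# example (not a real device)."""
    seen = []                                        # everything the client has sent so far
    def transport(sent):
        if sent is not None:
            seen.append(sent.strip())
        if len(seen) == 0: return "User Name:"
        if len(seen) == 1: return "Password:"
        if seen[:2] != [valid_user, valid_pw]: return "Login failed\nUser Name:"
        if len(seen) == 2: return "Dell-3324#"
        return "System Description: constructed sample switch\nDell-3324#"
    return transport

PAGE_SCRIPT = [("expect", "User Name:"), ("send", "%USERNAME%\\n"),
               ("expect", "Password:"), ("send", "%PASSWORD%\\n"),
               ("expect", "Dell-3324#"), ("send", "show system\\n")]

def ssh_method(script, credentials, match_strings, new_session):
    """Any credential may succeed; with Match set, any listed string found counts."""
    for user, pw in credentials:
        out = run_script(script, new_session(), user, pw)   # fresh session per credential
        if out is not None:
            return not match_strings or any(s in out for s in match_strings)
    return False

def parse_ports(spec):
    """'22, 80-82' -> {22, 80, 81, 82}: comma-separated list plus hyphen ranges."""
    ports = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def tcp_method(spec, open_ports):
    return parse_ports(spec) <= set(open_ports)     # ALL configured ports must match

def vendor_name_method(pattern, vendor):
    return fnmatch.fnmatchcase(vendor.lower(), pattern.lower())  # '*' at start and/or end

def rule_matches(checks):
    return all(check() for check in checks)         # Methods tab: AND across methods

def evaluate_sample_device(open_ports=(22, 80, 161), vendor="Dell Inc."):
    # constructed device vs. rule: TCP "22,80" AND Vendor Name "dell*" AND the SSH script
    return rule_matches([
        lambda: tcp_method("22,80", open_ports),
        lambda: vendor_name_method("dell*", vendor),
        lambda: ssh_method(PAGE_SCRIPT, [("admin", "bad-pw"), ("admin", "good-pw")],
                           ["System Description"], lambda: fake_switch("admin", "good-pw"))])
```

The first credential fails at the expect for the prompt and the second one logs in, which is the "any credential" rule; dropping port 80 from the device makes the whole rule fail, which is the "all methods" rule.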