
Administration Guide

Rules

Device profiling rules are used by the device profiler feature to categorize rogue hosts that connect to the network. As a rogue connects to the network and receives an IP address, its information is compared to all methods within each enabled rule in turn until a match is found. What happens to the rogue device then depends on how the matching rule is configured.

Any of the following scenarios could result from a match.

  • The rogue matches a rule and is placed in the Topology as a device. It cannot be seen in the Profiled Devices window and cannot be managed by a Device manager. Future rules cannot be run against this device unless it is deleted from the system and becomes a rogue again when it connects to the network.
  • The rogue matches a rule and is registered. It is displayed in the Host View as a registered host and can be seen in the Profiled Devices window. It remains associated with the matching rule and can be managed by a Device manager. Future rules cannot be run against this device unless it is deleted from the system and becomes a rogue again when it connects to the network.
  • The rogue matches a rule and is registered. It is displayed in the Host View as a registered host and is associated with a specific user, thus creating an identity for that device. It is removed from the Profiled Devices window and cannot be managed by a Device manager. Future rules cannot be run against this device unless it is deleted from the system and becomes a rogue again when it connects to the network.
  • The rogue matches a rule, but the rule is not configured to place the device in the Topology or the Host View. The device remains a rogue but is associated with the rule. Future rules can be run against this device as long as it remains unregistered. The device can be seen in the Profiled Devices window. If Notify Sponsor is enabled, the Device manager receives an e-mail that there was a match. The Device manager can register the device, which places it in the Host View, or can delete the device. An administrator can access the device in the Host View and convert it to a device if it needs to be in the Topology.

    Device profiler does not see devices that are no longer rogues and cannot match those devices with new or modified rules.

In summary, devices placed in the Topology only cannot be seen in the Profiled Devices window. Devices placed in the Host View display in the Profiled Devices window until the device is associated with a user. Devices placed in both the Host View and the Topology likewise display in the Profiled Devices window until the device is associated with a user.
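The following model, added here as an illustration and not FortiNAC code, walks a few constructed rogues through an ordered rule set and tracks where each one ends up, whether it appears in the Profiled Devices window, and whether later rules can still reach it. The rule names, the attribute names (vendor, dhcp_fp), and the assumption that a rule matches only when every one of its methods matches are all assumptions made for the example; the page does not state how multiple methods within one rule are combined.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative model of applying device profiling rules to a rogue.
# Added example, not FortiNAC code. Assumption: each method is a predicate
# over the rogue's attributes, and a rule matches only when all methods match.
Method = Callable[[dict], bool]


@dataclass
class Rule:
    name: str
    methods: list[Method]
    enabled: bool = True
    register_in_host_view: bool = False   # place the host in the Host View
    place_in_topology: bool = False       # place the device in the Topology
    assign_user: Optional[str] = None     # user identity for a registered host
    notify_sponsor: bool = False          # e-mail the Device manager on match

    def matches(self, attrs: dict) -> bool:
        return self.enabled and all(m(attrs) for m in self.methods)


@dataclass
class Endpoint:
    mac: str
    attrs: dict                           # constructed sample attributes
    status: str = "rogue"                 # rogue | registered | device
    rule: Optional[str] = None            # rule the endpoint is associated with
    user: Optional[str] = None
    in_topology: bool = False
    notifications: list[str] = field(default_factory=list)

    @property
    def in_profiled_devices(self) -> bool:
        # Topology-only devices never appear; registered hosts appear until
        # they are associated with a user; rogues associated with a rule appear.
        if self.status == "device":
            return False
        if self.status == "registered":
            return self.user is None
        return self.rule is not None

    @property
    def eligible_for_profiling(self) -> bool:
        # The profiler only sees rogues, so nothing else is re-evaluated.
        return self.status == "rogue"


def apply_rule(ep: Endpoint, rule: Rule) -> None:
    ep.rule = rule.name
    if rule.register_in_host_view:
        ep.status = "registered"
        ep.user = rule.assign_user
        ep.in_topology = rule.place_in_topology
    elif rule.place_in_topology:
        ep.status = "device"
        ep.in_topology = True
    elif rule.notify_sponsor:
        ep.notifications.append(f"match:{rule.name}")   # still a rogue


def profile(ep: Endpoint, rules: list[Rule]) -> Optional[str]:
    """Compare a rogue against each enabled rule in turn; first match wins."""
    if not ep.eligible_for_profiling:
        return None
    for rule in rules:
        if rule.matches(ep.attrs):
            apply_rule(ep, rule)
            return rule.name
    return None


def forget(ep: Endpoint) -> Endpoint:
    """Delete the endpoint from the system; on reconnect it is a rogue again."""
    return Endpoint(ep.mac, dict(ep.attrs))


def demo() -> dict:
    rules = [
        Rule("printers-to-topology", [lambda a: a["vendor"] == "HP"], place_in_topology=True),
        Rule("cameras-hold", [lambda a: a["vendor"] == "Axis"], notify_sponsor=True),
        Rule("phones-register", [lambda a: a["vendor"] == "Cisco", lambda a: a["dhcp_fp"] == "VoIP"],
             register_in_host_view=True),
    ]
    printer = Endpoint("00:11:22:33:44:01", {"vendor": "HP", "dhcp_fp": "printer"})
    camera = Endpoint("00:11:22:33:44:02", {"vendor": "Axis", "dhcp_fp": "camera"})
    phone = Endpoint("00:11:22:33:44:03", {"vendor": "Cisco", "dhcp_fp": "VoIP"})
    for ep in (printer, camera, phone):
        profile(ep, rules)
    # A new rule added at the top of the list only reaches the endpoint that
    # is still a rogue (the camera); the printer and phone are no longer seen.
    rules.insert(0, Rule("catch-all-register", [lambda a: True],
                         register_in_host_view=True, assign_user="iot-svc"))
    rematched = {ep.mac: profile(ep, rules) for ep in (printer, camera, phone)}
    # Deleting the printer and letting it reconnect makes it a rogue again.
    printer_again = forget(printer)
    rematched[printer_again.mac + "/reconnect"] = profile(printer_again, rules)
    return {"printer": printer, "camera": camera, "phone": phone,
            "printer_again": printer_again, "rematched": rematched}
```

Running demo() shows the three outcomes side by side: the printer becomes a Topology-only device that is invisible to the Profiled Devices window and to later rules; the phone becomes a registered host that stays visible and manageable until a user is associated with it; the camera, matched by a rule with no placement, stays a rogue, generates a sponsor notification, and is the only one picked up by the rule added afterwards. Only after the printer is deleted and reconnects does it get evaluated again.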

Host view vs. Topology

Device profiling rules can be used to place rogue devices in the Host View, the Topology or both. There are certain advantages to each option that should be kept in mind when determining where to place a device.

Devices that are kept in the Host View have a connection history and can be associated with a user. Devices that are placed in the Topology can be polled for their connection status. Devices that are not connected display in red on the Topology. If the connection to the device fails, events and alarms can be configured to notify you that the device is no longer communicating.
