Administration Guide

Device properties

The Properties view for devices has Element, System, Polling, Credentials and Notes tabs. Use these tabs to maintain information about the device and to change settings for the device.

Element view

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Right-click on the device and select Properties.
  4. Click the Element tab.
  5. Click OK to save the changes to this window.

If you have selected a Pingable device instead of a switch or a router, refer to Add or modify a pingable device for Settings.

Settings

Field

Definition

Name

Name of the device.

Type

Type of device, such as a switch. May include model information. This information is derived by FortiNAC based on information received from the device.

Physical Address

The MAC address of the device. Only displayed for devices that do not have an IP address, such as some wireless access points that are Layer 2 only.

Has IP address

Only displayed for devices that do not have an IP address, such as some wireless access points that are Layer 2 only. If the check box is selected, the IP address field can be edited and is validated when the record is saved. For devices that do not have an IP address, leave this box unchecked; no validation is done when the record is saved.

IP address

IP address of the device.

Vendor / Version

Vendor / Version specific information. This cannot be edited.

VLAN Switching

Enable or Disable. If Disabled, VLAN switching is not performed on the device.

PA Optimization

If enabled, the Persistent Agent requests the new IP address for its host when the host is moved to a new VLAN. Actions taken by FortiNAC via the switch to request a new IP address for a host, such as blacklisting or shutting down the port, are disabled. Enabling PA Optimization minimizes the amount of time required to renew the host's IP address. This option applies only to hosts with a Persistent Agent.

If PA Optimization is disabled, both methods are used to request a new IP address when moving a host to a new VLAN.

Hosts with no Persistent Agent are subject to the actions taken by FortiNAC via the switch to supply the host with a new IP address after a VLAN change.

MAC Filtering

Enable or Disable. If enabled, MAC filtering is performed on the device. Applies only to devices that support Secure/Static ports.

Description

Description of the device.

Role

Role for this device. Select a role from the drop-down list.

Incoming Events

  • Not Applicable
  • Syslog
  • Security Events
    Available when ATR is enabled.
Note

The availability of this field is dependent upon the type of SNMP device.

When Syslog is selected, the following security appliances appear:

  • FireEye IPS
  • FortiOS 4.0
  • FortiOS 5.0
  • PaloAlto Firewall
  • Sourcefire IPS
  • StoneGate IPS
  • TippingPoint SMS
  • TopLayer IPS

When Security Events is selected, the following security appliances appear:

  • FireEye
  • FortiOS 4.0
  • FortiOS 5.0
  • PaloAlto
  • Sourcefire
  • StoneGate
  • TippingPoint SMS
  • TopLayer

Advanced

Manage as a Generic SNMP Device

Allows FortiNAC to manage an unknown SNMP device where no vendor specific information is available.

Use SNMP To Read L2/L3 Data From The Device

This option is displayed only for Cisco devices. It allows FortiNAC to read L2 and L3 data and the current VLAN from the device via SNMP instead of the CLI.

The check box is not selected by default. However, if you create a device without CLI credentials, management of the device defaults to SNMP.

Full SNMP read/write privileges are not required to collect read-only L2 and L3 information. However, if SNMP is used to collect ARP information, duplicate ARP entries cannot be differentiated by time, so FortiNAC may retain outdated IP addresses for hosts.

Override Network Device Type

When selected, this option allows you to override the current Network Device Type icon with either a Switch or a Router icon.

This does not affect the functionality of the device.

Buttons

Group Membership

View Device Groups. Add the device to a group or remove the device from a group by checking or unchecking the box next to the group name.

System view

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Right-click on the device and select Properties.
  4. Click the System tab.
  5. Click OK to save the changes to this window.
Note

If the correct read/write SNMP credential is specified in the Credentials tab, the name, contact, and location values are written to the device (an SNMP set) when you click Apply. A read-only credential is sufficient to display these values but not to change them.

The information in the table below is obtained from the SNMP System MIB:

Settings

Field

Definition

MIB Attribute

Name

The name of the device.

sysName

Contact

The contact person for the device.

sysContact

Location

The location of the device (for example, Res Hall A, Equipment Closet 1st Floor, Rack 2, Unit 3)

sysLocation

Uptime

The length of time the device has been running since its last restart.

sysUpTime

Description

Description of the device derived by FortiNAC based on information from the device.

sysDescr
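The following is an added example, not FortiNAC code or part of the original page. It builds the SNMPv1 GetRequest that fetches the five System MIB objects in the table above (RFC 3418 OIDs under 1.3.6.1.2.1.1, instance .0) with hand-rolled BER encoding, decodes a constructed GetResponse standing in for a device's reply (the device name, uptime and location values are made up), and shows that the SNMPv1 community string, the security string configured on the Credentials tab, is carried as a plain OCTET STRING that anyone on the path can read. No device is contacted.

```python
"""SNMPv1 GetRequest/GetResponse for the System MIB group (RFC 1157 PDUs, RFC 3418 OIDs).

Added example, not FortiNAC code. All values are constructed in memory; no device is contacted.
"""

# System MIB attributes from the table above, instance .0 (RFC 3418)
SYSTEM_OIDS = {
    "sysDescr": "1.3.6.1.2.1.1.1.0",
    "sysUpTime": "1.3.6.1.2.1.1.3.0",
    "sysContact": "1.3.6.1.2.1.1.4.0",
    "sysName": "1.3.6.1.2.1.1.5.0",
    "sysLocation": "1.3.6.1.2.1.1.6.0",
}

# BER tags used by SNMPv1 messages
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, TIMETICKS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x43
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def tlv(tag, value):
    """Tag-Length-Value with BER definite length (short form below 128, long form above)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value


def enc_int(v, tag=INTEGER):
    """Minimal two's-complement INTEGER (or TimeTicks); non-negative values suffice here."""
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def dec_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value (SEQUENCE or PDU) into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        out.append((tag, val))
    return out


def _message(community, pdu_tag, varbinds, request_id):
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbinds))
    # version 0 = SNMPv1; the community string is a bare OCTET STRING, never hashed or encrypted
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, oids, request_id=1):
    """GetRequest for the given OIDs; each value slot is NULL for the agent to fill in."""
    varbinds = b"".join(tlv(SEQUENCE, enc_oid(o) + tlv(NULL, b"")) for o in oids)
    return _message(community, GET_REQUEST, varbinds, request_id)


def build_get_response(community, values, request_id=1):
    """Constructed GetResponse standing in for a device's reply (sysUpTime is TimeTicks)."""
    vbs = b""
    for oid, val in values.items():
        if isinstance(val, int):
            enc = enc_int(val, TIMETICKS if oid == SYSTEM_OIDS["sysUpTime"] else INTEGER)
        else:
            enc = tlv(OCTET_STRING, val.encode())
        vbs += tlv(SEQUENCE, enc_oid(oid) + enc)
    return _message(community, GET_RESPONSE, vbs, request_id)


def parse_message(raw):
    """Decode an SNMPv1 message into (community, request_id, {oid: value})."""
    _, msg, _ = parse_tlv(raw)
    (_, _version), (_, community), (_pdu_tag, pdu) = children(msg)
    (_, rid), _err, _idx, (_, vb_seq) = children(pdu)
    values = {}
    for _, vb in children(vb_seq):
        (_, oid), (tag, val) = children(vb)
        if tag in (INTEGER, TIMETICKS):
            values[dec_oid(oid)] = int.from_bytes(val, "big", signed=(tag == INTEGER))
        elif tag == OCTET_STRING:
            values[dec_oid(oid)] = val.decode(errors="replace")
        else:
            values[dec_oid(oid)] = None  # NULL placeholder in a request
    return community.decode(), int.from_bytes(rid, "big"), values


def community_is_cleartext(raw, community):
    """An on-path observer recovers the SNMPv1 community string by a plain byte search."""
    return community.encode() in raw


if __name__ == "__main__":
    req = build_get_request("public", SYSTEM_OIDS.values(), request_id=7)
    print(req.hex(), community_is_cleartext(req, "public"))
    reply = build_get_response("public", {SYSTEM_OIDS["sysName"]: "core-sw-1"}, request_id=7)
    print(parse_message(reply))
```

Because the community string is the only credential in an SNMPv1 exchange and it is visible in every packet, treat the read/write security string as a device password: restrict SNMP access on the device to the FortiNAC management addresses and prefer SNMPv3 with authentication and privacy where the device supports it.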

Polling view

The Polling tab is where you configure whether polling occurs, how often, and what is polled. You can also manually poll the device.

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Right-click on the device and select Properties.
  4. Click the Polling tab.
  5. Click OK to save the changes to this window.
Settings

Field

Definition

Contact Status

Polling

Enable or disable contact status polling for the selected device.

Poll Interval

Determines how often the device should be polled for communication status. Time is stored in minutes.

Last Successful Poll

Date and time that the device was last polled successfully.

Last Attempted Poll

Date and time that the device was last polled.

Poll Now

Polls the device immediately for contact status.

L2 (hosts) information

Polling

Enable or disable polling for hosts connected to the device.

Poll Interval

Determines how often the device should be polled for new host connection information. Time is stored in minutes. Wired device default is 60 minutes. Wireless device default is 10 minutes.

Last Successful Poll

Date and time that the device was last polled successfully.

Last Attempted Poll

Date and time that the device was last polled.

Poll Now

Polls the device immediately for host connections.

L3 (IP-->MAC) information

Polling

Indicates whether L3 Polling for this device is enabled or disabled.

Poll Interval

Indicates how often the device should be polled for IP information used in IP to MAC address identification.

Priority

Indicates the priority for polling this device. Devices are polled in batches from High priority to Low priority until the required information is found.

Last Successful Poll

Date and time that the device was last polled successfully.

Last Attempted Poll

Date and time that the device was last polled.

Cisco Discovery information

Global Polling

Indicates whether the global setting for Cisco Discovery Protocol is enabled or disabled. If the global setting is disabled, the feature is disabled for all devices regardless of the setting in the polling field. To change the global setting see Network device.

Polling

Indicates whether the Cisco Discovery option for this device is enabled or disabled. Default = Disabled

Poll Interval

Indicates how often the device should be polled for information stored about other connected devices on the network.

Last Successful Poll

Date and time that the device was last polled successfully.

Last Attempted Poll

Date and time that the device was last polled.

Note

If the device you have selected is not capable of L2 polling (polls host connections), L3 polling (polls to do IP to MAC address conversions) or Cisco Discovery, those options are not displayed.

L2 Polling information can also be configured using the L2 Polling window. To access this window select Network Devices > L2 Polling (Resync Hosts). See L2 polling for additional information.

L3 Polling information is configured using the L3 Polling window. To access this window select Network Devices > L3 Polling (IP-->MAC). See L3 polling for additional information.

Credentials view

Configure or update the credentials that allow FortiNAC to communicate with the device. The credentials must match those configured on the device.

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Right-click on the device and select Properties.
  4. Click the Credentials tab.
  5. Click OK to save the changes to this window.

The options vary depending on the SNMP protocol selected.

Settings

Field

Description

Validate Credentials

Click to test the CLI and SNMP credentials entered.

SNMP Settings

SNMP Protocol

Select SNMPv1 or SNMPv3. This option is not available for all types of devices. SNMPv1 authenticates only by a community string sent in cleartext in every packet; where the device supports it, use SNMPv3 with authentication and privacy (AuthPriv).

SNMPv1

Security Strings

Click Add to add a security string for the device to the FortiNAC database. This must be the read/write security string, so protect it as you would a device password.

Click Remove. In the window displayed, select and remove security strings for this device from the FortiNAC database.

This field lists the security strings used during Discovery, with the string most recently used for read/write access listed first. The security string is also known as the SNMP community string.

SNMPv3

User Name

User Name for access to the device. Recommended but not required.

Authentication Protocol

The authentication protocol configured for this SNMPv3 user on the device. It must match the device configuration.

Authentication Password

Enter the authentication password you configured for the user on the device.

Privacy Protocol

Available options are DES and AES-128. Used only for AuthPriv. DES uses a 56-bit key and is considered weak; select AES-128 whenever the device supports it.

Privacy Password

Enter the password you configured on the device. Used only for AuthPriv.

Clear Cached Engine ID

Clears the SNMPv3 Engine ID cached for this device and forces a new Engine ID to be learned. SNMPv3 localizes the user's authentication and privacy keys to the device's Engine ID, so if you have replaced one device with another and reused the IP address, SNMPv3 requests fail until this cache is cleared.

If you have deleted the original device and then try to add a new device with the same IP address, you may also need to clear this cached ID. Because the device has not been added successfully, you cannot open its properties to use the Clear Cached Engine ID button. Instead, log in to the CLI of the FortiNAC Server or Control Server, navigate to the /bin directory and use the ClearEngineID tool as follows:

ClearEngineID -ip <device IP address>

Example:

ClearEngineID -ip 192.168.15.25
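Why the cached Engine ID matters, as an added example that is not FortiNAC code or part of the original page: SNMPv3 USM derives the keys used for authentication and privacy from the user's passwords and the device's snmpEngineID (RFC 3414, section 2.6 and appendix A.2). The password "maplesyrup" and the 12-byte engine ID below are the RFC 3414 appendix A.3 test vectors; the second engine ID is a made-up value standing for a replacement device. Same password, different engine ID, different localized key, which is why a replacement device behind the same IP address fails SNMPv3 authentication until the stale Engine ID is cleared and the new one learned.

```python
"""SNMPv3 USM key localization (RFC 3414 A.2); shows why a cached Engine ID must match the device.

Added example, not FortiNAC code. The password and first engine ID are RFC 3414 A.3 test vectors.
"""
import hashlib

ONE_MEGABYTE = 1024 * 1024

# Engine ID from the RFC 3414 appendix A.3 test vectors
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated cyclically to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    pw = password.encode()
    expanded = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key a USM peer actually uses with this engine."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def privacy_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """First 16 bytes of the localized privacy key: DES key + pre-IV (RFC 3414 8.1.1.1)
    or the AES-128 key (RFC 3826 3.1.2.1). Both options on the Credentials tab use this."""
    return localize_key(password, engine_id, hash_name)[:16]


def engine_id_changes_keys(password: str, old_engine: bytes, new_engine: bytes) -> bool:
    """Same password, different engine ID -> different localized key. A manager that still
    uses the old engine's key against the new device gets authentication failures."""
    return localize_key(password, old_engine) != localize_key(password, new_engine)


if __name__ == "__main__":
    # Made-up engine ID standing for a replacement device at the same IP address
    replacement_engine = bytes.fromhex("80000009030000c0ffee0001")
    print("old Kul:", localize_key("maplesyrup", RFC3414_ENGINE_ID).hex())
    print("new Kul:", localize_key("maplesyrup", replacement_engine).hex())
    print("keys differ:", engine_id_changes_keys("maplesyrup", RFC3414_ENGINE_ID, replacement_engine))
```

The same derivation explains why Validate Credentials can fail after a hardware swap even though the user name and passwords are unchanged: the cached key material was localized to the old chassis.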

CLI settings

User Name

The user name used to log on to the device for configuration. This is for CLI access.

The user account must have the appropriate permissions configured on the device.

Password

The password required to configure the device. This is for CLI access.

Enable Password

The enable password for the device. This is for CLI access.

Protocol Types

Telnet - Use to log on to the device for configuration. Telnet sends the user name, password and enable password in cleartext; use it only where the device offers nothing else.

SSH1 - Use to log on to the device for configuration. SSH protocol version 1 is deprecated and has known weaknesses; prefer SSH2.

SSH2 - Use to log on to the device for configuration. This is the recommended protocol.
