
Administration Guide


USB detection

The USB Detection view lets you configure FortiNAC to be notified when a USB device is plugged into a host on the network. When a USB drive is detected, the resulting FortiNAC events can be mapped to alarms that specify an action based on the host where the USB drive is connected. You can also indicate which drives should be ignored by the system, regardless of the hosts they are connected to.

This feature requires Agent 3.3 or higher. This feature is only supported on Windows hosts.

Settings

    • Enable USB Detection: When enabled, if a USB drive is plugged into a host, the agent will detect the USB drive and notify FortiNAC.
    • Prevent Detection on Host Group: Select the host group where you wish to prevent USB detection. If the USB connects to a host within the selected host group, the USB is ignored and no event is generated. Click the Add icon to add a group. Click the Modify icon to modify the selected group.

Event to alarm mappings

    • USB Drive Detected: Allows user to configure an event to alarm mapping for when the USB drive is present when the agent is started.
    • USB Drive Added: Allows user to configure an event to alarm mapping for when the USB drive is added while the agent is running.
    • USB Drive Removed: Allows user to configure an event to alarm mapping for when the USB drive is removed while the agent is running.

Allow USB drives

    • Name: The name of the USB drive.
    • Device ID: The Device ID for the USB drive from the registry key.
    • Device Class: The Device Class for the USB drive from the registry key.
    • Friendly Name: The Friendly Name for the USB drive from the registry key.

Right click options

    • Delete: Deletes the selected USB drive.
    • Modify: Opens the Modify Allowed USB Drive dialog.
    • Show Audit Log: Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Admin auditing.

      Note: You must have permission to view the admin auditing log. See Add an administrator profile.

Buttons

    • Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.
    • Save Settings: Click to save the USB detection settings.

Add/modify an allowed USB drive

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select USB Detection from the tree.
  4. Click Add or select an existing USB drive and click Modify.
  5. Enter the name for FortiNAC to use to identify the USB drive that is being allowed.

  6. Run regedit.exe to access the registry key.

  7. Expand HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Enum>USBSTOR

    If CurrentControlSet is not available, you can also find USBSTOR in ControlSet001.

  8. Expand the folder for the device containing the information you wish to add or modify, and click the key.

    The key values appear.

    The asterisk (*) wildcard can be used at the beginning and end of all values you enter.

  9. Enter the following values from the registry key:

    • Device ID: The first value from the Hardware ID key as defined in the registry entry for the USB device in HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Enum>USBSTOR (e.g., USBSTOR\DiskStaples_Relay_UFD_______1.18).
    • Device Class: The value from the Class key as defined in the registry entry for the USB device in HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Enum>USBSTOR.

      If the class value is empty or is not present in the registry, leave the Class field blank. Otherwise, the rule will not match and an event will be generated.

    • Friendly Name: The value from the friendly name key as defined in the registry entry for the USB device in HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Enum>USBSTOR.
  10. Click OK.
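
The registry lookup in steps 6 through 9 can be done in one read-only pass instead of browsing regedit by hand. The following PowerShell is an added example, not part of the FortiNAC documentation or product; it assumes the standard USBSTOR layout of one subkey per device with one instance subkey beneath it, and the output column names are chosen here to mirror the dialog fields.

```powershell
# Added example: collect the values the Allowed USB Drive dialog asks for.
# Read-only. Run on the Windows host where the drive has been connected.

$candidates = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR',
    'HKLM:\SYSTEM\ControlSet001\Enum\USBSTOR'    # fallback named in step 7
)
$root = $candidates |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $root) {
    throw 'USBSTOR key not found under CurrentControlSet or ControlSet001.'
}

# Assumed layout: USBSTOR\<device key>\<instance key>.
# The HardwareID, Class and FriendlyName values sit on the instance key.
$drives = foreach ($device in Get-ChildItem -LiteralPath $root) {
    foreach ($instance in Get-ChildItem -LiteralPath $device.PSPath) {
        # HardwareID is a multi-string value; the dialog wants its first entry.
        $hardwareIds = @($instance.GetValue('HardwareID', @()))
        $deviceId    = if ($hardwareIds.Count -gt 0) { $hardwareIds[0] } else { '' }

        [pscustomobject]@{
            DeviceID     = $deviceId
            # An empty string here means the Class value is empty or absent,
            # in which case the Class field in the dialog must be left blank.
            DeviceClass  = [string]$instance.GetValue('Class', '')
            FriendlyName = [string]$instance.GetValue('FriendlyName', '')
            InstanceKey  = $instance.PSChildName
        }
    }
}

$drives | Sort-Object DeviceID | Format-Table -AutoSize -Wrap
```

Rows with an empty DeviceClass are the ones where a filled-in Class field would stop the rule from matching and cause an event to be generated.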

Import allowed USB drives

You can import multiple USB drives at a time to the list of Allowed USB drives.

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select USB Detection from the tree.
  4. Click Import.

  5. Enter the Name, Device ID, Device Class, and Friendly Name for each USB drive you wish to import in the specified format.
  6. Click OK.

Delete an allowed USB drive

  1. Select System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select USB Detection from the tree.
  4. Select a USB drive in the Allowed USB Drives list, and click Delete.
  5. A confirmation message is displayed. Click Yes to continue.
