Administration Guide

Best practices

The configuration of Device Profiling rules should be considered carefully to optimize performance. The list below outlines concepts that should be taken into account when configuring rules.

  1. When a device or host connects to the network, the device profiling rules are checked in rank order, starting with the rule ranked number 1, so the order of the rules matters. For the best performance, rank rules by the method used to categorize devices and hosts: OUI rules first, DHCP rules next, and Active, TCP/UDP port, IP Range and Location rules last.

    In an environment where static IP addresses are used, DHCP rules should be at the end of the list. Devices with static IP addresses do not send out DHCP broadcast packets. Therefore, FortiNAC will never receive a DHCP fingerprint for those devices and the profiling process will not continue past the DHCP rules.

    It is recommended that you set up IP Helper addresses for DHCP on your routers when using DHCP fingerprinting. Use the IP address of eth0 on the FortiNAC Server or the Application Server. Do not use the IP address of the FortiNAC Control Server.

  2. The device information a rule compares against must be available for the device profiler to move from one rule to the next. If the information a rule needs cannot be obtained, evaluation of that device ends at that rule. For example, if the IP address of the device cannot be determined, the device profiler cannot move past any rule that uses the IP address as match criteria. The profiler does not skip such a rule and continue with the next one because combinations of rules would then not work. In the example below, if the profiler skipped the first rule because the TCP port could not be checked, the Apple iPhone would be miscategorized. Because the rule is not skipped, the iPhone instead remains uncategorized, and the administrator can either identify the device manually or adjust the rules to catch it.

    Example:

    This example shows how two rules can be used together to profile devices more accurately. Apple iPhone and Mac OS fingerprints tend to be almost identical, but the iPhone can be distinguished by a TCP port, which can be used in a rule to identify it. Create two rules: the first identifies iPhones by scanning for the iPhone TCP port and the second matches Mac OS in general. The iPhone rule is more granular and, ranked first, catches the phone before the Mac OS rule would categorize it.

  3. OUI only rules are the quickest to process because no outside data is necessary.
  4. Rules that require an IP address take longer to process because the FortiNAC server may need to read the DHCP leases file or layer 3 tables from the routers.
  5. The device profiler uses the latest IP address from the IP-to-MAC cache, if one exists. It does not rely on the IP address shown in the Adapter View because that may be stale. If the address is not in the cache, FortiNAC starts an IP-to-MAC lookup across the L3 devices and stops as soon as the address is found, so in most cases not every L3 device is polled. If the FortiNAC server is not properly configured to read layer 3 tables from the routers, Device Profiling rules that require an IP address may fail.
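The following is an added toy model of the evaluation behaviour described in items 1, 2 and 5 above; it is illustrative code written for this page, not FortiNAC's own implementation. It walks rules in rank order, stops evaluation when a rule's required data is unavailable (and, for contrast, offers a skip-and-continue mode to show why the iPhone would be miscategorized), resolves an IP address from a cache before polling L3 tables in order, and demonstrates that a DHCP rule ranked before an IP Range rule strands a static-IP device. The rule names, MAC addresses, the DHCP fingerprint strings, the subnet and the iPhone TCP port number are all constructed placeholders, not values taken from the guide.

```python
"""Toy model of FortiNAC device-profiling rule evaluation (added example, not Fortinet code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Device:
    mac: str
    dhcp_fingerprint: Optional[str] = None           # None: no DHCP seen (e.g. static IP)
    open_tcp_ports: Set[int] = field(default_factory=set)  # what an active scan would find


@dataclass
class Rule:
    rank: int
    name: str
    method: str      # "OUI", "DHCP", "TCP" or "IPRANGE"
    match: str
    device_type: str


def oui(mac: str) -> str:
    """First three octets of a MAC, normalised to AA:BB:CC form."""
    return mac.upper().replace("-", ":")[:8]


def resolve_ip(mac: str, cache: Dict[str, str], l3_tables: List[Dict[str, str]]) -> Tuple[Optional[str], int]:
    """Item 5: prefer the IP-to-MAC cache; otherwise poll L3 devices in order and stop at the
    first hit. Returns (ip or None, number of L3 devices polled)."""
    if mac in cache:
        return cache[mac], 0
    polled = 0
    for table in l3_tables:          # one ARP/IP-to-MAC table per router, in poll order
        polled += 1
        if mac in table:
            cache[mac] = table[mac]
            return table[mac], polled
    return None, polled


def evaluate(rule: Rule, device: Device, ip: Optional[str]) -> Optional[bool]:
    """True = match, False = no match, None = the data this rule needs is unavailable."""
    if rule.method == "OUI":
        return oui(device.mac) == rule.match.upper()
    if rule.method == "DHCP":
        if device.dhcp_fingerprint is None:
            return None
        return rule.match.lower() in device.dhcp_fingerprint.lower()  # simplified fingerprint match
    if ip is None:                   # TCP scans and IP Range checks both need an address
        return None
    if rule.method == "TCP":
        return int(rule.match) in device.open_tcp_ports
    if rule.method == "IPRANGE":
        return ip_address(ip) in ip_network(rule.match)
    raise ValueError(f"unknown method {rule.method}")


def profile(rules: List[Rule], device: Device, ip: Optional[str], skip_on_missing: bool = False) -> Optional[str]:
    """Walk rules by rank; the first match wins. Missing data ends evaluation (the behaviour
    the guide describes); skip_on_missing=True models the alternative it rejects."""
    for rule in sorted(rules, key=lambda r: r.rank):
        result = evaluate(rule, device, ip)
        if result is None and not skip_on_missing:
            return None              # device stays uncategorized
        if result:
            return rule.device_type
    return None


# Constructed sample data: assumed placeholders, not real fingerprints or ports.
IPHONE_PORT = 62078                  # stands in for "the iPhone TCP port" in the guide's example
APPLE_RULES = [
    Rule(1, "iPhone by TCP port", "TCP", str(IPHONE_PORT), "Apple iPhone"),
    Rule(2, "Mac OS by DHCP", "DHCP", "Apple", "Mac OS"),
]
IPHONE = Device("00:11:22:AA:BB:CC", dhcp_fingerprint="Apple 1,3,6,15,119,252", open_tcp_ports={IPHONE_PORT})


def iphone_outcomes() -> Dict[str, Optional[str]]:
    """Item 2: halting on missing data leaves the iPhone uncategorized; skipping miscategorizes it."""
    return {
        "ip known": profile(APPLE_RULES, IPHONE, "10.0.0.5"),
        "ip unknown, halt": profile(APPLE_RULES, IPHONE, None),
        "ip unknown, skip": profile(APPLE_RULES, IPHONE, None, skip_on_missing=True),
    }


PRINTER = Device("00:80:77:12:34:56")    # static IP: never sends a DHCP request
DHCP_FIRST = [Rule(1, "Printers by DHCP", "DHCP", "Printer", "Printer"),
              Rule(2, "Printer VLAN", "IPRANGE", "10.10.20.0/24", "Printer")]
DHCP_LAST = [Rule(1, "Printer VLAN", "IPRANGE", "10.10.20.0/24", "Printer"),
             Rule(2, "Printers by DHCP", "DHCP", "Printer", "Printer")]


def static_ip_outcomes() -> Dict[str, object]:
    """Items 1 and 5: rule order for static-IP hosts, and cache-before-L3 address resolution."""
    cache: Dict[str, str] = {}
    l3 = [{"00:AA:00:AA:00:AA": "10.10.10.4"}, {PRINTER.mac: "10.10.20.9"}, {}]
    ip, polled = resolve_ip(PRINTER.mac, cache, l3)
    _, polled_again = resolve_ip(PRINTER.mac, cache, l3)           # served from cache
    unreadable_ip, _ = resolve_ip(PRINTER.mac, {}, [{}, {}])        # L3 tables not readable
    return {
        "polled": polled, "polled again": polled_again,
        "dhcp rule first": profile(DHCP_FIRST, PRINTER, ip),
        "dhcp rule last": profile(DHCP_LAST, PRINTER, ip),
        "l3 unreadable": profile(DHCP_LAST, PRINTER, unreadable_ip),
    }


if __name__ == "__main__":
    print(iphone_outcomes())
    print(static_ip_outcomes())
```

With the DHCP rule ranked first, the static-IP printer ends evaluation at rule 1 and the IP Range rule that would have matched it never runs; ranking the IP Range rule first categorizes it, but only when an address could be resolved from the cache or the routers' layer 3 tables. The halting behaviour is what keeps the iPhone from being swept up by the broader Mac OS rule when its TCP port cannot be checked.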