Fortinet black logo

Administration Guide

Adding a rule

Copy Link
Copy Doc ID 1ce38eeb-8119-11eb-9995-00505692583a:29753
Download PDF

Adding a rule

  1. Go to Users & Hosts > Device Profiling Rules.
  2. Click Add.
  3. In the General tab, select Enabled.
  4. Enter a Name, Description, and Note.
  5. (Optional) Select Notify Sponsor. If selected, administrators with permission to manage devices associated with this rule are notified when a new device matches the rule.
  6. Use the table below to configure Registration Settings:

    Registration

    Automatic: The device is registered immediately if the Register as option is selected.

    Manual: The device is registered manually from Profiled Devices. Register as must be selected in order to manually register the device.

    Type

    Select the device category in which a device matching this rule is placed.

    To create a new type, click .

    Role

    If you are using role-based access for hosts and devices managed in Inventory, select the role that controls access to the network for this device. If you are not using role-based access, select NAC-Default.

    To create a new role, click .

    Register as

    Select where the registered device is placed. Options include:

    • Device in Host View
    • Device in Topology (if you select this option, select the Container)
    • Device in Host View and Topology (if you select this option, select the Container)
    • Host to User (if you select this option, enter the User ID)
    • Host to Logged In User (If Present)

    If the device is an access point and you register it in Host View, it is removed from Host View and moved to Inventory after the first poll. It is also removed from the concurrent license count once it is recognized as an access point.

    Add to Group

    Select this option to add the device to a group. This option is not available if Register as is set to Device in Topology.

    To create a new group, click .

    Access Availability

    Determine when devices that match this rule are permitted to access the network. You can either select Always or specify a time.

  7. Select the appropriate Rule Confirmation Settings:
    • Confirm Device Rule On Connect: Check that a previously profiled device still matches the rule every time it connects.
    • Confirm Device Rule On Interval: Check that a previously profiled device still matches the rule at regular time intervals. You can set the interval for a set number of minutes, hours, or days.
    • Disable Device If Rule No Longer Matches Device: Disable a previously profiled device if it no longer matches the rule.
  8. In the Methods tab, select one or more methods to use for device identification. The device must meet the criteria established for all of the methods selected to match the rule.

    Use the table below to select the method(s):

    Active

    Select a method to determine rule matching:

    • Match Type
    • Match Custom

    If you select Match Custom, enter either an exact string or regular expression to match.

    DHCP Fingerprinting

    It is recommended to set up IP helper addresses for DHCP on routers when using DHCP fingerprinting.

    When evaluating a host using the DHCP fingerprint method, FortiNAC compares the last DHCP packet received. Previous entries evaluated are considered historical.

    Select a method to determine rule matching with DHCP:

    • Match Type

    • Match Custom Attributes

      • Fields left blank are ignored.

      • For best performance, it is recommended to make custom strings only as specific as necessary to match appropriately:

        1. Define a parameter list. Avoid wildcarding the parameter list (example: 1,3,252,42,*).

        2. If criteria is not specific enough to match properly, add hostname or vendor class second.

        3. If criteria is not specific enough to match properly with parameter list and hostname or vendor class, add "Option List" or "Message Type".

    HTTP/HTTPS

    Determine rule matching by sending an HTTP/HTTPS request. Select the Protocol, Port, and Path used to send requests to the device.

    If required, select Authentication and enter user credentials.

    (Optional) Select Match and enter a response message. If you enter multiple response values, the device matches if any of the values are found.

    IP Range

    Click Add and enter an IP range to match.

    Examples:

    Starting IP: 10.10.124.140
    Ending IP: 10.10.124.180

    Wilcard examples:

    Starting IP: 10.10.124.*
    Ending IP: 10.10.125.*

    Starting IP: 10.10.*.140
    Ending IP: 10.10.*.180

    Starting IP: *.*.*.140
    Ending IP: *.*.*.180

    Location

    Click Add and select the container(s) to match.

    Passive

    Select a Match Type to use with passive fingerprinting.

    Persistent Agent

    Set Match Type to an operating system. To use this method, devices must have a FortiNAC agent installed.

    To register hosts running the Persistent Agent using this method, you must disable registration under Persistent Agent Properties. For more information, see Credential configuration.

    SNMP

    Determine rule matching by sending an SNMP GET request for the OID specified.

    • OID: Enter OID to be queried (required) Example: 1.3.6.1.2.1.1.1.0

    • Port: Enter the port used for SNMP (required - Default is 161)

    • Under SNMP V1/V2c and/or SNMP V3 (required): Click Add and enter security credentials. If multiple credentials are entered, the device matches if any of the credentials are found.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    SSH

    Determine rule matching by sending an SSH client session request.

    Credentials: Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Commands: Click Add and enter commands for the request. The possible commands are:

    • expect: A regular expression string that matches the response from the device.
    • send: A string sent to the device that has two keywords, %USERNAME% and %PASSWORD%.

    A series of commands can be configured as an automated way to interact with the CLI on the device. The commands are executed in order, starting from the top.

    Only a single command can be executed at a time. Multiple commands cannot be chained together (pipes "|" are not supported).

    Example
    expect: User Name:
    send: %USERNAME%\n
    expect: Password:
    send: %PASSWORD%\n
    expect: Dell-3324#
    send: show system\n

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    TCP

    Click Add and enter a TCP port to match. You can enter multiple ports, separated by commas, or a port range using a hyphen. If you enter multiple ports, all ports must match.

    Telnet

    Determine rule matching by sending a telnet client session request.

    (Optional) Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Click Add and enter commands for the request. The possible commands are:

    • expect: A regular expression string that matches the response from the device.
    • send: A string sent to the device that has two keywords, %USERNAME% and %PASSWORD%.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    UDP

    Click Add and enter a UDP port to match. You can enter multiple ports, separated by commas, or a port range using a hyphen. If you enter multiple ports, all ports must match.

    Vendor OUI

    Determine rule matching using the vendor OUI.

    Click Add to configure an OUI. You can add the following field types:

    • Vendor Code: To use a vendor code, enter the first characters in the code, then select a code from the available list.
    • Vendor Name: To use a vendor name, enter the first characters in the name, then select a code from the available list. You can use a wildcard (*) at the beginning and end of the vendor name.
    • Vendor Alias: Enter a vendor alias that exists in the FortiNAC vendor database. You can use a wildcard (*) at the beginning and end of the vendor alias.
    • Device Type: Select a device type. If you select this option, the device type associated with the connecting device must match the device type for the vendor in the FortiNAC database.

    For more information, see Vendor OUIs.

    Note: Invalid Physical Addresses: If the MAC address matches a rule, the host will be registered regardless if vendor OUI is in the database. Device Profiler does not check to determine if the MAC address is valid.

    WinRM

    Determine rule matching by sending a WinRM client session request.

    Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Click Add and enter commands for the request.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    For more information on requirements and setup, see WinRM Device Profile Requirements and Setup.

    WMI Profile

    Determine rule matching by sending a WinRM or SSH client session request and creating a WMI profile.

    Set Protocol to WinRM or SSH and enter the Port.

    Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Additional options allow you to match specific versions of Microsoft Windows, installed applications, Windows Service statuses, running processes, serial numbers, and asset tags (with wildcard matching).

    For more information on requirements and setup, see WinRM Device Profile Requirements and Setup.

    Network Traffic

    Determine rule matching using network flow.

    Set Protocol to TCP, UDP, or Other.

    Enter the Destination Port.

    (Optional) Enable Apply Destination as Source Device and enter the Destination IP.

    You must configure firewall session polling to use this method. For more information, see Firewall session polling.

    FortiGate

    Select a method to determine rule matching using information from firewall sessions:

    • Match Type
    • Match Custom

    If you select Match Custom, enter either an exact string match or regular expression to match.

    You must configure firewall session polling to use this method. For more information, see Firewall session polling.

    ONVIF

    Determine rule matching using ONVIF.

    • Select Add to define the ONVIF profiles that the device must support.
      • Profile A – For products used in an electronic access control system
      • Profile C - For door control and event management systems.
      • Profile G - For IP-based video systems. A Profile G device (e.g., an IP network camera or video encoder).
      • Profile Q - For IP-based video systems and its aim is to provide quick discovery and basic configuration of Profile Q conformant products (e.g., network camera, network switch, network monitor) on a network.
      • Profile S - For IP-based video systems. A Profile S device (e.g., an IP network camera or video encoder)
      • Profile T - For IP-based video systems. Profile T supports video streaming features such as the use of H.264 and H.265 encoding formats.
    • (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    FortiGuard

    This method pulls IoT device information from the FortiGuard IoT Service based on the MAC address.

    Note:

    • Requires FortiCare support contract to enable FortiGuard IoT Service. Otherwise, the checkbox will not be selectable.
    • IoT service responses are enhanced when the "FortiGuard Collect Service" is enabled in Users & Hosts > Settings > Device Profiler

    Match Type

    • The Fortinet IoT query service is used to determine the OS of the device. Matches if the device type selected corresponds to the Operating System of the device being profiled.

    Match Custom Attributes

    • Category
    • Subcategory
    • Vendor
    • Model
    • Operating System
    • Sub Operating System

    Script

    Execute one of the command line scripts located in /home/cm/scripts. These command line scripts are for advanced use, such as administrator-created Perl scripts. MAC address and IP Address are passed to the script as arguments. Matches if the exit status of the script is zero.

    Note: If separate Control Server and Application Server appliances, command line scripts must be located in /home/cm/scripts of the Application Server.

  9. Click OK.

Adding a rule

  1. Go to Users & Hosts > Device Profiling Rules.
  2. Click Add.
  3. In the General tab, select Enabled.
  4. Enter a Name, Description, and Note.
  5. (Optional) Select Notify Sponsor. If selected, administrators with permission to manage devices associated with this rule are notified when a new device matches the rule.
  6. Use the table below to configure Registration Settings:

    Registration

    Automatic: The device is registered immediately if the Register as option is selected.

    Manual: The device is registered manually from Profiled Devices. Register as must be selected in order to manually register the device.

    Type

    Select the device category in which a device matching this rule is placed.

    To create a new type, click .

    Role

    If you are using role-based access for hosts and devices managed in Inventory, select the role that controls access to the network for this device. If you are not using role-based access, select NAC-Default.

    To create a new role, click .

    Register as

    Select where the registered device is placed. Options include:

    • Device in Host View
    • Device in Topology (if you select this option, select the Container)
    • Device in Host View and Topology (if you select this option, select the Container)
    • Host to User (if you select this option, enter the User ID)
    • Host to Logged In User (If Present)

    If the device is an access point and you register it in Host View, it is removed from Host View and moved to Inventory after the first poll. It is also removed from the concurrent license count once it is recognized as an access point.

    Add to Group

    Select this option to add the device to a group. This option is not available if Register as is set to Device in Topology.

    To create a new group, click .

    Access Availability

    Determine when devices that match this rule are permitted to access the network. You can either select Always or specify a time.

  7. Select the appropriate Rule Confirmation Settings:
    • Confirm Device Rule On Connect: Check that a previously profiled device still matches the rule every time it connects.
    • Confirm Device Rule On Interval: Check that a previously profiled device still matches the rule at regular time intervals. You can set the interval for a set number of minutes, hours, or days.
    • Disable Device If Rule No Longer Matches Device: Disable a previously profiled device if it no longer matches the rule.
  8. In the Methods tab, select one or more methods to use for device identification. The device must meet the criteria established for all of the methods selected to match the rule.

    Use the table below to select the method(s):

    Active

    Select a method to determine rule matching:

    • Match Type
    • Match Custom

    If you select Match Custom, enter either an exact string or regular expression to match.

    DHCP Fingerprinting

    It is recommended to set up IP helper addresses for DHCP on routers when using DHCP fingerprinting.

    When evaluating a host using the DHCP fingerprint method, FortiNAC compares the last DHCP packet received. Previous entries evaluated are considered historical.

    Select a method to determine rule matching with DHCP:

    • Match Type

    • Match Custom Attributes

      • Fields left blank are ignored.

      • For best performance, it is recommended to make custom strings only as specific as necessary to match appropriately:

        1. Define a parameter list. Avoid wildcarding the parameter list (example: 1,3,252,42,*).

        2. If criteria is not specific enough to match properly, add hostname or vendor class second.

        3. If criteria is not specific enough to match properly with parameter list and hostname or vendor class, add "Option List" or "Message Type".

    HTTP/HTTPS

    Determine rule matching by sending an HTTP/HTTPS request. Select the Protocol, Port, and Path used to send requests to the device.

    If required, select Authentication and enter user credentials.

    (Optional) Select Match and enter a response message. If you enter multiple response values, the device matches if any of the values are found.

    IP Range

    Click Add and enter an IP range to match.

    Examples:

    Starting IP: 10.10.124.140
    Ending IP: 10.10.124.180

    Wilcard examples:

    Starting IP: 10.10.124.*
    Ending IP: 10.10.125.*

    Starting IP: 10.10.*.140
    Ending IP: 10.10.*.180

    Starting IP: *.*.*.140
    Ending IP: *.*.*.180

    Location

    Click Add and select the container(s) to match.

    Passive

    Select a Match Type to use with passive fingerprinting.

    Persistent Agent

    Set Match Type to an operating system. To use this method, devices must have a FortiNAC agent installed.

    To register hosts running the Persistent Agent using this method, you must disable registration under Persistent Agent Properties. For more information, see Credential configuration.

    SNMP

    Determine rule matching by sending an SNMP GET request for the OID specified.

    • OID: Enter OID to be queried (required) Example: 1.3.6.1.2.1.1.1.0

    • Port: Enter the port used for SNMP (required - Default is 161)

    • Under SNMP V1/V2c and/or SNMP V3 (required): Click Add and enter security credentials. If multiple credentials are entered, the device matches if any of the credentials are found.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    SSH

    Determine rule matching by sending an SSH client session request.

    Credentials: Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Commands: Click Add and enter commands for the request. The possible commands are:

    • expect: A regular expression string that matches the response from the device.
    • send: A string sent to the device that has two keywords, %USERNAME% and %PASSWORD%.

    A series of commands can be configured as an automated way to interact with the CLI on the device. The commands are executed in order, starting from the top.

    Only a single command can be executed at a time. Multiple commands cannot be chained together (pipes "|" are not supported).

    Example
    expect: User Name:
    send: %USERNAME%\n
    expect: Password:
    send: %PASSWORD%\n
    expect: Dell-3324#
    send: show system\n

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    TCP

    Click Add and enter a TCP port to match. You can enter multiple ports, separated by commas, or a port range using a hyphen. If you enter multiple ports, all ports must match.

    Telnet

    Determine rule matching by sending a telnet client session request.

    (Optional) Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Click Add and enter commands for the request. The possible commands are:

    • expect: A regular expression string that matches the response from the device.
    • send: A string sent to the device that has two keywords, %USERNAME% and %PASSWORD%.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    UDP

    Click Add and enter a UDP port to match. You can enter multiple ports, separated by commas, or a port range using a hyphen. If you enter multiple ports, all ports must match.

    Vendor OUI

    Determine rule matching using the vendor OUI.

    Click Add to configure an OUI. You can add the following field types:

    • Vendor Code: To use a vendor code, enter the first characters in the code, then select a code from the available list.
    • Vendor Name: To use a vendor name, enter the first characters in the name, then select a code from the available list. You can use a wildcard (*) at the beginning and end of the vendor name.
    • Vendor Alias: Enter a vendor alias that exists in the FortiNAC vendor database. You can use a wildcard (*) at the beginning and end of the vendor alias.
    • Device Type: Select a device type. If you select this option, the device type associated with the connecting device must match the device type for the vendor in the FortiNAC database.

    For more information, see Vendor OUIs.

    Note: Invalid Physical Addresses: If the MAC address matches a rule, the host will be registered regardless if vendor OUI is in the database. Device Profiler does not check to determine if the MAC address is valid.

    WinRM

    Determine rule matching by sending a WinRM client session request.

    Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Click Add and enter commands for the request.

    (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    For more information on requirements and setup, see WinRM Device Profile Requirements and Setup.

    WMI Profile

    Determine rule matching by sending a WinRM or SSH client session request and creating a WMI profile.

    Set Protocol to WinRM or SSH and enter the Port.

    Click Add and enter user credentials. If you enter multiple credentials, the device matches if any of the credentials are found.

    Additional options allow you to match specific versions of Microsoft Windows, installed applications, Windows Service statuses, running processes, serial numbers, and asset tags (with wildcard matching).

    For more information on requirements and setup, see WinRM Device Profile Requirements and Setup.

    Network Traffic

    Determine rule matching using network flow.

    Set Protocol to TCP, UDP, or Other.

    Enter the Destination Port.

    (Optional) Enable Apply Destination as Source Device and enter the Destination IP.

    You must configure firewall session polling to use this method. For more information, see Firewall session polling.

    FortiGate

    Select a method to determine rule matching using information from firewall sessions:

    • Match Type
    • Match Custom

    If you select Match Custom, enter either an exact string match or regular expression to match.

    You must configure firewall session polling to use this method. For more information, see Firewall session polling.

    ONVIF

    Determine rule matching using ONVIF.

    • Select Add to define the ONVIF profiles that the device must support.
      • Profile A – For products used in an electronic access control system
      • Profile C - For door control and event management systems.
      • Profile G - For IP-based video systems. A Profile G device (e.g., an IP network camera or video encoder).
      • Profile Q - For IP-based video systems and its aim is to provide quick discovery and basic configuration of Profile Q conformant products (e.g., network camera, network switch, network monitor) on a network.
      • Profile S - For IP-based video systems. A Profile S device (e.g., an IP network camera or video encoder)
      • Profile T - For IP-based video systems. Profile T supports video streaming features such as the use of H.264 and H.265 encoding formats.
    • (Optional) Select Match and enter a response string. If you enter multiple string values, the device matches if any of the values are found.

    FortiGuard

    This method pulls IoT device information from the FortiGuard IoT Service based on the MAC address.

    Note:

    • Requires FortiCare support contract to enable FortiGuard IoT Service. Otherwise, the checkbox will not be selectable.
    • IoT service responses are enhanced when the "FortiGuard Collect Service" is enabled in Users & Hosts > Settings > Device Profiler

    Match Type

    • The Fortinet IoT query service is used to determine the OS of the device. Matches if the device type selected corresponds to the Operating System of the device being profiled.

    Match Custom Attributes

    • Category
    • Subcategory
    • Vendor
    • Model
    • Operating System
    • Sub Operating System

    Script

    Execute one of the command line scripts located in /home/cm/scripts. These command line scripts are for advanced use, such as administrator-created Perl scripts. MAC address and IP Address are passed to the script as arguments. Matches if the exit status of the script is zero.

    Note: If separate Control Server and Application Server appliances, command line scripts must be located in /home/cm/scripts of the Application Server.

  9. Click OK.