Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiNAC 9.4.0 Administration Guide
    9.4.0
    9.4.0
    9.2.0
    9.1.0
    8.8.0
    8.7.0
    8.6.0
    8.5.2
    8.3.0

    Endpoint Fingerprints

    Endpoint Fingerprints

    FortiNAC continuously collects identity records as hosts connect to the network. These records are used to rapidly identify and categorize new devices as they connect to the network. A list of these device identity matches are displayed on the Endpoint Fingerprint view. A separate record is added every time a new fingerprint is heard for a MAC. For example, if the adapter on a host is moved from a registration VLAN to a production VLAN and as a result requests a new IP address this creates a new record. If two records are displayed for the same MAC and port, but with different OSs, the host is most likely a dual-boot host. This generates the Device Fingerprint Changed event. The following information can be found for each fingerprint.

    Information

    Field

    Definition

    Physical Address

    MAC address of the device.

    Device Type

    Indicates the type of hardware detected.

    Operating System

    Operating system of the host. If more than one record is displayed with different operating systems, this host may be dual boot.

    IP Address

    IP address of the device.

    Host Name

    The name for this host extracted from the DHCP packet.

    Vendor

    Manufacturer of the host. This is based on the vendor OUI.

    Vendor OUI

    First 3 octets of a device’s Physical Address.

    Source

    Method used to identify the device. Sources can be ranked through Set Source Rank.

    Rule Name

    Name of the Device Profiling Rule that was a match for this device.

    Device Registered

    Specifies whether the device is registered in the FortiNAC Database or is a rogue device. The number of devices registered or rogue will display above the table header.

    Last Heard

    The last time FortiNAC matched this fingerprint for this host.

    Creation Time

    The first time FortiNAC matched this fingerprint for this host.

    The information displayed on the table can be configured by hovering over the table's header to reveal a settings icon on the left side of the header.

    Along the top of the Endpoint Fingerprint view, interactable charts can be displayed for Device Types, Operating System, Vendor, Vendor OUI, and Source. Hovering over the charts will reveal a settings icon at the top left of the view. Clicking it will provide the option to customize the charts. Charts can be reordered by dragging and dropping the chart to its desired location along the top. Selecting a slice of a chart will filter the fingerprints by that attribute. To remove the filter, click the filter icon to the top right of the chart.

    Right-Click Options

    Option

    Description
    Delete Deletes the selected fingerprint(s).
    Show Attributes

    Displays the Fingerprint Attributes information.
    Show Adapters Displays the adapter information associated with the device.
    Register as Device See Register a host as a device
    Confirm Rule Confirms the device still matches their associated rule.
    Enable Host Enables the host. See Enable or disable hosts
    Disable Host Disables the host. See Enable or disable hosts.
    Create Device Profiling Rule Displays a window to Add a Device Profiling Rule. See Adding a rule.
    Run FortiGuard IoT Scan

    Runs a FortiGuard IoT Scan.

    Test Device Profiling Rule

    Tests the selected device profiling rule against the selected host(s).
    Fingerprint Attributes

    Attribute

    Description
    Active

    OUTPUT

    Output of the Nmap command.

    PORTS

    Open ports discovered during the Nmap scan.
    Agent
    UUID

    UUID for this host.
    HWTYPE

    Hardware type for this host.
    SERIAL

    Serial number for this host.
    ASSET_TAG

    Asset tag for this host.
    SSID

    Service Set Identifier for this adapter.
    BSSID

    Basic Service Set Identifier for this adapter.
    MEDIA

    Media type for this adapter.
    IFDESC

    Interface Description for this adapter.
    OPERSTATUS

    The Operational Status for this adapter.
    DHCP
    PARAMLIST

    Combination of parameters contained in the DHCP packet that allows FortiNAC to infer the operating system for this host.
    OPTIONLIST Displays a list of option numbers from the DHCP packet used to provide information about the host.
    VENDORCLASS

    Vendor Class Identifier extracted from the DHCP packet. Allows the DHCP server to return specific information based on the host's hardware type.
    MSGTYPE

    DHCP message type, including

    • Discover: Host broadcast initial DHCP request for an IP address.
    • Request : DHCP server has responded. Host requests an IP address from a specific DHCP server.
    • Passive: Generated when something about the DHCP fingerprint has changed since the last message, such as a different operating system.
    FortiGuard
    CONFIDENCE How confident FortiGuard is in this host classification.
    CAT Category for this host.
    SUBCAT Subcategory for this host.
    OS Operating system for this host.
    SUBOS Sub operating system for this host.
    VENDOR Vendor of this host.
    MODEL Model of this host.
    HTTP/HTTPS
    OUTPUT HTTP(S) response to the web request.
    ONVIF
    UUID Reported UUID from the ONVIF scan.
    HWTYPE Reported hardware type from the ONVIF scan.
    OUTPUT Raw output of the ONVIF scan.

    RADIUS

    Calling-Station-Id Phone number of the user calling
    Called-Station-Id Phone number of the user called
    User-Name Name of the user to be authenticated
    NAS-IP-Address IP address of the NAS originating the Access-Request
    NAS-Identifier String identifying the NAS originating the Access-Request
    TLS-Client-Cert-Subject-Alt-Name-Upn TLS Client Certificate Subject Alternative Name
    TLS-Client-Cert-Common-Name TLS Client Certificate Common Name
    Fortinet-Vdom-Name FortiGate Virtual Domain Name
    FortiNAC-Deny
    FortiNAC-Nas-Src-Ip Source IP of the RADIUS Access-Request
    Cleartext-Password
    EAP-Type EAP Type number
    EAP-Type-Name EAP Type name
    User-Password Password used for authentication. If present, will display as ***
    Script
    OUTPUT

    Raw output of the executed script.
    EXITVALUE

    Exit value of the executed script.
    SNMP
    RESPONSE

    Response from querying the requested OID.
    OID

    Requested OID.
    SSH
    OUTPUT

    Raw output of the SSH command.
    TCP
    PORTS

    List of detected open TCP ports.
    Telnet
    OUTPUT

    Raw output of the Telnet command.
    UDP
    PORTS

    List of detected open UDP ports.
    Vendor OUI
    VENDOR

    Vendor Name of the host.
    OUI

    Vendor OUI of the host.
    ALIAS

    Vendor Alias for the host.
    WinRM
    OUTPUT
    Windows Profile
    UUID

    UUID for the host.
    HWTYPE

    Hardware Type for the host.
    ASSET_TAG

    Asset tag for the host.
    SERIAL

    Serial number for the host.
    SUMMARY

    Summary description of the host.
    OUTPUT

    Raw output.
    DOMAIN

    Domain the host belongs to.
    PRODUCT_TYPE

    Product type of the host.
    Previous
    Next

    Endpoint Fingerprints

    Endpoint Fingerprints

    FortiNAC continuously collects identity records as hosts connect to the network. These records are used to rapidly identify and categorize new devices as they connect to the network. A list of these device identity matches are displayed on the Endpoint Fingerprint view. A separate record is added every time a new fingerprint is heard for a MAC. For example, if the adapter on a host is moved from a registration VLAN to a production VLAN and as a result requests a new IP address this creates a new record. If two records are displayed for the same MAC and port, but with different OSs, the host is most likely a dual-boot host. This generates the Device Fingerprint Changed event. The following information can be found for each fingerprint.

    Information

    Field

    Definition

    Physical Address

    MAC address of the device.

    Device Type

    Indicates the type of hardware detected.

    Operating System

    Operating system of the host. If more than one record is displayed with different operating systems, this host may be dual boot.

    IP Address

    IP address of the device.

    Host Name

    The name for this host extracted from the DHCP packet.

    Vendor

    Manufacturer of the host. This is based on the vendor OUI.

    Vendor OUI

    First 3 octets of a device’s Physical Address.

    Source

    Method used to identify the device. Sources can be ranked through Set Source Rank.

    Rule Name

    Name of the Device Profiling Rule that was a match for this device.

    Device Registered

    Specifies whether the device is registered in the FortiNAC Database or is a rogue device. The number of devices registered or rogue will display above the table header.

    Last Heard

    The last time FortiNAC matched this fingerprint for this host.

    Creation Time

    The first time FortiNAC matched this fingerprint for this host.

    The information displayed on the table can be configured by hovering over the table's header to reveal a settings icon on the left side of the header.

    Along the top of the Endpoint Fingerprint view, interactable charts can be displayed for Device Types, Operating System, Vendor, Vendor OUI, and Source. Hovering over the charts will reveal a settings icon at the top left of the view. Clicking it will provide the option to customize the charts. Charts can be reordered by dragging and dropping the chart to its desired location along the top. Selecting a slice of a chart will filter the fingerprints by that attribute. To remove the filter, click the filter icon to the top right of the chart.

    Right-Click Options

    Option

    Description
    Delete Deletes the selected fingerprint(s).
    Show Attributes

    Displays the Fingerprint Attributes information.
    Show Adapters Displays the adapter information associated with the device.
    Register as Device See Register a host as a device
    Confirm Rule Confirms the device still matches their associated rule.
    Enable Host Enables the host. See Enable or disable hosts
    Disable Host Disables the host. See Enable or disable hosts.
    Create Device Profiling Rule Displays a window to Add a Device Profiling Rule. See Adding a rule.
    Run FortiGuard IoT Scan

    Runs a FortiGuard IoT Scan.

    Test Device Profiling Rule

    Tests the selected device profiling rule against the selected host(s).
    Fingerprint Attributes

    Attribute

    Description
    Active

    OUTPUT

    Output of the Nmap command.

    PORTS

    Open ports discovered during the Nmap scan.
    Agent
    UUID

    UUID for this host.
    HWTYPE

    Hardware type for this host.
    SERIAL

    Serial number for this host.
    ASSET_TAG

    Asset tag for this host.
    SSID

    Service Set Identifier for this adapter.
    BSSID

    Basic Service Set Identifier for this adapter.
    MEDIA

    Media type for this adapter.
    IFDESC

    Interface Description for this adapter.
    OPERSTATUS

    The Operational Status for this adapter.
    DHCP
    PARAMLIST

    Combination of parameters contained in the DHCP packet that allows FortiNAC to infer the operating system for this host.
    OPTIONLIST Displays a list of option numbers from the DHCP packet used to provide information about the host.
    VENDORCLASS

    Vendor Class Identifier extracted from the DHCP packet. Allows the DHCP server to return specific information based on the host's hardware type.
    MSGTYPE

    DHCP message type, including

    • Discover: Host broadcast initial DHCP request for an IP address.
    • Request : DHCP server has responded. Host requests an IP address from a specific DHCP server.
    • Passive: Generated when something about the DHCP fingerprint has changed since the last message, such as a different operating system.
    FortiGuard
    CONFIDENCE How confident FortiGuard is in this host classification.
    CAT Category for this host.
    SUBCAT Subcategory for this host.
    OS Operating system for this host.
    SUBOS Sub operating system for this host.
    VENDOR Vendor of this host.
    MODEL Model of this host.
    HTTP/HTTPS
    OUTPUT HTTP(S) response to the web request.
    ONVIF
    UUID Reported UUID from the ONVIF scan.
    HWTYPE Reported hardware type from the ONVIF scan.
    OUTPUT Raw output of the ONVIF scan.

    RADIUS

    Calling-Station-Id Phone number of the user calling
    Called-Station-Id Phone number of the user called
    User-Name Name of the user to be authenticated
    NAS-IP-Address IP address of the NAS originating the Access-Request
    NAS-Identifier String identifying the NAS originating the Access-Request
    TLS-Client-Cert-Subject-Alt-Name-Upn TLS Client Certificate Subject Alternative Name
    TLS-Client-Cert-Common-Name TLS Client Certificate Common Name
    Fortinet-Vdom-Name FortiGate Virtual Domain Name
    FortiNAC-Deny
    FortiNAC-Nas-Src-Ip Source IP of the RADIUS Access-Request
    Cleartext-Password
    EAP-Type EAP Type number
    EAP-Type-Name EAP Type name
    User-Password Password used for authentication. If present, will display as ***
    Script
    OUTPUT

    Raw output of the executed script.
    EXITVALUE

    Exit value of the executed script.
    SNMP
    RESPONSE

    Response from querying the requested OID.
    OID

    Requested OID.
    SSH
    OUTPUT

    Raw output of the SSH command.
    TCP
    PORTS

    List of detected open TCP ports.
    Telnet
    OUTPUT

    Raw output of the Telnet command.
    UDP
    PORTS

    List of detected open UDP ports.
    Vendor OUI
    VENDOR

    Vendor Name of the host.
    OUI

    Vendor OUI of the host.
    ALIAS

    Vendor Alias for the host.
    WinRM
    OUTPUT
    Windows Profile
    UUID

    UUID for the host.
    HWTYPE

    Hardware Type for the host.
    ASSET_TAG

    Asset tag for the host.
    SERIAL

    Serial number for the host.
    SUMMARY

    Summary description of the host.
    OUTPUT

    Raw output.
    DOMAIN

    Domain the host belongs to.
    PRODUCT_TYPE

    Product type of the host.
    Previous
    Next