Administration Guide

Endpoint Fingerprints

7.4.0

Endpoint Fingerprints

FortiNAC continuously collects identity records as hosts connect to the network. These records are used to rapidly identify and categorize new devices as they connect. The resulting device identity matches are listed on the Endpoint Fingerprint view. A separate record is added every time a new fingerprint is heard for a MAC address. For example, if the adapter on a host is moved from a registration VLAN to a production VLAN and, as a result, requests a new IP address, a new record is created. If two records are displayed for the same MAC and port but with different operating systems, the host is most likely a dual-boot host. This generates the Device Fingerprint Changed event. The information described in this topic is available for each fingerprint.

FortiNAC-OS Requirement: Certain Fingerprint Attributes require access for the applicable protocol to be enabled. The Fingerprint Attributes table below lists which "set allowaccess" option is required per attribute (if any). See Open ports for more details.

Information

| Field | Definition |
|---|---|
| Physical Address | MAC address of the device. |
| Device Type | Indicates the type of hardware detected. |
| Operating System | Operating system of the host. If more than one record is displayed with different operating systems, this host may be dual boot. |
| IP Address | IP address of the device. |
| Host Name | The name for this host extracted from the DHCP packet. |
| Vendor | Manufacturer of the host. This is based on the vendor OUI. |
| Vendor OUI | First 3 octets of a device’s Physical Address. |
| Source | Method used to identify the device. Sources can be ranked through Set Source Rank. |
| Rule Name | Name of the Device Profiling Rule that was a match for this device. |
| Device Registered | Specifies whether the device is registered in the FortiNAC Database or is a rogue device. The number of devices registered or rogue will display above the table header. |
| Last Heard | The last time FortiNAC matched this fingerprint for this host. |
| Creation Time | The first time FortiNAC matched this fingerprint for this host. |

The information displayed on the table can be configured by hovering over the table's header to reveal a settings icon on the left side of the header.

Along the top of the Endpoint Fingerprint view, interactive charts can be displayed for Device Types, Operating System, Vendor, Vendor OUI, and Source. Hovering over the charts reveals a settings icon at the top left of the view; clicking it provides the option to customize the charts. Charts can be reordered by dragging and dropping a chart to its desired location along the top. Selecting a slice of a chart filters the fingerprints by that attribute. To remove the filter, click the filter icon at the top right of the chart.

Right-Click Options

| Option | Description |
|---|---|
| Delete | Deletes the selected fingerprint(s). |
| Show Attributes | Displays the Fingerprint Attributes information. |
| Show Adapters | Displays the adapter information associated with the device. |
| Register as Device | See Register a host as a device. |
| Confirm Rule | Confirms the device still matches its associated rule. |
| Enable Host | Enables the host. See Enable or disable hosts. |
| Disable Host | Disables the host. See Enable or disable hosts. |
| Create Device Profiling Rule | Displays a window to Add a Device Profiling Rule. See Adding a rule. |
| Run FortiGuard IoT Scan | Runs a FortiGuard IoT Scan. |
| Test Device Profiling Rule | Tests the selected device profiling rule against the selected host(s). |

Fingerprint Attributes

| Source | Attribute | Description |
|---|---|---|
| Active | | |
| | OUTPUT | Output of the Nmap command. |
| | PORTS | Open ports discovered during the Nmap scan. |
| Agent | | FortiNAC-OS "set allowaccess" option: nac-agent |
| | UUID | UUID for this host. |
| | HWTYPE | Hardware type for this host. |
| | SERIAL | Serial number for this host. |
| | ASSET_TAG | Asset tag for this host. |
| | SSID | Service Set Identifier for this adapter. |
| | BSSID | Basic Service Set Identifier for this adapter. |
| | MEDIA | Media type for this adapter. |
| | IFDESC | Interface Description for this adapter. |
| | OPERSTATUS | The Operational Status for this adapter. |
| DHCP | | FortiNAC-OS "set allowaccess" option: dhcp |
| | PARAMLIST | Combination of parameters contained in the DHCP packet that allows FortiNAC to infer the operating system for this host. |
| | OPTIONLIST | Displays a list of option numbers from the DHCP packet used to provide information about the host. |
| | VENDORCLASS | Vendor Class Identifier extracted from the DHCP packet. Allows the DHCP server to return specific information based on the host's hardware type. |
| | MSGTYPE | DHCP message type, including: • Discover: Host broadcast initial DHCP request for an IP address. • Request: DHCP server has responded. Host requests an IP address from a specific DHCP server. • Passive: Generated when something about the DHCP fingerprint has changed since the last message, such as a different operating system. |
| FortiGuard | | |
| | CONFIDENCE | How confident FortiGuard is in this host classification. |
| | CAT | Category for this host. |
| | SUBCAT | Subcategory for this host. |
| | OS | Operating system for this host. |
| | SUBOS | Sub operating system for this host. |
| | VENDOR | Vendor of this host. |
| | MODEL | Model of this host. |
| HTTP/HTTPS | | FortiNAC-OS "set allowaccess" option: http and/or https |
| | OUTPUT | HTTP(S) response to the web request. |
| ONVIF | | |
| | UUID | Reported UUID from the ONVIF scan. |
| | HWTYPE | Reported hardware type from the ONVIF scan. |
| | OUTPUT | Raw output of the ONVIF scan. |
| RADIUS | | FortiNAC-OS "set allowaccess" option: radius and/or radius-local |
| | Calling-Station-Id | Phone number of the user calling |
| | Called-Station-Id | Phone number of the user called |
| | User-Name | Name of the user to be authenticated |
| | NAS-IP-Address | IP address of the NAS originating the Access-Request |
| | NAS-Identifier | String identifying the NAS originating the Access-Request |
| | TLS-Client-Cert-Subject-Alt-Name-Upn | TLS Client Certificate Subject Alternative Name |
| | TLS-Client-Cert-Common-Name | TLS Client Certificate Common Name |
| | Fortinet-Vdom-Name | FortiGate Virtual Domain Name |
| | FortiNAC-Deny | |
| | FortiNAC-Nas-Src-Ip | Source IP of the RADIUS Access-Request |
| | Cleartext-Password | |
| | EAP-Type | EAP Type number |
| | EAP-Type-Name | EAP Type name |
| | User-Password | Password used for authentication. If present, will display as *** |
| Script | | |
| | OUTPUT | Raw output of the executed script. |
| | EXITVALUE | Exit value of the executed script. |
| SNMP | | FortiNAC-OS "set allowaccess" option: snmp |
| | RESPONSE | Response from querying the requested OID. |
| | OID | Requested OID. |
| SSH | | FortiNAC-OS "set allowaccess" option: ssh |
| | OUTPUT | Raw output of the SSH command. |
| TCP | | |
| | PORTS | List of detected open TCP ports. |
| Telnet | | |
| | OUTPUT | Raw output of the Telnet command. |
| UDP | | |
| | PORTS | List of detected open UDP ports. |
| Vendor OUI | | |
| | VENDOR | Vendor Name of the host. |
| | OUI | Vendor OUI of the host. |
| | ALIAS | Vendor Alias for the host. |
| WinRM | | |
| | OUTPUT | |
| Windows Profile | | |
| | UUID | UUID for the host. |
| | HWTYPE | Hardware Type for the host. |
| | ASSET_TAG | Asset tag for the host. |
| | SERIAL | Serial number for the host. |
| | SUMMARY | Summary description of the host. |
| | OUTPUT | Raw output. |
| | DOMAIN | Domain the host belongs to. |
| | PRODUCT_TYPE | Product type of the host. |
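The DHCP attributes in the table above, and the dual-boot case from the introduction, shown as an added example (not Fortinet code and not part of the original guide): a parser that pulls fingerprint-style fields out of a raw DHCP payload and compares two packets from one MAC. It assumes PARAMLIST corresponds to DHCP option 55, VENDORCLASS to option 60, Host Name to option 12 and MSGTYPE to option 53 (RFC 2132); the function names and sample packets are constructed for illustration, and "Passive" is not mapped because it is generated by FortiNAC rather than carried in the packet.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"         # precedes the options field (RFC 2131)
MSG_TYPES = {1: "Discover", 3: "Request"}  # option 53 values named in the table


def parse_dhcp_fingerprint(packet: bytes) -> dict:
    """Pull fingerprint-style attributes out of a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    mac = ":".join(f"{b:02X}" for b in packet[28:34])  # chaddr field
    fp = {"MAC": mac, "OUI": mac[:8], "OPTIONLIST": [], "PARAMLIST": [],
          "VENDORCLASS": None, "HOSTNAME": None, "MSGTYPE": None}
    i = 240
    while i < len(packet) and packet[i] != 255:        # 255 = End option
        code = packet[i]
        if code == 0:                                  # Pad has no length byte
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError(f"option {code} runs past the end of the packet")
        value = packet[i + 2:i + 2 + packet[i + 1]]
        fp["OPTIONLIST"].append(code)
        if code == 53 and len(value) == 1:
            fp["MSGTYPE"] = MSG_TYPES.get(value[0], f"type-{value[0]}")
        elif code == 55:                               # parameter request list
            fp["PARAMLIST"] = list(value)
        elif code in (12, 60):                         # host name / vendor class
            key = "HOSTNAME" if code == 12 else "VENDORCLASS"
            fp[key] = value.decode("ascii", "replace")
        i += 2 + len(value)
    return fp


def fingerprint_changed(a: dict, b: dict) -> bool:
    """Same MAC but a different DHCP fingerprint, e.g. a dual-boot host."""
    return a["MAC"] == b["MAC"] and any(a[k] != b[k] for k in ("PARAMLIST", "VENDORCLASS"))


def build_sample(mac: bytes, options: list) -> bytes:
    """Constructed input: minimal BOOTREQUEST header plus the given options."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(24) + mac + bytes(202)
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return header + MAGIC_COOKIE + body + b"\xff"


MAC = bytes.fromhex("001122334455")  # constructed address and option values
BOOT_A = build_sample(MAC, [(53, b"\x01"), (12, b"lab-pc"), (60, b"MSFT 5.0"),
                            (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47]))])
BOOT_B = build_sample(MAC, [(53, b"\x03"), (55, bytes([1, 28, 2, 3, 15, 6, 12]))])
```

Because a length byte that points past the end of the payload raises an error instead of being read, a truncated or malformed packet cannot produce a partial fingerprint.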
