Chapter 19 – Managing Devices

Chapter 19 – Managing Devices

What’s New in FortiOS 5.4

Managing “bring your own device” Device monitoring

Device Groups

Controlling access with a MAC Address Access Control List

Security policies for devices

This handbook chapter contains the following sections:

Managing “bring your own device” describes device monitoring, devices, device groups, and device policies. The administrator can monitor all types of devices and control their access to network resources.

 

Whats New in FortiOS 5.4

 

802.1x Mac Authentication Bypass (197218)

Some FortiGate models contain a hardware switch. On the hardware switch interface, 802.1X authentication is available. You might want to bypass 802.1X authentication for devices such as printers that cannot authenticate, identifying them by their MAC address.

 

In the CLI, enable MAC authentication bypass on the interface:

config system interface edit “lan”

set ip 10.0.0.200 255.255.255.0 set security-mode 802.1X

set security-mac-auth-bypass enable set security-groups “Radius-group”

end

The devices that bypass authentication have entries in the RADIUS database with their MAC address in the User- Name and User-Password attributes instead of user credentials.

 

Vulnerability Scan status change(293156)

The FortiGate will no longer function as a vulnerability scanner, even in CLI mode. Vulnerability scans / assessments will handled by the FortiClient software.

 

FortiFone devices are now identified by FortiOS (289921)

FortiFone devices are now identified by FortiOS as Fortinet FON.

 

Support for MAC Authentication Bypass (MAB) (197218)

MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

 

config system interface edit “lan”

set ip 10.0.0.200 255.255.255.0 set vlanforward enable

set security-mode 802.1X

set security-mac-auth-bypass enable set security-groups “Radius-group”

end end

 

MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

 

config wireless-controller vap edit “office-ssid”

set security wpa2-only-enterprise set auth usergroup

set usergroup “staff”

set radius-mac-auth enable

set radius-mac-auth-server “ourRadius” end

end

 

Active device identification (279278)

Hosts whose device type cannot be determined passively are actively scanned using the same techniques as the vulnerability scan. This active scanning is enabled by default on models that support vulnerability scanning. You can turn off Active Scanning on any interface. In the GUI, go to the interface’s page in Network > Interfaces.

 

CLI Syntax:

config system interface edit port1

set device-identification enable

set device-identification-active-scan disable end

 

Device Page Improvements (Detected and custom devices) (280271)

Devices are now in two lists on the User & Device menu. Detected devices are listed in the Device List where you can list them alphabetically, by type, or by interface. On the Custom Devices and Groups page you can

  • create custom device groups
  • predefine a device, assigning its device type and adding it to custom device groups

 

Device offline timeout is adjustable (269104)

A device is considered offline if it has not sent any packets during the timeout period. Prior to FortiOS 5.4, the timeout value was fixed at 90 seconds. Now the timeout can be set to any value from 30 to 31 536 000 seconds (365 days). The default value is 300 seconds (5 minutes). The timer is in the CLI:

config system global

set device-idle-timeout 300 end

 

Improved detection of FortiOS-VM devices (272929)

A FortiGate-VM device is an instance of FortiOS running on a virtual machine (VM). The host computer does not have the Fortinet MAC addresses usually used to detect FortiGate units. Device detection now has two additional ways to detect FortiGate-VMs:

  • the FortiGate vendor ID in FortiOS IKE messages
  • the FortiGate device ID in FortiGuard web filter and spamfilter requests

 

Custom avatars for custom devices (299795)

You can upload an avatar for a custom device. The avatar is then displayed in the GUI wherever the device is listed, such as FortiView, log viewer, or policy configuration. To upload an avatar image,click Upload Image on the New Device or Edit Device page of User & Device > Custom Devices & Groups. The image can be in any format your browser supports and will be automatically sized to 36 x 36 pixels for use in the FortiGate GUI.

 

This entry was posted in FortiOS, FortiOS 5.4 Handbook and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.