3. 3
Overview Device Identity
Device Identification
Device & OS Fingerprinting
Device Classification & Management
Contextual Device Information
Device Based Policies
Policies using Device/Device Group
Identify device type to add into contextual information for better visibility
Enforce policies based on device types or devices
Allow organization to embrace BYOD environment securely
Device Group List
4. 4
Overview
Securing BYOD environment
Identifying device/device types to apply appropriate policy enforcements
Additional control beyond traditional Windows AD environment
Device Identity
Identity Policies
Device Identification Access Control Security Application
UTM Profiles
Awareness
Agentless
Agent based
5. 5
Identification Techniques
Agentless
» TCP Fingerprinting
» MAC address vendor codes
» Network discovery protocols, DHCPv6 etc
» Requires “direct” connectivity to FortiGate
Agent Based
» Uses FortiClient
» Location & Infrastructure Independent
Device Identification Device Identity
[Diagram labels: Internet, DMZ, FC, Agentless, with Agent]
6. 6
• Based on regularly updated device/OS signatures and MAC address vendor lists DB
• Automatic detection & categorization into predefined device groups
• Enabled per Device-based Policy
• Force detect device by HTTP communication (HTTP User-Agent)
• Email collection/Endpoint compliance portal
• Agent captures system information and relays it to FortiGate, 100% accurate
• Allows device identification on remote networks
TCP Fingerprinting, Network Discovery & MAC Address Vendor Code
Captive Portal
Endpoint Agent
Device Identification Device Identity
7. 7
Additional device information detection
Hostname: Internal DHCP server, traffic scan
Email address: Email collection Captive portal
Username: Authentication services or “device-user-identification enable”, which extracts info via traffic scanning (enabled by default)
Device Identification Device Identity
8. 8
Device Detection
A webpage that lets the user send some traffic so that the device type can be detected
No replacement message when detection succeeds; the user has to reload the webpage
If detection fails, a replacement message is displayed
Email Collection
Collects an email address as a means of identifying the device user
When the email address has been verified, the device is added to the Collected Emails device group
Endpoint Compliance
Acts as a quarantine for devices that are not protected by FortiClient
Provides links to obtain the FortiClient software
Device Captive Portals Device Identity
9. 9
Device Management Device Identity
Device Group Management
Manual add/edit Devices
Status
Connection Information
User Information
Device Definition
Multiple MAC address merge
10. 10
Device Management Device Identity
Device Groups
Device Group Drill-down
Predefined group for auto categorization
Manually defined custom group
12. 12
Contact us free of charge …
Certified experts in Fortimail and email
security
Certified experts in Fortiweb and web
application firewall protection
Certified experts in FortiAp, FortiWifi
and wireless security
CONTACTS
Tel. +39 049 8843198 DIGIT (5)
contacts@lanewan.it
www.lanewan.it
Over these years of partnership with the parent company, Lan & Wan Solutions has obtained all the specializations provided for in the various certification tracks, achieving the status of Partner Of Excellence.