Managing “bring your own device”

FortiOS can control network access for different types of personal mobile devices that your employees bring onto your premises. You can:

• identify and monitor the types of devices connecting to your networks, wireless or wired l use MAC address based access control to allow or deny individual devices l create security policies that specify device types
• enforce endpoint control on devices that can run FortiClient Endpoint Control software This chapter contains the following sections:

Device monitoring

Device groups

Controlling access with a MAC Address Access Control List Security policies for devices

Device monitoring

The FortiGate unit can monitor your networks and gather information about the devices operating on those networks. Collected information includes: l MAC address l IP address l operating system l hostname l user name

l how long ago the device was detected and on which FortiGate interface

You can go to User & Device > Device Inventory to view this information. Mouse-over the Device column for more details.

Depending on the information available, the Device column lists the Alias or the MAC address of the device. For ease in identifying devices, Fortinet recommends that you assign each device an Alias.

Device monitoring is enabled separately on each interface. Device detection is intended for devices directly connected to your LAN ports. If enabled on a WAN port, device detection may be unable to determine the Device monitoring operating system on some devices. Hosts whose device type cannot be determined passively can be found by enabling active scanning on the interface.

You can also manually add devices. This enables you to ensure that a device with multiple interfaces is displayed as a single device.

To configure device monitoring

1. Go to Network > Interfaces.
2. Edit the interface that you want to monitor devices on.
3. In Networked Devices, turn on Device Detection and optionally turn on Active Scanning.
4. Select OK.
5. Repeat steps 2 through 4 for each interface that will monitor devices.

To assign an alias to a detected device or change device information

1. Go to User & Device > Device Inventory and edit the device entry.
2. Enter an Alias such as the user’s name to identify the device.
3. Change other information as needed.
4. Select OK.

To add a device manually

1. Go to User & Device > Custom Devices & Groups.
2. Select Create New > Device.
3. Enter the following information:
   • Alias (required) l MAC address
   • Additional MACs (other interfaces of this device) l Device Type l Optionally, add the device to Custom Groups. l Optionally, enter Comments.

3. Select OK.