FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 196336

Description

 

This article explains why frequent Layer 3 (L3) polling of network devices can occur when Device Profiling rules are configured, and how to reduce it.
 

Scope

 

All supported versions of FortiNAC.


Solution

 

This is expected behavior. Device Profiling rules that require a host to have an IP address can trigger frequent Layer 3 polling of the network infrastructure: if no ARP entry is found for a host, the configured Layer 3 devices are re-polled. The Device Profiler keeps trying to obtain an up-to-date IP address for that host for 30 minutes before giving up.

A host that already has an IP address on record is not exempt from this process. The address on record is only the last known address and may not be the one the host holds at that moment, so the Device Profiler re-validates it before confirming that the host meets the profiling criteria.

To reduce the frequency of L3 polling, verify that every Layer 3 capable device that holds an ARP table is configured for Layer 3 polling. If such devices are missing from the L3 polling group, FortiNAC may be unable to locate an ARP entry for some of the hosts that Device Profiling rules apply to, and will keep re-polling the devices it does poll.
 
To find such devices, use the L3 Identification process.

This process reads from the configured network devices in Inventory and attempts to determine whether each one supports L3 routing.

The scan may be started from either the Network -> Inventory view or the Network -> L3 Polling view by selecting 'Start L3 Identification'.

 

StartL3_ident.png

Select 'Open View' in the drop-down menu at the top-right to view the results:

 

L3_identification.png

 

For each device, a score from 0 to 100 is calculated that expresses how likely it is that the device supports L3. Once all devices have been scanned, the results may be viewed using the L3 Identification Results task.

If the score is 66 or higher, FortiNAC suggests adding the device to the L3 polling group. If the score is below 33, FortiNAC suggests removing it from the group. Scores in between produce no suggested change.

To check whether a device is already part of a group, right-click it in the Inventory view and select 'Group Membership'.

 

In the L3 results tab, it is possible to manually change the suggested action for each device by selecting an option from the drop-down menu for each entry:

View_results_L3.png

Pressing OK submits the changes and adds each device to, or removes it from, the L3 polling group according to the action chosen in its drop-down menu.

 

To further improve L3 polling performance in the environment, administrators should also consider the following steps:

  1. Set the L3 polling priority to High on L3 devices where a large amount of traffic is expected.

PriorityL3.png

  2. For FortiGate devices, configure a read-only REST API administrator account to improve L2/L3 polling performance.

FortiGate-FortiNAC integrations can optimize polling by using the FortiGate REST API. With an API key, FortiNAC no longer has to log in interactively every time it connects, which improves polling performance. Keep the API account read-only and, where possible, restrict it to the FortiNAC IP address as a trusted host, since the key grants persistent access to the FortiGate.

Check section 'c.3. Polling network devices' in Technical Tip: Comprehensive guide for a simple FortiNAC deployment.

  3. Verify the overall FortiNAC performance and fine-tune it according to Technical Tip: Performance issues and some general recommendations.
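As an added example, not taken from the original article or from Fortinet's deployment guide, the following FortiOS CLI configuration shows the shape of the read-only REST API account referred to in step 2 above. The profile name fortinac_ro, the API user name fortinac_api, the VDOM root, and the FortiNAC address 10.0.0.5 are assumptions for illustration; the exact set of permissions FortiNAC needs is listed in the referenced deployment guide, so adjust the profile to match it.

```fortios
# Added example, not from the original article. The profile and user
# names, the VDOM and the FortiNAC address 10.0.0.5 are assumptions.

# 1. A dedicated access profile with read-only rights. The API user
#    created below inherits these rights, so FortiNAC can read ARP,
#    route and interface data but cannot change the configuration.
config system accprofile
    edit "fortinac_ro"
        set scope vdom
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set authgrp read
        set utmgrp read
        set vpngrp read
        set secfabgrp read
        set ftviewgrp read
    next
end

# 2. The REST API user FortiNAC authenticates as. The trusted host
#    entry ties the key to the FortiNAC address, so a leaked key
#    cannot be used from another source.
config system api-user
    edit "fortinac_api"
        set accprofile "fortinac_ro"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.5 255.255.255.255
            next
        end
    next
end

# 3. Generate the API key. It is displayed once and must be stored in
#    the FortiGate device's credentials in FortiNAC, as described in
#    the referenced deployment guide.
execute api-user generate-key fortinac_api
```

Running the generate-key command again replaces the existing key and invalidates the old one, so FortiNAC's stored credentials must be updated whenever the key is rotated. Keep the profile read-only: the polling integration only needs to read device state, and a write-capable key held by the NAC would turn a FortiNAC compromise into a FortiGate compromise.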

 

Related documentation:

L3 polling - FortiNAC administration guide.

Configure L3 polling settings - FortiNAC documentation.

Best practices - FortiNAC administration guide.