Registering unregistered devices

Author
AlexFeren
2015/06/28 17:37:43 (permalink)

Registering unregistered devices

Hi FortiManager admins,
reading the FortiManager administration guide, I understand that FortiManager's built-in FDS replies to FortiGuard update and query connections from devices registered within its Device Manager; however, it may allow certain requests from unregistered devices.
What's unclear to me is: would the previously unregistered devices requesting the above updates and queries become registered or remain unregistered? If the former, what's the functional difference between having "allow_register" enabled and "unreg_dev_opt" set to "add_allow_service"?
R's, Alex
 
post edited by AlexFeren - 2015/06/28 17:56:09
#1
scao_FTNT
Re: Registering unregistered devices 2015/07/06 18:22:31 (permalink)
They are still in the unregistered device list, and you need to manually add them into Device Manager.

For FMG providing FGD service to FGTs: FMG works for added/registered FGTs, and can also work for unregistered devices.

There are different ways for a device to be listed in the unregistered device list, such as log triggered and central management config triggered. You can also just configure an override server on the FGT side to send FGD requests to FMG, and this FGT can also be listed in the FMG unregistered device list (you can see it in the CLI with "diag device list", but the GUI will hide this type of unregistered device), and FMG can also provide service for this unregistered device.

The CLI you mentioned, "set unreg_dev_opt add_allow_service", means FMG will add the FGT to the unregistered list and provide service to these unregistered devices. The other option is that FMG will add the FGT to the unregistered list but NOT provide service until you add this FGT into Device Manager.

The other CLI you mentioned, "allow_register", is a different FMG feature: you can allow FGTs to auto-register into Device Manager and also set a password (set register_passwd), and on the FGT you can use the CLI "exec central-mgmt register-device" to automatically add this device into FMG Device Manager (from the unregistered device list).
 
Thanks
 
Simon
 
 
#2
AlexFeren
Re: Registering unregistered devices 2015/07/07 01:17:09 (permalink)
Simon,
thanks for the response.

scao_FTNT wrote: "different ways for device be listed in unregistered device list like log triggered"

Can you elaborate on log triggered?

"central management config triggered"

Is this FortiGate's "exec central-mgmt register-device"?

"just config override server on FGT side to send FGD request to FMG"

Is this FortiGate's "system central-management" "server-list"?
 
R's, Alex
#3
scao_FTNT
Re: Registering unregistered devices 2015/07/07 09:42:54 (permalink)
Hi Alex, I am using FOS 5.2.3 as an example.

For 1, you can configure the FGT to send logs to FMG (but FMG needs to have FAZ features enabled from System settings - dashboard - system information widget - bottom line "FortiAnalyzer Features"):
 
config log fortianalyzer setting
    set status enable
    set server xx.xx.xx.xx
    set upload-option realtime
end


After FMG receives logs from an FGT, FMG will list this device in the FMG unregistered device list as a "Logging Only" mode device.

For 2, you can find this on the FGT GUI - admin - settings - "Central Management": you choose FMG and then click "Send Request"; the FGT will then be listed in the FMG unregistered device list as a "Configuration & Logging" device.

For 3, yes, this is the FOS 5.2.3 CLI, as below:
 
config system central-management
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.3.112.92
        next
    end
end


Thanks
 
Simon
#4
hklb
Re: Registering unregistered devices 2021/04/16 04:05:09 (permalink)
scao_FTNT wrote:
They are still in the unregistered device list, and you need to manually add them into Device Manager.

For FMG providing FGD service to FGTs: FMG works for added/registered FGTs, and can also work for unregistered devices.

There are different ways for a device to be listed in the unregistered device list, such as log triggered and central management config triggered. You can also just configure an override server on the FGT side to send FGD requests to FMG, and this FGT can also be listed in the FMG unregistered device list (you can see it in the CLI with "diag device list", but the GUI will hide this type of unregistered device), and FMG can also provide service for this unregistered device.

The CLI you mentioned, "set unreg_dev_opt add_allow_service", means FMG will add the FGT to the unregistered list and provide service to these unregistered devices. The other option is that FMG will add the FGT to the unregistered list but NOT provide service until you add this FGT into Device Manager.

The other CLI you mentioned, "allow_register", is a different FMG feature: you can allow FGTs to auto-register into Device Manager and also set a password (set register_passwd), and on the FGT you can use the CLI "exec central-mgmt register-device" to automatically add this device into FMG Device Manager (from the unregistered device list).

Thanks

Simon

Hi Simon,
 
Do you know the purpose of the value "svc-only" for the option "unreg-dev-option"? What will the FMG do exactly?
 
(fds-setting)# set unreg-dev-option ?
add-service Add unregistered devices and allow update request.
ignore Ignore all unregistered devices.
svc-only Allow update requests without adding the device.

 
I didn't find any information in the documentation.
 
Regards
 
Lucas
#5