Discovering OT Assets and Vulnerabilities with FortiGate

Fortinet
05/08/2026
Transcript


OT environments operate for years and sometimes grow organically as new devices are added to the network. That can introduce security risks when you have vulnerable or outdated components. Gaining visibility into the devices in your environment is something that we can tackle with a FortiGate firewall. FortiGates are the core of an OT protection platform, securing cyber-physical systems across the entire OT and into the IT environment.

I'm Matt Bullock, Technical Marketing Engineer with Fortinet. Today we're going to look at a FortiGate firewall with the OT security service used as a CPS protection platform. We'll be using a large simulated environment full of industrial components at all levels of the Purdue model. These represent many types of devices from different vendors and generations. Some even include unpatched vulnerabilities. Let's see what we can discover.

In our lab topology, we have a single FortiGate firewall paired with a FortiSwitch, which connects to our simulated OT environment with multiple VLANs representing different levels of the Purdue model. The switch is integrated and managed by the FortiGate using the FortiLink interface, letting the switch act as an extension of the firewall. The switch is online and we can see the VLANs deployed for process, control, monitoring, and operation. Taking a look at the port configuration, we see that we have connections to the lower levels in our environment through those VLANs. If we take a look at the FortiGate interfaces, we see those same VLANs on our FortiLink connection to the FortiSwitch.

Let's take a closer look at the operations VLAN. Beyond the basic IP and DHCP configuration, you can see that we have device detection selected. This is the capability that allows the FortiGate to detect devices on this VLAN through a variety of mechanisms. Let's go back to our FortiLink interface and take a look at the process network to make sure we also have device detection enabled. That allows us to detect devices at both the process and operation levels of the Purdue model.

If we jump over to our asset identity center, we'll see that we haven't detected anything beyond our FortiGate and FortiSwitch yet. And our Purdue model asset view is pretty empty. Let's enable some devices that we can detect. Let's look at new devices we're seeing. We're seeing a Windows device on the operation network. We're also seeing a new Schneider industrial device on the process network that we already know a lot about. At this stage, detection is based on MAC address, residual traffic like ARP and DHCP, as well as lookup queries to our FortiGuard database. We can switch back and forth between the asset identity list and OT views where the FortiGate is starting to map devices to the Purdue model. We can reassign devices later to match how our CPS environment is actually deployed.

We're continuing to learn about more devices in the environment, but there's a lot of detail missing. The CPS will build a profile of devices it discovers using whatever information it can gather. Let's give it some more information in the form of application control signatures. Back in our firewall policies, we have a rule for traffic between our monitoring level and our out-of-band management server. We currently have no security profiles enabled here. Opening it up, we can enable a default application control profile that monitors all categories of applications, including OT-specific applications. We'll enable the same application inspection between our monitoring and control networks. Let's also enable SSL certificate inspection so we can analyze SSL security headers, and I'll go back and enable it on the first policy because I forgot to the first time.

Let's head back over to the asset identity center and we'll see what we found. We've now filled in more detail about this device than we had before. Using application control, we now know about potential vulnerabilities. We can see that this hardware and software combination has a known command injection and a buffer error vulnerabilities. You can see the CVEs here and even get more information on each CVE by drilling down to these links.

We started simulating more devices here, so if we refresh the asset identity list, we'll see quite a few more assets pop up. Here you can see we have a Windows CE device from Rockwell, along with another device from RuggedCom and a Windows CE device from Beckhoff. Let's take a look at the OT view now. Here we can see those same devices arranged in the Purdue model. Based already on what we know about the type of device and the interfaces that we're seeing those devices on. This is a pretty good guess by the CPS, but you can always rearrange devices if this doesn't exactly match your environment.

As you can see, the asset identity capabilities of a FortiGate firewall are impressive. While there are many vendors that specialize in device discovery, FortiGates are unique in that they combine discovery with the leading industrial security appliance in the FortiGate firewall. Not only can you discover devices in your OT environment, but you can provide tight security controls and even virtual patching. But that's a subject for another video. Thanks for watching.

TL;DR

  • FortiGate firewalls can discover OT devices using MAC addresses, network traffic analysis, and FortiGuard database lookups without requiring additional discovery tools.
  • Device detection is enabled at the interface level and works across VLANs representing different Purdue model levels in industrial environments.
  • Enabling application control profiles adds vulnerability intelligence, automatically identifying CVEs associated with discovered hardware and software combinations.
  • The asset identity center provides both list and Purdue model views, with automatic device categorization that can be manually adjusted to match actual deployments.

OT Asset Discovery Challenges and FortiGate's Approach

Industrial control system environments present unique visibility challenges as they evolve organically over years or decades, accumulating devices from multiple vendors and generations—some with unpatched vulnerabilities. This demonstration walks through FortiGate's device detection capabilities in a simulated OT environment spanning multiple levels of the Purdue model. The setup pairs a FortiGate firewall with a FortiSwitch managed via FortiLink, creating VLANs for process, control, monitoring, and operations networks. Device detection is enabled at the interface level, allowing the firewall to identify assets through MAC addresses, residual traffic like ARP and DHCP, and FortiGuard database lookups.
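The passive signals named above (MAC address, ARP, DHCP, per-VLAN placement) can be merged into per-device profiles as in the following added example, which is not Fortinet code and does not claim to reproduce FortiGate's detection logic. The vendor table, the VLAN-to-Purdue mapping and the observation records are constructed assumptions; `MSFT 5.0` is the DHCP vendor class that Windows clients send.

```python
"""Passive asset profiling from ARP/DHCP observations (constructed data)."""

# Constructed stand-in for a vendor database; prefixes are locally
# administered placeholders, not real vendor OUIs.
OUI_DB = {"02:00:01": "Example PLC Vendor", "02:00:02": "Example PC Vendor"}

# Assumed mapping of the demo's four VLANs to Purdue levels.
VLAN_LEVEL = {"process": 0, "control": 1, "monitoring": 2, "operation": 3}

# DHCP option 60 (vendor class) prefixes mapped to an OS hint.
VENDOR_CLASS_HINTS = {"MSFT": "Windows"}

# Constructed observations, as a passive sensor might record them.
OBSERVATIONS = [
    {"proto": "arp", "vlan": "process", "mac": "02:00:01:aa:bb:01", "ip": "10.0.0.10"},
    {"proto": "dhcp", "vlan": "operation", "mac": "02:00:02:aa:bb:02",
     "ip": "10.3.0.20", "hostname": "ENG-WS1", "vendor_class": "MSFT 5.0"},
    {"proto": "arp", "vlan": "control", "mac": "02:00:09:aa:bb:03", "ip": "10.1.0.30"},
    {"proto": "arp", "vlan": "monitoring", "mac": "02:00:01:aa:bb:01", "ip": "10.2.0.10"},
]


def build_inventory(observations):
    """Merge per-packet observations into one profile per MAC address."""
    inventory = {}
    for obs in observations:
        mac = obs["mac"].lower()
        prof = inventory.setdefault(mac, {
            "vendor": OUI_DB.get(mac[:8]), "ips": set(), "vlans": set(),
            "hostname": None, "os_hint": None, "sources": set()})
        prof["ips"].add(obs["ip"])
        prof["vlans"].add(obs["vlan"])
        prof["sources"].add(obs["proto"])
        prof["hostname"] = obs.get("hostname") or prof["hostname"]
        vclass = obs.get("vendor_class", "")
        for prefix, os_name in VENDOR_CLASS_HINTS.items():
            if vclass.startswith(prefix):
                prof["os_hint"] = os_name
    for prof in inventory.values():
        # Lowest level seen is the initial placement; an operator can reassign.
        prof["purdue_level"] = min(VLAN_LEVEL[v] for v in prof["vlans"])
    return inventory


def review_queue(inventory):
    """Return MACs needing attention: unknown vendor or seen on several VLANs."""
    return sorted(mac for mac, p in inventory.items()
                  if p["vendor"] is None or len(p["vlans"]) > 1)
```

Devices in the review queue are the ones where MAC and broadcast traffic alone leave the profile incomplete or ambiguous, which is the gap the demo closes by adding application-layer inspection.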

Building Device Profiles with Application Control

The demonstration shows how enabling application control profiles on firewall policies significantly enriches device intelligence. By applying OT-specific application signatures and SSL certificate inspection, the FortiGate identifies not just device types but also known vulnerabilities—including specific CVEs for command injection and buffer errors on discovered hardware. The asset identity center displays devices arranged in a Purdue model view, automatically categorizing them by type and network location while allowing manual reassignment. Fortinet positions this combined discovery and security capability as a differentiator, noting that while specialized discovery tools exist, FortiGate uniquely integrates asset identification with industrial firewall controls and virtual patching capabilities.

Chapters

0:00 - OT Visibility Challenges
0:55 - Lab Topology Overview
1:37 - Configuring Device Detection
2:14 - Initial Device Discovery
3:25 - Adding Application Control
4:10 - Vulnerability Identification
5:00 - Purdue Model Asset View

Key Quotes

0:17 "Gaining visibility into the devices in your environment is something that we can tackle with a FortiGate firewall."
1:06 "The switch is integrated and managed by the FortiGate using the FortiLink interface, letting the switch act as an extension of the firewall."
4:26 "Using application control, we now know about potential vulnerabilities. We can see that this hardware and software combination has a known command injection and a buffer error vulnerabilities."
5:24 "While there are many vendors that specialize in device discovery, FortiGates are unique in that they combine discovery with the leading industrial security appliance in the FortiGate firewall."
