I had logged a support call with Fortinet a few years back (on previous firmware) as their device inventory returned the incorrect status. Fortinet’s final response was as below:
"I was not able to reproduce the issue in lab. This issue seems expected per current design.
The only reliable mechanism is to have an agent, i.e. FortiClient, installed on the end user device.
All other methods can give incorrect results and should only be considered “as-is”.
There are several different methods to identify a device and the operating system but none of them is reliable.
I cannot give much details about the techniques used as they are considered internal information.
Just as an example:
One common technique is, for example, TCP fingerprinting. There are many details i.e. on https://nmap.org/book/osdetect-methods.html which explain how this works.
This method examines packets and gives a conclusion about the used TCP/IP stack. It can for example detect if a device is using Linux or Windows, but cannot differentiate well between versions.
Some systems might share the same stack like Apple Mac and Apple iPhones/Tablets.
The same applies for a FortiGate which uses part of the Linux kernel and therefore can be detected as Linux.
Packets of course can be modified by several network devices and cause false results.
Another example is looking at the http user agent which requires the client to actively browse to certain web sites.
This method is quite reliable but as user-agents can be spoofed this is not a foolproof method either.
If HTTP is used the browser agent detection can be used, similar for SMTP or other protocols where the banner can be extracted. Banners and user agents can be modified of course.
This is pretty trustworthy but requires HTTP traffic.
There are several other ways, like looking at protocol specific fields: SIP user agents, Cisco Discovery Protocol, DHCP options, but again, none of them is absolutely reliable.
If DHCP is used then certain fields in the request can be examined and are unique for certain platforms but not for others.
You can also check the MAC address but this is not very reliable and will not help differentiate an iPad from a Mac, and it can be spoofed.
This issue is nearly impossible to debug as we would need network captures while the device in question connected for the first time and subsequent captures to track the active scanning.
The output of “diagnose user device list” would also give more details plus a debug log of the scanning processes during the whole time of the scanning.
This all combined with a few other techniques looking for certain protocols (i.e. to detect the difference between iPhones and Mac, which have the same fingerprints) helps improve the detection.
The OS detection will only work reliably if the client is directly connected to the FortiGate and even then might not always be accurate.
The only really reliable way is using a FortiClient with end point control and device detection.
In your case the traffic was maybe modified by a FortiGate or the Cisco AP340 as it passed this device, so it appears to be coming from this operating system.
The command “diagnose user device list” would show a bit more information, i.e. if the detection is completed (reliable method was used) or still in progress (not enough information to be reliable).
To summarize, unless you have a FortiClient installed on the device the OS detection is not reliable and device detection can have false results per design.
Also I found a few known issues with FortiOS 5.4.1 but they are not related directly to your scenario. I would advise waiting for FortiOS 5.4.2/5.4.3, if you can."
I have not checked if the reliability and the device inventory detection have been improved in the latest releases of FortiOS, but shall have another glance to see if this is now more reliable.
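The support reply above describes stacking several weak passive signals (TCP/IP stack, DHCP option 55, HTTP User-Agent) and treating detection as "in progress" until a distinguishing one arrives. The following is an added Python example of that idea; it is not Fortinet code or the FortiGate algorithm, and all signature values, the `Observation` class and the `classify` function are constructed for illustration.

```python
"""Toy multi-signal OS detector showing why passive fingerprints stay ambiguous
until a distinguishing signal arrives. Added example; every signature value below
is constructed for illustration and is not a real vendor fingerprint."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: a TCP stack signature maps to every OS family known to share it.
TCP_STACK = {
    (64, 65535): {"macOS", "iOS"},        # Apple devices share one TCP/IP stack
    (128, 8192): {"Windows"},
    (64, 29200): {"Linux", "FortiGate"},  # FortiGate is Linux-based, so it looks like Linux
}
# Constructed: DHCP option 55 (parameter request list) differs per platform.
DHCP_OPTION55 = {
    "1,121,3,6,15,119,252": {"macOS"},
    "1,121,3,6,15,119,252,95,44,46": {"iOS"},
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": {"Windows"},
}
# Constructed: HTTP User-Agent substrings and the families they claim.
UA_HINTS = {"Macintosh": {"macOS"}, "iPhone": {"iOS"}, "iPad": {"iOS"},
            "Windows NT": {"Windows"}, "X11; Linux": {"Linux"}}

@dataclass
class Observation:
    tcp: Optional[Tuple[int, int]] = None   # (initial TTL, TCP window size)
    dhcp55: Optional[str] = None
    user_agent: Optional[str] = None

def votes(obs: Observation):
    """One candidate set per signal actually observed; unseen signals vote nothing."""
    out = []
    if obs.tcp in TCP_STACK:
        out.append(TCP_STACK[obs.tcp])
    if obs.dhcp55 in DHCP_OPTION55:
        out.append(DHCP_OPTION55[obs.dhcp55])
    if obs.user_agent:
        ua = {fam for key, fams in UA_HINTS.items() if key in obs.user_agent for fam in fams}
        if ua:
            out.append(ua)
    return out

def classify(obs: Observation):
    """Return (status, candidates): 'completed' only when exactly one family fits every signal."""
    v = votes(obs)
    if not v:
        return "in progress", []
    agreed = set.intersection(*v)
    if not agreed:  # signals contradict each other: spoofed UA, traffic rewritten in transit, ...
        return "conflict", sorted(set.union(*v))
    return ("completed" if len(agreed) == 1 else "in progress"), sorted(agreed)
```

A device seen only through an Apple-looking TCP stack stays "in progress" (Mac or iPhone), a matching DHCP request list completes it, and a User-Agent that disagrees with the stack is reported as a conflict rather than a result.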