Technical Tip: How to reject a CAPWAP discovery request coming from an unknown Access Point
Description
This article describes how to reject CAPWAP discovery requests coming from an unknown AP.
Scope
By default, the FortiGate prevents unknown Access Points from being discovered by the Wireless Controller. However, an attacker could spoof some elements of the CAPWAP Discovery Request so that it reaches the FortiGate. In this case, the unknown AP might appear in the 'Managed FortiAP' list of the WiFi Controller.
To make sure this unknown AP is not added to the list of Managed FortiAP, the solution is to create a local-in-policy that denies the incoming CAPWAP request.
Expectations, Requirements:
CAPWAP hardening:
As a best practice for security hardening, it is recommended to disable the CAPWAP (Security Fabric) service on all FortiGate interfaces that do not require it. Note that the Security Fabric service is used by the FortiGate to manage FortiExtender, FortiAP, and FortiSwitch devices.
config system interface
edit "wan1"
unselect allowaccess fabric
next
end
If it is necessary to receive CAPWAP traffic on a public interface such as a WAN port, it is strongly recommended to only allow CAPWAP traffic from specific IP addresses, and deny all other CAPWAP traffic:
config firewall addrgrp
edit "CAPWAP_DEVICES_IPs"
set member "allowed_addresses"
next
end
config firewall service custom
edit "CAPWAP-CONTROL"
set udp-portrange 5246-5249
next
end
config firewall local-in-policy
edit <index1>
set intf "wan1"
set srcaddr "CAPWAP_DEVICES_IPs"
set dstaddr "all"
set service "CAPWAP-CONTROL"
set schedule "always"
set action accept
next
edit <index2>
set intf "wan1"
set srcaddr "all"
set dstaddr "all"
set service "CAPWAP-CONTROL"
set schedule "always"
set action deny
next
end
Note: The following FortiOS versions have a known vulnerability in the daemon handling FortiAP CAPWAP traffic. See the PSIRT advisory Heap-based buffer overflow in cw_acd daemon.
- 7.6.0 through 7.6.3
- 7.4.0 through 7.4.8
- 7.2.0 through 7.2.11
- 7.0.0 through 7.0.17
- 6.4.0 through 6.4.16
Devices running affected firmware should be upgraded to an unaffected version and must not have Security Fabric enabled on untrusted ports. If it is not possible to upgrade or to disable Security Fabric access on those interfaces immediately, configure local-in policies as above so that CAPWAP traffic is accepted only from the intended IP addresses; this provides partial mitigation of the vulnerability.
If a single known IP address or range of IP addresses should be blocked (for example, to block CAPWAP connections from a known access point that should be managed by a different controller), a local-in-policy can be configured to block that specific source or range:
config firewall address
edit "IPtoblock"
set subnet 10.10.10.219 255.255.255.255
next
end
config firewall local-in-policy
edit <index>
set intf "internal"
set srcaddr "IPtoblock"
set dstaddr "all"
set service "CAPWAP-CONTROL"
set schedule "always"
set action deny
next
end
Verification
Without the local-in-policy:
diagnose sniffer packet any "port 5246" 4
interfaces=[any]
filters=[port 5246]
32.318290 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
32.319864 internal out 10.10.10.25.5246 -> 10.10.10.219.5246: udp 138 <----- The FortiGate responds to the Discovery request and adds the AP to the Managed FortiAP list.
With the local-in-policy:
99.317608 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
100.317569 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
102.317553 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
<----- The FortiGate does not respond to the AP discovery requests.
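To check a capture like the one above without reading it by eye, the following added Python example (not from the original article or from Fortinet) parses verbosity-4 sniffer lines and lists every peer the controller answered on UDP 5246 that is outside the allow-list, which is exactly the behaviour the local-in-policy is supposed to prevent. The sample capture and the allow-list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of 'diagnose sniffer packet any "port 5246" 4' output,
# modelled on the capture in this article (not a real capture).
SNIFFER_OUTPUT = """\
32.318290 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
32.319864 internal out 10.10.10.25.5246 -> 10.10.10.219.5246: udp 138
99.317608 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
100.317569 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
105.100000 internal in 10.10.10.50.5246 -> 10.10.10.25.5246: udp 230
105.101000 internal out 10.10.10.25.5246 -> 10.10.10.50.5246: udp 138
"""

# One verbosity-4 sniffer line: timestamp, interface, direction, src.port -> dst.port
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_sniffer(text):
    """Return one dict per sniffer line that matches the expected format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def unexpected_responses(text, allowed_cidrs):
    """Return the peer IPs the controller answered ('out' direction) that are
    outside the allow-list, i.e. discovery responses the policy should have blocked."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    leaks = set()
    for r in parse_sniffer(text):
        if r["dir"] != "out":
            continue
        peer = ipaddress.ip_address(r["dst"])
        if not any(peer in net for net in allowed):
            leaks.add(str(peer))
    return sorted(leaks)

if __name__ == "__main__":
    # Constructed allow-list: only 10.10.10.50 is an AP this controller should manage.
    for ip in unexpected_responses(SNIFFER_OUTPUT, ["10.10.10.50/32"]):
        print("controller responded to a non-allow-listed AP:", ip)
```

Feed it the real sniffer output after applying the local-in-policy; an empty result means no discovery request from outside the allow-list was answered.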
