Purpose
The purpose of this document is to explain how to reject CAPWAP Discovery Requests coming from an unknown (or spoofed) access point, so that the FortiGate wireless controller does not answer them.
Scope
By default, the wireless controller on the FortiGate rejects unknown access points and does not manage them. However, an attacker could spoof some elements of the CAPWAP Discovery Request and make it reach the FortiGate. In that case, the unknown AP may still appear in the "Managed FortiAP" list of the WiFi controller.
To make sure this unknown AP is never added to the Managed FortiAP list, the solution is to create a local-in-policy that denies the incoming CAPWAP Discovery Request, so that the FortiGate never answers it.
Expectations, Requirements
Configuration
A custom service must be configured for the CAPWAP control port (UDP 5246), which is the port the Discovery Request is sent to:
config firewall service custom
edit "CAPWAPCtrl"
set udp-portrange 5246
next
end
The CAPWAP data channel uses UDP 5247, but an AP that never receives a Discovery Response does not proceed to the join phase, so blocking the control port is sufficient for this purpose.
An address object is configured for the source to block (a single host here; a subnet or an address range can be used instead):
config firewall address
edit "IPtoblock"
set subnet 10.10.10.219 255.255.255.255
next
end
The last step is to create a local-in-policy so that the FortiGate does not respond to the Discovery Request. A local-in-policy only applies to traffic addressed to the FortiGate itself (here the wireless controller listening on UDP 5246), not to traffic forwarded through it:
config firewall local-in-policy
edit 1
set intf "internal"
set srcaddr "IPtoblock"
set dstaddr "all"
set service "CAPWAPCtrl"
set schedule "always"
next
end
The default action of a local-in-policy is "deny", so no "set action" line is required; "set action deny" can be added to make the intent explicit in the configuration. The interface name "internal" is the interface on which the spoofed Discovery Requests arrive and must be adjusted to the deployment.
It is also possible to block all CAPWAP discovery traffic arriving on a specific interface, regardless of source. Note that this also prevents legitimate FortiAPs connected through that interface from being discovered, so it only suits interfaces on which no managed AP is expected. Policy ID 2 is used here so that it does not overwrite policy 1 above if both are kept:
config firewall local-in-policy
edit 2
set intf "internal"
set srcaddr "all"
set dstaddr "all"
set service "CAPWAPCtrl"
set schedule "always"
next
end
Verification
Without the local-in-policy:
FGT60Cxxxxxxxxxx # diagnose sniffer packet any "port 5246" 4
interfaces=[any]
filters=[port 5246]
32.318290 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
32.319864 internal out 10.10.10.25.5246 -> 10.10.10.219.5246: udp 138 ---> the FortiGate responds to the Discovery Request and adds the AP to the Managed FortiAP list
Running the same sniffer command with the local-in-policy in place:
99.317608 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
100.317569 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
102.317553 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
The FortiGate does not respond to the AP discovery requests. The inbound packets are still visible because the sniffer captures them on the interface before the local-in-policy drops them; the absence of any "out" packet from 10.10.10.25.5246 back to the AP is the confirmation that the policy is effective.
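Checking a longer sniffer capture by eye is error-prone, especially when several APs are discovering at the same time. The following Python script is an added example, not part of the original article or of FortiOS: it parses the output of "diagnose sniffer packet ... 4" (verbosity 4, as used above), counts inbound Discovery Requests to UDP 5246 and outbound replies from it per AP address, and reports any blocked address that still received an answer. The two captures embedded in it are constructed from the lines shown above; the function names are the example's own.

```python
import re
from collections import defaultdict

# CAPWAP control channel port (UDP 5246); the Discovery Request is sent to this port.
CAPWAP_CTRL_PORT = 5246

# One packet line of `diagnose sniffer packet <iface> "port 5246" 4` looks like:
#   32.318290 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
# Header lines ("interfaces=[any]", "filters=[...]") and trailing annotations are ignored.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)


def parse_sniffer(text):
    """Parse sniffer output into a list of packet dicts, skipping non-packet lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = m.groupdict()
        for key in ("sport", "dport", "length"):
            pkt[key] = int(pkt[key])
        pkt["ts"] = float(pkt["ts"])
        packets.append(pkt)
    return packets


def discovery_summary(text):
    """Per AP address: inbound requests to UDP 5246 and outbound replies sent from it."""
    summary = defaultdict(lambda: {"requests": 0, "responses": 0})
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "in" and pkt["dport"] == CAPWAP_CTRL_PORT:
            summary[pkt["src"]]["requests"] += 1
        elif pkt["dir"] == "out" and pkt["sport"] == CAPWAP_CTRL_PORT:
            summary[pkt["dst"]]["responses"] += 1
    return dict(summary)


def answered_sources(text):
    """Addresses that sent a Discovery Request and got a reply from the FortiGate."""
    return sorted(ip for ip, c in discovery_summary(text).items()
                  if c["requests"] and c["responses"])


def policy_violations(text, blocked):
    """Blocked addresses that were still answered: the local-in-policy is not effective for them."""
    return sorted(set(blocked) & set(answered_sources(text)))


# Constructed sample captures, taken from the two sniffer runs shown in the Verification section.
BEFORE_POLICY = """\
interfaces=[any]
filters=[port 5246]
32.318290 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
32.319864 internal out 10.10.10.25.5246 -> 10.10.10.219.5246: udp 138
"""

AFTER_POLICY = """\
interfaces=[any]
filters=[port 5246]
99.317608 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
100.317569 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
102.317553 internal in 10.10.10.219.5246 -> 10.10.10.25.5246: udp 234
"""

if __name__ == "__main__":
    # The address object "IPtoblock" from the configuration above is the expected blocked source.
    for label, capture in (("before policy", BEFORE_POLICY), ("after policy", AFTER_POLICY)):
        print(label, discovery_summary(capture),
              "violations:", policy_violations(capture, ["10.10.10.219"]))
```

Because the sniffer captures inbound packets before the local-in-policy drops them, the script does not treat the presence of requests as a problem; only an outbound reply from the controller port to a blocked address counts as a violation.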