Created on 04-11-2023 02:25 AM Edited on 05-17-2023 01:08 AM
Description: This article explains how to automatically suppress rogue APs detected by FortiAP.
Scope: FortiGate and FortiAP.
Solution:
It was previously necessary to manage and control a FortiAP with FortiWLC in order to automatically suppress rogue APs. For instructions on how to suppress rogue APs with FortiWLC, see the following links:
The automated stitches feature in FortiGate now makes it possible to automatically suppress detected rogue APs.
View the currently suppressed rogue APs with the following command:
# show wireless-controller ap-status
config wireless-controller ap-status
end
In the above example, the result shows that no rogue APs have currently been suppressed.
Create a trigger
In the FortiGate Event Log, select the rogue AP events that should trigger suppression:
To do this in the CLI:
# config system automation-trigger
    edit "Trigger-Rogue-AP"
        set event-type event-log
        set logid 43563 43521 43571 43564 43566 43565 43525 43582
    next
end
Action
Next, supply a suppression action in the CLI script.
When FortiAP scans for a rogue AP, it scans the BSSID of the wireless devices. The BSSID is a unique identifier assigned to each access point (AP) in a wireless network, which means the BSSID must be supplied for each automated suppression action.
To add a new entry each time a rogue AP is detected, use 'edit 0', which allocates the next free table ID. When FortiAP discovers a new BSSID, the stitch inserts it through the %%bssid%% variable, and the script sets the status of that AP to suppressed.
To do this in the CLI:
# config system automation-action
    edit "Action for Rogue AP"
        set description "Suppress all the detected rogue AP"
        set action-type cli-script
        set script "config wireless-controller ap-status
edit 0
set bssid %%bssid%%
set status suppressed
end"
        set accprofile "super_admin"
    next
end
Stitches
Set up an automated stitch in the FortiGate UI with the following configuration:
To do this in the CLI, run the following command:
# config system automation-stitch
    edit "Suppress Rouge AP"
        set trigger "Trigger-Rogue-AP"
        config actions
            edit 1
                set action "Action for Rogue AP"
                set required enable
            next
        end
    next
end
After the automation stitches have been configured, view the results and logs in the following ways:
In the GUI:
Go to the Dashboard and view all detected rogue APs, along with each one's status, under WiFi -> Rogue APs.
In the CLI:
# sh wireless-controller ap-status
config wireless-controller ap-status
    edit 1
        set bssid 04:20:84:4c:0b:7e
        set status suppressed
    next
    edit 2
        set bssid 04:75:f9:0d:6b:19
        set status suppressed
    next
    edit 3
        set bssid c4:6e:1f:79:9d:12
        set status suppressed
    next
    (Repeat for each)
    edit 19
        set bssid 5c:8c:30:62:d4:b9
        set status suppressed
    next
end
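Because the stitch suppresses every BSSID that appears in a matching event, the ap-status table grows without review. The following added Python example (not part of the Fortinet article) parses the `show wireless-controller ap-status` output shown above and flags suppressed BSSIDs that are not on an operator-confirmed list; the sample output and all BSSIDs in it are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `show wireless-controller ap-status`
# after the stitch has run; the BSSIDs are made up for this example.
SAMPLE_OUTPUT = """\
config wireless-controller ap-status
    edit 1
        set bssid 04:20:84:4c:0b:7e
        set status suppressed
    next
    edit 2
        set bssid 04:75:f9:0d:6b:19
        set status rogue
    next
    edit 3
        set bssid c4:6e:1f:79:9d:12
        set status suppressed
    next
end
"""

# One table entry: edit <id> / set bssid <mac> / set status <value> / next.
ENTRY_RE = re.compile(
    r"edit\s+(\d+)\s+set bssid\s+([0-9a-f:]{17})\s+set status\s+(\S+)\s+next",
    re.IGNORECASE,
)


def parse_ap_status(text: str) -> List[Dict[str, str]]:
    """Return the ap-status table as a list of {id, bssid, status} dicts."""
    return [
        {"id": m.group(1), "bssid": m.group(2).lower(), "status": m.group(3).lower()}
        for m in ENTRY_RE.finditer(text)
    ]


def suppressed_bssids(text: str) -> List[str]:
    """BSSIDs the FortiGate currently holds in status 'suppressed'."""
    return [e["bssid"] for e in parse_ap_status(text) if e["status"] == "suppressed"]


def unexpected_suppressions(text: str, confirmed_rogues: Set[str]) -> List[str]:
    """Suppressed BSSIDs that an operator has not yet confirmed as rogue."""
    return sorted(b for b in suppressed_bssids(text) if b.lower() not in confirmed_rogues)
```

Run the check against a saved copy of the CLI output after each review cycle; any BSSID it returns should be classified (or removed from the table) before the stitch is left running unattended.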
A raw log of wireless rogue APs detected and suppressed can be viewed under System Events -> WiFi Events.
Optionally, configure an alert message in the Action field.
An email alert message will notify the administrator of suppressed APs and provide reasons for each. In the example below, the reason provided was 'Rogue AP status configured as unclassified':
Related documents:
Refer to the following links for information about monitoring and suppressing rogue APs with the FortiGate Integrated Controller: