FortiAP
Stephen_G
Moderator
Article Id 251968
Description This article explains how to automatically suppress rogue APs detected by FortiAP.
Scope FortiGate and FortiAP.
Solution

It was previously necessary to manage and control a FortiAP with FortiWLC in order to automatically suppress rogue APs. For instructions on how to suppress rogue APs with FortiWLC, see the following links:

- https://community.fortinet.com/t5/Wireless-Controller/Meru-Technical-Note-Configuring-Rogue-AP-Detec...

- https://community.fortinet.com/t5/Wireless-Controller/Meru-Technical-Note-How-does-the-Meru-WLAN-per...

 

The automated stitches feature in FortiGate now makes it possible to automatically suppress detected rogue APs.

 

View the currently suppressed rogue APs with the following command:

 

# show wireless-controller ap-status
config wireless-controller ap-status
end

 

In the above example, the result shows that no rogue APs have currently been suppressed.

 

Create a trigger

 

In the FortiGate Event Log, select the rogue AP events that should trigger suppression:

 

Stephen_G_0-1681203496021.png

 

To do this in the CLI:

 

# config system automation-trigger
    edit "Trigger-Rogue-AP"
        set event-type event-log
        set logid 43563 43521 43571 43564 43566 43565 43525 43582
    next
end

 

Action

 

Next, supply a suppression action in the CLI script.

 

When FortiAP scans for a rogue AP, it scans the BSSID of the wireless devices. The BSSID is a unique identifier assigned to each access point (AP) in a wireless network, which means the BSSID must be supplied for each automated suppression action.

 

To add a new entry whenever a rogue AP is detected, use 'edit 0'. When FortiAP discovers a new BSSID, it will insert it into the %%bssid%% variable. The status of the rogue AP can then be set to suppressed.

 

Stephen_G_1-1681203496025.png

 

To do this in the CLI:

 

# config system automation-action
    edit "Action for Rogue AP"
        set description "Suppress all the detected rogue AP"
        set action-type cli-script
        set script "config wireless-controller ap-status
edit 0
set bssid %%bssid%%
set status suppressed
end"
        set accprofile "super_admin"
    next
end

 

Stitches

 

Set up an automated stitch in the FortiGate UI with the following configuration:

 

bijay_fix1.png

 

To do this in the CLI, run the following command:

 

# config system automation-stitch
    edit "Suppress Rogue AP"
        set trigger "Trigger-Rogue-AP"
        config actions
            edit 1
                set action "Action for Rogue AP"
                set required enable
            next
        end
    next
end

 

After the automation stitches have been configured, view the results and logs in the following ways:

 

In the GUI:

 

Go to the Dashboard and view all detected rogue APs, along with each one's status, under WiFi -> Rogue APs.

 

Stephen_G_3-1681203496041.png

 

In the CLI:

 

# sh wireless-controller ap-status
config wireless-controller ap-status
    edit 1
        set bssid 04:20:84:4c:0b:7e
        set status suppressed
    next
    edit 2
        set bssid 04:75:f9:0d:6b:19
        set status suppressed
    next
    edit 3
        set bssid c4:6e:1f:79:9d:12
        set status suppressed
    next
    (Repeat for each)
    edit 19
        set bssid 5c:8c:30:62:d4:b9
        set status suppressed
    next
end
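
Because the stitch suppresses every BSSID that matches the trigger, it helps to review the resulting table against the access points that should never be suppressed. The following Python script is an added example, not part of the original article or Fortinet's own tooling: it parses saved `show wireless-controller ap-status` output and reports any suppressed BSSID that is also on an allowlist. The sample output, the allowlist and the function names are assumptions made for this example.

```python
import re

# Constructed sample in the format printed by `show wireless-controller ap-status`;
# the BSSIDs are made up for this example.
SAMPLE = """\
config wireless-controller ap-status
    edit 1
        set bssid 02:00:00:aa:bb:01
        set status suppressed
    next
    edit 2
        set bssid 02:00:00:AA:BB:02
        set status accepted
    next
    edit 3
        set bssid 02:00:00:aa:bb:03
        set status suppressed
    next
end
"""
KNOWN_GOOD = {"02:00:00:AA:BB:03"}  # hypothetical allowlist: never suppress these
BSSID_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def parse_ap_status(text):
    """Return {entry_id: {"bssid": ..., "status": ...}} from the CLI output."""
    entries, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "edit" and tokens[1].isdigit():
            current = entries.setdefault(int(tokens[1]), {})
        elif tokens[:1] in (["next"], ["end"]):
            current = None
        elif len(tokens) == 3 and tokens[0] == "set" and current is not None:
            value = tokens[2].strip('"').lower()
            if tokens[1] == "bssid" and not BSSID_RE.fullmatch(value):
                raise ValueError(f"malformed BSSID: {tokens[2]!r}")
            current[tokens[1]] = value
    return entries

def suppressed_on_allowlist(entries, known_good):
    """Suppressed BSSIDs that are also on the allowlist and need review."""
    allow = {b.lower() for b in known_good}
    return sorted(e["bssid"] for e in entries.values()
                  if e.get("status") == "suppressed" and e.get("bssid") in allow)

if __name__ == "__main__":
    print(suppressed_on_allowlist(parse_ap_status(SAMPLE), KNOWN_GOOD))
```

Lines that are not `edit`, `set`, `next` or `end` (such as the command prompt line) are ignored, and BSSIDs are compared case-insensitively.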

 

A raw log of wireless rogue APs detected and suppressed can be viewed under System Events -> WiFi Events.

 

Stephen_G_4-1681203496059.png

 

Optionally, configure an alert message in the Action field. 

 

An email alert message will notify the administrator of suppressed APs and provide reasons for each. In the example below, the reason provided was 'Rogue AP status configured as unclassified':

 

bijay_fix2.png

Related documents:

 

Refer to the following links for information about monitoring and suppressing rogue APs with the FortiGate Integrated Controller:

 

- https://docs.fortinet.com/document/fortiap/7.2.4/fortiwifi-and-fortiap-configuration-guide/501673/mo...

- https://docs.fortinet.com/document/fortiap/7.2.4/fortiwifi-and-fortiap-configuration-guide/684604/su...

- https://community.fortinet.com/t5/FortiAP/Technical-Tip-Difference-between-age-and-live-fields-in-ro...

- https://community.fortinet.com/t5/FortiAP/Troubleshooting-Tip-Add-Interfering-FortiAP-threshold-valu...