| Description | This article explains how to automatically suppress rogue APs detected by FortiAP. |
| Scope | FortiGate and FortiAP. |
| Solution |
It was previously necessary to manage and control a FortiAP with FortiWLC in order to automatically suppress rogue APs. For instructions on how to suppress rogue APs with FortiWLC, see the following link: Meru Technical Note - How does the Meru WLAN perform rogue detection?
The automated stitches feature in FortiGate now makes it possible to automatically suppress detected rogue APs.
View the currently suppressed rogue APs with the following command:
    show wireless-controller ap-status
    config wireless-controller ap-status
    end
In the above example, the result shows that no rogue APs have currently been suppressed.
Create a trigger: in the FortiGate Event Log, select the rogue AP events that should trigger suppression:
To do this in the CLI:
    config system automation-trigger
        edit "Trigger-Rogue-AP"
            set event-type event-log
            set logid 43563 43521 43571 43564 43566 43565 43525 43582
        next
    end
Action: Supply a suppression action in the CLI script.
When FortiAP scans for a rogue AP, it scans the BSSID of the wireless devices. The BSSID is a unique identifier assigned to each access point (AP) in a wireless network, which means the BSSID must be supplied for each automated suppression action.
To add a new entry each time a rogue AP is detected, use 'edit 0'. When FortiAP discovers a new BSSID, the stitch inserts it into the %%bssid%% variable, and the entry's status is set to suppressed.
To do this in the CLI:
    config system automation-action
        edit "Action for Rogue AP"
            set description "Suppress all the detected rogue AP"
            set action-type cli-script
            set script "config wireless-controller ap-status
    edit 0
    set bssid %%bssid%%
    set status suppressed
    end"
            set accprofile "super_admin"
        next
    end
Stitches: Set up an automated stitch in the FortiGate UI with the following configuration:
To do this in the CLI, run the following command:
    config system automation-stitch
        edit "Suppress Rouge AP"
            set trigger "Trigger-Rogue-AP"
            config actions
                edit 1
                    set action "Action for Rogue AP"
                    set required enable
                next
            end
        next
    end
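The trigger/action pair above can be checked offline before it runs on a device. The Python example below is added here and is not Fortinet's code: it filters constructed key=value event-log lines by the trigger's log IDs, skips BSSIDs already present in `wireless-controller ap-status`, and substitutes %%bssid%% into the action script exactly as the stitch would. The log line format, the 10-digit logid layout and all sample values are assumptions constructed for the example.

```python
import re

# Log IDs from the page's automation trigger (rogue AP event-log events).
TRIGGER_LOGIDS = {"43563", "43521", "43571", "43564", "43566", "43565", "43525", "43582"}

# The page's action script, with the %%bssid%% placeholder the stitch fills in.
ACTION_SCRIPT = ("config wireless-controller ap-status\nedit 0\n"
                 "set bssid %%bssid%%\nset status suppressed\nend")

BSSID_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log_line(line):
    """Parse a FortiGate key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def parse_ap_status(cli_output):
    """Collect the BSSIDs already listed in 'show wireless-controller ap-status'."""
    return {b.lower() for b in re.findall(r"set bssid (\S+)", cli_output)}

def rogue_bssids(log_lines, already_listed):
    """BSSIDs the stitch would act on: trigger log IDs only, well-formed BSSID,
    not already in ap-status, no duplicates within the batch."""
    out = []
    for line in log_lines:
        rec = parse_log_line(line)
        # Assumption: a 10-digit FortiGate logid ends with the 5-digit ID the trigger uses.
        if rec.get("logid", "")[-5:] not in TRIGGER_LOGIDS:
            continue
        bssid = rec.get("bssid", "").lower()
        if BSSID_RE.match(bssid) and bssid not in already_listed and bssid not in out:
            out.append(bssid)
    return out

def render_scripts(bssids):
    """Substitute %%bssid%% the way the automation action does, one script per AP."""
    return [ACTION_SCRIPT.replace("%%bssid%%", b) for b in bssids]

# Constructed samples, not real device output: one AP already suppressed, one new rogue AP, one non-trigger event.
SAMPLE_STATUS = ("config wireless-controller ap-status\n edit 1\n"
                 " set bssid 04:20:84:4c:0b:7e\n set status suppressed\n next\nend")
SAMPLE_LOGS = [
    'logid="0104043563" type="event" subtype="wireless" logdesc="Rogue AP detected" bssid="04:20:84:4c:0b:7e"',
    'logid="0104043563" type="event" subtype="wireless" logdesc="Rogue AP detected" bssid="AA:BB:CC:11:22:33"',
    'logid="0104099999" type="event" subtype="wireless" logdesc="Unrelated wireless event" bssid="de:ad:be:ef:00:01"',
]
if __name__ == "__main__":
    pending = rogue_bssids(SAMPLE_LOGS, parse_ap_status(SAMPLE_STATUS))
    print("\n\n".join(render_scripts(pending)))
```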
After the automation stitches have been configured, view the results and logs in the following ways:
In the GUI: Go to the Dashboard and view all detected rogue APs, along with each one's status, under WiFi -> Rogue APs.
In the CLI:
    sh wireless-controller ap-status
    config wireless-controller ap-status
        edit 1
            set bssid 04:20:84:4c:0b:7e
            set status suppressed
        next
        edit 2
            set bssid 04:75:f9:0d:6b:19
            set status suppressed
        next
        edit 3
            set bssid c4:6e:1f:79:9d:12
            set status suppressed
        next
        (repeated for each suppressed AP)
        edit 19
            set bssid 5c:8c:30:62:d4:b9
            set status suppressed
        next
    end
A raw log of wireless rogue APs detected and suppressed can be viewed under System Events -> WiFi Events.
Optionally, configure an alert message in the Action field.
An email alert message will notify the administrator of suppressed APs and provide reasons for each. In the example below, the reason provided was 'Rogue AP status configured as unclassified':
Related documents:
Technical Tip: Difference between 'age' and 'live' fields in rogue FortiAP detect log
Troubleshooting Tip: Add Interfering FortiAP threshold value for rogue FortiAP detection |
Copyright 2025 Fortinet, Inc. All Rights Reserved.