FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
Article Id 286229

This article describes that Rogue suppression is a method to counter de-auth attacks by management frames from Rogue APs. FortiAP has the capability to address client disconnection issues if it is happening due to a Denial-of-Service/Rogue AP attack.

For this to work, FortiAP radio needs to be configured in MONITOR mode. It is not necessary to configure all radios to monitor mode. 

Scope FortiAP.


For suppression, make sure the below conditions are satisfied:

  1. FortiAP should be able to detect this rogue FortiAP (BSSID).
  2.  FortiGate pushed suppression FortiAP list to FortiAP.
  3. FortiAP detects sta connected to this BSSID.
  4. FortiAP radio is working in monitor mode.
  5. The rogue AP (BSSID) has not enabled Protected Management Frames (PMF).



For the configuration part, refer to the cookbook at the following location.

Enabling rogue AP suppression

Suppressing rogue APs


  1. How to verify if suppressed BSSID has been pushed to the FortiAP:
  • Login to FortiGate CLI and execute the following command:


show wireless-controller ap-status


Sample example:


config wireless-controller ap-status
    edit 1
        set bssid aa:bb:dd:ee:xx:xx
        set ssid "test"
        set status suppressed


  1. Login to FortiAP SSH CLI and execute the following command:


cw_diag -c ap-suppress


Sample example:

Suppressed FortiAP list:




n the above example, aa:bb:dd:ee:xx:xx is not part of the suppressed FortiAP list as it is possible to see from output of 'cw_diag -c ap-suppress' command from FortiAP sh CLI. So the condition fails and Rogue suppression will NOT work.


  1. Confirm that FortiAP has been able to detect the client under test with suppression BSSID. To verify this, check 'stascan' output in AP CLI as shown in the example below.


FortiAP-431F # stascan

sta mac           bssid             chan live  age suppressed
18:65:90:cb:cc:bb 84:39:8f:1f:12:04 48   11562  1  0


  1. How to check deauth packet in OTA (Over-The-Air) capture when Rogue suppression is happening.
  • Take OTA capture using MacBook or any other sniffing tool on the same channel the client is trying to connect to Rogue AP.

Refer to the article at the KB below for doing OTA using MACBook:

How to Sniff Packets & Capture Packet Trace in Mac OS X the Easy Way


Once the PCAP file is available, open it on Wireshark and put a filter to get deauth packet, and check the Source and Destination MAC Address. Verify that the packets match the MAC addresses of the participating devices.


Filters on wireshark.

For Filtering Deauthentication Frames, the filter is:


(wlan.fc.type == 0) && (wlan.fc.type_subtype == 0x0c)




(wlan.fc.type eq 0) && (wlan.fc.type_subtype eq 0x0c)




(wlan.fc.type eq 0) && (wlan.fc.type_subtype eq 12)


Related document:

Analyzing Deauthentication Packets with Wireshark


Known issue:

There are some 11AX clients, that are not being scanned and hence cannnot be suppressed, this is a known issue at this moment.

This is because FortiAP radio cannot scan HE wireless clients when the issue appears mostly for clients like legacy 11ac iPad, Mac book pro, iPad 11 pro, Pixel7, and Mac MINI.