FortiGate
mdecesare
Staff
Article Id 191702

Description

 

This article describes Rogue Access Point Detection in FortiOS 5.0 & 4.0.

 

 

Scope

 

FortiGate v4.0, FortiGate v5.0

 

 

Solution

 

Rogue Access Point Detection is a new feature available in both FortiOS 4.0 and FortiOS 5.0 on FortiWiFi and FortiAP units.

In the GUI, the wireless options are found under System > Wireless > Settings and the AP menu, or under WiFi Controller > WiFi Network.

 
FortiOS CLI

The radio mode can be set with the following CLI commands:

FWF50B3G07503140 # config system wireless settings
FWF50B3G07503140 (settings) # set mode scan
FWF50B3G07503140 (settings) # end

The values accepted by set mode, as listed by the CLI help, are:

FWF50B3G07503140 (settings) # set mode
AP        AP
CLIENT    CLIENT
SCAN      SCAN
FWF50B3G07503140 (settings) # set mode

 

Network details for each AP detected include:
• Time and date of detection
• Signal strength
• 802.11 a/b/g/n parameters
• SSID/BSSID
• MAC address

Note that while RF scanning is running, the unit cannot operate as an AP or as a wireless client.

This feature is intended to protect the network from casual deployment of unofficial wireless access points. Each detected AP is listed as either authorised or unauthorised.
 
Administrators then decide which APs to mark as authorised and which remain unauthorised.
 
Dedicated scan mode

• In dedicated scan mode the FortiWiFi is reserved for radio scanning.
• The FortiWiFi cannot be used as an AP or as a wireless client.
• The wireless interface is hidden from the user while dedicated scan mode is active.
• The FortiWiFi scans the radio channels continuously.
• Under System > Wireless > Rogue AP, all APs are unauthorised by default.
 
Background scan mode
 
• Background scan mode can be enabled when the FortiWiFi is configured as an AP.
• Radio scanning runs while the radio channels are idle.
• Although this gives the FortiWiFi greater flexibility, scanning may take longer to complete and can affect the performance of the unit.

To enable background scan mode:

# config system wireless settings
    set mode AP
    set bgscan enable
    set bgscan-interval 120
    set bgscan-idle 250
end

SNMP and logging
 
• SNMP can be configured to send the trap 'Rogue Access Point detected'.
• This trap does not carry any AP-specific details.
• A log message is generated upon detection; it contains the SSID/BSSID of the AP that caused the alert.
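The trap carries no AP details, so an operator has to turn to the detection log and apply the authorised/unauthorised decision described above. The following added example (not Fortinet code) does that offline: it parses constructed key=value log lines whose layout, field names and values are assumptions, applies an administrator's authorised-BSSID list with the "unauthorised by default" rule, adds two triage hints (our own SSID on a foreign BSSID, and weak signal) that go beyond the article, and correlates a trap time with the log records written around it.

```python
"""Triage of rogue-AP detections (added example, not from the Fortinet article).
The log layout and all sample values below are constructed; real FortiOS log
fields differ and must be mapped to these names first."""
import re
from datetime import datetime, timedelta

# Constructed sample detection logs (hypothetical layout, not FortiOS syntax).
SAMPLE_LOGS = [
    'date=2013-06-01 time=09:14:02 msg="Rogue AP detected" ssid="CORP-WIFI" bssid=00:09:0f:aa:bb:01 signal=-41 radio=bgn',
    'date=2013-06-01 time=09:14:05 msg="Rogue AP detected" ssid="CORP-WIFI" bssid=00:11:22:33:44:55 signal=-48 radio=bgn',
    'date=2013-06-01 time=09:14:09 msg="Rogue AP detected" ssid="Cafe-Free" bssid=66:77:88:99:aa:bb signal=-85 radio=bg',
    'date=2013-06-01 time=09:14:12 msg="Rogue AP detected" ssid="Linksys" bssid=cc:dd:ee:ff:00:11 signal=-52 radio=bgn',
]
# Administrator's decisions (constructed): authorised BSSIDs (all others are
# unauthorised by default, as in System > Wireless > Rogue AP) and our own SSIDs.
AUTHORISED_BSSIDS = {"00:09:0f:aa:bb:01"}
OUR_SSIDS = {"CORP-WIFI"}
WEAK_SIGNAL_DBM = -80  # weaker than this is probably outside the premises

LOG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in LOG_RE.finditer(line)}

def classify(rec):
    """Apply the administrator's decision, then two triage hints."""
    if rec["bssid"].lower() in AUTHORISED_BSSIDS:
        return "authorised"
    if rec["ssid"] in OUR_SSIDS:
        return "unauthorised-impersonating"  # our SSID on a foreign BSSID: look first
    if int(rec["signal"]) < WEAK_SIGNAL_DBM:
        return "unauthorised-weak-signal"  # likely a neighbour's AP, low priority
    return "unauthorised"

def records_for_trap(trap_time, lines, window_s=10):
    """The SNMP trap names no AP, so pull SSID/BSSID from log records written
    within window_s seconds of the trap (trap_time as 'YYYY-MM-DD HH:MM:SS')."""
    fmt = "%Y-%m-%d %H:%M:%S"
    t0 = datetime.strptime(trap_time, fmt)
    out = []
    for line in lines:
        rec = parse_log(line)
        ts = datetime.strptime(rec["date"] + " " + rec["time"], fmt)
        if abs(ts - t0) <= timedelta(seconds=window_s):
            out.append((rec["ssid"], rec["bssid"], classify(rec)))
    return out
```

Running records_for_trap("2013-06-01 09:14:04", SAMPLE_LOGS) returns all four constructed detections with their verdicts; narrowing window_s keeps only the records closest to the trap.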

Troubleshooting

On v5.0, the lists of detected rogue access points and rogue stations can be checked with the following CLI commands:
 
# diagnose wireless-controller wlac -c ap-rogue
# diagnose wireless-controller wlac -c sta-rogue
 
and cleared with the following:

# diagnose wireless-controller wlac scanclr
# diagnose wireless-controller wlac scanstaclr

 
