mdecesare
Staff
Description

FortiOS v5.00: This is a new feature for both FortiOS 4.0 and FortiOS 5.0 on FortiWiFi and FortiAP.

FortiOS wireless options are contained in System -> Wireless -> Settings and the AP menu, or in Wifi Controller -> Wifi Network.
 
FortiOS CLI

Mode can be configured using the following:

FWF50B3G07503140 # config system wireless settings
FWF50B3G07503140 (settings) # set mode scan
FWF50B3G07503140 (settings) # end
FWF50B3G07503140 (settings) # set mode
AP AP
CLIENT CLIENT
SCAN SCAN
FWF50B3G07503140 (settings) # set mode

Network details for each AP detected include:
• Time and date of detection
• Signal strength
• a/b/g/n parameters
• SSID/BSSID
• MAC address

• Note, however, that while RF scanning is running the unit cannot operate as either an AP or a client device.
• This solution is intended to protect the system from casual deployment of unofficial wireless access points.
• Each AP will be listed as either authorised or unauthorised.
 
Administrators will then decide which APs can be authorised or unauthorised.
 
• In dedicated scan mode the FortiWiFi is reserved for Radio Scan.
• The FortiWiFi cannot be used as an AP or a Wireless Client.
• The wireless interface is hidden to the user when dedicated scan mode is activated.
• The FortiWiFi then scans the radio channel continuously.
• Under System/Wireless/Rogue AP, all APs are unauthorised by default.
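
The authorised/unauthorised decision described above can be scripted as a default-deny check against an allow-list. This is an added example, not Fortinet code and not FortiOS output: the CSV layout, the `AUTHORISED` allow-list, the `classify` function and the -65 dBm "nearby" threshold are all assumptions made for illustration, and the scan rows are constructed sample data.

```python
import csv
import io

# Constructed sample data (not FortiOS output): one row per detected AP,
# using the fields the article lists for each detection.
SAMPLE_SCAN = """\
detected,signal_dbm,band,ssid,bssid
2013-05-02 09:14:07,-48,n,CorpNet,00:11:22:33:44:55
2013-05-02 09:14:09,-61,g,CorpNet,66:77:88:99:AA:BB
2013-05-02 09:15:30,-83,g,CoffeeShop,CC:DD:EE:FF:00:11
2013-05-02 09:16:02,-55,n,printer-setup,22:33:44:55:66:77
"""

# Hypothetical allow-list kept by the administrator: BSSID (upper case) -> SSID.
AUTHORISED = {"00:11:22:33:44:55": "CorpNet"}


def classify(scan_csv, authorised, near_dbm=-65):
    """Label every detected AP; anything not on the allow-list is unauthorised."""
    known_ssids = set(authorised.values())
    results = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        signal = int(row["signal_dbm"])
        if authorised.get(bssid) == ssid:
            status, note = "authorised", ""
        else:
            status = "unauthorised"  # default, as in the Rogue AP list
            if ssid in known_ssids:
                note = "advertises an authorised SSID from an unknown BSSID"
            elif signal >= near_dbm:
                note = "strong signal, likely on or near the premises"
            else:
                note = "weak signal, probably a neighbouring network"
        results.append({"bssid": bssid, "ssid": ssid, "signal_dbm": signal,
                        "status": status, "note": note})
    # Review order: unauthorised first, strongest signal first.
    results.sort(key=lambda r: (r["status"] == "authorised", -r["signal_dbm"]))
    return results


if __name__ == "__main__":
    for r in classify(SAMPLE_SCAN, AUTHORISED):
        print(f'{r["status"]:<13}{r["signal_dbm"]:>5} dBm  {r["bssid"]}  {r["ssid"]}  {r["note"]}')
```

Matching on the BSSID and SSID together means an AP that reuses an authorised SSID from an unknown radio stays unauthorised and is called out for review.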
 
Background scan mode
 
• Background scan mode can be enabled when the FortiWiFi is configured as an AP.
• Radio scanning starts when the radio channels are idle.
• The spec indicates that, although this gives the FortiWiFi greater flexibility, scheduling for scanning could take longer and could have an influence on the performance of the unit.

To enable background scan mode:
config system wireless settings
set mode AP
set bgscan enable
set bgscan-interval 120
set bgscan-idle 250
end

SNMP and logging
 
• SNMP can be configured to send a trap, ‘Rogue Access Point detected’.
• However, no AP-specific details will be sent in this trap.
• A new log message must be generated upon detection; this log will contain details of the SSID/BSSID causing the alert.

Troubleshooting:

On v5.0, it may be helpful to check the list of rogue access points with the following CLI commands:

diagnose wireless-controller wlac -c ap-rogue
diagnose wireless-controller wlac -c sta-rogue

and clear the list with the following:

diagnose wireless-controller wlac scanclr
diagnose wireless-controller wlac scanstaclr

