Article Id 191702

This article describes Rogue Access Point Detection in FortiOS 5.0 and 4.0.

FortiGate v4.0, FortiGate v5.0

FortiOS v5.00: This is a new feature for both FortiOS 4.0 and FortiOS 5.0 on FortiWifi and FortiAP.

FortiOS wireless options are found under System Wireless - Settings and the AP menu, or under
Wifi Controller -> Wifi Network.


Mode can be configured from the CLI as follows:

FWF50B3G07503140 # config system wireless settings
FWF50B3G07503140 (settings) # set mode scan
FWF50B3G07503140 (settings) # end
FWF50B3G07503140 (settings) # set mode


Network details for each AP detected include:
• Time and date of detection
• Signal strength
• a/b/g/n parameters
• MAC address

Notes:
• While RF scanning is running, the unit cannot operate as either an AP or a client device.
• This solution is intended to protect the system from casual deployment of unofficial wireless access points.
• Each AP is listed as either authorised or unauthorised; administrators then decide which APs to authorise.

Dedicated scan mode
• In dedicated scan mode the FortiWiFi is reserved for radio scanning.
• The FortiWiFi cannot be used as an AP or a wireless client.
• The wireless interface is hidden from the user while dedicated scan mode is active.
• The FortiWiFi then scans the radio channels continuously.
• Under System/Wireless/Rogue AP, all APs are unauthorised by default.
Background scan mode
• Background Scan mode can be enabled when the FortiWiFi is configured as an AP.
• Radio scanning starts when the radio channels are idle.
• Although this gives the FortiWiFi greater flexibility, the spec indicates that scheduling a scan can take longer and may affect the performance of the unit.

To enable background scan mode:
# config system wireless settings
    set mode ap
    set bgscan enable
    set bgscan-interval 120
    set bgscan-idle 250
end

SNMP and logging
• SNMP can be configured to send a ‘Rogue Access Point detected’ trap.
• This trap does not, however, carry any AP-specific details.
• A log message is generated on each detection; this log contains the SSID/BSSID that caused the alert.
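Because the SNMP trap carries no AP details, the log message is the place to act on a detection. The following is an added example, not code from the article or from Fortinet, showing how a collector could parse such log lines and mark each detected BSSID as authorised or unauthorised against an administrator-maintained inventory. The sample log lines are constructed in a FortiOS-style key=value layout; the field names (msg=, ssid=, bssid=, signal=) are assumptions for this example, as the article only states that the log contains the SSID/BSSID.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample log lines in a FortiOS-style key=value layout. The field
# names used here (msg=, ssid=, bssid=, signal=) are assumptions for this
# example; only the fact that the log carries the SSID/BSSID comes from the
# article.
SAMPLE_LOGS = [
    'date=2013-04-02 time=10:15:32 type=event subtype=wireless level=warning '
    'msg="Rogue Access Point detected" ssid="CorpWiFi" bssid=00:09:0F:AA:BB:01 signal=-48',
    'date=2013-04-02 time=10:15:40 type=event subtype=wireless level=warning '
    'msg="Rogue Access Point detected" ssid="Free_Internet" bssid=00:11:22:33:44:55 signal=-70',
    'date=2013-04-02 time=10:16:01 type=event subtype=wireless level=notice '
    'msg="Wireless client connected" bssid=00:09:0F:AA:BB:01',
]

# Constructed inventory of BSSIDs the administrator has authorised. Any
# address notation is accepted; it is normalised before comparison.
AUTHORISED_BSSIDS = {"00:09:0f:aa:bb:01"}

ROGUE_MSG = "Rogue Access Point detected"

# key=value pairs, where the value is either a double-quoted string
# (backslash escapes allowed) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def normalise_bssid(bssid: str) -> str:
    """Canonicalise a MAC/BSSID to lower-case colon-separated form.

    Accepts 00:09:0F:AA:BB:01, 00-09-0f-aa-bb-01 and 0009.0faa.bb01 alike, so
    an inventory kept in one notation still matches logs written in another.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", bssid).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit address: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RogueAlert:
    ssid: str
    bssid: str
    signal: Optional[int]
    authorised: bool


def classify(lines: Iterable[str], authorised: Set[str]) -> List[RogueAlert]:
    """Extract rogue-AP alerts from the log and mark each as authorised or not."""
    allowed = {normalise_bssid(b) for b in authorised}
    alerts = []
    for line in lines:
        fields = parse_kv(line)
        if fields.get("msg") != ROGUE_MSG or "bssid" not in fields:
            continue  # not a rogue-AP detection, or no BSSID to judge on
        bssid = normalise_bssid(fields["bssid"])
        signal = int(fields["signal"]) if "signal" in fields else None
        alerts.append(RogueAlert(fields.get("ssid", ""), bssid, signal, bssid in allowed))
    return alerts


def unauthorised_bssids(lines: Iterable[str], authorised: Set[str]) -> List[str]:
    """BSSIDs that triggered an alert and are not on the authorised list."""
    return [a.bssid for a in classify(lines, authorised) if not a.authorised]


if __name__ == "__main__":
    for alert in classify(SAMPLE_LOGS, AUTHORISED_BSSIDS):
        state = "authorised" if alert.authorised else "UNAUTHORISED"
        print(f"{alert.bssid}  {alert.ssid!r:18} {alert.signal} dBm  {state}")
```

The BSSID, not the SSID, is the key for the inventory lookup: an unofficial AP can advertise the corporate SSID, so matching on name alone would hide exactly the case the detection feature exists for.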


On v5.0 it may be helpful to list the detected rogue access points and rogue stations with the following CLI commands:
# diagnose wireless-controller wlac -c ap-rogue
# diagnose wireless-controller wlac -c sta-rogue
and clear the lists with the following:

# diagnose wireless-controller wlac scanclr
# diagnose wireless-controller wlac scanstaclr