sdash_FTNT
Staff
Article Id 191840

Description

 
This article describes how to enable and disable SSID broadcast on access points. Broadcasting the SSID enables clients to connect to a wireless network without first knowing the SSID.

In some cases it may be required to disable SSID broadcast, that is, to hide the SSID, on a FortiWiFi unit or on a FortiAP connected to a FortiGate unit.


Scope

 
FortiGate, FortiWiFi, FortiAP.


Solution

 
For some environments, it may be necessary to disable broadcast of the SSID (Service Set Identifier), which is shared by all users of the wireless network, or to hide the SSID to guard against unknown attacks. In FortiGate v5.0 and above, the following CLI commands turn SSID broadcasting on or off.
 
config wireless-controller vap
    edit <vap_name>
        set broadcast-ssid {enable | disable}
    next
end
 
Where <vap_name> is the name of the Virtual Access Point.

For example:
 
FGT # config wireless-controller vap
FGT (vap) # edit TAC24AP  ---> TAC24AP is the <vap_name>.
FGT (TAC24AP) # set broadcast-ssid disable  ---> Disable to hide the SSID. Broadcast is enabled by default.
FGT (TAC24AP) # end
 
Enabling broadcast allows users to see the SSID when scanning for wireless networks. Broadcasting the SSID enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.

Disabling broadcast stops the SSID from being advertised. This does not mean that users cannot connect to that SSID: a user who knows the SSID name and the password can still join by entering the SSID details manually on the client machine.

With SSID broadcast disabled, a client will not be able to detect the SSID by scanning for wireless networks.

The above commands work regardless of the traffic mode, even if the VAP is part of a software switch in which the wireless network is bridged with the local LAN.

Note: The same can also be done from the GUI under WiFi & Switch Controller -> SSID, but the broadcast SSID option is only available there if the traffic mode is ‘tunnel’. If the traffic mode is ‘Local Bridge’, SSID broadcast has to be enabled or disabled from the CLI. By default, SSID broadcast is enabled.
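
To review which VAPs are still broadcasting their SSID, the "config wireless-controller vap" block shown above can be checked offline in a saved configuration. The following Python script is an added example, not part of the original article and not Fortinet code. It assumes the backup omits settings left at their default, so a VAP with no broadcast-ssid line is reported as enabled; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample laid out like a FortiGate configuration backup.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
    next
end
config wireless-controller vap
    edit "TAC24AP"
        set ssid "TAC24"
        set broadcast-ssid disable
    next
    edit "guest"
        set ssid "Guest-WiFi"
    next
end
"""

def audit_vap_broadcast(config_text):
    """Map each VAP name to its effective broadcast-ssid value."""
    result, depth, vap_depth, current = {}, 0, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config wireless-controller vap" and vap_depth is None:
                vap_depth = depth
        elif line == "end":
            if depth == vap_depth:
                vap_depth, current = None, None
            depth -= 1
        elif depth == vap_depth:  # directly inside the vap table, not a nested block
            m = re.match(r'edit\s+"?([^"]+?)"?$', line)
            if m:
                current = m.group(1)
                result[current] = "enable"  # assumed: default values are omitted
            elif line == "next":
                current = None
            elif current:
                m = re.match(r"set broadcast-ssid (enable|disable)$", line)
                if m:
                    result[current] = m.group(1)
    return result

def broadcasting_vaps(config_text):
    """Names of VAPs whose SSID is still being broadcast."""
    return sorted(n for n, v in audit_vap_broadcast(config_text).items() if v == "enable")
```

Calling broadcasting_vaps() on the text of a backup file lists the VAPs that would need "set broadcast-ssid disable" to be hidden.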