Automatically Suppress Rogue APs Detected... - Fortinet Community

The document provides a technical tip on how to automatically suppress rogue access points (APs) detected by FortiAP using FortiGate. It details the configuration steps for creating triggers and actions in the CLI to manage rogue AP suppression, including viewing the status of suppressed APs. Additionally, it mentions the option to set up email alerts for administrators regarding suppressed APs.

Uploaded by

Irala

Stephen_G (Moderator)
Created on 04-11-2023 02:25 AM
Edited on 07-14-2024 09:05 PM by Anthony_E
Article Id 251968

Technical Tip: Automatically suppress rogue APs detected by FortiAP with FortiGate

Description: This article explains how to automatically suppress rogue APs detected by FortiAP.

Scope: FortiGate and FortiAP.

Solution:
It was previously necessary to manage and control a FortiAP with FortiWLC in order to
automatically suppress rogue APs. For instructions on how to suppress rogue APs with
FortiWLC, see the following links:
Meru Technical Note - Configuring Rogue AP Detection and Mitigation
Meru Technical Note - How does the Meru WLAN perform rogue detection?

The automated stitches feature in FortiGate now makes it possible to automatically
suppress detected rogue APs.

View the currently suppressed rogue APs with the following command:

show wireless-controller ap-status

config wireless-controller ap-status
end

In the above example, the result shows that no rogue APs have currently been
suppressed.

Create a trigger:
In the Event Log in FortiGate, select a desired rogue AP event to trigger suppression
in response to:

To do this in the CLI:

config system automation-trigger
    edit "Trigger-Rogue-AP"
        set event-type event-log
        set logid 43563 43521 43571 43564 43566 43565 43525 43582
    next
end

Action:
Supply a suppression action in the CLI script.

When FortiAP scans for a rogue AP, it scans the BSSID of the wireless devices. The
BSSID is a unique identifier assigned to each access point (AP) in a wireless network,
which means the BSSID must be supplied for each automated suppression action.

To add a new entry whenever a rogue AP is detected, use 'edit 0'. When FortiAP discovers
a new BSSID, it will insert it into the %%bssid%% variable. The status of the
rogue AP can be set to suppressed.

To do this in the CLI:

config system automation-action
    edit "Action for Rogue AP"
        set description "Suppress all the detected rogue AP"
        set action-type cli-script
        set script "config wireless-controller ap-status
edit 0
set bssid %%bssid%%
set status suppressed
end"
        set accprofile "super_admin"
    next
end

Stitches:
Set up an automated stitch in the FortiGate UI with the following configuration:

To do this in the CLI, run the following command:

config system automation-stitch
    edit "Suppress Rouge AP"
        set trigger "Trigger-Rogue-AP"
        config actions
            edit 1
                set action "Action for Rogue AP"
                set required enable
            next
        end
    next
end

After the automation stitches have been configured, view the results and logs in the
following ways:

In the GUI:
Go to the Dashboard and view all detected rogue APs, along with each one's status,
under WiFi -> Rogue APs.

In the CLI:

sh wireless-controller ap-status
config wireless-controller ap-status
    edit 1
        set bssid 04:20:84:4c:0b:7e
        set status suppressed
    next
    edit 2
        set bssid 04:75:f9:0d:6b:19
        set status suppressed
    next
    edit 3
        set bssid c4:6e:1f:79:9d:12
        set status suppressed
    next
    (Repeat for each)
    edit 19
        set bssid 5c:8c:30:62:d4:b9
        set status suppressed
    next
end
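
One way to check the 'show wireless-controller ap-status' output after the stitch has run, as an added example that is not part of the original article: it parses the entries and flags malformed BSSIDs (such as an unexpanded variable), repeated entries, and any suppressed BSSID that appears in a list of the site's own APs. The function names, the own_bssids list and the sample text are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the 'show wireless-controller ap-status' layout; entry 3 repeats entry 1.
SAMPLE = """\
config wireless-controller ap-status
    edit 1
        set bssid 04:20:84:4c:0b:7e
        set status suppressed
    next
    edit 2
        set bssid 04:75:f9:0d:6b:19
        set status suppressed
    next
    edit 3
        set bssid 04:20:84:4C:0B:7E
        set status suppressed
    next
end
"""
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_ap_status(text):
    """Return one {'id', 'bssid', 'status'} dict per 'edit' entry."""
    entries, current = [], None
    for raw in text.splitlines():
        words = raw.split()
        if len(words) >= 2 and words[0] == "edit":
            current = {"id": words[1], "bssid": None, "status": None}
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            if words[1] in ("bssid", "status"):
                current[words[1]] = words[2].strip('"').lower()
        elif words and words[0] in ("next", "end") and current is not None:
            entries.append(current)
            current = None
    return entries

def audit(entries, own_bssids):
    """Flag malformed BSSIDs, duplicate entries and suppressed BSSIDs we own."""
    own = {b.lower() for b in own_bssids}  # assumed inventory of the site's own APs
    counts = Counter(e["bssid"] for e in entries if e["bssid"])
    return {
        "malformed": [e["id"] for e in entries if not MAC_RE.match(e["bssid"] or "")],
        "duplicates": sorted(b for b, n in counts.items() if n > 1),
        "own_suppressed": sorted({e["bssid"] for e in entries
                                  if e["status"] == "suppressed" and e["bssid"] in own}),
    }

print(audit(parse_ap_status(SAMPLE), own_bssids=["04:75:F9:0D:6B:19"]))
```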

A raw log of wireless rogue APs detected and suppressed can be viewed under
System Events -> WiFi Events.
Optionally, configure an alert message in the Action field.

An email alert message will notify the administrator of suppressed APs and provide
reasons for each. In the example below, the reason provided was 'Rogue AP status
configured as unclassified':

Related documents:
Monitoring rogue APs
Suppressing rogue APs
Technical Tip: Difference between 'age' and 'live' fields in rogue FortiAP detect log
Troubleshooting Tip: Add Interfering FortiAP threshold value for rogue FortiAP detection


Contributors: Bjay_Prakash_Ghising, Nickesh_k, Stephen_G, Anthony_E, GeorgeZhong
