Monitoring and suppressing rogue APs


In this recipe, you will learn how to monitor and suppress rogue access points (APs). A rogue AP is an unauthorized AP connected to your wired network (“on-wire”).

Before suppressing any AP, confirm that Rogue Suppression is compliant with the applicable laws and regulations of your region.

Discovered access points are listed in Monitor > Rogue AP Monitor. You can mark them as either Accepted or Rogue APs. While these designations help you track APs, they do not stop anyone from using these APs.

Other APs that are available in the same area as your APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. In general, you would only Mark as rogue the unauthorized APs that are on-wire.

For more information, refer to the FortiWiFi and FortiAP Configuration Guide.

PREP 1 mins      COOK 10 min      TOTAL 11 mins

1. Configuring rogue scanning

On the FortiGate, go to WiFi & Switch Controller > WIDS Profiles and edit the default profile.

Enable Rogue AP Detection as shown.

2. Monitoring rogue APs

Go to Monitor > Rogue AP Monitor and view the table of APs found during scanning.

You can identify interfering APs in the Signal Interference column, indicated by the  icon.

3. Suppressing rogue APs

To suppress a rogue AP, you must first mark the AP as rogue.

Right-click the desired entry and select Mark as rogue.

Once the AP is marked, suppress it by highlighting the entry and selecting Suppress AP.

4. Reverting a suppressed AP 

To revert a suppressed AP, highlight its entry and select Unsuppress AP as shown.

The AP will remain identified as rogue.

To revert the rogue designation, right-click the entry and select Mark as unclassified.
An unclassified AP should appear with the  icon in the State column.

5. Exempting an AP from rogue scanning

Go to WiFi & Switch Controller > WIDS Profiles and create a new WIDS profile in which Enable Rogue AP Detection is not selected.

Go to WiFi & Switch Controller > FortiAP Profiles and select the desired FortiAP Profile.

Enable WIDS Profile, select the profile you just created, and click OK.

Rogue AP Monitor icons

The icons in the Rogue AP Monitor table are defined below:

Column: Icon + Description

State:
    AP is detected but not yet classified.
    AP is accepted.
    AP is marked as rogue, but unsuppressed.
    AP is marked as rogue and suppressed.

Status:
    AP is online and active.
    AP is inactive.

Signal Interference:
    AP signal interferes with a managed AP.
    AP signal interference ranges from low (green) to high (red), measured in dBm.

On Wire:
    AP is a suspected rogue.
    AP is not a suspected rogue.


Keith Leroux


Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
All times listed are approximations.
Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points through which they communicate. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.
Mouse-over the icon to see which managed AP the interfering AP impacts.
In the example, the interfering AP may not pose a security threat; it is suppressed purely for demonstration.
The FortiAP Profile assigned to the AP that you wish to exempt from rogue scanning.
Use this status for APs that are an authorized part of your network or are neighboring APs that are not a security threat.

To see accepted APs in the list, select Show Accepted.

Use this status for unauthorized APs that On Wire status indicates are attached to your wired network(s).
Mouse-over the icon to see which managed AP.
Based on the ‘on-wire’ detection technique.
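
The on-wire correlation described above (MAC addresses seen on the LAN compared with MAC addresses seen on the WiFi network) can be sketched as follows. This is an added illustration, not FortiGate code: the function names, the sample addresses and the optional adjacency check are assumptions of the example.

```python
import re

def parse_mac(mac):
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff into an int."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def format_mac(value):
    text = f"{value:012x}"
    return ":".join(text[i:i + 2] for i in range(0, 12, 2))

def on_wire_aps(wifi_assoc, lan_macs, managed_bssids=(), adjacency=0):
    """Map each unmanaged BSSID that looks on-wire to the evidence for it.

    wifi_assoc: (client_mac or None, bssid) pairs observed over the air.
    lan_macs:   MAC addresses observed on the wired LAN.
    adjacency:  assumption of this example, not described on the page: when
                non-zero, a LAN MAC within this distance of the BSSID also
                counts (a routing AP hides its clients behind its own wired MAC).
    """
    lan = {parse_mac(m) for m in lan_macs}
    managed = {parse_mac(m) for m in managed_bssids}
    findings = {}
    for client, bssid in wifi_assoc:
        b = parse_mac(bssid)
        if b in managed:
            continue  # managed APs are expected to be on the wire
        evidence = set()
        if client is not None and parse_mac(client) in lan:
            evidence.add(f"client {format_mac(parse_mac(client))} seen on LAN")
        if adjacency:
            evidence.update(f"LAN MAC {format_mac(w)} adjacent to BSSID"
                            for w in lan if abs(w - b) <= adjacency)
        if evidence:
            findings.setdefault(format_mac(b), set()).update(evidence)
    return {bssid: sorted(ev) for bssid, ev in findings.items()}

# Constructed sample observations (not taken from any real network).
WIFI_ASSOC = [
    ("00:11:22:33:44:55", "02:00:5e:10:00:01"),  # bridging AP: client MAC reaches the LAN
    ("00-11-22-33-44-66", "02:00:5e:20:00:01"),  # neighbouring AP: client never seen on the LAN
    (None,                "02:00:5e:30:00:08"),  # routing AP: no client MAC leaks onto the LAN
    ("0011.2233.4477",    "02:00:5e:40:00:01"),  # managed AP
]
LAN_MACS = ["00:11:22:33:44:55", "00:11:22:33:44:77", "02:00:5e:30:00:07"]
MANAGED = ["02:00:5e:40:00:01"]

if __name__ == "__main__":
    for bssid, evidence in on_wire_aps(WIFI_ASSOC, LAN_MACS, MANAGED, adjacency=7).items():
        print(bssid, evidence)
```

With the exact-match comparison alone, only the bridging AP is reported; the neighbouring AP stays unflagged, which is why it would not be marked as rogue.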