Configuring rogue scanning
All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.
To enable rogue AP scanning with on-wire detection – web-based manager
- Go to WiFi & Switch Controller > WIDS Profiles.
On some models, the menu is WiFi & Switch Controller.
- Select an existing WIDS Profile and edit it, or select Create New.
- Make sure that Enable Rogue AP Detection is selected.
- Select Enable On-Wire Rogue AP Detection.
- Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
- Select OK.
To enable the rogue AP scanning feature in a custom AP profile – CLI
config wireless-controller wids-profile
    edit FAP220B-default
        set ap-scan enable
        set rogue-scan enable
end
Exempting an AP from rogue scanning
By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.
To exempt an AP from rogue scanning – web-based manager
- Go to WiFi & Switch Controller > Managed FortiAPs.
- Select which AP to edit.
- In Wireless Settings, enable Override Settings.
- Select Do not participate in Rogue AP Scanning and then select OK.
To exempt an AP from rogue scanning – CLI
This example shows how to exempt access point AP1 from rogue scanning.
config wireless-controller wtp
    edit AP1
        set override-profile enable
        set ap-scan disable
end
MAC adjacency
You can adjust the maximum WiFi-to-Ethernet MAC address difference used when determining whether a suspect AP is a rogue.
To adjust MAC adjacency
For example, to change the adjacency to 8, enter
config wireless-controller global
    set rogue-scan-mac-adjacency 8
end
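As an added illustration of what this setting controls (example code, not part of the original guide and not FortiOS's own implementation), the following Python models the on-wire check: a discovered BSSID is treated as on-wire when some MAC address seen on the wired LAN lies within the configured adjacency of it. It assumes the distance is the absolute difference of the two 48-bit addresses, which the page does not spell out, and the MAC addresses are constructed sample data.

```python
import re

# Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def mac_to_int(mac: str) -> int:
    """Parse a MAC address into a 48-bit integer, rejecting malformed input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def mac_adjacency(wifi_mac: str, wired_mac: str) -> int:
    """Numeric distance between a BSSID and a wired MAC (assumption: absolute
    difference of the 48-bit values; the page does not give the exact rule).
    Using the whole address rather than only the last octet keeps a carry into
    the next octet correct: ...:44:fe and ...:45:02 are 4 apart."""
    return abs(mac_to_int(wifi_mac) - mac_to_int(wired_mac))


def is_on_wire(bssid: str, wired_macs, adjacency: int = 8) -> bool:
    """True if any MAC seen on the wired LAN is within `adjacency` of the BSSID,
    i.e. the AP behind that BSSID is probably plugged into our own network."""
    return any(mac_adjacency(bssid, m) <= adjacency for m in wired_macs)


def classify_bssids(bssids, wired_macs, adjacency: int = 8) -> dict:
    """Map each discovered BSSID to 'on-wire' or 'off-wire'."""
    return {b: ("on-wire" if is_on_wire(b, wired_macs, adjacency) else "off-wire")
            for b in bssids}


# Constructed sample data, not real observations.
WIRED_MACS = ["00:11:22:33:44:fe",   # unknown device's Ethernet port seen on the LAN
              "3c:52:82:01:02:03"]   # a corporate laptop
BSSIDS = ["00:11:22:33:45:02",       # 4 above the unknown device: on-wire at 8
          "00:11:22:33:45:0a",       # 12 above it: off-wire at 8, on-wire at 16
          "a4:5e:60:aa:bb:cc"]       # AP in the neighbouring building: off-wire

if __name__ == "__main__":
    for bssid, verdict in classify_bssids(BSSIDS, WIRED_MACS, adjacency=8).items():
        print(f"{bssid}  {verdict}")
```

Raising the adjacency widens the window and catches more rogues whose radio and Ethernet MACs are further apart, at the cost of more false on-wire matches against legitimate wired hosts.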