Wireless network monitoring
You can monitor both your wireless clients and other wireless networks that are available in your coverage area.
Monitoring wireless clients
Monitoring rogue APs
Suppressing rogue APs
Monitoring wireless network health
Monitoring wireless clients
To view connected clients on a FortiWiFi unit
- Go to Monitor > Client Monitor.
The following information is displayed:
SSID | The SSID that the client connected to. |
FortiAP | The serial number of the FortiAP unit to which the client connected. |
User | User name |
IP | The IP address assigned to the wireless client. |
Device | |
Auth | The type of authentication used. |
Channel | WiFi radio channel in use. |
Bandwidth Tx/Rx | Client received and transmitted bandwidth, in Kbps. |
Signal Strength / Noise | The signal-to-noise ratio in decibels calculated from signal strength and noise level. |
Signal Strength | |
Association Time | How long the client has been connected to this access point. |
Results can be filtered. Select the filter icon on the column you want to filter. Enter the values to include or select NOT if you want to exclude the specified values.
Monitoring rogue APs
The access point radio equipment can scan for other available access points, either as a dedicated monitor or in idle periods during AP operation.
Discovered access points are listed in Monitor > Rogue AP Monitor. You can then mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.
It is also possible to suppress rogue APs. See Monitoring rogue APs.
On-wire rogue AP detection technique
Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the On-wire column in the Rogue AP Monitor list shows a green up-arrow on detected rogues.
Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.
There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.
Exact MAC address match
If the same MAC address is seen on the LAN and on the WiFi network, this means that the wireless client is connected to the LAN. If the AP that the client is using is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs.
MAC adjacency
If an access point is also a router, it applies NAT to WiFi packets. This can make rogue detection more difficult.
However, an AP’s WiFi interface MAC address is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN and WiFi network MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.
Limitations
On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.
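The two on-wire checks described above (exact MAC address match and MAC adjacency), modeled as an added Python example. This is not FortiOS code: the function names, table layout and MAC addresses are constructed for illustration, and it assumes the adjacency check compares the AP's WiFi MAC with MAC addresses seen on the LAN.

```python
# Added illustration of on-wire correlation; not FortiOS code.
# All MAC addresses below are constructed sample values.
DEFAULT_ADJACENCY = 7  # default MAC adjacency value given on this page


def mac_to_int(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' (':' or '-' separated) to a 48-bit integer."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(not 1 <= len(p) <= 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(p.zfill(2) for p in parts), 16)


def classify_on_wire(wifi_table, lan_macs, authorized, adjacency=DEFAULT_ADJACENCY):
    """Return {bssid: reason} for unauthorized APs that appear to be on the LAN.

    wifi_table: {AP BSSID: [client MACs seen using that AP]}
    lan_macs:   MAC addresses seen on the wired LAN
    authorized: BSSIDs of APs authorized in the configuration
    """
    lan = {mac_to_int(m) for m in lan_macs}
    allowed = {mac_to_int(m) for m in authorized}
    findings = {}
    for bssid, clients in wifi_table.items():
        ap = mac_to_int(bssid)
        if ap in allowed or not clients:
            continue  # authorized, or no client traffic to correlate (see Limitations)
        if any(mac_to_int(c) in lan for c in clients):
            findings[bssid] = "exact-match"      # bridged (non-NAT) AP
        elif any(abs(ap - m) <= adjacency for m in lan):
            findings[bssid] = "mac-adjacency"    # NAT router: wired MAC near WiFi MAC
    return findings


WIFI_TABLE = {
    "00:11:22:33:44:10": ["02:00:00:c1:00:01"],  # authorized AP
    "02:00:00:aa:00:01": ["02:00:00:c1:00:05"],  # bridged AP, client visible on LAN
    "02:00:00:bb:00:15": ["02:00:00:c1:00:06"],  # NAT router, wired MAC 5 away
    "02:00:00:cc:00:01": ["02:00:00:c1:00:07"],  # neighbor, no LAN presence
    "02:00:00:dd:00:28": ["02:00:00:c1:00:08"],  # NAT router, wired MAC 8 away
}
LAN_MACS = ["02:00:00:c1:00:01", "02:00:00:c1:00:05",
            "02:00:00:bb:00:10", "02:00:00:dd:00:20"]
AUTHORIZED = {"00:11:22:33:44:10"}

if __name__ == "__main__":
    print(classify_on_wire(WIFI_TABLE, LAN_MACS, AUTHORIZED))
    print(classify_on_wire(WIFI_TABLE, LAN_MACS, AUTHORIZED, adjacency=8))
```

With the default distance of 7, the router whose wired MAC is 8 away from its WiFi MAC is missed; it is only reported when the adjacency is widened to 8.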
Logging
Information about detected rogue APs is logged and uploaded to your FortiAnalyzer unit, if you have one. By default, rogue APs generate an alert level log and unknown APs generate a warning level log. This log information can help you with PCI-DSS compliance requirements.
Rogue AP scanning as a background activity
Each WiFi radio can perform monitoring of radio channels in its operating band while acting as an AP. It does this by briefly switching from AP to monitoring mode. By default, a scan period starts every 300 seconds. Each second a different channel is monitored for 20ms until all channels have been checked.
During heavy AP traffic, it is possible for Spectrum Analysis background scanning to cause lost packets when the radio switches to monitoring. To reduce the probability of lost packets, you can set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for a specified period. This means that heavy AP traffic may slow background scanning.
The following CLI example configures default background rogue scanning operation except that it sets ap-bgscan-idle to require 100ms of AP inactivity before scanning the next channel.
config wireless-controller wtp-profile
  edit ourprofile
    config radio-1
      set wids-profile ourwidsprofile
      set spectrum-analysis enable
    end
end
config wireless-controller wids-profile
  edit ourwidsprofile
    set ap-scan enable
    set rogue-scan enable
    set ap-bgscan-period 300
    set ap-bgscan-intv 1
    set ap-bgscan-duration 20
    set ap-bgscan-idle 100
end
Configuring rogue scanning
All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.
To enable rogue AP scanning with on-wire detection – web-based manager
- Go to WiFi & Switch Controller > WIDS Profiles.
On some models, the menu is WiFi & Switch Controller.
- Select an existing WIDS Profile and edit it, or select Create New.
- Make sure that Enable Rogue AP Detection is selected.
- Select Enable On-Wire Rogue AP Detection.
- Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
- Select OK.
To enable the rogue AP scanning feature in a custom AP profile – CLI
config wireless-controller wids-profile
  edit FAP220B-default
    set ap-scan enable
    set rogue-scan enable
end
Exempting an AP from rogue scanning
By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.
To exempt an AP from rogue scanning
- Go to WiFi & Switch Controller > WIDS Profiles.
- Create a new WIDS profile and disable Rogue AP detection.
- Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile you wish to exempt from rogue scanning.
- Assign the WIDS profile created in step 2.
MAC adjacency
You can adjust the maximum WiFi to Ethernet MAC difference used when determining whether a suspect AP is a rogue.
To adjust MAC adjacency
For example, to change the adjacency to 8, enter
config wireless-controller global
  set rogue-scan-mac-adjacency 8
end
Using the Rogue AP Monitor
Go to Monitor > Rogue AP Monitor to view the list of other wireless access points that are receivable at your location.
Information Columns
The actual columns displayed depend on Column Settings.
State | Rogue AP — Use this status for unauthorized APs that On-wire status indicates are attached to your wired networks. Accepted AP — Use this status for APs that are an authorized part of your network or are neighboring APs that are not a security threat. To see accepted APs in the list, select Show Accepted. Unclassified — This is the initial status of a discovered AP. You can change an AP back to unclassified if you have mistakenly marked it as Rogue or Accepted. |
Online Status | Active AP, Inactive AP, Active ad-hoc WiFi device, or Inactive ad-hoc WiFi device. |
SSID | The wireless service set identifier (SSID) or network name for the wireless interface. |
Security Type | The type of security currently being used. |
Channel | The wireless radio channel that the access point uses. |
MAC Address | The MAC address of the Wireless interface. |
Vendor Info | The name of the vendor. |
Signal Strength | The relative signal strength of the AP. Mouse over the symbol to view the signal-to-noise ratio. |
Detected By | The name or serial number of the AP unit that detected the signal. |
On-wire | A green up-arrow indicates a suspected rogue, based on the on-wire detection technique. A red down-arrow indicates the AP is not a suspected rogue. |
First Seen | How long ago this AP was first detected. |
Last Seen | How long ago this AP was last detected. |
Rate | Data rate in bps. |
To change the Online Status of an AP, right-click it and select Mark Accepted or Mark Rogue.
Suppressing rogue APs
In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.
To enable rogue AP suppression, you must enable monitoring of rogue APs with the on-wire detection technique. See “Monitoring rogue APs”. The monitoring radio must be in the Dedicated Monitor mode.
To activate AP suppression against a rogue AP
- Go to Monitor > Rogue AP Monitor.
- When you see an AP listed that is a rogue detected “on-wire”, select it and then select Mark > Mark Rogue.
- To suppress an AP that is marked as a rogue, select it and then select Suppress AP.
To deactivate AP suppression
- Go to Monitor > Rogue AP Monitor.
- Select the suppressed rogue AP and then select Suppress AP > Unsuppress AP.
Monitoring wireless network health
To view the wireless health dashboard, go to Monitor > WiFi Health Monitor.
The wireless health dashboard provides a comprehensive view of the health of your network’s wireless infrastructure. The dashboard includes widgets to display:
- AP Status: Active, Down or missing, up for over 24 hours, rebooted in past 24 hours
- Client Count Over Time: Viewable for past hour, day, or 30 days
- Top Client Count Per-AP: Separate widgets for 2.4GHz and 5GHz bands
- Top Wireless Interference: Separate widgets for 2.4GHz and 5GHz bands, requires spectrum analysis to be enabled on the radios
- Login Failures Information
- WiFi Channel Utilization: Three views allowing users to view top 10-20 Most and Least utilized channels for each AP radio and a third histogram view showing counts for utilization
The list of active clients also shows MAC address entries (similar to the WiFi Client Monitor page), making client information easy to view when opening the Active Client widget.