Provisioning Templates – FortiManager 5.2

To create a new WIDS profile:

  1. From the WIDS profiles page, select Create New. The New Wireless Intrusion Detection System Profile window opens.
New WIDS profile

Enter the following information:

Name Type a name for the profile.
Comments Optionally, type comments.
Enable Rogue AP Detection Select to enable rogue AP detection.
Background Scan Every Second(s) Type a value in the text field.
Disable Background Scan During Specified Time When selected, select the day of week, start, and stop time.
Enable Passive Scan Mode Select to enable passive scan mode.
Enable On-Wire Rogue AP Detection Select to enable on-wire rogue AP detection. When enabled you can select to auto suppress rogue APs in foreground scan.
Intrusion Type The intrusion types that can be detected. See “Provisioning Templates” on page 236 for information on the available types.
Status Select the status of the intrusion type (enable it).
Threshold If applicable, type a threshold for reporting the intrusion, in seconds except where specified.
Interval (sec) If applicable, type the interval for reporting the intrusion, in seconds.
  1. Select OK to create the new WIDS profile.

Intrusion types provides a list of intrusion types and the description.

Intrusion types

Intrusion Type Description
Asleap Attack ASLEAP is a tool used to perform attacks against LEAP authentication.
Association Frame Flooding A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.
Authentication Frame Flooding A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.
Broadcasting De-authentication This is a type of Denial of Service attack. A flood of spoofed deauthentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
EAPOL Packet Flooding

(to AP)

Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack.

Several types of EAPOL packets can be detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, and EAPOL-SUCC.

Invalid MAC OU Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
Long Duration Attack To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200.
Null SSID Probe Response When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
Premature EAPOL Packet

Flooding (to client)

Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack.

Two types of EAPOL packets can be detected: EAPOL-FAIL, and EAPOL-SUCC.

Intrusion Type Description
Spoofed De-authentication Spoofed de-authentication frames form the basis for most denial of service attacks.
Weak WEP IV Detection A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
Wireless Bridge WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.
This entry was posted in Administration Guides, FortiManager and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.