Option to disable automatic registration of unknown FortiAPs (272368)
By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator’s authorization. Optionally, you can disable this automatic registration function. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface. Disable automatic registration in the CLI like this:
config system interface
    edit port15
        set ap-discover disable
    end
Automatic authorization of extension devices
To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually. This feature is available only on network interfaces designated as Dedicated to Extension Device.
To enable automatic authorization on all dedicated interfaces
config system global
    set auto-auth-extension-device enable
end
To enable automatic authorization per-interface
config system interface
    edit port15
        set auto-auth-extension-device enable
    end
In the GUI, the Automatically authorize devices option is available when Addressing Mode is set to Dedicated to Extension Device.
Control WIDS client deauthentication rate for DoS attack (285674 278771)
As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A new WIDS Profile option in the CLI limits the deauthentication rate.
config wireless-controller wids-profile
    edit default
        set deauth-unknown-src-thresh 10
    end
The range is 1 to 65,535 deauthentications per second. 0 means no limit. The default is 10.
Prevent DHCP starvation (285521)
The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from depleting the DHCP address pool by making multiple requests. Add this option as follows:
config wireless-controller vap
    edit "wifi"
        append broadcast-suppression dhcp-starvation
    end
Prevent ARP Poisoning (285674)
The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from spoofing ARP messages. Add this option as follows:
config wireless-controller vap
    edit "wifi"
        append broadcast-suppression arp-poison
    end
Suppress all other multicast/broadcast packets (282404)
The SSID broadcast-suppression field in the CLI contains several options for specific multicast and broadcast packet types. Two new options suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options.
config wireless-controller vap
    edit "wifi"
        append broadcast-suppression all-other-mc all-other-bc
    end
A new configurable timer flushes the wireless station presence cache (283218)
The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.
The timer is one of the wireless controller timers and it can be set in the CLI. For example:
config wireless-controller timers
    set sta-locate-timer 1800
end
The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 seconds) because that could cause duplicate logs to be generated.
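The settings described in the sections above (automatic FortiAP registration, automatic authorization of extension devices, the broadcast-suppression options and the station presence timers) can be checked in a configuration backup before it is applied. The following is an added example, not FortiOS code or a Fortinet tool: it parses a constructed FortiOS-style config text and reports the weak values, using the defaults stated in the text (ap-discover enabled, sta-locate-timer 1800, sta-capability-timer 30) for options that are not set.

```python
# Constructed sample FortiOS-style config (not from a real device); each block carries a weak value.
SAMPLE = """\
config system global
    set auto-auth-extension-device enable
end
config system interface
    edit "port15"
        set ap-discover enable
    next
end
config wireless-controller vap
    edit "wifi"
        set broadcast-suppression dhcp-up
    next
end
config wireless-controller timers
    set sta-locate-timer 20
end
"""

def parse_fortios(text):
    """Flatten config/edit/set/append blocks into {(table, entry): {option: [values]}}."""
    tree, table, entry = {}, None, ""
    for words in filter(None, (ln.replace('"', "").split() for ln in text.splitlines())):
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table, entry = " ".join(args), ""
        elif cmd == "edit":
            entry = args[0]
        elif cmd == "next":
            entry = ""
        elif cmd in ("set", "append"):  # append adds values to a multi-value option
            tree.setdefault((table, entry), {}).setdefault(args[0], []).extend(args[1:])
    return tree

def audit(tree):
    """One finding per weak value among the options above; defaults are those the text states."""
    out, t = [], tree.get(("wireless-controller timers", ""), {})
    if tree.get(("system global", ""), {}).get("auto-auth-extension-device") == ["enable"]:
        out.append("global: extension devices are authorized automatically")
    loc, cap = int(t.get("sta-locate-timer", ["1800"])[0]), int(t.get("sta-capability-timer", ["30"])[0])
    if 0 < loc < cap:  # 0 disables the flush, so it is not flagged here
        out.append("timers: sta-locate-timer %d is below sta-capability-timer %d" % (loc, cap))
    for (table, entry), kv in tree.items():
        if table == "system interface" and kv.get("ap-discover", ["enable"]) != ["disable"]:
            out.append("%s: unknown FortiAPs are registered automatically" % entry)
        elif table == "wireless-controller vap":
            out += ["vap %s: broadcast-suppression lacks %s" % (entry, o) for o in
                    ("dhcp-starvation", "arp-poison") if o not in kv.get("broadcast-suppression", [])]
    return out
```

Running `audit(parse_fortios(SAMPLE))` on the constructed config returns five findings; the same call on a config with ap-discover disabled, both suppression options appended and the flush timer disabled returns none. The parser handles the flat blocks shown on this page, not nested config sub-blocks.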