Exact MAC address match
If the same MAC address is seen on the LAN and on the WiFi network, this means that the wireless client is connected to the LAN. If the AP that the client is using is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs.
MAC adjacency
If an access point is also a router, it applies NAT to WiFi packets. This can make rogue detection more difficult. However, an AP’s WiFi interface MAC address is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN and WiFi network MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.
Limitations
On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.
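The two on-wire checks described above (exact MAC match and MAC adjacency), together with the limitation that a rogue AP is only correlatable while a client is associated and transmitting, as an added worked example. This is illustrative Python written for this page, not FortiGate's own code: the observation lists are constructed sample data, `find_on_wire_rogues`, `macs_adjacent` and `WifiObservation` are hypothetical names, and the adjacency test assumes that "numerical distance" means the absolute difference between the two addresses read as 48-bit integers (the page does not specify how the FortiGate unit performs the comparison).

```python
from dataclasses import dataclass

# The page gives 7 as the default MAC adjacency value.
DEFAULT_MAC_ADJACENCY = 7


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (colon or dash separated) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def normalize(mac: str) -> str:
    """Canonical lower-case colon form, so lookups do not depend on input formatting."""
    v = mac_to_int(mac)
    return ":".join(f"{(v >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def macs_adjacent(a: str, b: str, adjacency: int = DEFAULT_MAC_ADJACENCY) -> bool:
    """Assumed adjacency test: the two 48-bit values differ by at most `adjacency`."""
    return abs(mac_to_int(a) - mac_to_int(b)) <= adjacency


@dataclass(frozen=True)
class WifiObservation:
    """One client-to-AP association seen by a radio during a background scan."""
    client_mac: str  # station transmitting over the air
    ap_bssid: str    # wireless MAC (BSSID) of the AP it is associated with


def find_on_wire_rogues(wifi_obs, lan_macs, authorized_bssids,
                        adjacency=DEFAULT_MAC_ADJACENCY):
    """Return {bssid: method} for unauthorized APs judged to be on the wired LAN.

    Only APs that currently have an associated, transmitting client appear in
    `wifi_obs`; that is the limitation the page notes. An idle rogue AP with no
    clients cannot be correlated with wired traffic by either method.
    """
    lan = {normalize(m) for m in lan_macs}
    authorized = {normalize(b) for b in authorized_bssids}
    rogues = {}
    for obs in wifi_obs:
        bssid = normalize(obs.ap_bssid)
        if bssid in authorized:
            continue  # AP is known to the controller; never flagged
        if normalize(obs.client_mac) in lan:
            # Exact MAC match: the client's own MAC shows up on the wire, so the
            # AP is bridging (non-NAT) onto the LAN.
            rogues[bssid] = "exact-mac-match"
        elif bssid not in rogues and any(macs_adjacent(bssid, w, adjacency) for w in lan):
            # MAC adjacency: a NAT AP hides its clients behind its wired MAC,
            # which is usually numerically close to its WiFi MAC.
            rogues[bssid] = "mac-adjacency"
    return rogues


# Constructed sample data, not captured from any real network.
SAMPLE_WIFI = [
    WifiObservation("00:11:22:33:44:55", "aa:bb:cc:00:10:01"),  # client MAC also on LAN
    WifiObservation("66:77:88:99:aa:bb", "aa:bb:cc:00:20:05"),  # NAT AP, wired MAC 5 away
    WifiObservation("cc:dd:ee:ff:00:11", "aa:bb:cc:00:30:00"),  # authorized AP
    WifiObservation("12:34:56:78:9a:bc", "aa:bb:cc:00:40:00"),  # neighbour AP, not on wire
]
SAMPLE_LAN = ["00:11:22:33:44:55", "AA-BB-CC-00-20-00", "de:ad:be:ef:00:01"]
SAMPLE_AUTHORIZED = ["aa:bb:cc:00:30:00"]

if __name__ == "__main__":
    found = find_on_wire_rogues(SAMPLE_WIFI, SAMPLE_LAN, SAMPLE_AUTHORIZED)
    for bssid, method in sorted(found.items()):
        print(f"on-wire rogue {bssid} detected by {method}")
```

Lowering the adjacency value (for example to 3) makes the second sample AP disappear from the result, which is the trade-off the page implies: a tighter window reduces false matches against unrelated wired hosts but misses routers whose WiFi and Ethernet MACs are further apart.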
Logging
Information about detected rogue APs is logged and uploaded to your FortiAnalyzer unit, if you have one. By default, rogue APs generate an alert-level log and unknown APs generate a warning-level log. This log information can help you meet PCI-DSS compliance requirements.
Rogue AP scanning as a background activity
Each WiFi radio can monitor the radio channels in its operating band while acting as an AP. It does this by briefly switching from AP mode to monitoring mode. By default, a scan period starts every 300 seconds. Each second a different channel is monitored for 20ms until all channels have been checked.
During heavy AP traffic, it is possible for Spectrum Analysis background scanning to cause lost packets when the radio switches to monitoring. To reduce the probability of lost packets, you can set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for a specified period. This means that heavy AP traffic may slow background scanning.
The following CLI example configures default background rogue scanning operation, except that it sets ap-bgscan-idle to require 100ms of AP inactivity before scanning the next channel.
config wireless-controller wtp-profile
    edit ourprofile
        config radio-1
            set wids-profile ourwidsprofile
            set spectrum-analysis enable
        end
    end
config wireless-controller wids-profile
    edit ourwidsprofile
        set ap-scan enable
        set rogue-scan enable
        set ap-bgscan-period 300
        set ap-bgscan-intv 1
        set ap-bgscan-duration 20
        set ap-bgscan-idle 100
    end
Configuring rogue scanning
All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.