FortiSIEM Configuring Wireless LANs

Configuring Wireless LANs

AccelOps supports these wireless local area network devices for discovery and monitoring.

Aruba Networks Wireless LAN Configuration

Cisco Wireless LAN Configuration

Motorola WiNG WLAN AP Configuration

Ruckus Wireless LAN Configuration

Aruba Networks Wireless LAN Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP V1/V2c

Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages

Settings for Access Credentials

What is Discovered and Monitored

AccelOps uses SNMP and NMAP to discover the device and to collect logs and performance metrics. AccelOps communicates with the WLAN Controller only and discovers all information from the Controller; it does not communicate with the WLAN Access Points directly.

Protocol: SNMP
Information Discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics Collected: Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Radio interface performance metrics
Used For: Availability and Performance Monitoring

Protocol: SNMP Trap
Information Discovered: Controller device type
Metrics Collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used For: Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “aruba” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “aruba” in the Name column to see the reports associated with this device.

Configuration

SNMP V1/V2c

  1. Log in to your Aruba wireless controller with administrative privileges.
  2. Go to Configuration > Management > SNMP.
  3. For Read Community String, enter public.
  4. Select Enable Trap Generation.
  5. Next to Read Community String, click Add.
  6. Under Trap Receivers, click Add and enter the IP address of your AccelOps virtual appliance.

Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages

Settings for Access Credentials

Cisco Wireless LAN Configuration

What is Discovered and Monitored
Protocol: SNMP
Information Discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics Collected: Controller Uptime, Controller CPU and Memory utilization, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used For: Availability and Performance Monitoring

Protocol: SNMP Trap
Information Discovered: Controller device type
Metrics Collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used For: Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “cisco wireless” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP V1/V2c and SNMP Traps

  1. Log in to your Cisco wireless LAN controller with administrative privileges.
  2. Go to MANAGEMENT > SNMP > General.
  3. Set both SNMP v1 Mode and SNMP v2c Mode to Enable.
  4. Go to SNMP > Communities.
  5. Click New and create a public community string with Read-Only access.
  6. Click Apply.
  7. Go to SNMP > Trap Controls.
  8. Select the event traps you want to send to AccelOps.
  9. Click Apply.
  10. Go to SNMP > Trap Receivers.
  11. Click New and enter the IP address of your AccelOps virtual appliance as a trap receiver.
  12. Click Apply.

Sample SNMP Trap

2008-06-09 08:59:50 192.168.20.9 [192.168.20.9]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (86919800) 10 days, 1:26:38.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14179.2.6.3.2
SNMPv2-SMI::enterprises.14179.2.6.2.35.0 = Hex-STRING: 00 21 55 4D 66 B0
SNMPv2-SMI::enterprises.14179.2.6.2.36.0 = INTEGER: 0
SNMPv2-SMI::enterprises.14179.2.6.2.37.0 = INTEGER: 1
SNMPv2-SMI::enterprises.14179.2.6.2.34.0 = Hex-STRING: 00 12 F0 0A 3F 15

2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community 1n3t3ng . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9165100) 1 day, 1:27:31.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0 00
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP-2"
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7 66 70
SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54
SNMPv2-SMI::enterprises.9.9.599.1.2.1.0 = STRING: "IE\brouse"
SNMPv2-SMI::enterprises.9.9.599.1.2.2.0 = STRING: "IE"

2011-04-05 10:37:42 0.0.0.0(via UDP: [10.10.81.240]:32768) TRAP2, SNMP v2c, community AccelOps . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1672429600) 193 days, 13:38:16.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.615.0.1
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 25 BC 80 E8 77
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 6C 50 4D 7D AC 50
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.9.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP03-3.rdu2"
SNMPv2-SMI::enterprises.9.9.615.1.2.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.615.1.2.2.0 = INTEGER: 5000
SNMPv2-SMI::enterprises.9.9.615.1.2.3.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.615.1.2.4.0 = INTEGER: 31
SNMPv2-SMI::enterprises.9.9.615.1.2.5.0 = INTEGER: -60
SNMPv2-SMI::enterprises.9.9.615.1.2.6.0 = INTEGER: -90
SNMPv2-SMI::enterprises.9.9.615.1.2.7.0 = STRING: "0,0,0,0,1,20,24,28,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0"
SNMPv2-SMI::enterprises.9.9.615.1.2.8.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.615.1.2.9.0 = STRING: "6c:50:4d:7d:ac:50,e8:04:62:0b:b5:f0"
SNMPv2-SMI::enterprises.9.9.615.1.2.10.0 = STRING: "-83,-85"
SNMPv2-SMI::enterprises.9.9.615.1.2.11.0 = STRING: "1,1"
SNMPv2-SMI::enterprises.9.9.512.1.1.1.1.11.5 = INTEGER: 1
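The sample traps above arrive as snmptrapd-style varbind lines, with MAC addresses encoded as Hex-STRING octets and the trap type carried in snmpTrapOID.0. The following parser is an added example (not AccelOps code) that turns such lines into typed values, normalises 6-octet Hex-STRINGs to the colon-separated MAC form and extracts the trap's enterprise number; the sample input is constructed here, modelled on the second trap above.

```python
import re

# Constructed sample modelled on the Cisco WLC trap shown above (not captured from a live controller).
# The timestamp header line is deliberately included: it is not a varbind and must be skipped.
SAMPLE_TRAP = """\
2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community example .
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0 00
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP-2"
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7 66 70
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54
SNMPv2-SMI::enterprises.9.9.599.1.2.1.0 = STRING: "IE\\brouse"
"""

# '<oid> = <TYPE>: <value>'; anything else (e.g. the timestamp header) is ignored.
VARBIND_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>[\w-]+): (?P<value>.*)$')

def parse_varbinds(text):
    """Return a list of (oid, type, value) tuples with INTEGER/STRING/Hex-STRING values converted."""
    out = []
    for line in text.splitlines():
        m = VARBIND_RE.match(line.strip())
        if not m:
            continue
        oid, typ, val = m.group('oid'), m.group('type'), m.group('value')
        if typ == 'INTEGER':
            val = int(val)
        elif typ == 'STRING':
            val = val.strip('"')
        elif typ == 'Hex-STRING':
            octets = val.split()
            # Six octets is a MAC address: use the lower-case colon form, which is how the
            # colon-separated MAC lists in the third sample trap are written.
            val = ':'.join(o.lower() for o in octets) if len(octets) == 6 else bytes.fromhex(''.join(octets))
        out.append((oid, typ, val))
    return out

def trap_oid(varbinds):
    """The notification type, taken from the snmpTrapOID.0 varbind."""
    return next((v for o, _, v in varbinds if o == 'SNMPv2-MIB::snmpTrapOID.0'), None)

def enterprise_of(oid):
    """IANA enterprise number under enterprises.<n>. (9 is Cisco; 14179 is the Airespace WLC MIB tree)."""
    m = re.match(r'SNMPv2-SMI::enterprises\.(\d+)\.', oid or '')
    return int(m.group(1)) if m else None

def mac_addresses(varbinds):
    """All Hex-STRING varbinds that decoded to a MAC address, in varbind order."""
    return [v for _, t, v in varbinds if t == 'Hex-STRING' and isinstance(v, str)]
```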

Settings for Access Credentials

Motorola WiNG WLAN AP Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics Collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used For: Availability, Security and Compliance

Event Types

Over 127 event types – In CMDB > Event Types, search for “Motorola-WiNG” to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure devices to send syslog to AccelOps, and make sure that the version matches the format below.

Ruckus Wireless LAN Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics Collected: Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Controller WLAN Statistics, Access Point Statistics, SSID performance Stats
Used For: Availability and Performance Monitoring

Event Types

PH_DEV_MON_RUCKUS_CONTROLLER_STAT

[PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01,[hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP]=0,[knownRogueAP]=0,[wlanSentBytes]=0,[wlanRecvBytes]=0,[wlanSentBitsPerSec]=0.000000,[wlanRecvBitsPerSec]=0.000000,[lanSentBytes]=166848,[lanRecvBytes]=154704,[lanSentBitsPerSec]=7584.000000,[lanSentBitsPerSec]=7032.000000,[phLogDetail]=

PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT

[PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=470,[hostName]=AP-10.20.30.3,[hostIpAddr]=10.20.30.3,[description]=,[numRadio]=0,[numWlanClient]=0,[knownRogueAP]=0,[connMode]=layer3,[firstJoinTime]=140467251729776,[lastBootTime]=140467251729776,[lastUpgradeTime]=140467251729776,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000,[phLogDetail]=

PH_DEV_MON_RUCKUS_SSID_PERF

[PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=807,[hostName]=c1cs-guestpoint-zd01,[hostIpAddr]=172.17.0.250,[wlanSsid]=GuestPoint,[description]=Welcome SSID for not yet authorized APs.,[wlanName]=Welcome SSID,[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1,[srcVLAN]=598,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000,[authSuccess]=0,[authFailure]=0,[assocSuccess]=0,[assocFailure]=0,[assocDeny]=0,[disassocAbnormal]=0,[disassocLeave]=0,[disassocMisc]=0,[phLogDetail]=
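The three event types above share the AccelOps attribute format, an [EVENT_TYPE]: header followed by comma-separated [key]=value pairs in which a value may itself contain commas and periods. The following is an added example (not AccelOps code) of a parser for that format plus a defender-side posture check over a PH_DEV_MON_RUCKUS_SSID_PERF event: open authentication, no encryption and an authentication failure rate far above the success rate. The input line is constructed here, modelled on the SSID sample above with authSuccess/authFailure changed to exercise the check.

```python
import re

# Constructed sample in the FortiSIEM attribute format shown above; the counters differ from the
# page's example so that the failure-ratio check fires.
SAMPLE_EVENT = (
    "[PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,"
    "[lineNumber]=807,[hostName]=c1cs-guestpoint-zd01,[hostIpAddr]=172.17.0.250,"
    "[wlanSsid]=GuestPoint,[description]=Welcome SSID for not yet authorized APs.,"
    "[wlanName]=Welcome SSID,[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1,[srcVLAN]=598,"
    "[sentBitsPerSec]=0.000000,[authSuccess]=3,[authFailure]=27,[assocDeny]=0,[phLogDetail]="
)

# One attribute is '[key]=value'. The value runs lazily up to the next ',[key]=' (or end of line),
# so a value such as the description above may contain commas and periods without being split.
PAIR_RE = re.compile(r'\[(?P<key>\w+)\]=(?P<val>.*?)(?=,\[\w+\]=|$)', re.S)

def _typed(v):
    """Integers and floats become numbers; everything else (including '') stays a string."""
    if re.fullmatch(r'-?\d+', v):
        return int(v)
    if re.fullmatch(r'-?\d+\.\d+', v):
        return float(v)
    return v

def parse_event(line):
    """Split '[EVENT_TYPE]:[k]=v,[k]=v,...' into (event_type, {k: v})."""
    head, sep, body = line.partition(']:')
    if not (sep and head.startswith('[')):
        raise ValueError('not a FortiSIEM attribute-format event')
    return head[1:], {m.group('key'): _typed(m.group('val')) for m in PAIR_RE.finditer(body)}

def ssid_findings(attrs):
    """Posture findings for one SSID event (an illustrative check, not a rule the product ships)."""
    findings = []
    ssid = attrs.get('wlanSsid')
    if attrs.get('authenMethod') == 'open':
        findings.append('open authentication on SSID %s' % ssid)
    if attrs.get('encryptAlgo') == 'none':
        findings.append('no encryption on SSID %s' % ssid)
    ok, bad = attrs.get('authSuccess', 0), attrs.get('authFailure', 0)
    if bad and bad > 5 * max(ok, 1):   # threshold is an assumption; tune per environment
        findings.append('auth failures (%d) far exceed successes (%d) on SSID %s' % (bad, ok, ssid))
    return findings

def review(line):
    """Parse a line and, for SSID performance events, return (event_type, findings)."""
    event_type, attrs = parse_event(line)
    return event_type, (ssid_findings(attrs) if event_type == 'PH_DEV_MON_RUCKUS_SSID_PERF' else [])
```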

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the Controller so that AccelOps can connect to it via SNMP.


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
