WIFI Statistics – WiFi client monitor

Statistics

WiFi client monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

To view connected WiFi clients on the FortiGate unit, go to Monitor > WiFi Client Monitor. The following columns display:

Column   Description
SSID   SSID that the client connected to, such as the tunnel, bridge, or mesh.
FortiAP   Serial number of the FortiAP unit that the client connected to.
User   Username if using WPA enterprise authentication.
IP   IP address assigned to the wireless client.
Device   Wireless client device type.
Channel   FortiAP operation channel.
Auth   Authentication type used.
Channel   WiFi radio channel in use.
Bandwidth Tx/Rx   Client received and transmitted bandwidth in Kbps.
Signal Strength/Noise   Signal-to-noise ratio in decibels calculated from signal strength and noise level.
Association Time   How long the client has been connected to this AP.
Device OS   Wireless device OS.
Manufacturer   Wireless device manufacturer.
MIMO   Wireless device MIMO information.

WiFi health monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

The Monitor > WiFi Health Monitor page displays the following charts:

  • Active Clients: Currently active clients on each FortiAP
  • AP Status: APs by status, sorted by those that have been up for over 24 hours, rebooted in the past 24 hours, and down/missing
  • Channel Utilization: Allows users to view the 10-20 most and least utilized channels for each AP radio, plus a third histogram view showing utilization counts
  • Client Count: Shows client count over time. Can be viewed for the past hour, day, or 30 days.
  • Login Failures: Time, SSID, hostname, and username for failed login attempts. The widget also displays the AP name and group of FortiAP units with failed login attempts.
  • Top Wireless Interference: Separate widgets for 2.4 GHz and 5 GHz bands. This requires spectrum analysis to be enabled on the radios.

WiFi maps

WiFi maps allow you to place FortiAP units on a map, such as an office floor plan. This allows you to know where the FortiAPs are and get their operating statuses at a glance.

To configure WiFi maps on the FortiOS GUI:

  1. Create a WiFi map:
    1. In FortiOS, go to WiFi & Switch Controller > WiFi Maps.
    2. Click Add Map.
    3. Specify the desired map name.
    4. Upload the image file.
    5. If desired, enable Image grayscale.
    6. Set the Image opacity.
  2. Place the FortiAP units on the map:
    1. Unlock the map by clicking the lock icon in the top left corner.
    2. Click Unplaced AP(s) beside the lock icon. This displays a list of candidate APs.
    3. Drag and drop the candidate FortiAPs from the list to the map as desired.
    4. Once all desired FortiAPs have been placed on the map, lock the map.
  3. Hover the cursor over a FortiAP icon to view the operating data per FortiAP unit.
  4. To configure AP settings, click the FortiAP icon for that unit.
  5. You can show numerical operating data on the FortiAP icons such as the client count, channel, operating TX power, and channel utilization using the options in the dropdown list above the map.

To configure WiFi maps using the FortiOS CLI:

You can only upload the WiFi map image file using the FortiOS CLI.

config wireless-controller region
    edit <MAP_NAME>
        set grayscale enable|disable
        set opacity 100 <0-100>
    next
end

config wireless-controller wtp
    edit <FAP_SN>
        set region <MAP_NAME>
        set region-x "0.419911" <0-1>
        set region-y "0.349466" <0-1>
    next
end

Fortinet Security Fabric

The following shows a simple network topology when using FortiAP as part of the Security Fabric:

The Security Fabric > Settings page on the root FortiGate lists all FortiAP devices on the CSF root and leaf.

The Security Fabric > Physical Topology view on the root FortiGate shows the devices in the Security Fabric and the devices they are connected to.

Wireless security

Enabling rogue AP scan

The guide provides simple configuration instructions for enabling ap-scan on FortiAP. The steps include creating a WIDS profile and selecting the WIDS profile on the managed FortiAP.

To enable rogue AP scan on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. Enable Enable Rogue AP Detection.
    3. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable rogue AP scan using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile
    edit "example-wids-profile"
        set ap-scan enable
    next
end

  2. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        set handoff-sta-thresh 55
        set ap-country US
        config radio-1
            set band 802.11n
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
        config radio-2
            set band 802.11ac
            set vap-all disable
        end
    next
end

Enabling rogue AP suppression

The guide provides simple configuration instructions for suppressing rogue APs on FortiAP. The steps include creating a WIDS profile and suppressing rogue APs.

To enable rogue AP suppression on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. For Sensor Mode, select Foreign and Home Channels.
    3. Enable Enable Rogue AP Detection.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP. The monitoring radio must be in Dedicated Monitor mode:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Select Dedicated Monitor on Radio 1 or Radio 2.
    4. Enable WIDS Profile. Select the profile created in step 1. Click OK.
  3. Suppress FortiAP:
    1. Go to Monitor > Rogue AP Monitor.
    2. Right-click the desired SSID, then select Mark as Rogue.
    3. Right-click the SSID again, then select Suppress AP.

To enable rogue AP suppression using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile
    edit "example-wids-profile"
        set sensor-mode both
        set ap-scan enable
    next
end

  2. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        config radio-1
            set mode monitor
            set wids-profile "example-wids-profile"
        end
    next
end

  3. Suppress FortiAP:

config wireless-controller ap-status
    edit 1
        set bssid 90:6c:ac:da:a7:f1
        set ssid "example-SSID"
        set status suppressed
    next
end

Wireless Intrusion Detection System

The guide provides simple configuration instructions for enabling a Wireless Intrusion Detection System (WIDS) profile on FortiAP.

To enable a WIDS profile on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. In the Name field, enter the desired name.
    3. Under Intrusion Detection Settings, enable all intrusion types as desired.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable a WIDS profile using the FortiOS CLI:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        set handoff-sta-thresh 55
        set ap-country US
        config radio-1
            set band 802.11n
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
        config radio-2
            set band 802.11ac
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
    next
end
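
The following is an added example, not part of the original guide or any Fortinet tooling: a Python check that parses a FortiOS configuration backup and lists FortiAP profile radios where rogue AP scanning is not in effect, covering both the rogue AP scan and WIDS profile procedures above. The sample configuration is constructed from the CLI shown on this page, the function names are hypothetical, and the check assumes the backup shows ap-scan explicitly when it is enabled.

```python
import shlex

# Constructed sample modeled on this page's rogue AP scan CLI example.
SAMPLE = """
config wireless-controller wids-profile
    edit "example-wids-profile"
        set ap-scan enable
    next
end
config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config radio-1
            set wids-profile "example-wids-profile"
        end
        config radio-2
            set band 802.11ac
        end
    next
end
"""

def parse_fortios(text):
    """Parse nested config/edit/set/next/end blocks into nested dicts."""
    stack = [{}]
    for tok in map(shlex.split, text.splitlines()):
        verb = tok[0] if tok else ""
        if verb in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif verb == "set" and len(tok) > 1:
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit_wids(cfg):
    """Yield (profile, radio, reason) for radios without effective ap-scan."""
    wids = cfg.get("wireless-controller wids-profile", {})
    for pname, prof in cfg.get("wireless-controller wtp-profile", {}).items():
        radios = {k: v for k, v in prof.items() if k.startswith("radio-") and isinstance(v, dict)}
        for rname, radio in radios.items():
            ref = radio.get("wids-profile")
            if ref is None:
                yield pname, rname, "no wids-profile"
            elif ref not in wids:
                yield pname, rname, "undefined wids-profile"
            elif wids[ref].get("ap-scan") != "enable":  # assumed explicit when on
                yield pname, rname, "ap-scan not enabled"

if __name__ == "__main__":
    print(list(audit_wids(parse_fortios(SAMPLE))))
```

On the sample, only radio-2 is reported, because it has no WIDS profile attached.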

This entry was posted in Administration Guides, FortiAP, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
