Inside FortiOS: AntiVirus

Inside FortiOS: AntiVirus

AntiVirus uses a suite of integrated security technologies to provide against a variety of threats, including both known and unknown malicious codes (Malware), plus Advanced Targeted Attacks (ATA), also known as Advanced Persistent Threats (APT).

Advanced protection against malware and APTs

Malware and Advanced Persistent Threats can cause significant damages to today’s organizations. These malicious codes are commonly designed to steal valuable data, gain unauthorized access, or cause products to degrade. FortiOS’s AntiVirus is an industry-proven anti-malware security solution with robust features and deployment options

FortiOS offers the unique ability to implement both Flow- and Proxy-based AV concurrently, depending on traffic type, users, and locations. Flow-based AV offers higher throughput performance while proxy-based solutions are useful in mitigating stealthy malicious codes. The AV detection capabilities are further enhanced with complementary security features and external sandbox integration.

By utilizing the unique Content Pattern Recognition Language (CPRL) built into the FortiASIC Content Processor, FortiOS is able to deliver high performance and low latency anti-malware capabilities. This real-time protection is backed by a team of worldwide researchers.

Highlights

  • Certification from multiple industries for best-in-class security and capacity with proven coverage and high performance.
  • Multi-layered protection with extended AV components and external file analysis integration. l Comprehensive remediation actions such as file quarantine and knowledge tools.

Key Features & Benefits

Robust feature set Allows the flexibility to deploy appropriate protection according to security needs and infrastructure designs.
High performance utilizing FortiASIC and patented CPRL AV signatures Low latency and high capacity ensures that business applications are not affected while security is enforced.
Backed by FortiGuard Labs that deliver real-time protection Critical digital assets are covered by continuous protection against latest threats.

 

Features

Industry’s validated protection

FortiOS anti-malware components and FortiGuard AV signatures periodically undergo numerous authoritative certifications. These independent certifications demonstrate that the solution offered is of the highest standard in performance and accuracy, ensuring organizations are truly protected.

Fortinet has been consistently ranked among the top vendors for Virus Bulletin’s RAP (Reactive And Proactive) bimonthly tests. This test measures a product’s detection rates over the freshest samples available, as well as samples not seen until after product databases are frozen, thus reflecting both the vendor’s ability to handle the huge quantity of newly emerging malware and accurately detect previously unknown malware.

Real time protection

The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content-level threats via the experienced FortiGuard global network is backed by over 200 researchers. With the release of FortiOS 5.6, botnet protection is part of the FortiGuard AntiVirus contract.

FortiGuard AV service quick facts

l 95,000 malware programs neutralized per minute l 1.8 Million new and updated AV definitions per week l Hourly updates of the AV signature database l 190 TB of threat samples till date

Organizations can also engage the FortiGuard Premier Signature Service, which provides enhanced virus detection and threat analysis support. This service offers submissions for custom AntiVirus signatures on a daily basis, offering prioritized support with guaranteed response times. With the release of FortiOS 5.6, botnet protection is part of the FortiGuard AntiVirus contract.

Unique proxy- and flow-based AV

FortiOS offers organizations the flexibility to select the most appropriate inspection method for different network sessions. This can be implemented by defining policies that match specific source objects (IP, IP ranges, users, and devices), destination objects, applications, and schedules with different AV profiles.

 

Flow-based AV relies on IPS technology where packets are inspected in real-time and matched against the AV signature database. It offers lower latency and higher throughput than Proxy-based AV. Flow-based AV is recommended for inspecting traffic that requires spontaneous user experience or when serving as an additional AV protection layer.

FortiOS’s Proxy-based AV offers the most secure AV protection as it’s able to inspect more protocols and provides replacement messages on wider range of applications.

AV acceleration with Content Processor

The FortiASICS Content Processor (CP) accelerates content processing traditionally performed completely by the CPU. The CP reduces the resources required by the CPU when matching an incoming file against the signature database, thus improving system performance and stability.

Proactive protection using patented CPRL

Compact Pattern Recognition Language (CPRL) is a patented and proprietary programming language that allows for further inspection of common patterns to not only protect against threats and their variants but also to predict tomorrow’s zero-day malware. It allows FortiGuard analysts to describe entire families of malware with a single program, instead of the traditional signature- based “one signature, one variant” model used by other vendors. With fewer signatures to match, throughput performance and latency naturally improve.

Intelligent behavioral evaluation

Signature-based security alone is no longer sufficient; it is now critical to understand how devices on your network are behaving. Threat Weight scoring provides a cumulative security ranking of each client device on your network based on a range of behaviors. It provides specific, actionable information that helps identify compromised systems and potential zero-day attacks in real-time.

This unique system attaches predefined scores to various malicious network activities discovered by IPS, application control, URL filtering, etc., to determine the top suspicious users. Administrator can then further inspect these users to undercover unknown threats or APTs via FortiView.

External file analysis integration

FortiOS offers organizations the ability to adopt robust ATP (Advanced Threat Protection) framework that reaches mobile users and branch offices, detecting and preventing advanced attacks that may bypass traditional defenses by examining files from various vectors, including encrypted files. To detect unknown threats, zero-day, and targeted attacks, the FortiGate can engage external resources to perform additional file analysis. Files can be submitted to an on- premise appliance (FortiSandbox) or cloud-based service (FortiSandbox Cloud) after both proxy-based and flow- based AV processing.

It is also possible to configure the FortiGate to automatically receive dynamic signature updates from FortiSandbox and add the originating URL of any malicious file to a blocked URL list. In addition, if the organization deploys integrated endpoint control with FortiClient, an administrator can instruct an infected terminal to self-quarantine.

 

File filtering

File filtering using data leak prevention (DLP) on the FortiGate offers an effective ways to stop unwanted file transmission instantly. Administrators may implement granular file controls by defining protection profiles using filenames or nearly 50 different file types over mail, web, and file download protocols.

File quarantine

FortiOS offers sophisticated file quarantine capabilities that allow organizations to archive suspicious or blocked files for further examination or to release false positives.

Anti-bot

Organizations may prevent, uncover, and block botnet activities using FortiOS Anti-Bot traffic pattern detection and domain and IP reputation services supplied in real-time by FortiGuard threat experts.

User notification

User notifications are helpful in reducing administration and support burdens, as well as providing user education. FortiOS is able to automatically replace blocked attachments and downloads with detailed information sent to Email, FTP, or web users.

Monitoring, logging, and reporting

FortiOS empowers organizations to implement security best practices that require continuous examination of their threat status and adaptation to new requirements. The FortiView widgets provide useful analysis data with detailed and contextual session information, which can be filtered, ranked, and further inspected. System events can also be archived via logs, which in turn can generate useful trending and overview reports.

FortiOS also offers robust in-built E-mail and SMS alert systems, as well as integration with external threat management systems using SNMP and standard-based Syslogs.

Inside FortiOS: Application Control

Inside FortiOS: Application Control

Application control technologies detect and take action against network traffic based on the application that generated the traffic. Application control uses protocol decoders with signatures that analyze network traffic to detect application traffic, even if the traffic uses nonstandard ports or protocols.

Enhance control and network visibility

Controlling and monitoring applications on a network can seem like a daunting task due to the wide range of available applications. It is no longer an option to simply block or allow TCP and/or UDP ports since most applications do not map to individual ports. For example, controlling traffic on an HTTP or HTTPS port is futile against complex social networking sites and cloud applications.

FortiOS leverages its massive application database to identify applications and their activities while still providing a suitable and sufficient user experience, thanks to FortiASIC Content Processors (CPs), which boost CPU performance. Organizations can adopt more granular control, such as allowing logins but not chatting over selected sites. Traffic shaping may also be applied to the application traffic that is allowed. After applying control measures, continuous monitoring ensures that the measures are effective and allow for changes in application traffic patterns to be managed.

Highlights

  • Superior performance using the unique FortiASIC Content Processor that offloads heavy computation from the CPU.
  • Flexible implementation with robust deployment modes and granular controls. l Excellent visibility and management tools that help administrators improve security.
  • Application control is a standard part of any FortiCare support contract and the database for Application Control signatures is separate from the IPS database. Access to the database no longer requires a FortiGuard IPS subscription.
  • Supports detection for traffic using HTTP protocol (versions 1.0, 1.1, and 2.0).
  • Ability to configure application control by adding individual applications or application categories to security policies when operating in flow-based inspection and NGFW policy-based mode.

Key features & benefits

Identifies and controls application traffic Allows organization to strengthen security policies by controlling evasive application communications.

Inside FortiOS: Application Control

Leverages FortiGate’s hardware acceleration and software optimization Offers more security without compromising performance.
Granular control and integration with other FortiOS capabilities Provides administrators the ability to implement the most appropriate configuration for any given organization.

Features

NSS Labs “Recommend” rating for Next Generation Firewall

Fortinet’s entry into the NSS Labs Next Generation Firewall Group Test in 2013, 2014 and 2016 received the “Recommend” rating, placing it as one of the top performing systems. NSS Labs uses respectable real-world testing methodologies to measure Next Generation Firewall protection and performance, including application control.

Superior performance with unique hardware architecture

Unlike a traditional security gateway, which relies heavily on CPUs for packet inspection, the FortiGate’s unique hardware architecture allows FortiOS to automatically utilize appropriate hardware components to achieve optimal performance. This prevents the CPU from becoming a bottleneck as it performs various functions concurrently.

In support of application control, the Content Processor (CP) is a specialized ASIC chip that handles demanding cryptographic computation for SSL inspection and intensive signature matching. By offloading these processes from the CPU, the FortiGate is able to minimize performance degradation when administrators opt for greater security.

Robust deployment modes

FortiOS supports a wide array of network protocols and operating modes, allowing administrators to deploy the most appropriate security for their unique IT infrastructure. FortiOS also supports a variety of routing and switching protocols.

The FortiGate is able to operate in inline route and transparent mode. It can also operate in offline sniffer mode for passive monitoring of user activities. These different operating modes run concurrently by using virtual systems.

 

Protection at the edge

With today’s BYOD and mobile workforce environment, it is no longer wise to deploy control just at the Internet gateway. Through Fortinet Security Fabric, FortiOS unique wireless and switch controller feature allows organizations to implement better visibility and protection closer to internal devices. Moreover, with FortiClient, administrators can also apply similar policies when mobile users are outside of the protected networks.

Advanced application detection and control

By relying on the FortiOS 3rd Generation IPS engine, the FortiGate is able to inspect many of today’s encrypted and evasive traffic, as well as traffic running on new technologies, such as SPDY protocol. The inspection can be applied to both network and IPsec/SSL VPN traffic.

An application and its specific activity are identified using FortiGuard’s Application Control database of over 2,500 distinct signatures. These signatures are crafted by researchers across the globe to include applications that may be unique to platforms, regions, and/or languages. It also offers specific application activity identification, such as a Facebook posting or Dropbox file sync. The database is kept up to date via scheduled or manual downloads.

The application database is classified into 20 intuitive categories for ease of use. Administrators may also create specific application overrides that differ from the category settings. These specific applications can be filtered and selected by type of behavior, risk levels, technology type, application vendor and popularity.

Administrators may also apply advanced controls, such as setting up session TTLs for specific applications using CLI commands.

Traffic shaping

Organizations may better utilize bandwidth and protect critical applications by enforcing granular application usage with traffic shaping. Administrators can create various traffic shaping profiles by defining traffic priority and maximum or guaranteed bandwidth. These profiles can then be assigned to targeted applications.

User notification

User education is central to an effective security implementation. In response to this, FortiOS lets you provide user notification when blocking an unauthorized application. The notification appears as an HTML block page for web-based applications.

Advanced notification is possible by implementing Fortinet’s browser-embedded frame. And when “off-net” users are denied access, notifications appear via FortiClient’s notification pop-ups.

Deep inspection for cloud applications

The prevalence of cloud applications like Dropbox poses a security challenge to today’s organizations. Using

FortiOS’s deep inspection for popular cloud applications, administrators gain deep and useful insights, via FortiView and logs, into activities associated with these applications, such as user IDs, cloud actions, file names, and file sizes. For popular video sites, FortiOS will also be able to track video files viewed.

Inside FortiOS: Application Control

SSL inspection for encrypted traffic

SSL (Secure Sockets Layer) is a popular encryption standard used to protect Internet traffic but may also be used to evade traditional inspection. FortiOS enables organizations to adopt effective application control even when traffic is encrypted.

Unique hardware components and software optimizations can decrypt traffic with minimal performance impact. The inspection can easily omit sensitive communications, such as financial transaction (thereby complying with privacy policies), or bypass applications that forbid SSL inspection by using granular policy settings.

Monitoring, logging, and reporting

FortiOS empowers organization to implement security best practices that require continuous examination of threat statuses and the ability to adapt to new requirements.

The FortiView widgets provide useful analyses with detailed and contextual session information that can be filtered, ranked, and further inspected. For example, an administrator can instantly query the top applications that are currently consuming bandwidth and drill down to identify their users and help decide if such activities should be blocked.

Network, threat, and system events activities can be archived via syslogs. In turn, these logs can generate useful trending and overview reports.

Lastly, the FortiOS offers robust in-built email and SMS alert systems. Meanwhile, integration with external threat management systems can be achieved with SNMP and standard-based syslogs.

 

Recipes

Visit cookbook.fortinet.com for these and other recipes:

l NGFW policy-based mode

 

Inside FortiOS: Intrusion Prevention System (IPS)

Inside FortiOS: Intrusion Prevention System (IPS)

Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.

World class next generation IPS capabilities

Today, sophisticated and high volume attacks are the challenges that every organization must recognize. These attacks are evolving, infiltrating ever-increasing vectors and complex network environments. The result is an urgent need for network protection while maintaining the ability to efficiently provide demanding services and applications.

FortiOS’s IPS functionality is an industry-proven network security solution that scales up to over 200 Gbps of inline protection. Powered by purpose-built hardware and FortiASICs, FortiOS is able to achieve attractive TCO while meeting performance requirements. IPS is easy to set up, yet offers feature-rich capabilities, with contextual visibility and coverage. It is kept up-to-date by research teams that work 24 hours a day worldwide, in order to detect and deter the latest known threats as well as zero-day attacks.

Highlights

  • Validated best-in-class security and capacity with proven coverage and high performance.
  • Comprehensive protection provided by a signatures-based IPS engine, protocol anomaly scanning, and DDOS mitigation. l Flexible deployment options and actionable implementations for a wide array of network integration and operation requirements.

Key features & benefits

High Performance IPS, powered by FortiASIC Low latency and high capacity ensure business applications are not affected while security is enforced.
Best-in-class security with superior coverage Protects critical digital resources from both internal exploits and external cybercriminals, even if sophisticated attacks are crafted.
Backed by FortiGuard Labs that deliver real-time

protection

Maintains up-to-date and proactive protection against latest known threats and newly discovered hacking techniques while allowing time for organizations to patch vulnerable systems.

Features                                                                                      Inside FortiOS: Intrusion Prevention System (IPS)

Features

Tested and proven protection

Not only have FortiGates been deployed in some of the largest enterprises in the world since 2002, FortiOS IPS components and FortiGuard IPS signatures are periodically tested and certified by well-known external labs. For example, Fortinet’s FortiGate 3000D earned the highest ratings for Security Effectiveness, blocking 99.9 percent of exploits in the recent NSS Labs DCIPS test. These independent certifications ensure that solutions delivered to

customers are of the highest standards in performance, coverage, and accuracy.

Real-time & zero-day protection

The FortiGuard Intrusion Prevention Service (IPS) provides customers with the latest defenses against stealthy network-level threats through a constantly updated database of known threats and behavior-based signatures.

FortiGuard IPS service quick facts

l     Over 10,000 signatures consisting of 18,000 rules l Approximately 470,000 network intrusion attempts resisted per

minute

l     About 1,000 rules are updated or added per week l Over 300 Zero-day vulnerabilities discovered to date

This update service is backed by a team of threat experts and a close relationship with major application vendors. The best-in-class team also uncovers significant zero-day vulnerabilities continuously, providing FortiGate units with advanced protection ahead of vendor patches.

Uncompromised performance

The FortiASICS Content Processor (CP) accelerates content processing, which is traditionally done completely by the CPU. The CP reduces the resources required by the CPU when matching an incoming file against the signature database, thus improving system performance and stability.

Protocol decoders and anomaly detection

Protocol decoders are required to assemble the packets and detect suspicious, nonconforming sessions that resemble known attacks or are non-compliant to RFC or standard implementation.

FortiOS offers one of the most comprehensive arrays of protocol decoders in the industry, providing customers with significantly wide coverage in all kinds of environments.

Pattern & rate-based signatures

The pattern signature matching technique is essential in IPS implementation due to its high level of precision and accuracy. FortiOS offers administrators robust pattern signature selection using filters based on severity, target, operating system, application, and protocol. Each of the 10,000+ signatures has a direct link to its detailed entry on the threat encyclopedia and CVE-ID references. After selection, administrators are able to assign associated actions such as monitoring, blocking, or resetting the session.

Rate-based IPS signatures protect networks against application based DoS and brute force attacks.

Administrators can configure nearly 30 rate-based IPS signatures and tune them to their needs. Threshold (incidents per minute) and an action to take when the threshold is reached can be assigned to each signature. If the action is set to block, then a timeout period can be set so that the block is removed after a specified duration.

DoS and DDoS mitigation

DoS policies can help protect against DDoS attacks that aim to overwhelm server resources. In FortiOS, the DoS scans precede the policy engine at the incoming interfaces, thus eliminating unnecessary sessions from the firewall process and state table entry during a surge of attack traffic. This helps to safeguard the firewall from overloading and allows it to perform optimally.

FortiOS DoS policies can be configured to detect and block floodings, port scans, and sweeps. Administrators can set baselines for the amount of concurrent sessions from sources or to destinations. The settings utilize thresholds and can be applied to UDP, TCP, ICMP, IP, and SCTP.

Network interfaces associated with a port attached to a Network Processor (NP) can be configured to offload anomaly checking, further offloading the CPU for greater performance. Some of the anomaly traffic dropped includes LAND attacks, IP protocol with malformed options, and WinNukes.

Quarantine attacks

FortiOS offers sophisticated automatic attack quarantine capabilities which allow organizations to proactively prevent further attacks from known attackers over a predefined duration. Quarantining by duration can be used to protect potentially vulnerable servers until more permanent defense.

Packet logging

Administrators may choose to automatically perform IPS packet logging, which saves packets for detailed analysis when an IPS signature is matched. Saved packets can be viewed and analyzed on the FortiGate unit or by using third-party analysis tools. Packet logging is also useful in determining false positives.

Custom signatures

Custom IPS signatures can be created to further extend protection. For example, you can use custom IPS signatures to protect unusual or specialized applications, or even custom platforms from known and unknown attacks.

Organizations may use FortiConverter to easily convert Snort signatures for FortiOS use.

Resistant against evasions

Evasion techniques attempt to fool the protocol decoders in IPS products by crafting exotic network streams that would not be handled or reconstructed by the decoders, yet still be valid enough for the target recipient to process. Robust IPS engine is capable of handling both common evasions and sophisticated AETs (Advanced Evasion Techniques) deployed by hackers such as IP Packet Fragmentation, TCP Stream Segmentation, RPC Fragmentation, URL & HTML Obfuscation, and other protocol specific evasion techniques.

Intrusion detection mode

In out-of-band sniffer mode (or one-arm IPS mode), IPS operates as an Intrusion Detection System (IDS), detecting attacks and reporting them but not taking any action against them. In sniffer mode, the FortiGate unit does not process network traffic and instead is connected to a spanning or mirrored switch port, or a network tap. If an attack is detected, log messages can be recorded and alerts sent to system administrators.

Traffic bypass

Since most IPS deployments are in transparent inline mode, active traffic bypass is often desired until normal operation of the device resumes. Some FortiGates offer inbuilt active bypass interfaces while others may use external bypass devices such as the FortiBridge. Administrators are also offered with software fail-open option to tackle instances where the IPS engine fails.

Monitoring, logging, and reporting

FortiOS empowers organizations to implement security best practices that require continuous examination of their threat status and adaptation to new requirements. The FortiView query widgets provide useful analysis data with detailed and contextual session information, which can be filtered, ranked, and further inspected. System events can also be archived via logs, which in turn can generate useful trending and overview reports.

 

FortiWLC – Appendix

Appendix

Captive Portal and Fortinet Connect Deployment Recommendations

These are the deployment recommendations.

DNS Entry

It is mandatory to enter the DNS while creating internal DHCP profile.

External Portal IP Configuration

If a NAT device is located between the controller and the Fortinet Connect, the IP address with which Fortinet Connect sees the controller should be configured under Device > RADIUS Clients page in Fortinet Connect Admin portal (http://<fortinetconnect-ip-address>/admin) . Select the RADIUS client and enter the controller IP address in the Client tab. The Fortinet Connect Automatic Setup then configures the controller correctly and ensures that the correct controller IP address is configured on Fortinet Connect.

Remember Me settings

In the Portal Settings step of the Guest Portal configuration wizard, if you choose to enable

Remember Credentials, then select “Initially attempt to use a cookie, if this fails try the MAC address” option. This removes the dependency on the client’s browser and security settings.

SmartConnect Certificate download

In the Certificates step of the Smart Connect Profile Wizard, ensure that you select the complete certificate chain of your uploaded certificate. If all certificates in the chain (from root to server) have been uploaded, then selecting the server certificate will automatically select the entire certificate chain.

  • To upload the server certificates, go to Server > SSL Settings > Server Certificate
  • To upload rest of the chain, go to Server > SSL Settings > Trusted CA Certificates

Captive Portal and Fortinet Connect Deployment Recommendations

IP Prefix Validation

In a situation where a station with an IP address from a different subnet connects to the controller, it can result in various network issues including outage. A new field, IP Prefix Validation is added to the ESS Profile and Port Profile configuration page. When enabled, stations with different subnet are prevented from connecting to the controller. By default, IP Prefix Validation in ESS Profile is ON and in Port Profile it is OFF.

IP Prefix Validation must be disabled if the ESS profile is used for RAC.

IP Prefix Validation

A Glossary

This glossary contains a collection of terms and abbreviations used in this document. A B C D E F G H I J K L M N O P Q R S T U V W X Y

Numerals

10BaseT An IEEE standard (802.3) for operating 10 megabits per second (Mbps) Ethernet networks (LANs) over twisted pair cabling and using baseband transmission methods.
100baseT A Fast Ethernet standard (802.3u) that allows up to 100 Mbps and uses the CSMA/CD LAN access method.
3DES Triple Des. A Data Encryption Standard (DES) that uses three 64-bit encryption key, and therefore is three times longer than that used by DES.
802.11 802.11, or IEEE 802.11, is a radio technology specification used for Wireless Local Area Networks (WLANs). 802.11 defines the mobile (wireless) network access link layer, including 802.11 media access control (MAC) and different Physical (PHY) interfaces. This standard defines the protocol for communications between a wireless client and a base station as well as between two wireless clients.

The 802.11 specification, often called Wi-Fi, is composed of several standards operating in different radio frequencies, including the 2.4 GHz (802.11 b and g) and 5 GHz (802.11a) unlicensed spectrums. New standards are emerging within the 802.11 specification to define additional aspects of wireless networking.

802.11a A supplement to 802.11 that operates in the 5 GHz frequency range with a maximum 54 Mbps data transfer rate. The 802.11a specification offers more radio channels than the 802.11b and uses OFDM. The additional channels ease radio and microwave interference.
802.11b International standard for wireless networking that operates in the 2.4 GHz frequency range (2.4 GHz to 2.4835 GHz) and provides a throughput of up to 11 Mbps. This common frequency is also used by microwave ovens, cordless phones, medical and scientific equipment, as well as Bluetooth devices.

529

 

802.11e An IEEE specification for providing Quality of Service (QoS) in 802.11 WLANs. 802.11e is a supplement to the IEEE 802.11 and provides enhancements to the 802.11 MAC layer supplying a Time Division Multiple Access (TDMA) construct and error-correcting mechanisms that aid delay-sensitive applications such as  and video.
802.11g Similar to 802.11b, this standard operates in the 2.4 GHz frequency. It uses OFDM to provide a throughput of up to 54 Mbps.
802.11i Supports the 128-bit Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) along with 802.1X authentication and key management features for increased WLAN security capabilities.
802.11j Provides enhancements to the current 802.11 standard to support the 4.9GHz – 5GHz band for operations in Japan.
802.11k Due for ratification in 2005, the 802.11k Radio Resource Management standard will provide measurement information for access points and switches to make Wireless LANs run more efficiently.
802.11n An emerging standard aimed at providing greater than 100 Mbps of throughput in a wireless environment.
802.11r A specification under development to improve a wireless client’s ability to roam across wireless networks.
802.16 A specification for fixed broadband wireless metropolitan access networks (MANs) that uses a point-to-multipoint architecture. The standard defines the use of bandwidth between the licensed 10GHz and 66GHz bands and between the 2GHZ and 11GHz (licensed and unlicensed) frequency ranges. 802.16 supports very high bit rates for a distance of approximately 30 miles.
802.1X

A

Wireless LAN security implementation that uses port-based authentication between an operating system and the network access device, meant to increase security in user authentication by using RADIUS, Extensible Authentication Protocol (EAP), and LDAP.
AAA authentication, authorization, and accounting (triple A). An IP-based system for providing services to ensure secure network connections for users. The system requires a server such as a RADIUS server to enforce these services.
access point A device that is managed by a controller and that allows stations such as cellular phones or laptops to communicate wirelessly with the Wireless LAN System.
accounting Services that track the resources a user session uses such as amount of time logged on, data transferred, resources, etc. Accounting services are typically used for billing, auditing, analysis, etc.

 

 

ACL Access Control List. A list kept by the controller to limit access of station to the WLAN. The ACL can be a permit, deny, or RADIUS Server list of MAC addresses of the NIC device within the station. An ACL is controller by the configured state, either enabled or disabled.
AES Advanced Encryption Standard. An encryption standard that uses a symmetric encryption algorithm (Rijndael). AES was chosen by the National Information and Standards Institute (NIST) as the Federal Information Processing Standard (FIPS).
Air Traffic

Control

Fortinet technology that exercises a high degree of control over all transmissions within a wireless network. Unlike superficially similar technologies from other vendors, Air Traffic Control technology coordinates uplink and downlink transmissions on a single 802.11 channel in such a manner that the effects of co-channel and adjacent channel interference are eliminated and all access points on a network can share a single radio channel. It also load balances traffic across channels when using Channel Layering, ensuring that each channel
ATS Access Transaction Station. Alternative term for access point.
attenuation The reduction of RF signal strength due to the presence of an obstacle, such as a wall or person. The amount of attenuation caused by a particular object will vary depending upon its composition.
authentication The process of identifying a user, usually based on a username and password, but can also be a MAC address.
authorization

B

The process of granting or denying a user access to network resources once the user has been authenticated through the username and password.
backbone The central part of a large network that links two or more subnetworks and is the primary path for data transmission for a large business or corporation. A network can have a wired backbone or a wireless backbone.
bandwidth The amount of transmission capacity that is available on a network at any point in time. Available bandwidth depends on several variables such as the rate of data transmission speed between networked devices, network overhead, number of users, and the type of device used to connect PCs to a network. It is similar to a pipeline in that capacity is determined by size: the wider the pipe, the more water can flow through it; the more bandwidth a network provides, the more data can flow through it. Standard 802.11b provides a bandwidth of 11 Mbps; 802.11a and 802.11g provide a bandwidth of 54 Mbps. These are the raw capabilities of the network. Many things conspire to reduce these values, including protocol overhead, collisions, and implementation inefficiencies.
base station A term in cellular networking that refers to a radio transmitter/receiver that maintains communications with mobile radiotelephone sets within a given range (typically a cell site).

 

bps bits per second. A measure of data transmission speed over communication lines based on the number of bits that can be sent or received per second. Bits per second-bps-is often confused with bytes per second-Bps. 8 bits make a byte, so if a wireless network is operating at a bandwidth of 11 megabits per second (11 Mbps or 11 Mbits/sec), it is sending data at 1.375 megabytes per second (1.375 MBps).
bridge A product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, wireless, Ethernet or token ring). Wireless bridges are commonly used to link buildings in campuses.
BSC Base Station Controller. Manages radio resources and controls handoff between cells. May also contain the transcoder for compressing/uncompressing  between cellular network and the Public Switched Telephone Network (PSTN).
BSSID

C

Basic Service Set Identifier is a means of uniquely identifying an access point, usually intended for machine use rather than human use. A 48-bit Ethernet MAC address is used to identify an 802.11 wireless service. In a Virtual Cell, all same-channel APs may appear to have the same BSSID, thus virtualizing the network from the client’s perspective. When Virtual Ports are used, each client sees a different BSSID, appearing to get its own private AP. See also ESSID.
Co-channel Interference Radio interference that occurs when two transmitters use the same frequency without being closely synchronized. Legacy wireless systems cannot achieve this kind of synchronization, so access points or cell towers that transmit on one channel must be spaced far apart. The result is coverage gaps that must be filled in with radios tuned to another channel, resulting in an inefficient and complex microcell architecture. Air Traffic Control technology avoids cochannel interference by tightly synchronizing access point transmissions, enabling that adjacent APs to use the same channel.
Channel Bonding The combination of two non-overlapping 20 MHz. channels into a single 40 MHz. channel, doubling the amount of data that can be transmitted in a given time but halving the number of available channels. Along with MIMO, it is a key innovation in the 802.11n standard.
Channel Layering Wireless LAN architecture in which several Virtual Cells are located in the same physical space but on non-overlapping channels, multiplying the available capacity. This additional capacity can be used for redundancy or to support higher data rates or user density. It can be enabled through multiple radios on one AP or by using multiple AP close together, so the total capacity is limited only be the number of non-overlapping channels available.
Channel Reuse A pattern in which different APs can use the same channel. In microcell networks, such APs need to be placed far apart to avoid co-channel interference, meaning that contiguous coverage requires multiple channels. In networks using Air Traffic Control technology, the same

channel can be reused throughout the network, meaning that only one channel is required and others are left free for other purposes.

CHAP Challenge Handshake Authentication Protocol. An authentication protocol that defines a three-way handshake to authenticate a user. CHAP uses the MD5 hash algorithm to generate a response to a challenge that can be checked by the authenticator.
CLI Command-line interpreter. On a controller and other units, this is similar to a command shell for giving instructions.
client Any computer connected to a network that requests services (files, print capability) from another member of the network.
client

devices

Clients are end users. Wi-Fi client devices include PC Cards that slide into laptop computers, mini-PCI modules embedded in laptop computers and mobile computing devices, as well as USB radios and PCI/ISA bus Wi-Fi radios. Client devices usually communicate with hub devices like access points and gateways.
collision avoidance A network node characteristic for proactively detecting that it can transmit a signal without risking a collision.
controller A device that is responsible for configuring and integrating the access points in a WLAN.
CSMA-CA CSMA/CA is the principle medium access method employed by IEEE 802.11 WLANs. It is a “listen before talk” method of minimizing (but not eliminating) collisions caused by simultaneous transmission by multiple radios. IEEE 802.11 states collision avoidance method rather than collision detection must be used, because the standard employs half duplex radiosradios capable of transmission or reception-but not both simultaneously.
CSMA/CD

D

A method of managing traffic and reducing noise on an Ethernet network. A network device transmits data after detecting that a channel is available. However, if two devices transmit data simultaneously, the sending devices detect a collision and retransmit after a random time delay.
dBm A measurement of relative power (decibel) related to 1 milliwatt (mW).
Denial of Service (DoS) A condition in which users are deliberately prevented from using network resources.
DES Data Encryption Standard. A symmetric encryption algorithm that always uses 56 bit keys. It is rapidly being replaced by its more secure successor, 3DES.
DHCP A utility that enables a server to dynamically assign IP addresses from a predefined list for a predefined time period, limiting their use time so that they can be reassigned. Without DHCP, IP addresses would have to be manually assigned to all computers on the network. When

DHCP is used, whenever a computer logs onto the network, it automatically is assigned an IP address.

DNS A program that translates URLs to IP addresses by accessing a database maintained on a collection of Internet servers. The program works behind the scenes to facilitate surfing the Web with alpha versus numeric addresses. A DNS server converts a name like mywebsite.com to a series of numbers like 107.22.55.26. Every website has its own specific IP address on the Internet.
DSL

E

Various technology protocols for high-speed data,  and video transmission over ordinary twisted-pair copper POTS (Plain Old Telephone Service) telephone wires.
EAP Extensible Authentication Protocol. An extension to PPP. EAP is a general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.
EAP-TLS Extensible Authentication Protocol with Transport Layer Security. EAP-TLS supports mutual authentication using digital certificates. When a client requests access, the authentication server responds with a server certificate. The client replies with its own certificate and also validates the server certificate. The certificate values are used to derive session encryption keys.
EAP – TTLS Extensible Authentication Protocol with Tunneled Transport Layer Security. EAP-TTLS uses a combination of certificates and password challenge and response for authentication within an 802.1X environment. TTLS supports authentication methods defined by EAP, as well as the older Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), and MS-CHAPV2.
encryption key An alphanumeric (letters and/or numbers) series that enables data to be encrypted and then decrypted so it can be safely shared among members of a network. WEP uses an encryption key that automatically encrypts outgoing wireless data. On the receiving side, the same encryption key enables the computer to automatically decrypt the information so it can be read.
enterprise A term that is often applied to large corporations and businesses. The enterprise market can incorporate office buildings, manufacturing plants, warehouses and R&D facilities, as well as large colleges and universities.
ESSID Extended Service Set Identifier (ID). The identifying name of an 802.11 wireless network, which is a string of up to 32 characters that is intended to be viewed by humans. When you specify an ESSID in your client setup, you ensure that you connect to your wireless network rather than another network in range.

A set of access points can share an ESSID. In this case, a station can roam among the access points.

Ethernet

F

International standard networking technology for wired implementations. Basic 10BaseT networks offer a bandwidth of about 10 Mbps. Fast Ethernet (100 Mbps) and Gigabit Ethernet (1000 Mbps) are becoming popular.
FCC Federal Communications Commission. The United States’ governing body for telecommunications law.
firewall A system that secures a network and prevents access by unauthorized users. Firewalls can be software, hardware or a combination of both. Firewalls can prevent unrestricted access into a network, as well as restrict data from flowing out of a network.
Fourth

Generation

G

Term coined by analyst firm Gartner to describe a wireless LAN system in which the controller governs handoffs, such as one utilizing Virtual Cells. This is contrasted with third generation (micro-cell architecture) systems, in which the controller is only responsible for managing access points and clients must decide for themselves when to initiate a handoff. Second generation systems lacked a controller altogether and were designed for standalone operation, whereas the first generation used proprietary, non-802.11 systems.
gain The ratio of the power output to the power input of an amplifier in dB. The gain is specified in the linear operating range of the amplifier where a 1 dB increase in input power gives rise to a 1 dB increase in output power.
gateway

H

In the wireless world, a gateway is an access point with additional software capabilities such as providing NAT and DHCP. Gateways may also provide VPN support, roaming, firewalls, various levels of security, etc.
Handoff The transfer of a link from one access point to another as a client moves through a network. In legacy microcell networks, Wi-Fi clients are responsible for handoff, meaning that the quality of the link and the overall network performance is dependent on each client’s implementation of 802.11 roaming algorithms. In Virtual Cell and Virtual Port networks, the network itself governs handoffs as clients remain connected to a single virtual AP.
hub A multiport device used to connect PCs to a network via Ethernet cabling or via Wi-Fi. Wired hubs can have numerous ports and can transmit data at speeds ranging from 10 Mbps to multigigabyte speeds per second. A hub transmits packets it receives to all the connected ports. A

small wired hub may only connect 4 computers; a large hub can connect 48 or more. Wireless hubs can connect hundreds.

Hz

I

The international unit for measuring frequency, equivalent to the older unit of cycles per second. One megahertz (MHz) is one million hertz. One gigahertz (GHz) is one billion hertz. The standard US electrical power frequency is 60 Hz, the AM broadcast radio frequency band is 535-1605 kHz, the FM broadcast radio frequency band is 88-108 MHz, and Wireless 802.11b LANs operate at 2.4 GHz.
IP number Also called an IP address. A 32-bit binary number that identifies senders and receivers of traffic across the Internet. It is usually expressed in the form nnn.nnn.nnn.nnn where nnn is a number from 0 to 256.
identitybased networking A concept whereby WLAN policies are assigned and enforced based upon a wireless client’s identity, as opposed to its physical location. With identity networking, wireless devices need only authenticate once with a WLAN system. Context information will follow the devices as they roam, ensuring seamless mobility.
IEEE Institute of Electrical and Electronics Engineers. (www.ieee.org) A membership organization that includes engineers, scientists and students in electronics and allied fields. It has more than 300,000 members and is involved with setting standards for computers and communications.
IEEE 802.11 A set of specifications for LANs from The Institute of Electrical and Electronics Engineers (IEEE). Most wired networks conform to 802.3, the specification for CSMA/CD based Ethernet networks or 802.5, the specification for token ring networks. 802.11 defines the standard for Wireless LANs encompassing three incompatible (non-interoperable) technologies: Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS) and Infrared. WECA’s focus is on 802.11b, an 11 Mbps high-rate DSSS standard for wireless networks.
infrastructure mode A client setting providing connectivity to an AP. As compared to Ad-Hoc mode, whereby PCs communicate directly with each other, clients set in Infrastructure Mode all pass data through a central AP. The AP not only mediates wireless network traffic in the immediate neighborhood, but also provides communication with the wired network. See Ad-Hoc and AP.
IP Internet Protocol. A set of rules used to send and receive messages at the Internet address level.
IP telephony Technology that supports , data and video transmission via IP-based LANs, WANs, and the Internet. This includes VoIP ( over IP).
IP address A 32-bit number that identifies each sender or receiver of information that is sent across the Internet. An IP address has two parts: an identifier of a particular network on the Internet and

an identifier of the particular device (which can be a server or a workstation) within that network.

IPSec                       IPSec is a security protocol from the Internet Engineering Task Force (IETF) that provides authentication and encryption. IPsec, which works at Layer 3, is widely used to secure VPNs and wireless users. Some vendors, like Airespace, have implemented special WLAN features that allow IPsec sessions to roam with clients for secure mobility.

ISDN A type of broadband Internet connection that provides digital service from the customer’s premises to the dial-up telephone network. ISDN uses standard POTS copper wiring to deliver , data or video.

ISO network A network model developed by the International Standards Organization (ISO) that consists of model seven different levels, or layers. By standardizing these layers, and the interfaces in between, different portions of a given protocol can be modified or changed as technologies advance or systems requirements are altered. The seven layers are:

  • Physical
  • Data Link Network
  • Transport
  • Session
  • Presentation
  • Application

The IEEE 802.11 Standard encompasses the physical layer (PHY) and the lower portion of the data link layer. The lower portion of the data link layer is often referred to as the Medium Access Controller (MAC) sublayer.

J

K

L

LAN                          Local Area Network. A system of connecting PCs and other devices within the same physical proximity for sharing resources such as an Internet connections, printers, files and drives. When Wi-Fi is used to connect the devices, the system is known as a Wireless LAN or WLAN.

LDAP Lightweight Directory Access Protocol. A set of protocols for accessing information directories conforming to the X.500 standard.

 

LWAPP

M

Lightweight Access Point Protocol. A proposed specification to the International Engineering Task Force (IETF) created to standardize the communications protocol between access points and WLAN system devices (switches, appliances, routers, etc.). Initial authors include Airespace and NTT DoCoMo. See CAPWAP
MAC Medium Access Control. This is the function of a network controller that determines who gets to transmit when. Each network adapter must be uniquely identified. Every wireless 802.11 device has its own specific MAC address hard-coded into it. This unique identifier can be used to provide security for wireless networks. When a network uses a MAC table, only the 802.11 radios that have had their MAC addresses added to that network’s MAC table will be able to get onto the network.
Man in Middle (MiM) An attack that results from the interception and possible modification of traffic passing between two communicating parties, such as a wireless client and Access Point. MIM attacks succeed if the systems can’t distinguish communications with an intended recipient from those with the intervening attacker.
Mbps Million bits (megabits) per second.
MIC Message Integrity Check. MIC is part of a draft standard from IEEE 802.11i working group. It is an additional 8 byte field which is placed between the data portion of an 802.11 (Wi-Fi) frame and the 4 byte ICV (Integrity Check Value) to protect both the payload and the header. The algorithm which implements the MIC is known as Michael.
Microcell Wireless architecture in which adjacent APs must be tuned to different, non-overlapping channels in an attempt to mitigate co-channel interference. This requires complex channel planning both before the network is built and whenever a change is made, and uses spectrum so inefficiently that some co-channel interference still occurs, especially at 2,4 GHz. Microcell architectures were common in 2G cell phone systems and legacy wireless LAN systems. They are not used in 3G cellular networks or in wireless LAN systems that use Air Traffic Control, as these allow all access points to share a single channel.
mobile professional A salesperson or a “road warrior” who travels frequently and requires the ability to regularly access his or her corporate networks, via the Internet, to post and retrieve files and data and to send and receive e-mail.
multipath

N

The process or condition in which radiation travels between source and receiver via more than one propagation path due to reflection, refraction, or scattering.
NAT NetwOrk Address Translation. A system for converting the IP numbers used in one network to the IP numbers used in another network. Usually one network is the internal network and one

network is the external network. Usually the internal IP numbers form a relatively large set of IP numbers, which must be compressed into a small set of IP numbers for the external network.

network name Identifies the wireless network for all the shared components. During the installation process for most wireless networks, you need to enter the network name or SSID. Different network names are used when setting up your individual computer, wired network or workgroup.
NIC

O

Network Interface Card. A type of PC adapter card that either works without wires (Wi-Fi) or attaches to a network cable to provide two-way communication between the computer and network devices such as a hub or switch. Most office wired NICs operate at 10 Mbps (Ethernet), 100 Mbps (Fast Ethernet) or 10/100 Mbps dual speed. High-speed Gigabit and 10 Gigabit NIC cards are also available. See PC Card.
OFDM Orthogonal Frequency Division Multiplexing. A modulation technique for transmitting large amounts of digital data over a radio wave. OFDM splits the radio signal into multiple smaller signals that are transmitted in parallel at different frequencies to the receiver. OFDM reduces the amount of crosstalk in signal transmissions. 802.11a uses OFDM.
Overlay Network

P

A dedicated network of radio sensors that are similar to access points but do not serve clients, scanning the airwaves full time for security or management issues. Overlay networks lack the flexibility of AP-based scanning, as radios cannot be redeployed between scanning and client access. They also lack deep integration with the main wireless network, necessary for realtime management and intrusion prevention.
Partitioning Virtualization technique in which a single resource is divided up into virtual resources that are then dedicated to a particular application. Examples include the virtual machines in server virtualization, virtual disk drives in SANs and Virtual Ports in Fortinet’s Wireless LAN Virtualization. The main advantages of partitioning are control and isolation: Each application or user can be given exactly the resources that it  needs, protecting them from each other and ensuring that none consumes more than its allocated share of resources. In a wireless context, it makes a wireless LAN behave more like a switched Ethernet port.
Pooling Virtualization technique in which multiple physical resources are combined into a single virtual resource. Examples include the multiple disk drives in a virtual storage array, the multiple CPUs in a modern server and the multiple access points in a Fortinet Virtual Cell. The main advantages of pooling are agility, simplified management and economies of scale: Resources can be moved  between applications on demand, reducing the need for over-provisioning and freeing applications or users from dependence on a single piece of limited infrastructure.

 

PC card A removable, credit-card-sized memory or I/O device that fits into a Type 2 PCMCIA standard slot, PC Cards are used primarily in PCs, portable computers, PDAs and laptops. PC Card peripherals include Wi-Fi cards, memory cards, modems, NICs, hard drives, etc.
PCI A high-performance I/O computer bus used internally on most computers. Other bus types include ISA and AGP. PCIs and other computer buses enable the addition of internal cards that provide services and features not supported by the motherboard or other connectors.
PDA Smaller than laptop computers but with many of the same computing and communication capabilities, PDAs range greatly in size, complexity and functionality. PDAs can provide wireless connectivity via embedded Wi-Fi Card radios, slide-in PC Card radios, or Compact Flash Wi-Fi radios.
PEAP Protected Extensible Authentication Protocol. An extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation. TLS is used in PEAP Part 1 to authenticate the server only, and thus avoids having to distribute user certificates to every client. PEAP Part 2 performs mutual authentication between the EAP client and the server.
peer-to-peer network A wireless or wired computer network that has no server or central hub or router. All the networked PCs are equally able to act as a network server or client, and each client computer can talk to all the other wireless computers without having to go through an access point or hub. However, since there is no central base station to monitor traffic or provide Internet access, the various signals can collide with each other, reducing overall performance.
PHY The lowest layer within the OSI Network Model. It deals primarily with transmission of the raw bit stream over the PHYsical transport medium. In the case of Wireless LANs, the transport medium is free space. The PHY defines parameters such as data rates, modulation method, signaling parameters, transmitter/receiver synchronization, etc. Within an actual radio implementation, the PHY corresponds to the radio front end and baseband signal processing sections.
plenum The ceiling plenum is the volume defined by the area above the back of the ceiling tile, and below the bottom of the structural slab above. Within this plenum is usually found a combination of HVAC ducts, electrical and electronic conduits, water pipes, traditional masking sound speakers, etc. Networking equipment needs to be plenum rated to certify that it is suitable for deployment in this area.
PoE Power over Ethernet. A technology defined by the IEEE 802.3af standard to deliver dc power over twisted-pair Ethernet data cables rather than power cords. The electrical current, which enters the data cable at the power-supply end and comes out at the device end, is kept separate from the data signal so neither interferes with the other.
POTS Plain Old Telephone Service. Standard analog telephone service (an acronym for Plain Old Telephone Service).

 

proxy server Used in larger companies and organizations to improve network operations and security, a proxy server is able to prevent direct communication between two or more networks. The proxy server forwards allowable data requests to remote servers and/or responds to data requests directly from stored remote server data.
PSTN

Q

Public Switched Telephone Network. The usual way of making telephone calls in the late 20th century, designed around the idea of using wires and switches. Perhaps to be supplanted by  Over IP in the 21st century.
QoS

R

Quality of Service. A set of technologies for managing and allocating Internet bandwidth. Often used to ensure a level of service required to support the performance requirements of a specific application, user group, traffic flow, or other parameter. Defined within the service level are network service metrics that include network availability (uptime), latency and packet loss.
RADIUS Remote Authentication Dial-In User Service. A service that authorizes connecting users and allows them access to requested systems or services. The Microsoft ISA server is a RADIUS server.
range How far will your wireless network stretch? Most Wi-Fi systems will provide a range of a hundred feet or more. Depending on the environment and the type of antenna used, Wi-Fi signals can have a range of up to mile.
RC4 algorithm The RC4 algorithm uses an Initialization Vector (IV) and a secret key to generate a pseudorandom key stream with a high periodicity. Designed by RSA Security, RC4 is used in WEP and many other transmission protocols including SSL.
RF Radio Frequency. The type of transmission between a Wireless LAN access point and a wireless client (e.g., laptop, PDA, or phone). Wireless LANs can use RF spectrum at either 2.4 GHz (IEEE 802.11b or IEEE 802.11g) or 5 GHz (IEEE 802.11G).
RFID Radio Frequency ID. A device that picks up signals from and sends signals to a reader using radio frequency. Tags come in many forms, such as smart labels that are stuck on boxes; smart cards and key-chain wands for paying for things; and a box that you stick on your windshield to enable you to pay tolls without stopping. Most recently, active 802.11 RFID tags are being deployed in enterprise environments to provide more consistent tracking across farther distances than traditional passive devices.
RF fingerprinting In an enterprise WLAN scenario, RF fingerprinting refers to creating a blueprint of a building’s RF characteristics, taking into account specific wall and design characteristics such as attenuation and multipath. This information is compared to real-time information collected by APs for

802.11 location tracking. By taking RF characteristics into account, RF fingerprint is the most accurate method of wireless device tracking available today.

RF prediction The process of predicting WLAN characteristics, such as throughput and coverage area, based upon imported building characteristics and sample WLAN design configurations.
RF triangulation A common method used for 802.11 device tracking whereby 3 or more Access Points compare RSSI information to triangulate in on a device’s location. While easy to implement, RF triangulation does not account for multipath, attenuation, and other RF characteristics that may affect receive sensitivity, making it less accurate than RF fingerprinting.
roaming The process that takes places as a client moves between the coverage areas of different APs, necessitating a handoff. In microcell Wi-Fi networks, roaming can be a complex procedure that risks dropped connections and drags down network performance, as the client is forced to decide when to disconnect from one AP and search for another. In networks using Virtual Cell and Virtual Port technology, the infrastructure controls roaming, automatically connecting each client to the optimum AP.
rogue Access Point An AP that is not authorized to operate within a wireless network. Rogue APs subvert the security of an enterprise network by allowing potentially unchallenged access to the enterprise network by any wireless user (client) in the physical vicinity.
RJ-45 Standard connectors used in Ethernet networks. Even though they look very similar to standard RJ-11 telephone connectors, RJ-45 connectors can have up to eight wires, whereas telephone connectors have only four.
roaming Moving seamlessly from one AP coverage area to another with no loss in connectivity.
router A device that forwards data packets from one local area network (LAN) or wide area network (WAN) to another. Based on routing tables and routing protocols, routers can read the network address in each transmitted frame and make a decision on how to send it via the most efficient route based on traffic load, line costs, speed, bad connections, etc.
RSA A public-key algorithm developed in 1977 and named after its inventors, Rivest, Shamir, and Adleman. RSA, currently owned by RSA Data Security, Inc., is used for encryption, digital signatures, and key exchange.
RSN Robust Security Network. A new standard within IEEE 802.11i to provide security and privacy mechanisms in an 802.11 wireless network. RSN leverages 802.1x authentication with Extensible Authentication Protocol (EAP) and AES for encryption.
RSSI

S

Received Signal Strength Indication. The measured power of a received signal.
scanning The process of checking the airwaves for rogue access points or attackers.  Scanning APs are typically implemented as an Overlay Network, as most APs can not scan and serve traffic at

the same time. Fortinet’s APs are able to scan the airwaves and serve clients simultaneously, eliminating the need for an overlay.  Fortinet’s single-channel architecture improves accuracy when scanning for intruders, as all APs are able to detect signals from all clients.

server A computer that provides its resources to other computers and devices on a network. These include print servers, Internet servers and data servers. A server can also be combined with a hub or router.

Single Channel

Term sometimes used to describe a network in which all access points operate on the same channel, such as one using Virtual Cell technology. Single channel operation is more spectrally efficient than a microcell architecture and necessary for the use of Virtual Cells and network-controlled handoff. Single Channel improves security by making intrusion detection easier and location tracking more accurate, as every AP automatically receives transmissions from every client within range. It also enables the RF Barrier to function with as little as one radio, because only one channel needs to be blocked from outside access.

SIP Session Initiation Protocol. SIP is a protocol for finding users, usually human, and setting up multimedia communication among them, typically a VoIP phone call.
site survey The process whereby a wireless network installer inspects a location prior to putting in a wireless network. Site surveys are used to identify the radio- and client-use properties of a facility so that access points can be optimally placed. Wireless LAN System WLANs are optimized to not require a site survey.
spectral efficiency The ratio of data rate to radio spectrum usage. A Virtual Cell is much more spectrally efficient than a microcell architecture, as the microcells consume at least three non-overlapping channels to provide the coverage that a Virtual Cell offers with just one.
SSID A 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a name when a mobile device tries to connect to the BSS. (Also called ESSID.) The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a Network Name because essentially it is a name that identifies a wireless network.
ssh Secure SHell. A terminal-emulation program that allows users to log onto a remote device and execute commands. It encrypts the traffic between the client and the host.
SSL Secure Socket Layer. Commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions. When an SSL session begins, the server sends its public key to the browser. The browser then sends a randomly generated secret key back to the server in order to have a secret key exchange for that session.

 

station Devices such as cellular phones or laptops that need to communicate wirelessly with the Meru Wireless LAN System and do so through access points.
subnetwork or subnet Found in larger networks, these smaller networks are used to simplify addressing between numerous computers. Subnets connect to the central network through a router, hub or gateway. Each individual Wireless LAN will probably use the same subnet for all the local computers it talks to.
subnet mobility The ability of a wireless user to roam across Access Points deployed on different subnets using a single IP address.
supplicant A wireless client that is requesting access to a network.
switch

T

A type of hub that efficiently controls the way multiple devices use the same network so that each can operate at optimal performance. A switch acts as a networks traffic cop: rather than transmitting all the packets it receives to all ports as a hub does, a switch transmits packets to only the receiving port.
TCP Transmission Control Protocol. A protocol used along with the Internet Protocol (IP) to send data in the form of individual units (called packets) between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the packets that a message is divided into for efficient routing through the Internet. For example, when a web page is downloaded from a web server, the TCP program layer in that server divides the file into packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end, TCP reassembles the individual packets and waits until they have all arrived to forward them as a single file.
TCP/IP The underlying technology behind the Internet and communications between computers in a network. The first part, TCP, is the transport part, which matches the size of the messages on either end and guarantees that the correct message has been received. The IP part is the user’s computer address on a network. Every computer in a TCP/IP network has its own IP address that is either dynamically assigned at startup or permanently assigned. All TCP/IP messages contain the address of the destination network as well as the address of the destination station. This enables TCP/IP messages to be transmitted to multiple networks (subnets) within an organization or worldwide.
TKIP Temporal Key Integrity Protocol. An enhancement to the WEP encryption technique that uses a set of algorithms to rotate session keys for better protection. TKIP uses RC4 ciphering, but adds functions such as a 128-bit encryption key, a 48-bit initialization vector, a new message integrity code (MIC), and initialization vector (IV) sequencing rules.

U

USB A high-speed bidirectional serial connection between a PC and a peripheral that transmits data at the rate of 12 megabits per second. The new USB 2.0 specification provides a data rate of up to 480 Mbps, compared to standard USB at only 12 Mbps. 1394, FireWire and iLink all provide a bandwidth of up to 400 Mbps.
UTC

V

Universal Time Coordinated. Also known as Greenwich Mean Time. The time is not adjusted for time zones or for daylight savings time.
Virtual Cell Proprietary wireless LAN architecture in which multiple access points are pooled into a single, virtual resource. To the client, APs are indistinguishable because they all use the same BSSID and radio channel . Because clients remain connected to the same virtual AP as they move through a network, no client-initiated handoffs are necessary. Instead, the network itself automatically routes all radio connections through the most appropriate AP. This maximizes bandwidth, simplifies network management and conserves radio spectrum for scalability and redundancy.
Virtual Port An enhancement to the Virtual Cell architecture which partitions the network so that each client device has its own private network with a unique BSSID. From the client’s perspective, it gets its own dedicated AP to which it remains connected no matter where it travels in the network. Like a switched  Ethernet port, the Virtual Port eliminates latency, jitter and contention for bandwidth as there is only ever one client on each port. Unlike an Ethernet port, it can be personalized to fit each user or device, giving the network control over client behavior with no proprietary client-side software or extensions necessary.
VoFI ( over

Wi-Fi) or VoWLAN ( over Wireless

LAN)

 over IP links that run over a wireless network. VoIP does not usually require high data rates, but it stresses wireless networks in other ways by demanding low latencies and smooth handoffs. In addition, no 802.11n phones yet exist, as most handsets are too small to accommodate MIMO’s multiple antennas  spaced a wavelength apart. This means that 802.11n networks running VoFI must have a way to deal with 802.11b/g clients.
VLAN Virtual LAN. A logical grouping of devices that enables users on separate networks to communicate with one another as if they were on a single network.
VPN Virtual Private Network. A type of technology designed to increase the security of information transferred over the Internet. VPN can work with either wired or wireless networks, as well as with dial-up connections over POTS. VPN creates a private encrypted tunnel from the end user’s computer, through the local wireless network, through the Internet, all the way to the corporate servers and database.

W

WAN                        Wide Area Network. A communication system of connecting PCs and other computing

devices across a large local, regional, national or international geographic area. Also used to distinguish between phone-based data networks and Wi-Fi. Phone networks are considered WANs and Wi-Fi networks are considered Wireless Local Area Networks (WLANs).

WEP                          Wired Equivalent Privacy. Basic wireless security provided by Wi-Fi. In some instances, WEP

may be all a home or small-business user needs to protect wireless data. WEP is available in 40-bit (also called 64-bit), or in 104-bit (also called 128-bit) encryption modes. As 104-bit encryption provides a longer key that takes longer to decode, it can provide better security than basic 40-bit (64-bit) encryption.

Wi-Fi                        Brand name for wireless LANs based on various 802.11 specifications. All products bearing the Wi-Fi logo have been tested for interoperability by the Wi-Fi Alliance, an industry group composing every major 802.11 client and infrastructure vendor.

WLAN                      Wireless LAN. Also referred to as LAN. A type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes.

WME                        Wireless Multimedia Extension. The Wi-Fi Alliance’s standard for QoS based upon the Enhanced Distribution Coordination Function (EDCF), which is a subset of the IEEE 802.11e specification.

WNC                        Wireless Network Controller. Alternative term for controller.

WSM                        Wi-Fi Scheduled Media. The Wi-Fi Alliance’s emerging standard for QoS that is based upon the HCF portion of the 802.11e standard, which dedicates bandwidth segments to specific data types. WSM is going to have less of a focus in the enterprise space than its WME counterpart.

WPA                        Wi-Fi Protected Access. The Wi-Fi Alliance put together WPA as a data encryption method for 802.11 Wireless LANs. WPA is an industry-supported, pre-standard version of 802.11i utilizing the Temporal Key Integrity Protocol (TKIP). WPA will serve until the 802.11i standard is ratified in the third quarter of 2003.

X

X.509                         Created by the International Telecommunications Union Telecommunication Standardization

Sector (ITU-T), X.509 is the most widely used standard for defining digital certificates.

FortiWLC – Syslog Messages

Syslog Messages

This Appendix provides a brief listing of all Syslog messages currently implemented in FortiWLC (SD).

Controller Management

Controller Management

Event System Log Example Description Action
CONTROLLER REBOOT Oct 13 11:11:32 172.18.37.201 ALARM: 1255432836l | system | notice | NOT | Controller administrative reboot requested A controller reboot is requested.  

 

Event System Log Example Description Action
CONTROLLER BOOT

PROCESS

START

502

Oct 13 11:12:55 172.18.37.201 syslog: syslogd startup succeeded

Oct 13 11:12:55 172.18.37.201 syslog: klogd startup succeeded

Oct 13 11:12:58 172.18.37.201 sysctl: net.ipv4.ip_forward = 1

Oct 13 11:12:58 172.18.37.201 sysctl: net.ipv4.conf.default.rp_filter = 1

Oct 13 11:12:58 172.18.37.201 sysctl: kernel.sysrq = 0

Oct 13 11:12:58 172.18.37.201 sysctl: kernel.core_uses_pid = 1

Oct 13 11:12:58 172.18.37.201 network: Setting network parameters:  succeeded

Oct 13 11:12:58 172.18.37.201 network: Bringing up loopback interface:  succeeded

Oct 13 11:12:58 172.18.37.201 crond: crond startup succeeded

Oct 13 11:12:58 172.18.37.201 sshd:  succeeded

Oct 13 11:12:58 172.18.37.201 sshd[303]: Server listening on 0.0.0.0 port 22.

Oct 13 11:12:58 172.18.37.201 network: Bringing up interface eth0:  succeeded

Oct 13 11:12:59 172.18.37.201 xinetd: xinetd startup succeeded

Oct 13 11:12:59 172.18.37.201 root: Start WLAN Services …

Oct 13 11:13:01 172.18.37.201 meru: /etc/init.d/ceflog: / opt/meru/var/run/running-db/ceflog.conf: No such file or directory

Oct 13 11:13:01 172.18.37.201 meru: Setting up swapspace version 0, size = 43446272 bytes

Oct 13 11:13:01 172.18.37.201 meru: Using /lib/modules/

2.4.18-3-meruenabled/kernel/drivers/dump/dump.o

Oct 13 11:13:01 172.18.37.201 meru: Kernel data gathering phase complete

Oct 13 11:13:05 172.18.37.201 meru: Warning: loading / opt/meru/kernel/ipt_vlan_routing.mod will taint the kernel: non-GPL license – Proprietary

Oct 13 11:13:37 172.18.37.201 meru: Process RemoteUpgrade did not come up. Will retry again

Oct 13 11:13:37 172.18.37.201 root: Controller Up on Tue

Controller boot sequence showing different processes and WLAN services getting started.

Co

ntroller Management

 

Event System Log Example Description Action
CONTROLLER SHUTDOWN

PROCESS

STOP

Controller Managem

Oct 13 11:11:33 172.18.37.201 root: Stop WLAN Services

Oct 13 11:11:33 172.18.37.201 meru: icrd stopped.

Oct 13 11:11:33 172.18.37.201 meru: RIos stopped.

Oct 13 11:11:37 172.18.37.201 meru: discovery stopped.

Oct 13 11:11:37 172.18.37.201 meru: WncDhcpRelay stopped.

Oct 13 11:11:37 172.18.37.201 meru: nmsagent stopped.

Oct 13 11:11:38 172.18.37.201 meru: melfd stopped.

Oct 13 11:11:38 172.18.37.201 meru: igmp-snoop-daemon stopped.

Oct 13 11:11:44 172.18.37.201 meru: dfsd stopped.

Oct 13 11:11:45 172.18.37.201 meru: aeroscoutd stopped.

Oct 13 11:11:45 172.18.37.201 meru: snmp stopped. Oct 13 11:11:46 172.18.37.201 meru: cmdd stopped.

Oct 13 11:11:47 172.18.37.201 meru: rfsmgr stopped.

Oct 13 11:11:49 172.18.37.201 meru: wncclid stopped.

Oct 13 11:11:50 172.18.37.201 meru: sipfd stopped.

Oct 13 11:11:51 172.18.37.201 meru: rulefd stopped.

Oct 13 11:11:52 172.18.37.201 meru: watchdog stopped.

Oct 13 11:11:52 172.18.37.201 meru: oct_watchdog stopped.

Oct 13 11:11:52 172.18.37.201 meru: h323fd stopped.

Oct 13 11:11:53 172.18.37.201 meru: sccpfd stopped.

Oct 13 11:11:54 172.18.37.201 meru: coordinator stopped.

Oct 13 11:11:54 172.18.37.201 meru: security-mm stopped.

Oct 13 11:11:56 172.18.37.201 meru: hostapd stopped.

Oct 13 11:11:57 172.18.37.201 meru: rogueapd stopped.

Oct 13 11:11:58 172.18.37.201 meru: xems stopped.

Oct 13 11:11:58 172.18.37.201 meru: apache stopped.

Oct 13 11:12:01 172.18.37.201 meru: xclid stopped.

Oct 13 11:12:07 172.18.37.201 meru: wncagent stopped.

entOct 13 11:12:07 172.18.37.201 meru: Removed VLAN –

:vlan133:-

Oct 13 11:12:08 172.18.37.201 meru: vlan stopped.

Controller shutdown sequence, showing different processes and WLAN ser-

vices getting stopped.

503

 

 

Event System Log Example Description Action
  Oct 13 11:12:15 172.18.37.201 meru:

Oct 13 11:12:18 172.18.37.201 root: WLAN Services stopped

Oct 13 11:12:18 172.18.37.201 rc: Stopping meru:  succeeded

Oct 13 11:12:18 172.18.37.201 sshd[317]: Received signal 15; terminating.

Oct 13 11:12:18 172.18.37.201 sshd: sshd -TERM succeeded

Oct 13 11:12:18 172.18.37.201 xinetd: xinetd shutdown succeeded

Oct 13 11:12:18 172.18.37.201 crond: crond shutdown succeeded

Oct 13 11:12:19 172.18.37.201 syslog: klogd shutdown succeeded

   

 

 

Event System Log Example Description Action
SSH LOGIN SESSION Oct 13 11:13:58 172.18.37.201 sshd[4874]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Oct 13 11:14:00 172.18.37.201 sshd[4874]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Oct 13 11:14:00 172.18.37.201 sshd[4874]: Accepted password for admin from 172.18.37.12 port 1891 ssh2

Oct 13 11:14:00 172.18.37.201 sshd(pam_unix)[4876]: session opened for user admin by (uid=0)

Oct 13 11:14:00 172.18.37.201 PAM-env[4876]: Unable to open config file: No such file or directory

Oct 13 11:14:00 172.18.37.201 sshd[4876]: lastlog_perform_login: Couldn’t stat /var/log/lastlog: No such file or directory

Oct 13 11:14:00 172.18.37.201 sshd[4876]: lastlog_openseek: /var/log/lastlog is not a file or directory!

Apr 09 12:00:22 172.18.49.14  — admin[19814]: LOGIN ON pts/3 BY admin FROM xp.merunetworks.com

Apr 09 15:23:07 172.18.37.203 sshd(pam_unix)[23750]:

session closed for user admin

Apr 09 15:07:53 172.18.37.203 su(pam_unix)[28060]:

session opened for user root by admin(uid=0)

Apr 09 15:08:09 172.18.37.203 su(pam_unix)[28060]: session closed for user root

Apr 09 17:48:48 172.18.37.203 sshd[28588]: Received disconnect from 172.18.37.15: 11: Disconnect requested by Windows SSH Client.

A controller user logged in, using an SSH connection.  
WEB ADMIN LOGIN Oct 13 11:15:07 172.18.37.201 xems: 1255433051l | security | info | WAU | Controller Access User

admin@172.18.37.12 login to controller at time Tue Oct 13 11:24:11 2009 is OK

Admin logged in to controller GUI.  

 

Event System Log Example Description Action
NTP SERVER

NOT ACCESSIBLE

Apr 12 18:01:10 172.18.49.14 root: NTP server time.windows.com did not respond. NTP server is not accessible. Check to see if NTP server is down, or verify that the NTP server is correctly configured on the controller. If the configuration is wrong,

use the “Setup” command to

correct the configuration.

User Management: RADIUS request sent Mar 29 13:43:40 172.18.86.229 SecurityMM:

1269866620l | security | info | RBAC | Sending RADIUS

Access-Request message for user : pat

For RADIUS-

based controller user management, RADIUS access request is being sent to

RADIUS server.

 
User Management: Group ID not available Mar 29 13:46:32 172.18.86.229 xems: 1269866791l | security | info | RBAC | Group Id not available for Group Num 700 and User Id pat Group ID configured for controller user is not available. Create group with this group ID, or change the group ID for this user.
User Management: RADIUS

Success

Mar 29 13:49:18 172.18.86.229 SecurityMM:

1269866959l | security | info | RBAC | RADIUS Access succeed for user <pat>

For RADIUS-

based controller user management, RADIUS authentication succeeded.

 
User Management: Group Number

received from

RADIUS

Mar 29 13:49:18 172.18.86.229 SecurityMM:

1269866959l | security | info | RBAC | Group Num <700> received from RADIUS server for user <pat>

RADIUS server returned group number for user logged in.  

 

Event System Log Example Description Action
User Management: User Login Success Mar 29 13:49:18 172.18.86.229 xems: 1269866959l | security | info | WAU | Controller Access User

pat@172.18.45.17 login to controller at time Mon Mar 29 18:19:19 2010 is OK

Controller user logged in.  
User Management: RADIUS

Failure

Mar 29 13:50:42 172.18.86.229 SecurityMM:

1269867043l | security | info | RBAC | RADIUS Access failed for user <local1234>

RADIUS

authentication for controller user failed.

 
User Management: User Login Failure Mar 29 13:50:43 172.18.86.229 xems: 1269867043l | security | info | WAU | Controller Access User

local1234@172.18.45.17 login to controller at time Mon

Mar 29 18:20:43 2010 is FAILED

Controller user login failed.  
DUAL ETHERNET info NOT 10/08/2009 00:12:42 <00:90:0b:0a:81:b0> 1st interface link up. Controller’s first interface link is up.  
DUAL ETHERNET info NOT 10/08/2009 00:16:14 <00:90:0b:0a:81:b0> 1st interface link down. Controller’s first interface link is down.  
DUAL ETHERNET info NOT 10/08/2009 00:25:55 <00:90:0b:0a:81:af> 2nd interface link up. Controller’s second interface link is up.  
DUAL ETHERNET info NOT 10/08/2009 00:26:16 <00:90:0b:0a:81:af> 2nd interface link down. Controller’s second interface link is down.  
DUAL ETHERNET info NOT 10/08/2009 00:25:56 <00:90:0b:0a:81:af> switch to 2nd interface done. Controller is configured in redundant mode for dual Ethernet. The first interface went down, so the second interface has taken over.  

 

Event System Log Example Description Action
DUAL ETHERNET info NOT 10/08/2009 00:26:19 <00:90:0b:0a:81:af> switch to 1st interface done. Controller is configured in redundant mode for dual Ethernet. The second interface

went down, so

the first interface has taken over.

 
DUAL ETHER-

NET: STANDALONE MODE

EXAMPLE

info NOT 10/08/2009 00:12:42 <00:90:0b:0a:81:b0> 1st interface link up.

info NOT 10/08/2009 00:16:14 <00:90:0b:0a:81:b0> 1st interface link down.

Sequence

shown when the controller is configured in standalone mode, and the first interface goes down.

If first interface link down message is seen,

check the con-

nectivity to first interface.

 

 

Event System Log Example Description Action
DUAL ETHER-

NET: REDUN-

DANT MODE

EXAMPLE

info NOT 10/08/2009 00:24:26 <00:90:0b:0a:81:af> 1st interface link up.

info NOT 10/08/2009 00:25:52 <00:90:0b:0a:81:af> 1st interface link down.

info NOT 10/08/2009 00:25:55 <00:90:0b:0a:81:af> 2nd interface link up.

info NOT 10/08/2009 00:25:56 <00:90:0b:0a:81:af> switch to 2nd interface done.

info NOT 10/08/2009 00:26:16 <00:90:0b:0a:81:af> 2nd interface link down.

info NOT 10/08/2009 00:26:19 <00:90:0b:0a:81:af> 1st interface link up.

info NOT 10/08/2009 00:26:19 <00:90:0b:0a:81:af> switch to 1st interface done.

Sequence

shown when the controller is configured in redundant mode. When the first interface goes down, and the second interface takes over.

Check the connectivity on the interface that has gone down.
DUAL ETHER-

NET: ACTIVE

MODE EXAM-

PLE

info NOT 10/08/2009 00:37:29 <00:90:0b:0a:81:b0> 1st interface link up.

info NOT 10/08/2009 00:37:29 <00:90:0b:0a:81:af> 2nd interface link up.

info NOT 10/08/2009 00:38:34 <00:90:0b:0a:81:af> 2nd interface link down.

info NOT 10/08/2009 00:38:39 <00:90:0b:0a:81:b0> 1st interface link down.

info NOT 10/08/2009 00:38:43 <00:90:0b:0a:81:b0> 1st interface link up.

info NOT 10/08/2009 00:38:45 <00:90:0b:0a:81:af> 2nd interface link up.

Sequence

shown when the controller is configured in active mode.

Check the connectivity on the interface that has gone down.

 

AP System
Event System Log Example Description Action  
AP Down Mar 21 12:56:51 172.18.65.202 ALARM: 1206084411l | system | info | ALR | AP DOWN CRITICAL Access Point

Pat-AP300 (2) at time Fri Mar 21 07:26:51 2008

This message is generated when the controller detects an AP Down event.

An AP Down event can be reported for many reasons: AP upgrading

Power failure

Network failure, AP not accessible.

AP crash

If an AP crash is occurring due to an unknown

issue, contact Customer Support.

 
AP Up Mar 21 12:57:20 172.18.65.202 ALARM: 1206084440l | system | info | ALR | AP UP  Access Point Pat-AP300 (2) is up at time Fri Mar 21 07:27:20 2008 This message is generated when the controller detects an AP Up event.    
AP Software Version Mismatch Mar 21 15:19:05 172.18.65.202 ALARM: 1206092945l | system | info | ALR | AP SOFTWARE VERSION MISMATCH CRITICAL AP Pat-AP300 (2) – Software Version Mismatch : AP version is 3.4.SR3m-10 and Controller version is 3.6-40 This message is generated when the AP software version does not match the controller software version. If Auto-APUpgrade is enabled, the controller will automatically upgrade AP software to the same version.

Otherwise, manually upgrade the AP to the version same as the controller.

 
  Event System Log Example Description Action
  AP Upgrade Apr 09 12:41:18 172.18.37.203 ALARM: 1270817859l | system | notice | NOT | Software version of AP 4 is being changed from 4.0-86 to 4.0-89 The AP software

is being upgraded.

 
  Boot Image Version Mismatch Apr 28 14:03:35 172.18.65.202 ALARM: 1209371615l | system | info | ALR | AP BOOTIMAGE VERSION MISMATCH CRITICAL BootImage_Version_MisMatch_for_AP1 This message is generated when the AP has an incompatible boot image.  
  Boot Image Match Apr 28 14:03:51 172.18.65.202 ALARM: 1209371631l | system | info | ALR | AP BOOTIMAGE VERSION MISMATCH CLEAR BootImage_Version_Match_for_AP1 The message is generated when the AP’s incompatible boot image has been replaced by a compatible boot image.  
  AP Neighbor Loss Apr 28 14:01:12 172.18.65.202 ALARM: 1209371472l | system | info | ALR | AP NEIGHBOR LOSS CRITICAL Neighbor_Loss_for_AP1 This message is generated when an AP has lost its neighbor AP.  
  AP Neighbor Loss Cleared Apr 28 14:01:18 172.18.65.202 ALARM: 1209371478l | system | info | ALR | AP NEIGHBOR LOSS CLEAR

Neighbor_Loss_for_AP1

This message is generated when then the AP Neighbor loss alarm is cleared.  
  Hardware Diagnostics Error Mar 21 13:49:53 172.18.65.202 ALARM: 1206087593l | system | info | ALR | AP HARDWARE DIAGNOSTIC

ERROR CRITICAL HardwareDiagnostics

This message is generated when an AP has an incompatible

FPGA version.

 
  Hardware Diagnostics Error

Cleared

Mar 21 13:49:47 172.18.65.202 ALARM: 1206087587l | system | info | ALR | AP HARDWARE DIAGNOSTIC

ERROR CLEAR HardwareDiagnostics

This message is generated when an AP’s incompatible FPGA version is replaced with a compatible version.  

AP System

 

Event System Log Example Description Action  
Handoff Fail Apr 28 14:02:04 172.18.65.202 ALARM: 1209371524l | system | info | ALR | HAND OFF FAIL CRITICAL Hand-

Off_Fail_for_AP1

This message is generated when handoff fails.    
Handoff Fail Cleared Apr 28 14:02:21 172.18.65.202 ALARM: 1209371541l | system | info | ALR | HAND OFF FAIL CLEAR HandOff_-

Fail_Cleared_for_AP1

This message is generated when the handoff fail alarm is cleared.    
Resource

Threshold

Exceeded

Mar 21 13:56:27 172.18.65.202 ALARM: 1206087987l | system | info | ALR | RESOURCE THRESHOLD

EXCEED CRITICAL ResourceThreshold

This message is generated when

the resource (CPU & Mem-

ory) threshold is exceeded.

   
Resource

Threshold

Exceed Cleared

Mar 21 13:57:17 172.18.65.202 ALARM: 1206088037l | system | info | ALR | RESOURCE THRESHOLD

EXCEED CLEAR ResourceThreshold

This message is generated when the resource threshold exceed alarm is cleared.    
System Failure Mar 21 14:18:29 172.18.65.202 ALARM: 1206089309l | system | info | ALR | SYSTEM FAILURE CRITICAL SystemFailure This message is generated when the system.    
System Failure Cleared Mar 21 14:19:04 172.18.65.202 ALARM: 1206089344l | system | info | ALR | SYSTEM FAILURE CLEAR SystemFailure This message is generated when the system failure alarm is cleared.    
Watchdog Failure Mar 21 14:27:28 172.18.65.202 ALARM: 1206089848l | system | info | ALR | WATCHDOG FAILURE CRITICAL WatchDog_Failure This message is generated when the Watchdog process is terminated.    
Watchdog Failure Cleared Mar 21 14:27:59 172.18.65.202 ALARM: 1206089879l | system | info | ALR | WATCHDOG FAILURE CLEAR WatchDog_Failure This message is generated when the Watchdog process resumes.    
  Event System Log Example Description Action
  Certificate Error Mar 21 15:04:10 172.18.65.202 ALARM: 1206092050l | system | info | ALR | CERTIFICATE ERROR CRITICAL Certificare_Error This message is generated when

a certificate error occurs.

 
  Certificate Error

Cleared

Mar 21 15:04:38 172.18.65.202 ALARM: 1206092078l | system | info | ALR | CERTIFICATE ERROR CLEAR Certificate_Error This message is generated when

the certificate error alarm is cleared.

 
  AP Init Failure Apr 28 12:55:58 172.18.65.202 ALARM: 1209367557l | system | info | ALR | AP INIT FAILURE CRITICAL Init_Failure_for_AP1 This message is generated when an AP initialization fails.  
  AP Init Failure

Cleared

Apr 28 12:55:45 172.18.65.202 ALARM: 1209367545l | system | info | ALR | AP INIT FAILURE CLEAR Init_Failure_for_AP1 This message is generated when the AP initialization failure alarm is cleared.  
  AP Radio Card Failure Apr 28 13:01:00 172.18.65.202 ALARM: 1209367860l | system | info | ALR | AP RADIO CARD FAILURE CRITICAL Radio_Card_Failure_for_AP1 This message is generated when an AP radio card stops working.  
  AP Radio Card Failure Cleared Apr 28 13:01:08 172.18.65.202 ALARM: 1209367868l | system | info | ALR | AP RADIO CARD FAILURE CLEAR Radio_Card_Failure_for_AP1 This message is generated when an AP radio card failure alarm is cleared.  
  Primary

RADIUS Server

Restored

Mar 21 15:50:53 172.18.65.202 ALARM: 1206094852l | system | info | ALR | PRIMARY RADIUS SERVER RESTORED CRITICAL RADIUS_Server_Restored This message is generated when the primary

RADIUS server that was down is restored.

 

AP System

 

Event System Log Example Description Action
RADAR

Detected

Mar 21 15:12:08 172.18.65.202 ALARM: 1206092528l | system | info | ALR | RADAR DETECTED CRITICAL Radar Detected This message is generated when DFS Manager detects RADAR.  
MIC Counter Measure Activation Apr 28 13:57:36 172.18.65.202 ALARM: 1209371256l | system | info | ALR | MIC COUNTERMEASURE ACTIVATION CRITICAL MIC_CounterMeasure_Activation_for_AP1 This message is generated when there are two subsequent MIC failures.  
AP MIC Failure Apr 28 13:13:12 172.18.65.202 ALARM: 1209368592l | system | info | ALR | AP MIC FAILURE CRITICAL MIC_-

Failure_for_AP1

This message is generated when there is a MIC failure.  

 

802.11
Event System Log Example Description Action
Station Unassociated Apr 09 13:25:28 172.18.37.203 coordinator: Wireless

Associations, Unassociated for STA 00:1f:3b:6c:62:e7 in

BSSID 00:0c:e6:56:dd:3b ESS 4088clear AP_ID 1 at

Time Fri Apr  9 13:41:49 2010

802.11 station disassociation.  
Station Associated Apr 09 14:05:04 172.18.37.203 coordinator: Wireless

Associations, Associated for STA 00:1f:3b:6c:62:e7 in

BSSID 00:0c:e6:56:dd:3b ESS 4088clear AP_ID 1 at Time Fri Apr  9 14:21:25 2010

Mar 22 13:23:34 172.18.65.202 ALARM: 1206127090l | system | info | ALR | Station Info Update : MacAddress :

00:40:96:ae:20:7a, UserName : pat, AP-Id : 1, AP-Name : AP-1, BSSID : 00:0c:e6:8f:01:01, ESSID : pat, Ip-Type : dynamic dhcp, Ip-Address : 172.18.65.11, L2mode : clear, L3-mode : clear, Vlan-Name : VLAN-111, Vlan-Tag : 111

Apr 06 11:59:24 172.18.65.202 ALARM: 1270535364l | system | info | ALR | Station Disconnected : MacAddress :

00:40:96:ae:20:7a

802.11 station association.

Station connection.

Station disconnected.

 

802.11

 

Security System
Event System Log Example Description Action
RADIUS

ACCESS

REQUEST

Mar 29 13:14:06 172.18.98.221 RADIUSInfo: RADIUS Access-Request Message sent for Client (00:1e:37:0e:98:3e). RADIUS request message has been sent to RADIUS server.  
RADIUS

ACCESS

ACCEPT

Mar 29 13:14:06 172.18.98.221 RADIUSInfo: RADIUS Access-Accept message received for Client (00:1e:37:0e:98:3e). RADIUS server responded with Access-Accept

message for RADIUS

request (success scenario).

 
802.1X RADIUS

ACCESS

REQUEST

Apr 09 15:05:58 172.18.37.203 ALARM: 1270826539l | system | info | ALR | 802.1x Authentication Attempt INFO

RADIUS Access Attempt by station with MAC address

00:1f:3b:6c:62:e7 and user is NULL , AP Id: <1>

As part of 802.1X authentication, RADIUS request message has been sent to RADIUS server from controller.  
802.1X RADIUS

ACCESS

REJECT WITH

BAD USER-

NAME

Apr 13 19:48:23 172.18.48.151 ALARM: 1271169441l | system | info | ALR | 802.1X AUTHENTICATION FAILURE INFO Access Request rejected for User: <harsh>, NAS IP: <172.18.48.151>, SSID: <wpa2h>, Calling Station ID: <00:1f:3b:83:21:13>, Called Station ID: <00:90:0b:0a:82:48>, Authentication Type: <802.1X>,

Reason: <Bad Username or Password>, AP Id: <1>

As part of 802.1X authentication, RADIUS server has responded with Access-Reject message, with the reason “Username or password is not correct.” (Failure scenario). Check for correct username or password.

Security System

Event System Log Example Description Action
RADIUS SWI-

TCHOVER

FAILURE

Apr 09 15:07:54 172.18.37.203 ALARM: 1270826655l | system | info | ALR | RADIUS SERVER SWITCHOVER FAILED MAJOR Primary RADIUS Server <172.18.1.3> failed. No valid Secondary RADIUS Server present. Switchover FAILED for Profile <4089wpa2> During RADIUS authentication, primary RADIUS server was not accessible, and secondary RADIUS server is not configured. Check for connectivity to primary RADIUS server from controller.

If another

RADIUS server

is available, configure it as secondary server.

ACCOUNTING

RADIUS SWI-

TCHOVER

Mar 22 16:38:19 172.18.65.202 ALARM: 1206061018l | system | info | ALR | ACCOUNT RADIUS SERVER SWITCHOVER MAJOR Accounting RADIUS Server switches over from Primary <1.1.1.1> to Secondary <2.2.2.2> for Profile <WPA2> For accounting, primary RADIUS server is not accessible, and switchover to secondary RADIUS server is attempted. Check for connectivity

between primary RADIUS server and controller.

ACCOUNTING

RADIUS SWI-

TCHOVER

FAILURE

Mar 22 16:41:51 172.18.65.202 ALARM: 1206061230l | system | info | ALR | ACCOUNT RADIUS SERVER SWITCHOVER FAILED MAJOR Primary Accounting RADIUS

Server <1.1.1.1> failed. No valid Secondary Accounting

RADIUS Server present. Switchover FAILED for Profile

<WPA2>

For accounting, primary RADIUS server is not accessible, and switchover secondary RADIUS server is not configured. Check for connectivity to primary RADIUS server from controller.

If another

RADIUS server

is available,

configure it as secondary server.

MAC FILTERING: RADIUS

SWITCHOVER

Mar 21 16:38:57 172.18.65.202 ALARM: 1206097736l | system | info | ALR | RADIUS SERVER SWITCHOVER MAJOR RADIUS Server switched over from Primary <

1.1.1.1 > to Secondary < 172.18.1.7 > for Mac Filtering

For MAC filtering, primary

RADIUS server is not accessible, and switchover to secondary RADIUS is attempted.

Check for connectivity between configured primary RADIUS server and controller.

Security System

Captive Portal
Event System Log Example Description Action
Captive Portal Login Request Mar 29 14:11:53 172.18.98.221 xems: 1269867812l | security | info | CAP | Captive Portal

User(pat@172.18.98.41) login Request Received.

Login request for Captive Portal User has been received.  
Captive Portal:

RADIUS Login

Success

Mar 29 14:11:53 172.18.98.221 SecurityMM:

1269867812l | security | info | CAP | pat@172.18.98.41

StationMac[00:1b:77:af:dc:6e] RADIUS User logged in

OK

Captive Portal RADIUS user has successfully logged in.  
Captive Portal: Redirection Mar 29 13:39:16 172.18.86.229 xems: 1269866356l | security | info | CAP | Captive Portal User(172.18.86.14) Redirected. Sending login (https://secsol:8081/vpn/loginformWebAuth.html) Complete Captive Portal login.  

Captive Portal

Event System Log Example Description Action
Captive Portal:

Login Sequence

Mar 22 13:23:47 172.18.65.202 httpd: 1206127103l | 802.mobility | info | CAP | 172.18.111.11:8080 1 http:// www.google.com/webhp?complete=1&hl=en

Mar 22 13:23:47 172.18.65.202 xems: 1206127103l | 802.mobility | info | RED | 172.18.111.11:8080 1

Mar 22 13:23:47 172.18.65.202 xems: 1206127103l | 802.mobility | info | RED | 172.18.111.11:8080 2

Mar 22 13:23:47 172.18.65.202 httpd: 1206127103l | 802.mobility | info | CAP | 172.18.111.11:8080 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http:// 172.18.111.211:8081/vpn/loginformWebAuth.html

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 1

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http://

172.18.111.211:8081/vpn/Images.vpn/newlogo.gif

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 1

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http:// 172.18.111.211:8081/favicon.ico

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 1 http://172.18.111.211:8081/favicon.ico

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 2

   

Captive Portal

Event System Log Example Description Action
  Mar 22 13:23:55 172.18.65.202 httpd: 1206127110l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http:// 172.18.111.211:8081/vpn/loginUser

Mar 22 13:23:55 172.18.65.202 xems: 1206127110l | 802.mobility | info | LOG | 172.18.111.11:8081 1

Mar 22 13:23:55 172.18.65.202 xems: 1206127110l | security | info | CAP | ramesh@172.18.111.11 logged in OK

Mar 22 13:23:55 172.18.65.202 xems: 1206127110l | 802.mobility | info | LOG | 172.18.111.11:8081 2

Mar 22 13:23:55 172.18.65.202 httpd: 1206127110l |

802.mobility | info | CAP | 172.18.111.11:8081 2

   

Captive Portal

QoS
Event System Log Example Description Action
QoS: Action Drop  Apr 13 18:14:23 172.18.117.217 kernel: 1271193480 | system | info | ALR | Network Traffic, Flow of Traffic MAC:

00:40:96:ad:49:b0->MAC: 00:90:0b:0a:81:ae src_ip:172.18.117.27-> dst_ip:69.147.125.65:[dst_port:0], rule id: 23, action: Drop. AP MAC Address :

00:0c:e6:05:c5:14

This message is generated when packets match the QoS rule based on the configured parameters Packets are dropped.  
QoS: Action Forward  Apr 13 18:21:54 172.18.117.217 kernel: 1271193932 | system | info | ALR | Network Traffic, Flow of Traffic MAC:

00:14:a8:59:c8:80->MAC: 00:90:0b:0a:81:ae src_ip:172.18.117.1-> dst_ip:172.18.117.217:[dst_port:0], rule id: 23, action: Forward. AP MAC Address :

00:00:00:00:00:00

This message is generated when packets match the QoS rule based on the configured parameters. The packets that match the configured QoS rules are forwarded for further processing.  
QoS: Action Capture  Apr 13 18:30:47 172.18.117.217 kernel: 1271194465 | system | info | ALR | Network Traffic, Flow of Traffic MAC:

00:40:96:ad:49:b0->MAC: 00:90:0b:0a:81:ae src_ip:172.18.117.27-> dst_ip:172.18.122.122:[dst_port:5060], rule id: 3, action: Capture. AP MAC Address : 00:0c:e6:07:5d:71

This message is generated when packets match the QoS rule based on the configured parameters. The packets are captured and sent to respective Flow Detector for further processing.  

QoS

Event System Log Example Description Action
CAC Per BSSID > CAC Per AP info      ALR       05/04/2010 13:39:20        CAC LIMIT

REACHED MAJOR CAC/Global Bssid Limit Reached (1):

call Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e] in BSSID [00:0c:e6:de:a2:ef]

This message is generated when the CAC limit is reached (based on BSSID).

Calls will not go through.

 
CAC Per AP > CAC Per BSSID info      ALR       05/04/2010 14:42:39        CAC LIMIT

REACHED MAJOR CAC/AP Limit Reached (1): call

Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e]

This message is generated when the CAC limit is reached (based on AP). Calls will not go through.  
CAC Per AP = CAC Per BSSID info      ALR       05/04/2010 15:03:22        CAC LIMIT

REACHED MAJOR CAC/AP Limit Reached (1): call

Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e]

This message is generated when the CAC limit is reached (based on AP=BSSID). Calls will not go through.  
CAC PER Interference  info      ALR       05/04/2010 15:09:01        CAC LIMIT

REACHED MAJOR CAC/Interference Limit Reached (1):

call Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e]

This message is generated when the CAC limit is reached (based on CAC per interference region). Calls will not go through.  

QoS

Rogue AP
Event System Log Example Description Action
ROGUE AP DETECTED Oct 13 11:11:31 172.18.37.201 ALARM: 1255432835l | system | info | ALR | ROGUE AP DETECTED CRITICAL CONTROLLER (1:13)  ROGUE AP DETECTED. AP mac=00:1f:28:57:fa:b7 bss=00:1f:28:57:fa:b7 cch= 6 ess=Integral  by AP AP-204 (204) A rogue AP has been detected.  
ROGUE AP REMOVED Mar 29 13:12:43 172.18.86.229 ALARM: 1269864763l | system | info | ALR | ROGUE AP REMOVED  CONTROLLER (1:24490)  ROGUE AP DETECTED. AP      mac=00:12:f2:00:17:63 bss=00:12:f2:00:17:63 cch=161 ess=rogue-35 A rogue AP has been removed.  
Licensing
Event System Log Example Description Action
LICENSE

EXPIRE WARN-

ING

Mar 22 15:27:42 172.18.65.202 ALARM: 1205970893l | system | notice | NOT | controller license expires in 1 day Notification that license expires in one day. Install a license for the software.
LICENSE

EXPIRE WARN-

ING

Mar 22 15:33:46 172.18.65.202 ALARM: 1205971257l | system | notice | NOT | controller license expires tonight at midnight. Notification that license expires by midnight. Install a license for the software.
LICENSE EXPIRED Mar 22 15:42:17 172.18.65.202 ALARM: 1206057655l | system | info | ALR | SOFTWARE LICENSE EXPIRED MAJOR controller license has already expired. License has expired. Install a license for the software.
LICENSE

EXPIRED

ALARM CLEAR

Mar 22 15:52:23 172.18.65.202 ALARM: 1206058262l | system | info | ALR | SOFTWARE LICENSE EXPIRED CLEAR controller License alarm cleared.  

Rogue AP

N+1 Redundancy
Event System Log Example Description Action
MASTER CONTROLLER

DOWN

Apr 19 14:24:26 172.18.253.203 nplus1_Slave: ALERT:

Master Controller has timed out: Regression1 172.18.253.201

Slave detects that master controller is not reachable. Slave moves to active state. Diagnose the master controller.
PASSIVE TO

ACTIVE SLAVE

STATE TRANSITION

Apr 19 14:24:26 172.18.253.203 nplus1_Slave: Slave State: Passive->Active Passive slave in transition to becoming active slave.  
ACTIVE SLAVE May 15 16:07:49 172.18.32.201 nplus1_Slave: Slave State: Active Slave in active state.  
ACTIVE TO

PASSIVE

SLAVE TRANSITION

May 15 16:07:59 172.18.32.201 nplus1_Slave: Slave State: Active->Passive Slave detected that master controller is reachable, so slave becomes passive again.  
ACTIVE TO

PASSIVE

SLAVE TRANSITION

Apr 19 14:40:21 172.18.253.203 nplus1_Slave: NOTICE:

Active Slave Controller (Regression1 172.18.253.201) ->

Passive Slave  (RegressionSlave 172.18.253.203)

Slave detected that master controller is reachable, so slave becomes passive again.  
PASSIVE SLAVE Apr 19 14:40:21 172.18.253.203 nplus1_Slave: Slave State: Passive Slave in passive state.  
MASTER CON-

TROLLER

DOWN ALARM

May 15 16:07:49 172.18.32.201 ALARM: 1210847902l | system | info | ALR | MASTER CONTROLER DOWN INFO Master controller down alarm.  

N+1 Redundancy

Event System Log Example Description Action
MASTER CONTROLLER UP

ALARM

May 15 16:07:59 172.18.32.201 ALARM: 1210847912l | system | info | ALR | MASTER CONTROLER UP INFO Master controller up alarm.  
SLAVE CONFIG

SYNC

Apr 19 14:51:07 172.18.253.201 sshd[7465]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Apr 19 14:51:07 172.18.253.201 sshd[7465]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Apr 19 14:51:07 172.18.253.201 sshd[7465]: Accepted publickey for root from 172.18.253.203 port 34674 ssh2

Apr 19 14:51:07 172.18.253.201 PAM-env[7465]: Unable to open config file: No such file or directory

SSH system log messages are shown while slave is syncing certain configuration files with the master controller using scp.  

 

FortiWLC – Events

Events

Events are similar to alarms in that they indicate that a specific action has taken place. However, while alarms typically require some form of user intervention to resolve the problem, events simply provide an indication that a change has been made. As such, this tab provides a reference to actions on the system.

Figure 88: Events Table

The table below provides a brief description of the columns provided in the Events table. TABLE 36: Events Table Columns

Column Description
Event Name The name of the event triggered.
Severity The severity level; can range from Information, Minor, Major, Critical.
Source The type of device that triggered the event (controller, AP).
FDN The name of the device that triggered the event.
Raised At The date and time at which the event was triggered.
Detail Detailed information regarding the event, including identifying device details.
Modifying Event Definitions

While FortiWLC (SD) provides a list of pre-configured events, users can also customize the events to the needs of their environment via the Events > Definition tab.

Events

Figure 89: Event Definitions

As shown above, each event has a predetermined severity level, trigger condition, and threshold, but these values can be modified by clicking the small pencil icon next to the desired alarm. This will pop up the Alarm Configuration window, as seen in Figure 87 on page 491. Figure 90: Editing an Event

Events

Use the drop-downs provided in the window to tailor the event to the deployment’s needs and click Save when finished. If desired, the user can click Reload Default to reset the event’s configuration to its original values.

The Threshold field’s units will vary depending on the event selected—for example, when modifying Alarm History Reaches Threshold, the Threshold is measured in percentage of overall alarm table history (and defaults to 90%). However, in an event such as RADIUS Server Switchover, no threshold is needed at all, as it is a binary alarm (i.e., it is triggered when the RADIUS server is switched—there is no percentage involved).

Events