Fortinet Document Library

FortiWiFi and FortiAP Cookbook 6.4.0

Monitoring and suppressing phishing SSID

In addition to rogue AP detection, another concern is phishing SSIDs, which are defined as:

  • An SSID that is defined on the FortiGate but is being broadcast from an AP the FortiGate does not control (a fake SSID).
  • An SSID that matches a pre-defined offending SSID pattern. For example, you can define any SSID that contains your company name as a phishing SSID.

This function enables FortiAP to monitor and report these SSIDs in logs with the option to suppress them. You can only configure this function using the CLI.

To configure phishing SSID functions:

config wireless-controller setting
    set phishing-ssid-detect enable|disable
    set fake-ssid-action log|suppress
    config offending-ssid
        edit 1
            set ssid-pattern "OFFENDING*"
            set action log|suppress
        next
    end
end

set phishing-ssid-detect enable|disable

Enable or disable the phishing SSID detection function. The default is enable.

set fake-ssid-action log|suppress

Specify the action the FortiGate takes after detecting a fake SSID. The default is log. You can set log, suppress, or both; to set both, list both values on the same set command.

set ssid-pattern "OFFENDING*"

Specify the wildcard pattern that identifies an offending SSID. This example matches every SSID name that begins with the string OFFENDING; the match is not case-sensitive.

set action log|suppress

Specify the action the FortiGate takes when an SSID matches this offending SSID pattern entry. The default is log. You can set log, suppress, or both; to set both, list both values on the same set command.

Log examples

WiFi event log sample for fake SSID detection

Following is a sample of the log that is generated when a fake SSID is first detected:

1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

Following is a sample of the log that is periodically generated when a fake SSID is continuously detected:

1: date=2019-03-01 time=14:58:53 logid="0104043568" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551481133 logdesc="Fake AP on air" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-on-air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173728 age=330 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Fake AP On-air CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173728 age 330"

WiFi event log sample for fake SSID suppression

Following is a sample of the log that is generated when a fake SSID is suppressed:

1: date=2019-03-01 time=14:53:23 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Rogue AP suppressed" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

WiFi event log sample for offending SSID detection

Following is a sample of the log that is generated when an offending SSID is first detected:

1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

Following is a sample of a log that is periodically generated when an offending SSID is continuously detected:

1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480952 logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="offending-ap-on-air" manuf="N/A" security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173548 age=150 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"

WiFi event log sample for offending SSID suppression

Following is a sample of the log that is generated when an offending SSID is suppressed. Note that it is the same Rogue AP suppressed event (logid 0104043569, action rogue-ap-suppressed) that fake SSID suppression generates; to tell the two apart, correlate the bssid and ssid with the preceding offending-ap-detected or fake-ap-detected event:

1: date=2019-03-01 time=14:53:33 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Rogue AP suppressed" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"
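The following script is an added example for this page and is not Fortinet code. It parses the key=value wireless event log lines shown above, groups them per BSSID so that the shared rogue-ap-suppressed event can be tied back to the fake or offending detection that preceded it, and cross-checks each event against the SSIDs defined on the FortiGate and the configured offending-ssid patterns (using the case-insensitive wildcard semantics the ssid-pattern description gives). The six log lines are copied from this page; MANAGED_SSIDS and OFFENDING_PATTERNS are constructed to mirror the page's example configuration and are assumptions, as is the key=value parsing approach.

```python
"""Triage FortiGate wireless event logs for phishing-SSID activity.

Added example for this page, not Fortinet code. The six log lines are copied
from the page; MANAGED_SSIDS and OFFENDING_PATTERNS are constructed to mirror
the page's example configuration.
"""
import fnmatch
import re

# One key=value pair of a FortiOS log line; values are either "quoted" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log lines copied from the page (record index "1:" included as printed there).
SAMPLE_LOGS = [
    '1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"',
    '1: date=2019-03-01 time=14:58:53 logid="0104043568" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551481133 logdesc="Fake AP on air" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-on-air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173728 age=330 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Fake AP On-air CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173728 age 330"',
    '1: date=2019-03-01 time=14:53:23 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Rogue AP suppressed" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"',
    '1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"',
    '1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480952 logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="offending-ap-on-air" manuf="N/A" security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173548 age=150 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"',
    '1: date=2019-03-01 time=14:53:33 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Rogue AP suppressed" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"',
]

# Constructed (assumption): the SSIDs defined on the FortiGate and the
# offending-ssid entries, mirroring the page's example configuration.
MANAGED_SSIDS = ["CORP_WIFI_ACCESS"]
OFFENDING_PATTERNS = ["OFFENDING*"]

# action value -> (event family, state). rogue-ap-suppressed carries no family
# because fake and offending suppression share that event.
ACTIONS = {
    "fake-ap-detected": ("fake", "detected"),
    "fake-ap-on-air": ("fake", "on-air"),
    "offending-ap-detected": ("offending", "detected"),
    "offending-ap-on-air": ("offending", "on-air"),
    "rogue-ap-suppressed": (None, "suppressed"),
}


def parse_log_line(line):
    """Return the key=value fields of one FortiOS log line as a dict of strings."""
    line = re.sub(r"^\d+:\s*", "", line)  # drop the leading record index
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def matches_pattern(ssid, pattern):
    """Case-insensitive wildcard match, as the page describes ssid-pattern."""
    return fnmatch.fnmatchcase(ssid.lower(), pattern.lower())


def triage(lines, managed_ssids, offending_patterns):
    """Group phishing-SSID events by BSSID and validate them against the config.

    Returns {bssid: {ssid, states, suppressed, last_age, closest_ap, anomalies}}.
    An anomaly is a fake-AP event whose SSID is not defined on the FortiGate, or
    an offending-AP event whose SSID matches none of the configured patterns;
    either means the log does not agree with the configuration you expect.
    """
    managed = {s.lower() for s in managed_ssids}
    report = {}
    for raw in lines:
        ev = parse_log_line(raw)
        if ev.get("subtype") != "wireless" or ev.get("action") not in ACTIONS:
            continue  # not a phishing-SSID event
        family, state = ACTIONS[ev["action"]]
        entry = report.setdefault(ev["bssid"], {
            "ssid": ev["ssid"], "states": set(), "suppressed": False,
            "last_age": 0, "closest_ap": None, "anomalies": []})
        entry["states"].add(state)
        entry["suppressed"] = entry["suppressed"] or state == "suppressed"
        entry["last_age"] = max(entry["last_age"], int(ev.get("age", "0")))
        entry["closest_ap"] = ev.get("snclosest", entry["closest_ap"])
        if family == "fake" and ev["ssid"].lower() not in managed:
            entry["anomalies"].append(
                f"{ev['action']} for SSID not defined on FortiGate: {ev['ssid']}")
        if family == "offending" and not any(
                matches_pattern(ev["ssid"], p) for p in offending_patterns):
            entry["anomalies"].append(
                f"{ev['action']} for SSID matching no offending pattern: {ev['ssid']}")
    return report


if __name__ == "__main__":
    for bssid, e in triage(SAMPLE_LOGS, MANAGED_SSIDS, OFFENDING_PATTERNS).items():
        flag = "SUPPRESSED" if e["suppressed"] else "on air, log only"
        print(f"{bssid} {e['ssid']:<20} {flag:<17} age={e['last_age']:<4}"
              f" closest={e['closest_ap']} states={sorted(e['states'])}")
        for a in e["anomalies"]:
            print("   !", a)
```

Run against the page's six lines, the report shows that 08:5b:0e:18:1b:d0 (the fake CORP_WIFI_ACCESS) and 1a:5b:0e:b5:f3:bf (OFFENDING_SSID) were suppressed while 9a:5b:0e:18:1b:d0 (OFFENDING_SSID_TEST) was only logged, and the snclosest field names the FortiAP to start a physical search from. Feeding the same lines with an empty managed list or a non-matching pattern list surfaces anomalies, which is a quick way to catch drift between what the FortiGate is configured to treat as phishing and what its logs actually report.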
