Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

Suppressing rogue APs

Copy Link
Copy Doc ID 89ea0dba-bc2e-11ec-9fd1-fa163e15d75b:684604
Download PDF

Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

Caution

Before enabling this feature, verify that operation of Rogue Suppression is compliant with the applicable laws and regulations of your region.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on‑wire detection technique (see Configuring rogue scanning). The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP
  1. Go to Dashboard > WiFi > Rogue APs.
  2. In the table of rogue APs, select the AP you want to suppress and hover your mouse over the State column.
  3. Click the Edit icon and select Suppressed Rogue AP.
  4. Click Apply.
To deactivate AP suppression
  1. Go to Dashboard > WiFi > Rogue APs.
  2. In the table of rogue APs, select the AP you want to suppress and hover your mouse over the State column.
  3. Click the Edit icon and select another state.
  4. Click Apply.
Note

You can change the state of multiple APs by selecting multiple rows.

To activate AP suppression against a rogue AP - CLI
config wireless-controller ap-status
  edit 1
    set bssid 90:6c:ac:da:a7:f1
    set ssid "example-SSID"
    set status suppressed
  next
end

Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

Caution

Before enabling this feature, verify that operation of Rogue Suppression is compliant with the applicable laws and regulations of your region.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on‑wire detection technique (see Configuring rogue scanning). The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP
  1. Go to Dashboard > WiFi > Rogue APs.
  2. In the table of rogue APs, select the AP you want to suppress and hover your mouse over the State column.
  3. Click the Edit icon and select Suppressed Rogue AP.
  4. Click Apply.
To deactivate AP suppression
  1. Go to Dashboard > WiFi > Rogue APs.
  2. In the table of rogue APs, select the AP you want to suppress and hover your mouse over the State column.
  3. Click the Edit icon and select another state.
  4. Click Apply.
Note

You can change the state of multiple APs by selecting multiple rows.

To activate AP suppression against a rogue AP - CLI
config wireless-controller ap-status
  edit 1
    set bssid 90:6c:ac:da:a7:f1
    set ssid "example-SSID"
    set status suppressed
  next
end