Disable dedicated scanning on FortiAP F-Series profiles
The FortiAP F-series product family supports two radios while a third radio performs dedicated scans at all times. However, due to wireless chipset limitations on the third radio, some of the data packets cannot be scanned, which may impact the detection capabilities for FortiPresence and other related solutions. You can disable dedicated scanning, which allows background scanning through a WIDS profile to be enabled on Radios 1 and 2.
To disable dedicated scanning and enable background scanning - GUI
- Go to WiFi & Switch Controller > FortiAP Profiles and select the FortiAP F-series profile you want to disable dedicated scanning for.
- Disable Dedicated scan.
  After you disable Dedicated scan, the WIDS profile option becomes available under Radio 1 and Radio 2 configuration.
- Set the Mode of the Radio to Access Point.
- Enable WIDS profile and select a WIDS profile to perform background scanning.
- Go to Dashboard > WiFi > Rogue APs to verify that the Rogue AP list is on the same channel as the Radio you configured.
To disable dedicated scanning and enable background scanning - CLI
When you create a new FortiAP F-series profile, dedicated scanning is automatically enabled.
- Disable dedicated scanning and assign a WIDS profile:
    config wireless-controller wtp-profile
        edit 433F
            config platform
                set type 433F
                set ddscan disable
            end
            set handoff-sta-thresh 55
            config radio-1
                set band 802.11ax,n,g-only
                set wids-profile "default-wids-apscan-enabled"
            end
            config radio-2
                set band 802.11ax-5G
                set wids-profile "default-wids-apscan-enabled"
            end
            config radio-3
                set mode disabled
            end
        next
    end
- Configure the WIDS profile to enable background scan:
    config wireless-controller wids-profile
        edit "default-wids-apscan-enabled"
            set ap-scan enable
            set ap-bgscan-period 60
            set ap-bgscan-intv 1
            set ap-bgscan-duration 20
            set ap-bgscan-idle 0
        next
    end
- Assign the wtp-profile to a managed FortiAP:
    config wireless-controller wtp
        edit "FP433FTF20000002"
            set uuid e3beadf4-6fdf-51ec-d2ed-cd489ee341cb
            set admin enable
            set wtp-profile "433F"
            config radio-1
            end
            config radio-2
            end
        next
    end
- Check managed FortiAP Channel and background scan status:
    FortiGate-80E-POE # diag wire wlac -c wtp FP433FTF20000002
    -------------------------------WTP 1----------------------------
    WTP vd : root
        vfid : 0
        id : FP433FTF20000002
    ...
    Radio 1 : AP
    ...
        bgscan oper : enabled
        bgscan period : oper 60 cfg 60
        bgscan intv : 1
        bgscan dur : 20
        bgscan idle : 0
        bgscan rptintv : 30
    ...
    Radio 2 : AP
    ...
        bgscan oper : enabled
        bgscan period : oper 60 cfg 60
        bgscan intv : 1
        bgscan dur : 20
        bgscan idle : 0
        bgscan rptintv : 30
    ...
    -------------------------------Total 1 WTPs----------------------------
- Check the Rogue AP list on FortiGate:
    FortiGate-80E-POE # diag wire wlac -c ap-rogue
    CMWP AP: vf bssid ssid ch rate sec signal noise age sta mac wtp cnt ici bw sgi band
    UNNN AP: 0 08:5b:0e:17:91:1f fortinet-30d-... 11 130 WPA2 Personal -39 -95 8 00:00:00:00:00:00 1 /1 56->0 20 0 11NGHT20
      N FP433FTF20000002 fortinet-30d-... 11 130 WPA2 Personal -39 -95 8 10.43.1.18:25246-0 1
    UNNN AP: 0 08:5b:0e:4c:2b:6c fortinet 11 130 WPA2 Personal -67 -95 18 00:00:00:00:00:00 1 /1 28->0 20 0 11NGHT20
      N FP433FTF20000002 fortinet 11 130 WPA2 Personal -67 -95 18 10.43.1.18:25246-0 1
    ...
    C - Configured (G:accept, B:rogue, S:suppress, U:unconfigured)
    M - AC managed (V:vdom, C:AC, N:unmanaged)
    W - On wire (Y:yes, N:no)
    P - Phishing (F:fake, O:offending, N:no)
    Total Rogue-AP:34 Rogue-AP-WTP(displayed):34 Rogue-AP-WTP(total):34
    Total Entries: 34
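The background scan status check above can be automated over saved `diag wire wlac -c wtp` output so that a radio that silently stopped scanning is flagged. This Python code is an added example, not part of the original documentation: the function names, the constructed sample, the `disabled` value, the `Radio 3` line, and the rule that the `oper` and `cfg` periods should match are assumptions, while the field names come from the output shown above.

```python
import re

# Constructed sample shaped like the `diag wire wlac -c wtp <id>` output on this
# page; the "disabled" value and the Radio 3 line are assumptions for illustration.
SAMPLE = """\
-------------------------------WTP 1----------------------------
WTP vd : root
Radio 1 : AP
    bgscan oper : enabled
    bgscan period : oper 60 cfg 60
    bgscan intv : 1
Radio 2 : AP
    bgscan oper : disabled
    bgscan period : oper 0 cfg 60
Radio 3 : Disabled
"""

def parse_radios(text):
    """Return {radio_number: {"mode": ..., "<bgscan field>": ...}}."""
    radios, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Radio\s+(\d+)\s*:\s*(\S+)", line)
        if m:
            current = radios.setdefault(int(m.group(1)), {"mode": m.group(2)})
            continue
        m = re.match(r"\s*bgscan\s+(\w+)\s*:\s*(.+?)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return radios

def bgscan_gaps(text, expected_radios=(1, 2)):
    """List (radio, reason) for radios that should be background scanning but are not."""
    radios, gaps = parse_radios(text), []
    for n in expected_radios:
        r = radios.get(n)
        if r is None:
            gaps.append((n, "radio not present in output"))
        elif r["mode"] != "AP":
            gaps.append((n, f"mode is {r['mode']}, not AP"))
        elif r.get("oper") != "enabled":
            gaps.append((n, f"bgscan oper is {r.get('oper', 'missing')}"))
        else:
            # Assumed rule: the operational period should equal the configured one.
            p = re.fullmatch(r"oper (\d+) cfg (\d+)", r.get("period", ""))
            if not p or p.group(1) != p.group(2):
                gaps.append((n, "bgscan period oper/cfg mismatch"))
    return gaps

if __name__ == "__main__":
    print(bgscan_gaps(SAMPLE))
```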