Fortinet white logo
Fortinet white logo

FortiWiFi and FortiAP Configuration Guide

Wireless Intrusion Detection System

Wireless Intrusion Detection System

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

  • Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
  • Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
  • Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
  • Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
  • EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
  • Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
  • Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200.
  • Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
  • Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
  • Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
  • Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable WIDS by enabling and selecting a WIDS Profile on a designated radio from a FortiAP profile.

To create a WIDS Profile - GUI
  1. Go to WiFi and Switch Controller > WIDS Profiles.
  2. Select a profile to edit or select Create New.
  3. Under Intrusion Detection Settings, enable the intrusion types you want protect against.
  4. When you are finished, click OK.

    Once you create a WIDS profile, you can enable WIDS Profile on a specified radio under a FortiAP profile.

To create a WIDS Profile - CLI
config wireless-controller wids-profile
  edit "example-wids-profile"
    set ap-scan enable
    ...
  next
end
To apply a WIDS Profile to a FortiAP - CLI
config wireless-controller wtp-profile
  edit "example-FAP-profile"
    config platform
      set type <FAP-model-number>
    end
    set handoff-sta-thresh 55
    set ap-country US
    config radio-1
      set band 802.11n
      set wids-profile "example-wids-profile"
      set vap-all disable
    end
    config radio-2
      set band 802.11ac
      set vap-all disable
    end
  next
end

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Monitoring rogue APs.

WIDS client de-authentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends de-authentication packets to unknown clients. In an aggressive attack, this de-authentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the de-authentication rate.

config wireless-controller wids-profile

edit default

set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of de-authorizations per second. 0 means no limit. The default is 10.

Wireless Intrusion Detection System

Wireless Intrusion Detection System

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

  • Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
  • Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
  • Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
  • Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
  • EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
  • Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
  • Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200.
  • Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
  • Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
  • Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
  • Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable WIDS by enabling and selecting a WIDS Profile on a designated radio from a FortiAP profile.

To create a WIDS Profile - GUI
  1. Go to WiFi and Switch Controller > WIDS Profiles.
  2. Select a profile to edit or select Create New.
  3. Under Intrusion Detection Settings, enable the intrusion types you want protect against.
  4. When you are finished, click OK.

    Once you create a WIDS profile, you can enable WIDS Profile on a specified radio under a FortiAP profile.

To create a WIDS Profile - CLI
config wireless-controller wids-profile
  edit "example-wids-profile"
    set ap-scan enable
    ...
  next
end
To apply a WIDS Profile to a FortiAP - CLI
config wireless-controller wtp-profile
  edit "example-FAP-profile"
    config platform
      set type <FAP-model-number>
    end
    set handoff-sta-thresh 55
    set ap-country US
    config radio-1
      set band 802.11n
      set wids-profile "example-wids-profile"
      set vap-all disable
    end
    config radio-2
      set band 802.11ac
      set vap-all disable
    end
  next
end

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Monitoring rogue APs.

WIDS client de-authentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends de-authentication packets to unknown clients. In an aggressive attack, this de-authentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the de-authentication rate.

config wireless-controller wids-profile

edit default

set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of de-authorizations per second. 0 means no limit. The default is 10.