Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWiFi and FortiAP Configuration Guide

    Home FortiAP / FortiWiFi 7.6.0 FortiWiFi and FortiAP Configuration Guide
    7.6.0
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.1
    7.2.0
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.6
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.2
    6.2.0
    6.0.5
    6.0.4
    6.0.3
    5.6.4
    5.4.3

    Suppressing phishing SSID

    Suppressing phishing SSID

    You can enable FortiAPs to log and suppress phishing SSIDs. Phishing SSIDs are defined as:

    • An SSID defined on FortiGate that is broadcast from an uncontrolled AP.
    • A pre-defined pattern for an offending SSID pattern. For example, you can define any SSID that contains your company name to be a phishing SSID.
    To configure phishing SSID functions:

    config wireless-controller setting

    set phishing-ssid-detect enable|disable

    set fake-ssid-action log|suppress

    config offending-ssid

    edit 1

    set ssid-pattern "OFFENDING*"

    set action log|suppress

    next

    end

    end

    set phishing-ssid-detect enable|disable

    		Enable or disable the phishing SSID detection function. The default is enable.

    set fake-ssid-action log|suppress

    		Specify the FortiGate action after detecting a fake SSID. The default is log and can be set to either one or both.

    set ssid-pattern "OFFENDING*"

    		Specify the criteria to match an offending SSID. This example shows all SSID names with a leading string OFFENDING (not case-sensitive).

    set action log|suppress

    		Specify the FortiGate action after detecting the offending SSID pattern entry. The default setting is log and can be set to either one or both.

    Log examples

    WiFi event log sample for fake SSID detection

    The following is a sample of the log that is generated when a fake SSID is first detected:

    1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

    The following is a sample of the log that is periodically generated when a fake SSID is continuously detected:

    1: date=2019-03-01 time=14:58:53 logid="0104043568" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551481133 logdesc="Fake AP on air" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-on-air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173728 age=330 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Fake AP On-air CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173728 age 330"

    WiFi event log sample for fake SSID suppression

    The following is a sample of the log that is generated when a fake SSID is suppressed:

    1: date=2019-03-01 time=14:53:23 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Rogue AP suppressed" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

    WiFi event log sample for offending SSID detection

    The following a sample of the log that is generated when an offending SSID is first detected:

    1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

    The following is a sample of a log that is periodically generated when an offending SSID is continuously detected:

    1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480952 logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="offending-ap-on-air" manuf="N/A" security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173548 age=150 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"

    WiFi event log sample for offending SSID suppression

    The following is a sample of the log that is generated when an offending SSID is suppressed:

    1: date=2019-03-01 time=14:53:33 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Rogue AP suppressed" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

    Previous
    Next

    Suppressing phishing SSID

    Suppressing phishing SSID

    You can enable FortiAPs to log and suppress phishing SSIDs. Phishing SSIDs are defined as:

    • An SSID defined on FortiGate that is broadcast from an uncontrolled AP.
    • A pre-defined pattern for an offending SSID pattern. For example, you can define any SSID that contains your company name to be a phishing SSID.
    To configure phishing SSID functions:

    config wireless-controller setting

    set phishing-ssid-detect enable|disable

    set fake-ssid-action log|suppress

    config offending-ssid

    edit 1

    set ssid-pattern "OFFENDING*"

    set action log|suppress

    next

    end

    end

    set phishing-ssid-detect enable|disable

    		Enable or disable the phishing SSID detection function. The default is enable.

    set fake-ssid-action log|suppress

    		Specify the FortiGate action after detecting a fake SSID. The default is log and can be set to either one or both.

    set ssid-pattern "OFFENDING*"

    		Specify the criteria to match an offending SSID. This example shows all SSID names with a leading string OFFENDING (not case-sensitive).

    set action log|suppress

    		Specify the FortiGate action after detecting the offending SSID pattern entry. The default setting is log and can be set to either one or both.

    Log examples

    WiFi event log sample for fake SSID detection

    The following is a sample of the log that is generated when a fake SSID is first detected:

    1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

    The following is a sample of the log that is periodically generated when a fake SSID is continuously detected:

    1: date=2019-03-01 time=14:58:53 logid="0104043568" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551481133 logdesc="Fake AP on air" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-on-air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173728 age=330 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Fake AP On-air CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173728 age 330"

    WiFi event log sample for fake SSID suppression

    The following is a sample of the log that is generated when a fake SSID is suppressed:

    1: date=2019-03-01 time=14:53:23 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Rogue AP suppressed" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

    WiFi event log sample for offending SSID detection

    The following a sample of the log that is generated when an offending SSID is first detected:

    1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

    The following is a sample of a log that is periodically generated when an offending SSID is continuously detected:

    1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480952 logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="offending-ap-on-air" manuf="N/A" security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173548 age=150 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"

    WiFi event log sample for offending SSID suppression

    The following is a sample of the log that is generated when an offending SSID is suppressed:

    1: date=2019-03-01 time=14:53:33 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Rogue AP suppressed" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

    Previous
    Next