Enabling AP scan channel lists to optimize foreground scanning
You can use AP scan channel lists to optimize wireless foreground scanning by limiting the number of radio channels scanned. When DAARP, location-based services (LBS) for FortiPresence, or rogue AP monitoring are configured, you can select, per frequency band, which channels the wireless foreground scan runs on. With fewer channels to scan, the overall dwell cycle time is reduced and scan reports are produced more frequently.
Under the Wireless Intrusion Detection System (WIDS) profile, use the following CLI commands to configure the selected channels:
config wireless-controller wids-profile
    edit <WIDS_profile_name>
        set ap-scan enable
        set ap-scan-channel-list-2G-5G <channel-1> <channel-2> ... <channel-x>
        set ap-scan-channel-list-6G <channel-1> <channel-2> ... <channel-y>
    next
end

ap-scan-channel-list-2G-5G: Add the 2.4G and 5G band AP channels you want to scan.
ap-scan-channel-list-6G: Add the 6G band AP channels you want to scan.
To create a WIDS profile to scan for specific radio channels:
- Create a WIDS profile and add the selected channels to the appropriate AP scan channel list:

config wireless-controller wids-profile
    edit "wids.test"
        set sensor-mode both
        set ap-scan enable
        set ap-scan-channel-list-2G-5G "1" "6" "149" "161"
        set ap-scan-channel-list-6G "109" "201" "217"
    next
end
To scan specified 2.4G and 5G channels:
- From the FortiAP profile, enable dedicated scanning and set Radio 3 to monitor mode with the WIDS profile applied.

config wireless-controller wtp-profile
    edit "FAP431G.ddscan"
        config platform
            set type 431G
            set ddscan enable
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
            set wids-profile "wids.test"
        end
    next
end
Radio 3 will scan the 2.4G and 5G channels specified in ap-scan-channel-list-2G-5G.

- Verify that the scan is only run on the specified 2.4G and 5G channels.
FortiGate-40F # diag wireless-controller wlac -c ap-rogue
CMWP AP:
vf bssid ssid ch rate sec signal noise age sta mac wtp cnt ici bw sgi band freq(MHz)
UNNN AP: 0 04:d5:90:4a:19:b1 FOS_test_001_... 161 260 WPA3 OWE -55 -95 562 00:00:00:00:00:00 1 /1 none 20 0 11ACVHT20 (wave2) 5805
    N FP431GTY22003576 FOS_test_001_... 161 260 WPA3 OWE -55 -95 562 172.20.1.29:5246 -2 11
UNNN AP: 0 06:18:d6:67:29:42 6 144 WPA2 Personal -85 -95 958 00:00:00:00:00:00 1 /1 none 20 1 11NGHT20 2437
    N FP431GTY22003576 6 144 WPA2 Personal -85 -95 958 172.20.1.29:5246 -2 11
UNNN AP: 0 06:93:7c:65:49:f8 1 1181 WPA2 Personal -87 -95 688 00:00:00:00:00:00 1 /1 none 20 1 11AXGHE20 2412
    N FP431GTY22003576 1 1181 WPA2 Personal -87 -95 688 172.20.1.29:5246 -2 11
UNNN AP: 0 90:6c:ac:45:5b:8a Example_001_test 149 130 WPA2 Personal -69 -95 51438 00:00:00:00:00:00 1 /1 none 20 0 11NAHT20 (wave2) 5745
    N FP431GTY22003576 Example_001_test 149 130 WPA2 Personal -69 -95 51438 172.20.1.29:5246 -2 11
To scan specified 6G channels:
- From the FortiAP profile, do not enable dedicated scanning. Set Radio 3 to monitor mode with the WIDS profile applied.

config wireless-controller wtp-profile
    edit "FAP431G.noddscan"
        config platform
            set type 431G
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
            set wids-profile "wids.test"
        end
    next
end
Radio 3 will scan the 6G channels specified in ap-scan-channel-list-6G.

- Verify that the scan is only run on the specified 6G channels.
FortiGate-40F # diag wireless-controller wlac -c ap-rogue
CMWP AP:
vf bssid ssid ch rate sec signal noise age sta mac wtp cnt ici bw sgi band freq(MHz)
UNNN AP: 0 84:39:8f:1f:0e:c8 test01-GUI-SS... 109 1147 WPA3 SAE -80 -95 6 00:00:00:00:00:00 1 /1 none 20 0 11AX6HE20-6G 6495
    N FP431GTY22003576 test01-GUI-SS... 109 1147 WPA3 SAE -80 -95 6 172.20.1.29:5246 -2 17
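Both verification steps above (the 2.4G/5G check and the 6G check) come down to reading the `diag wireless-controller wlac -c ap-rogue` output and confirming that every reported AP sits on a channel from the WIDS profile's lists. The following script is an added example, not Fortinet code: it parses the text layout shown on this page, derives the band from the reported frequency using the standard 802.11 channel numbering (2.4G ch = (f - 2407)/5, 5G ch = (f - 5000)/5, 6G ch = (f - 5950)/5), and flags any record outside the configured lists or whose channel disagrees with its frequency. The sample captures are constructed: the 2.4G/5G sample repeats the page's four records and adds an invented fifth AP (00:11:22:33:44:55 on channel 36) so the check has something to report; the 6G sample repeats the page's single record.

```python
"""Check `diag wireless-controller wlac -c ap-rogue` output against the AP
scan channel lists of a WIDS profile (added example, not Fortinet code)."""
import re

# Channel lists from the page's "wids.test" profile.
ALLOWED_2G_5G = {1, 6, 149, 161}
ALLOWED_6G = {109, 201, 217}

# One "UNNN AP:" record: vf, bssid, an optional ssid, ch, rate, then the
# remaining columns, with freq(MHz) as the last field on the line.
AP_LINE = re.compile(
    r"^\s*UNNN AP:\s+\d+\s+(?P<bssid>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"\s+(?:(?P<ssid>\S+)\s+)?(?P<ch>\d+)\s+\d+\s+.*?(?P<freq>\d{4})\s*$"
)


def channel_from_freq(freq):
    """Map a centre frequency in MHz to (band, channel) with the standard
    802.11 numbering; 2.4G channel 14 is the irregular one at 2484 MHz."""
    if freq == 2484:
        return "2G", 14
    if 2412 <= freq <= 2472:
        return "2G", (freq - 2407) // 5
    if 5000 <= freq < 5925:
        return "5G", (freq - 5000) // 5
    if 5925 <= freq <= 7125:
        return "6G", (freq - 5950) // 5
    raise ValueError(f"{freq} MHz is outside the 2.4/5/6 GHz bands")


def parse_aps(output):
    """Return one dict per AP record. The header, the 'CMWP AP:' line and
    the indented per-WTP detail lines do not match AP_LINE and are skipped."""
    aps = []
    for line in output.splitlines():
        m = AP_LINE.match(line)
        if m:
            aps.append({"bssid": m.group("bssid"), "ssid": m.group("ssid") or "",
                        "ch": int(m.group("ch")), "freq": int(m.group("freq"))})
    return aps


def check_scan(output, allowed_2g_5g, allowed_6g):
    """Return (bssid, band, channel, reason) for every AP that a scan
    restricted to the given channel lists should not have reported."""
    findings = []
    for ap in parse_aps(output):
        try:
            band, expected_ch = channel_from_freq(ap["freq"])
        except ValueError as exc:
            findings.append((ap["bssid"], "?", ap["ch"], str(exc)))
            continue
        if ap["ch"] != expected_ch:
            findings.append((ap["bssid"], band, ap["ch"],
                             f"channel/frequency mismatch ({ap['freq']} MHz)"))
            continue
        allowed = allowed_6g if band == "6G" else allowed_2g_5g
        if ap["ch"] not in allowed:
            findings.append((ap["bssid"], band, ap["ch"], "channel not in scan list"))
    return findings


# Constructed sample in the page's output layout: records 1-4 mirror the
# page's 2.4G/5G capture; record 5 (channel 36, 5180 MHz) is invented.
SAMPLE_2G_5G = """\
CMWP AP:
vf bssid ssid ch rate sec signal noise age sta mac wtp cnt ici bw sgi band freq(MHz)
UNNN AP: 0 04:d5:90:4a:19:b1 FOS_test_001_... 161 260 WPA3 OWE -55 -95 562 00:00:00:00:00:00 1 /1 none 20 0 11ACVHT20 (wave2) 5805
    N FP431GTY22003576 FOS_test_001_... 161 260 WPA3 OWE -55 -95 562 172.20.1.29:5246 -2 11
UNNN AP: 0 06:18:d6:67:29:42 6 144 WPA2 Personal -85 -95 958 00:00:00:00:00:00 1 /1 none 20 1 11NGHT20 2437
    N FP431GTY22003576 6 144 WPA2 Personal -85 -95 958 172.20.1.29:5246 -2 11
UNNN AP: 0 06:93:7c:65:49:f8 1 1181 WPA2 Personal -87 -95 688 00:00:00:00:00:00 1 /1 none 20 1 11AXGHE20 2412
    N FP431GTY22003576 1 1181 WPA2 Personal -87 -95 688 172.20.1.29:5246 -2 11
UNNN AP: 0 90:6c:ac:45:5b:8a Example_001_test 149 130 WPA2 Personal -69 -95 51438 00:00:00:00:00:00 1 /1 none 20 0 11NAHT20 (wave2) 5745
    N FP431GTY22003576 Example_001_test 149 130 WPA2 Personal -69 -95 51438 172.20.1.29:5246 -2 11
UNNN AP: 0 00:11:22:33:44:55 constructed_ap 36 130 WPA2 Personal -70 -95 10 00:00:00:00:00:00 1 /1 none 20 0 11NAHT20 5180
    N FP431GTY22003576 constructed_ap 36 130 WPA2 Personal -70 -95 10 172.20.1.29:5246 -2 11
"""

# Constructed sample mirroring the page's 6G capture.
SAMPLE_6G = """\
CMWP AP:
vf bssid ssid ch rate sec signal noise age sta mac wtp cnt ici bw sgi band freq(MHz)
UNNN AP: 0 84:39:8f:1f:0e:c8 test01-GUI-SS... 109 1147 WPA3 SAE -80 -95 6 00:00:00:00:00:00 1 /1 none 20 0 11AX6HE20-6G 6495
    N FP431GTY22003576 test01-GUI-SS... 109 1147 WPA3 SAE -80 -95 6 172.20.1.29:5246 -2 17
"""

if __name__ == "__main__":
    for name, sample in (("2.4G/5G", SAMPLE_2G_5G), ("6G", SAMPLE_6G)):
        print(name, check_scan(sample, ALLOWED_2G_5G, ALLOWED_6G) or "OK")
```

Run it after changing the channel lists or the FortiAP profile; an empty result for each band confirms the monitor radio stayed within the configured lists, while a "channel not in scan list" finding means the radio is dwelling on channels the profile was meant to exclude (for example, the 6G list is only honoured when dedicated scanning is left disabled, as the second procedure above shows).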