Fortinet white logo
Fortinet white logo

CLI Reference

wireless-controller wids-profile

wireless-controller wids-profile

Use this command to configured Wireless Intrusion Detection (WIDS) profiles.

config wireless-controller wids-profile
    edit {name}
    # Configure wireless intrusion detection system (WIDS) profiles.
        set name {string}   WIDS profile name. size[35]
        set comment {string}   Comment. size[63]
        set sensor-mode {disable | foreign | both}   Scan WiFi nearby stations (default = disable).
                disable  Disable the scan.
                foreign  Enable the scan and monitor foreign channels. Foreign channels are all other available channels than the current operating channel.
                both     Enable the scan and monitor both foreign and home channels. Select this option to monitor all WiFi channels.
        set ap-scan {disable | enable}   Enable/disable rogue AP detection.
        set ap-bgscan-period {integer}   Period of time between background scans (60 - 3600 sec, default = 600). range[60-3600]
        set ap-bgscan-intv {integer}   Period of time between scanning two channels (1 - 600 sec, default = 1). range[1-600]
        set ap-bgscan-duration {integer}   Listening time on a scanning channel (10 - 1000 msec, default = 20). range[10-1000]
        set ap-bgscan-idle {integer}   Waiting time for channel inactivity before scanning this channel (0 - 1000 msec, default = 0). range[0-1000]
        set ap-bgscan-report-intv {integer}   Period of time between background scan reports (15 - 600 sec, default = 30). range[15-600]
        set ap-bgscan-disable-day {option}   Optionally turn off scanning for one or more days of the week. Separate the days with a space. By default, no days are set.
                sunday     Sunday.
                monday     Monday.
                tuesday    Tuesday.
                wednesday  Wednesday.
                thursday   Thursday.
                friday     Friday.
                saturday   Saturday.
        set ap-bgscan-disable-start {string}   Start time, using a 24-hour clock in the format of hh:mm, for disabling background scanning (default = 00:00).
        set ap-bgscan-disable-end {string}   End time, using a 24-hour clock in the format of hh:mm, for disabling background scanning (default = 00:00).
        set ap-fgscan-report-intv {integer}   Period of time between foreground scan reports (15 - 600 sec, default = 15). range[15-600]
        set ap-scan-passive {enable | disable}   Enable/disable passive scanning. Enable means do not send probe request on any channels (default = disable).
        set ap-auto-suppress {enable | disable}   Enable/disable on-wire rogue AP auto-suppression (default = disable).
        set wireless-bridge {enable | disable}   Enable/disable wireless bridge detection (default = disable).
        set deauth-broadcast {enable | disable}   Enable/disable broadcasting de-authentication detection (default = disable).
        set null-ssid-probe-resp {enable | disable}   Enable/disable null SSID probe response detection (default = disable).
        set long-duration-attack {enable | disable}   Enable/disable long duration attack detection based on user configured threshold (default = disable).
        set long-duration-thresh {integer}   Threshold value for long duration attack detection (1000 - 32767 usec, default = 8200). range[1000-32767]
        set invalid-mac-oui {enable | disable}   Enable/disable invalid MAC OUI detection.
        set weak-wep-iv {enable | disable}   Enable/disable weak WEP IV (Initialization Vector) detection (default = disable).
        set auth-frame-flood {enable | disable}   Enable/disable authentication frame flooding detection (default = disable).
        set auth-flood-time {integer}   Number of seconds after which a station is considered not connected. range[5-120]
        set auth-flood-thresh {integer}   The threshold value for authentication frame flooding. range[1-100]
        set assoc-frame-flood {enable | disable}   Enable/disable association frame flooding detection (default = disable).
        set assoc-flood-time {integer}   Number of seconds after which a station is considered not connected. range[5-120]
        set assoc-flood-thresh {integer}   The threshold value for association frame flooding. range[1-100]
        set spoofed-deauth {enable | disable}   Enable/disable spoofed de-authentication attack detection (default = disable).
        set asleap-attack {enable | disable}   Enable/disable asleap attack detection (default = disable).
        set eapol-start-flood {enable | disable}   Enable/disable EAPOL-Start flooding (to AP) detection (default = disable).
        set eapol-start-thresh {integer}   The threshold value for EAPOL-Start flooding in specified interval. range[2-100]
        set eapol-start-intv {integer}   The detection interval for EAPOL-Start flooding (1 - 3600 sec). range[1-3600]
        set eapol-logoff-flood {enable | disable}   Enable/disable EAPOL-Logoff flooding (to AP) detection (default = disable).
        set eapol-logoff-thresh {integer}   The threshold value for EAPOL-Logoff flooding in specified interval. range[2-100]
        set eapol-logoff-intv {integer}   The detection interval for EAPOL-Logoff flooding (1 - 3600 sec). range[1-3600]
        set eapol-succ-flood {enable | disable}   Enable/disable EAPOL-Success flooding (to AP) detection (default = disable).
        set eapol-succ-thresh {integer}   The threshold value for EAPOL-Success flooding in specified interval. range[2-100]
        set eapol-succ-intv {integer}   The detection interval for EAPOL-Success flooding (1 - 3600 sec). range[1-3600]
        set eapol-fail-flood {enable | disable}   Enable/disable EAPOL-Failure flooding (to AP) detection (default = disable).
        set eapol-fail-thresh {integer}   The threshold value for EAPOL-Failure flooding in specified interval. range[2-100]
        set eapol-fail-intv {integer}   The detection interval for EAPOL-Failure flooding (1 - 3600 sec). range[1-3600]
        set eapol-pre-succ-flood {enable | disable}   Enable/disable premature EAPOL-Success flooding (to STA) detection (default = disable).
        set eapol-pre-succ-thresh {integer}   The threshold value for premature EAPOL-Success flooding in specified interval. range[2-100]
        set eapol-pre-succ-intv {integer}   The detection interval for premature EAPOL-Success flooding (1 - 3600 sec). range[1-3600]
        set eapol-pre-fail-flood {enable | disable}   Enable/disable premature EAPOL-Failure flooding (to STA) detection (default = disable).
        set eapol-pre-fail-thresh {integer}   The threshold value for premature EAPOL-Failure flooding in specified interval. range[2-100]
        set eapol-pre-fail-intv {integer}   The detection interval for premature EAPOL-Failure flooding (1 - 3600 sec). range[1-3600]
        set deauth-unknown-src-thresh {integer}   Threshold value per second to deauth unknown src for DoS attack (0: no limit). range[0-65535]
    next
end

Additional information

The following section is for those options that require additional explanation.

comment [string]

Optional comments.

sensor-mode {enable | disable}

Enable or disable (by default) radio sensor mode.

ap-scan {enable | disable}

Enable or disable (by default) rogue AP scanning. Once enabled, configure a series of AP scanning options (see entries below).

ap-bgscan-period <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between background scans. Set the value between 60-3600 (or one minute to one hour). The default is set to 600 (or ten minutes).

ap-bgscan-intv <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between two scanning channels. Set the value between 1-600 (or one seconds to ten minutes). The default is set to 1.

ap-bgscan-duration <milliseconds>

Note: This entry is only available when ap-scan is set to enable. Listening time in milliseconds on a scanning channel. Set the value between 10-1000. The default is set to 20.

ap-bgscan-idle <milliseconds>

Note: This entry is only available when ap-scan is set to enable. Period of idle-time in milliseconds before channel scanning. Set the value between 0-1000. The default is set to 0.

ap-bgscan-report-intv <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between background scan reports. Set the value between 15-600 (or 15 seconds to ten minutes). The default is set to 30.

ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}

Note: This entry is only available when ap-scan is set to enable. Days of the week when background scanning is disabled. By default, no days are set. When this entry is set (to any number of days), use the ap-bgscan-disable-start and ap-bgscan-disable-end entries to determine start and end times; the period between these two times is when background scanning is disabled.

ap-bgscan-disable-start <hh:mm>

Note: This entry is only available when ap-bgscan-disable-day is configured. Start time, in the format of hh:mm, for disabling background scanning. The default is set to 00:00.

ap-bgscan-disable-end <hh:mm>

Note: This entry is only available when ap-bgscan-disable-day is configured. End time, in the format of hh:mm, for disabling background scanning. The default is set to 00:00.

ap-fgscan-report-intv <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between foreground scan reports. Set the value between 15-600 (or 15 seconds to ten minutes). The default is set to 15.

ap-scan-passive {enable | disable}

Note: This entry is only available when ap-scan is set to enable. Enable or disable (by default) passive scanning on all channels.

rogue-scan {enable | disable}

Note: This entry is only available when ap-scan is set to enable. Enable or disable (by default) rogue AP on-wire scan.

wireless-bridge {enable | disable}

Enable or disable (by default)

deauth-broadcast {enable | disable}

Enable or disable (by default) detection of wireless bridge operation, used to raise awareness if your network doesn't use a wireless bridge.

null-ssid-probe-resp {enable | disable}

Enable or disable (by default) null SSID probe response detection.

long-duration-attack {enable | disable}

Enable or disable (by default) long-duration attack detection. When enabled, use the long-duration-thresh entry to define the threshold.

long-duration-thresh <milliseconds>

Duration of time in milliseconds for long-duration attack detection. Set the value between 1000-32767 (or one second to over 32 seconds). The default is set to 8200 (or just over eight seconds).

invalid-mac-oui {enable | disable}

Enable or disable (by default) detection of spoofed MAC addresses. The first three bytes should indicate a known manufacturer.

weak-wep-iv {enable | disable}

Enable or disable (by default) detection of APs using weak WEP encryption.

auth-frame-flood {enable | disable}

Enable or disable (by default) detection of authentication frame flood attacks.

assoc-frame-flood {enable | disable}

Enable or disable (by default) detection of association frame flood attacks.

spoofed-deauth {enable | disable}

Enable or disable (by default) detection of spoofed deauthentication packets.

asleap-attack {enable | disable}

Enable or disable (by default) detection of asleap attacks, attempts to crack Lightweight Extensible Authentication Protocol (LEAP) security. LEAP is a wireless LAN authentication method that allows clients to re-authenticate frequently, giving the client a new WEP key each time. Enable or disable (by default) detection of asleap attacks, attempts to crack Lightweight Extensible Authentication Protocol (LEAP) security. LEAP is a wireless LAN authentication method that allows clients to re-authenticate frequently, giving the client a new WEP key each time.

eapol-start-flood {enable | disable}

Enable or disable (by default) detection of Extensible Authentication Protocol (EAP) over LAN (EAPoL) START flood attacks.

eapol-logoff-flood {enable | disable}

Enable or disable (by default) detection of EAPoL LOGOFF flood attacks.

eapol-succ-flood {enable | disable}

Enable or disable (by default) detection of EAPoL SUCC flood attacks.

eapol-fail-flood {enable | disable}

Enable or disable (by default) detection of EAPoL FAIL flood attacks. When enabled, use the eapol-fail-intv entry to define the detection interval.

eapol-fail-thresh <threshold>

Note: This entry is only available when eapol-fail-flood is set to enable. The EAPoL FAIL detection threshold interval. Set the value between 2-100. The default is set to 10.

eapol-fail-intv <seconds>

Note: This entry is only available when eapol-fail-flood is set to enable. Interval of time in seconds between EAP FAIL detection. Set the value between 1-3600 (or one second to one hour). The default is set to 1.

eapol-pre-succ-flood {enable | disable}

Enable or disable (by default) detection of EAPoL premature SUCC flood attacks.

eapol-pre-fail-flood {enable | disable}

Enable or disable (by default) detection of EAPoL premature FAIL flood attacks.

deauth-unknown-src-thresh <seconds>

Threshold value per second to deauthenticate unknown sources for DoS attacks. The default is set to 10. Set to 0 for no limitation.

wireless-controller wids-profile

wireless-controller wids-profile

Use this command to configured Wireless Intrusion Detection (WIDS) profiles.

config wireless-controller wids-profile
    edit {name}
    # Configure wireless intrusion detection system (WIDS) profiles.
        set name {string}   WIDS profile name. size[35]
        set comment {string}   Comment. size[63]
        set sensor-mode {disable | foreign | both}   Scan WiFi nearby stations (default = disable).
                disable  Disable the scan.
                foreign  Enable the scan and monitor foreign channels. Foreign channels are all other available channels than the current operating channel.
                both     Enable the scan and monitor both foreign and home channels. Select this option to monitor all WiFi channels.
        set ap-scan {disable | enable}   Enable/disable rogue AP detection.
        set ap-bgscan-period {integer}   Period of time between background scans (60 - 3600 sec, default = 600). range[60-3600]
        set ap-bgscan-intv {integer}   Period of time between scanning two channels (1 - 600 sec, default = 1). range[1-600]
        set ap-bgscan-duration {integer}   Listening time on a scanning channel (10 - 1000 msec, default = 20). range[10-1000]
        set ap-bgscan-idle {integer}   Waiting time for channel inactivity before scanning this channel (0 - 1000 msec, default = 0). range[0-1000]
        set ap-bgscan-report-intv {integer}   Period of time between background scan reports (15 - 600 sec, default = 30). range[15-600]
        set ap-bgscan-disable-day {option}   Optionally turn off scanning for one or more days of the week. Separate the days with a space. By default, no days are set.
                sunday     Sunday.
                monday     Monday.
                tuesday    Tuesday.
                wednesday  Wednesday.
                thursday   Thursday.
                friday     Friday.
                saturday   Saturday.
        set ap-bgscan-disable-start {string}   Start time, using a 24-hour clock in the format of hh:mm, for disabling background scanning (default = 00:00).
        set ap-bgscan-disable-end {string}   End time, using a 24-hour clock in the format of hh:mm, for disabling background scanning (default = 00:00).
        set ap-fgscan-report-intv {integer}   Period of time between foreground scan reports (15 - 600 sec, default = 15). range[15-600]
        set ap-scan-passive {enable | disable}   Enable/disable passive scanning. Enable means do not send probe request on any channels (default = disable).
        set ap-auto-suppress {enable | disable}   Enable/disable on-wire rogue AP auto-suppression (default = disable).
        set wireless-bridge {enable | disable}   Enable/disable wireless bridge detection (default = disable).
        set deauth-broadcast {enable | disable}   Enable/disable broadcasting de-authentication detection (default = disable).
        set null-ssid-probe-resp {enable | disable}   Enable/disable null SSID probe response detection (default = disable).
        set long-duration-attack {enable | disable}   Enable/disable long duration attack detection based on user configured threshold (default = disable).
        set long-duration-thresh {integer}   Threshold value for long duration attack detection (1000 - 32767 usec, default = 8200). range[1000-32767]
        set invalid-mac-oui {enable | disable}   Enable/disable invalid MAC OUI detection.
        set weak-wep-iv {enable | disable}   Enable/disable weak WEP IV (Initialization Vector) detection (default = disable).
        set auth-frame-flood {enable | disable}   Enable/disable authentication frame flooding detection (default = disable).
        set auth-flood-time {integer}   Number of seconds after which a station is considered not connected. range[5-120]
        set auth-flood-thresh {integer}   The threshold value for authentication frame flooding. range[1-100]
        set assoc-frame-flood {enable | disable}   Enable/disable association frame flooding detection (default = disable).
        set assoc-flood-time {integer}   Number of seconds after which a station is considered not connected. range[5-120]
        set assoc-flood-thresh {integer}   The threshold value for association frame flooding. range[1-100]
        set spoofed-deauth {enable | disable}   Enable/disable spoofed de-authentication attack detection (default = disable).
        set asleap-attack {enable | disable}   Enable/disable asleap attack detection (default = disable).
        set eapol-start-flood {enable | disable}   Enable/disable EAPOL-Start flooding (to AP) detection (default = disable).
        set eapol-start-thresh {integer}   The threshold value for EAPOL-Start flooding in specified interval. range[2-100]
        set eapol-start-intv {integer}   The detection interval for EAPOL-Start flooding (1 - 3600 sec). range[1-3600]
        set eapol-logoff-flood {enable | disable}   Enable/disable EAPOL-Logoff flooding (to AP) detection (default = disable).
        set eapol-logoff-thresh {integer}   The threshold value for EAPOL-Logoff flooding in specified interval. range[2-100]
        set eapol-logoff-intv {integer}   The detection interval for EAPOL-Logoff flooding (1 - 3600 sec). range[1-3600]
        set eapol-succ-flood {enable | disable}   Enable/disable EAPOL-Success flooding (to AP) detection (default = disable).
        set eapol-succ-thresh {integer}   The threshold value for EAPOL-Success flooding in specified interval. range[2-100]
        set eapol-succ-intv {integer}   The detection interval for EAPOL-Success flooding (1 - 3600 sec). range[1-3600]
        set eapol-fail-flood {enable | disable}   Enable/disable EAPOL-Failure flooding (to AP) detection (default = disable).
        set eapol-fail-thresh {integer}   The threshold value for EAPOL-Failure flooding in specified interval. range[2-100]
        set eapol-fail-intv {integer}   The detection interval for EAPOL-Failure flooding (1 - 3600 sec). range[1-3600]
        set eapol-pre-succ-flood {enable | disable}   Enable/disable premature EAPOL-Success flooding (to STA) detection (default = disable).
        set eapol-pre-succ-thresh {integer}   The threshold value for premature EAPOL-Success flooding in specified interval. range[2-100]
        set eapol-pre-succ-intv {integer}   The detection interval for premature EAPOL-Success flooding (1 - 3600 sec). range[1-3600]
        set eapol-pre-fail-flood {enable | disable}   Enable/disable premature EAPOL-Failure flooding (to STA) detection (default = disable).
        set eapol-pre-fail-thresh {integer}   The threshold value for premature EAPOL-Failure flooding in specified interval. range[2-100]
        set eapol-pre-fail-intv {integer}   The detection interval for premature EAPOL-Failure flooding (1 - 3600 sec). range[1-3600]
        set deauth-unknown-src-thresh {integer}   Threshold value per second to deauth unknown src for DoS attack (0: no limit). range[0-65535]
    next
end

Additional information

The following section is for those options that require additional explanation.

comment [string]

Optional comments.

sensor-mode {enable | disable}

Enable or disable (by default) radio sensor mode.

ap-scan {enable | disable}

Enable or disable (by default) rogue AP scanning. Once enabled, configure a series of AP scanning options (see entries below).

ap-bgscan-period <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between background scans. Set the value between 60-3600 (or one minute to one hour). The default is set to 600 (or ten minutes).

ap-bgscan-intv <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between two scanning channels. Set the value between 1-600 (or one seconds to ten minutes). The default is set to 1.

ap-bgscan-duration <milliseconds>

Note: This entry is only available when ap-scan is set to enable. Listening time in milliseconds on a scanning channel. Set the value between 10-1000. The default is set to 20.

ap-bgscan-idle <milliseconds>

Note: This entry is only available when ap-scan is set to enable. Period of idle-time in milliseconds before channel scanning. Set the value between 0-1000. The default is set to 0.

ap-bgscan-report-intv <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between background scan reports. Set the value between 15-600 (or 15 seconds to ten minutes). The default is set to 30.

ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}

Note: This entry is only available when ap-scan is set to enable. Days of the week when background scanning is disabled. By default, no days are set. When this entry is set (to any number of days), use the ap-bgscan-disable-start and ap-bgscan-disable-end entries to determine start and end times; the period between these two times is when background scanning is disabled.

ap-bgscan-disable-start <hh:mm>

Note: This entry is only available when ap-bgscan-disable-day is configured. Start time, in the format of hh:mm, for disabling background scanning. The default is set to 00:00.

ap-bgscan-disable-end <hh:mm>

Note: This entry is only available when ap-bgscan-disable-day is configured. End time, in the format of hh:mm, for disabling background scanning. The default is set to 00:00.

ap-fgscan-report-intv <seconds>

Note: This entry is only available when ap-scan is set to enable. Period of time in seconds between foreground scan reports. Set the value between 15-600 (or 15 seconds to ten minutes). The default is set to 15.

ap-scan-passive {enable | disable}

Note: This entry is only available when ap-scan is set to enable. Enable or disable (by default) passive scanning on all channels.

rogue-scan {enable | disable}

Note: This entry is only available when ap-scan is set to enable. Enable or disable (by default) rogue AP on-wire scan.

wireless-bridge {enable | disable}

Enable or disable (by default)

deauth-broadcast {enable | disable}

Enable or disable (by default) detection of wireless bridge operation, used to raise awareness if your network doesn't use a wireless bridge.

null-ssid-probe-resp {enable | disable}

Enable or disable (by default) null SSID probe response detection.

long-duration-attack {enable | disable}

Enable or disable (by default) long-duration attack detection. When enabled, use the long-duration-thresh entry to define the threshold.

long-duration-thresh <milliseconds>

Duration of time in milliseconds for long-duration attack detection. Set the value between 1000-32767 (or one second to over 32 seconds). The default is set to 8200 (or just over eight seconds).

invalid-mac-oui {enable | disable}

Enable or disable (by default) detection of spoofed MAC addresses. The first three bytes should indicate a known manufacturer.

weak-wep-iv {enable | disable}

Enable or disable (by default) detection of APs using weak WEP encryption.

auth-frame-flood {enable | disable}

Enable or disable (by default) detection of authentication frame flood attacks.

assoc-frame-flood {enable | disable}

Enable or disable (by default) detection of association frame flood attacks.

spoofed-deauth {enable | disable}

Enable or disable (by default) detection of spoofed deauthentication packets.

asleap-attack {enable | disable}

Enable or disable (by default) detection of asleap attacks, attempts to crack Lightweight Extensible Authentication Protocol (LEAP) security. LEAP is a wireless LAN authentication method that allows clients to re-authenticate frequently, giving the client a new WEP key each time. Enable or disable (by default) detection of asleap attacks, attempts to crack Lightweight Extensible Authentication Protocol (LEAP) security. LEAP is a wireless LAN authentication method that allows clients to re-authenticate frequently, giving the client a new WEP key each time.

eapol-start-flood {enable | disable}

Enable or disable (by default) detection of Extensible Authentication Protocol (EAP) over LAN (EAPoL) START flood attacks.

eapol-logoff-flood {enable | disable}

Enable or disable (by default) detection of EAPoL LOGOFF flood attacks.

eapol-succ-flood {enable | disable}

Enable or disable (by default) detection of EAPoL SUCC flood attacks.

eapol-fail-flood {enable | disable}

Enable or disable (by default) detection of EAPoL FAIL flood attacks. When enabled, use the eapol-fail-intv entry to define the detection interval.

eapol-fail-thresh <threshold>

Note: This entry is only available when eapol-fail-flood is set to enable. The EAPoL FAIL detection threshold interval. Set the value between 2-100. The default is set to 10.

eapol-fail-intv <seconds>

Note: This entry is only available when eapol-fail-flood is set to enable. Interval of time in seconds between EAP FAIL detection. Set the value between 1-3600 (or one second to one hour). The default is set to 1.

eapol-pre-succ-flood {enable | disable}

Enable or disable (by default) detection of EAPoL premature SUCC flood attacks.

eapol-pre-fail-flood {enable | disable}

Enable or disable (by default) detection of EAPoL premature FAIL flood attacks.

deauth-unknown-src-thresh <seconds>

Threshold value per second to deauthenticate unknown sources for DoS attacks. The default is set to 10. Set to 0 for no limitation.