Fortinet black logo

New Features

Monitor and Suppress Phishing SSID

Copy Link
Copy Doc ID 761d83e3-4a7b-11e9-94bf-00505692583a:278827
Download PDF

Monitor and Suppress Phishing SSID

In addition to rogue AP detection, wireless administrators should also be concerned about phishing SSIDs, which are defined as either:

  • An SSID defined on FortiGate that is broadcast from an uncontrolled AP
  • A pre-defined pattern for an offending SSID pattern

    For example, you could define any SSID that contains your company name to be a phishing SSID.

This new feature enables FortiAP to monitor and report these SSIDs in logs and to optionally suppress them.

You can only configure this feature by using the CLI:

config wireless-controller setting

set phishing-ssid-detect enable|disable

set fake-ssid-action log|suppress

config offending-ssid

edit 1

set ssid-pattern "OFFENDING*"

set action log|suppress

next

end

end

The set phishing-ssid-detect enable|disable option enables or disables the phishing SSID detection feature. The default setting is enable.

The set fake-ssid-action log|suppress option defines what action FortiGate takes after detecting a fake SSID. The default setting is log, and can be set to either one or both.

The set ssid-pattern OFFENDING* option defines what criteria which will be used to match an offending SSID. In this case, it means all SSID names with leading string OFFENDING, which is not case-sensitive.

The set action log|suppress defines what action FortiGate takes after detecting the corresponding offending SSID pattern entry. The default setting is log and can be set to either one or both.

Log examples

WiFi event log sample for fake SSID detection

Following is a sample of the log that is generated when a fake SSID is first detected:

1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

Following is a sample of the log that is periodically generated when a fake SSID is continuously detected:

1: date=2019-03-01 time=14:58:53 logid="0104043568" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551481133 logdesc="Fake AP on air" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-on-air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173728 age=330 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Fake AP On-air CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173728 age 330"

WiFi event log sample for fake SSID suppression

Following is a sample of the log that is generated when a fake SSID is suppressed:

1: date=2019-03-01 time=14:53:23 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Rogue AP suppressed" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

WiFi event log sample for offending SSID detection

Following a sample of the log that is generated when an offending SSID is first detected:

1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

Following is a sample of a log that is periodically generated when an offending SSID is continuously detected:

1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480952 logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="offending-ap-on-air" manuf="N/A" security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173548 age=150 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"

WiFi event log sample for offending SSID suppression

Following is a sample of the log that is generated when an offending SSID is suppressed:

1: date=2019-03-01 time=14:53:33 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Rogue AP suppressed" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

Monitor and Suppress Phishing SSID

In addition to rogue AP detection, wireless administrators should also be concerned about phishing SSIDs, which are defined as either:

  • An SSID defined on FortiGate that is broadcast from an uncontrolled AP
  • A pre-defined pattern for an offending SSID pattern

    For example, you could define any SSID that contains your company name to be a phishing SSID.

This new feature enables FortiAP to monitor and report these SSIDs in logs and to optionally suppress them.

You can only configure this feature by using the CLI:

config wireless-controller setting

set phishing-ssid-detect enable|disable

set fake-ssid-action log|suppress

config offending-ssid

edit 1

set ssid-pattern "OFFENDING*"

set action log|suppress

next

end

end

The set phishing-ssid-detect enable|disable option enables or disables the phishing SSID detection feature. The default setting is enable.

The set fake-ssid-action log|suppress option defines what action FortiGate takes after detecting a fake SSID. The default setting is log, and can be set to either one or both.

The set ssid-pattern OFFENDING* option defines what criteria which will be used to match an offending SSID. In this case, it means all SSID names with leading string OFFENDING, which is not case-sensitive.

The set action log|suppress defines what action FortiGate takes after detecting the corresponding offending SSID pattern entry. The default setting is log and can be set to either one or both.

Log examples

WiFi event log sample for fake SSID detection

Following is a sample of the log that is generated when a fake SSID is first detected:

1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

Following is a sample of the log that is periodically generated when a fake SSID is continuously detected:

1: date=2019-03-01 time=14:58:53 logid="0104043568" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551481133 logdesc="Fake AP on air" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-on-air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173728 age=330 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Fake AP On-air CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173728 age 330"

WiFi event log sample for fake SSID suppression

Following is a sample of the log that is generated when a fake SSID is suppressed:

1: date=2019-03-01 time=14:53:23 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Rogue AP suppressed" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"

WiFi event log sample for offending SSID detection

Following a sample of the log that is generated when an offending SSID is first detected:

1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"

Following is a sample of a log that is periodically generated when an offending SSID is continuously detected:

1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480952 logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="offending-ap-on-air" manuf="N/A" security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173548 age=150 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"

WiFi event log sample for offending SSID suppression

Following is a sample of the log that is generated when an offending SSID is suppressed:

1: date=2019-03-01 time=14:53:33 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Rogue AP suppressed" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"