Monitor and Suppress Phishing SSID
In addition to rogue AP detection, wireless administrators should also be concerned about phishing SSIDs, which are defined as either:
- An SSID defined on FortiGate that is broadcast from an uncontrolled AP
- An SSID that matches a pre-defined offending SSID pattern
For example, you could define any SSID that contains your company name to be a phishing SSID.
This new feature enables FortiAP to monitor and report these SSIDs in logs and to optionally suppress them.
You can only configure this feature by using the CLI:
config wireless-controller setting
    set phishing-ssid-detect enable|disable
    set fake-ssid-action log|suppress
    config offending-ssid
        edit 1
            set ssid-pattern "OFFENDING*"
            set action log|suppress
        next
    end
end
The set phishing-ssid-detect enable|disable option enables or disables the phishing SSID detection feature. The default setting is enable.
The set fake-ssid-action log|suppress option defines what action FortiGate takes after detecting a fake SSID. The default setting is log, and it can be set to either one or both.
The set ssid-pattern "OFFENDING*" option defines the criteria used to match an offending SSID. In this case, it matches all SSID names with the leading string OFFENDING; the match is not case-sensitive.
The set action log|suppress option defines what action FortiGate takes after detecting an SSID that matches the corresponding offending SSID pattern entry. The default setting is log, and it can be set to either one or both.
Log examples
WiFi event log sample for fake SSID detection
Following is a sample of the log that is generated when a fake SSID is first detected:
1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"
Following is a sample of the log that is periodically generated when a fake SSID is continuously detected:
1: date=2019-03-01 time=14:58:53 logid="0104043568" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551481133 logdesc="Fake AP on air" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="fake-ap-on-air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173728 age=330 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Fake AP On-air CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173728 age 330"
WiFi event log sample for fake SSID suppression
Following is a sample of the log that is generated when a fake SSID is suppressed:
1: date=2019-03-01 time=14:53:23 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480803 logdesc="Rogue AP suppressed" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173397 age=0 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"
WiFi event log sample for offending SSID detection
Following is a sample of the log that is generated when an offending SSID is first detected:
1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="FP321C3X15001615" radioiddetected=1 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"
Following is a sample of a log that is periodically generated when an offending SSID is continuously detected:
1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480952 logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" aptype=0 rate=130 radioband="802.11n-5G" channel=149 action="offending-ap-on-air" manuf="N/A" security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173548 age=150 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"
WiFi event log sample for offending SSID suppression
Following is a sample of the log that is generated when an offending SSID is suppressed:
1: date=2019-03-01 time=14:53:33 logid="0104043569" type="event" subtype="wireless" level="warning" vd="root" eventtime=1551480811 logdesc="Rogue AP suppressed" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" aptype=0 rate=130 radioband="802.11n-5G" channel=153 action="rogue-ap-suppressed" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-41 noise=-95 live=173406 age=8 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetected="N/A" radioiddetected=0 stacount=0 snclosest="FP321C3X15001615" radioidclosest=1 apstatus=0 msg="AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"
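The following is an added example, not code from this document or from Fortinet. It shows, in Python, how a SOC tooling script could consume the wireless event logs above and re-apply the two rules the feature implements: a fake SSID (an SSID configured on FortiGate but broadcast by a BSSID the controller does not manage) and an offending SSID (a name matching a pattern such as OFFENDING*, case-insensitively). The log lines are trimmed copies of the samples above; the managed BSSID table, the treatment of "*" as "any run of characters", and the per-pattern policy are constructed assumptions, since the document states only the leading-string, case-insensitive behaviour for OFFENDING*.

```python
"""Parse FortiGate wireless event logs and re-apply the phishing-SSID rules (added example)."""
import re
from collections import Counter

# Trimmed copies of the log samples in this document (constructed sample input).
SAMPLE_LOGS = [
    '1: date=2019-03-01 time=14:53:23 logid="0104043567" type="event" subtype="wireless" '
    'level="warning" logdesc="Fake AP detected" ssid="CORP_WIFI_ACCESS" bssid="08:5b:0e:18:1b:d0" '
    'channel=149 action="fake-ap-detected" manuf="Fortinet, Inc." signal=-41 '
    'msg="Detected Fake AP CORP_WIFI_ACCESS 08:5b:0e:18:1b:d0 chan 149 live 173397 age 0"',
    '1: date=2019-03-01 time=14:53:33 logid="0104043619" type="event" subtype="wireless" '
    'level="warning" logdesc="Offending AP detected" ssid="OFFENDING_SSID" bssid="1a:5b:0e:b5:f3:bf" '
    'channel=153 action="offending-ap-detected" manuf="Fortinet, Inc." signal=-41 '
    'msg="Detected Offending AP OFFENDING_SSID 1a:5b:0e:b5:f3:bf chan 153 live 173406 age 8"',
    '1: date=2019-03-01 time=14:55:54 logid="0104043620" type="event" subtype="wireless" '
    'level="warning" logdesc="Offending AP on air" ssid="OFFENDING_SSID_TEST" bssid="9a:5b:0e:18:1b:d0" '
    'channel=149 action="offending-ap-on-air" manuf="N/A" signal=-41 '
    'msg="Offending AP On-air OFFENDING_SSID_TEST 9a:5b:0e:18:1b:d0 chan 149 live 173548 age 150"',
]

# Constructed policy mirroring the CLI example: fake SSIDs are logged, OFFENDING* is suppressed.
FAKE_SSID_ACTION = "log"
OFFENDING_PATTERNS = {"OFFENDING*": "suppress"}

# Constructed table of SSIDs defined on FortiGate -> BSSIDs of the controller's own radios.
# The sample logs show CORP_WIFI_ACCESS from 08:5b:0e:18:1b:d0, which is NOT in this set.
MANAGED_BSSIDS = {"CORP_WIFI_ACCESS": {"08:5b:0e:18:1b:d1"}}

# FortiGate log syntax: space-separated key=value pairs; a value is either a bare token
# or a double-quoted string that may contain spaces (e.g. manuf="Fortinet, Inc.").
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_LINE_PREFIX_RE = re.compile(r"^\d+:\s*")  # the "1: " index shown in front of each sample


def parse_fortigate_log(line):
    """Return one log line as a dict of field name -> string value."""
    body = _LINE_PREFIX_RE.sub("", line.strip())
    # findall yields (key, quoted, bare); exactly one of quoted/bare is populated.
    return {key: (bare if bare else quoted) for key, quoted, bare in _KV_RE.findall(body)}


def glob_to_regex(pattern):
    """Anchored, case-insensitive regex for an offending-ssid pattern.

    Assumption: '*' matches any run of characters; the document only shows the
    leading-string case ("OFFENDING*" matches names that start with OFFENDING).
    """
    parts = [".*" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_offending_pattern(ssid, pattern):
    return glob_to_regex(pattern).match(ssid) is not None


def is_fake_ssid(ssid, bssid, managed):
    """True when a FortiGate-defined SSID is broadcast by a BSSID that is not a managed radio."""
    if ssid not in managed:
        return False
    return bssid.lower() not in {b.lower() for b in managed[ssid]}


def triage(lines, managed, offending):
    """Parse each record and attach the verdicts the configured policy would produce."""
    results = []
    for line in lines:
        rec = parse_fortigate_log(line)
        ssid, bssid = rec.get("ssid", ""), rec.get("bssid", "")
        verdicts = []
        if is_fake_ssid(ssid, bssid, managed):
            verdicts.append(("fake-ssid", FAKE_SSID_ACTION))
        for pattern, action in offending.items():
            if matches_offending_pattern(ssid, pattern):
                verdicts.append(("offending:" + pattern, action))
        results.append({"logid": rec["logid"], "action": rec["action"],
                        "ssid": ssid, "bssid": bssid, "verdicts": verdicts})
    return results


def count_actions(lines):
    """Histogram of the action field: a quick sanity check on an exported log batch."""
    return Counter(parse_fortigate_log(line)["action"] for line in lines)


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS, MANAGED_BSSIDS, OFFENDING_PATTERNS):
        print(row["logid"], row["action"], row["ssid"], row["bssid"], row["verdicts"])
    print(dict(count_actions(SAMPLE_LOGS)))
```

The parser is deliberately regex-based rather than a naive split on spaces, because fields such as manuf and msg carry quoted values containing spaces; a split-based parser would silently corrupt exactly the fields an analyst pivots on. Keying the fake-SSID check on the managed BSSID set rather than on the SSID name alone is what distinguishes a phishing broadcast from the controller's own radios announcing the same name.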