Fortinet black logo

New Features

Disable dedicated scanning on FortiAP F-Series profiles

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:718029
Download PDF

Disable dedicated scanning on FortiAP F-Series profiles

The FortiAP F-series product family supports two radios while a third radio performs dedicated scans at all times. However, due to wireless chipset limitations on the third radio, some of the data packets cannot be scanned, which may impact the detection capabilities for FortiPresence and other related solutions. You can disable dedicated scanning which then allows background scanning using WIDS profile to be enabled on Radios 1 and 2.

To disable dedicated scanning and enable background scanning - GUI:
  1. Go to WiFi & Switch Controller > FortiAP Profiles and select the FortiAP F-series profile you want to disable dedicated scanning for.
  2. Disable Dedicated scan.

    After you disable Dedicated scan, the WIDS profile option becomes available under Radio 1 and Radio 2 configuration.

  3. Set the Mode of the Radio to Access Point.
  4. Enable WIDS profile and select a WIDS profile to perform background scanning.
  5. Go to Dashboard > WiFi > Rogue APs to verify that the Rogue AP list is on the same channel as the Radio you configured.

To disable dedicated scanning and enable background scanning - CLI:
Note

When you create a new FortiAP F-series profile, dedicated scanning is automatically enabled.

  1. Disable dedicated scanning and assign a WIDS profile:

    config wireless-controller wtp-profile 
      edit 433F
        config platform 
          set type 433F 
          set ddscan disable
        end
        set handoff-sta-thresh 55
        config radio-1
          set band 802.11ax,n,g-only
          set wids-profile "default-wids-apscan-enabled"
        end
        config radio-2
          set band 802.11ax-5G
          set wids-profile "default-wids-apscan-enabled"
        end
        config radio-3
          set mode disabled
        end
      next
    end
  2. Configure the WIDS profile to enable background scan:

    config wireless-controller wids-profile
      edit "default-wids-apscan-enabled"
        set ap-scan enable
        set ap-bgscan-period 60
        set ap-bgscan-intv 1
        set ap-bgscan-duration 20
        set ap-bgscan-idle 0
      next
    end
  3. Assign the wtp-profile to a managed FortiAP:

    config wireless-controller wtp
      edit "FP433FTF20000002"
        set uuid e3beadf4-6fdf-51ec-d2ed-cd489ee341cb
        set admin enable
        set wtp-profile "433F"
        config radio-1
        end
        config radio-2
        end
      next
    end
  4. Check managed FortiAP Channel and background scan status:

    FortiGate-80E-POE # diag wire wlac -c wtp FP433FTF20000002
    -------------------------------WTP    1----------------------------
    WTP vd               : root
        vfid             : 0
        id               : FP433FTF20000002
        ...
      Radio 1            : AP
        ...
        bgscan oper    : enabled
          bgscan period  : oper 60 cfg 60
          bgscan intv    : 1
          bgscan dur     : 20
          bgscan idle    : 0
          bgscan rptintv : 30
        ...
      Radio 2            : AP
        ...
        bgscan oper    : enabled
          bgscan period  : oper 60 cfg 60
          bgscan intv    : 1
          bgscan dur     : 20
          bgscan idle    : 0
          bgscan rptintv : 30
        ...
    -------------------------------Total    1 WTPs---------------------------- 
  5. Check the Rogue AP list on FortiGate:

     FortiGate-80E-POE # diag wire wlac -c ap-rogue
    CMWP AP: vf                  bssid ssid             ch  rate  sec                  signal noise  age      sta mac                 wtp cnt     ici    bw sgi band                   
    UNNN AP: 0       08:5b:0e:17:91:1f fortinet-30d-... 11  130   WPA2 Personal           -39 -95    8        00:00:00:00:00:00       1   /1    56->0    20 0  11NGHT20               
     N                FP433FTF20000002 fortinet-30d-... 11  130   WPA2 Personal           -39 -95    8        10.43.1.18:25246-0  1
    UNNN AP: 0       08:5b:0e:4c:2b:6c fortinet         11  130   WPA2 Personal           -67 -95    18       00:00:00:00:00:00       1   /1    28->0    20 0  11NGHT20               
     N                FP433FTF20000002 fortinet         11  130   WPA2 Personal           -67 -95    18       10.43.1.18:25246-0  1
    ...
    C - Configured  (G:accept, B:rogue, S:suppress, U:unconfigured)
    M - AC managed  (V:vdom, C:AC, N:unmanaged)
    W - On wire     (Y:yes, N:no)
    P - Phishing    (F:fake, O:offending, N:no)
    Total Rogue-AP:34 Rogue-AP-WTP(displayed):34 Rogue-AP-WTP(total):34
    Total Entries: 34

Disable dedicated scanning on FortiAP F-Series profiles

The FortiAP F-series product family supports two radios while a third radio performs dedicated scans at all times. However, due to wireless chipset limitations on the third radio, some of the data packets cannot be scanned, which may impact the detection capabilities for FortiPresence and other related solutions. You can disable dedicated scanning which then allows background scanning using WIDS profile to be enabled on Radios 1 and 2.

To disable dedicated scanning and enable background scanning - GUI:
  1. Go to WiFi & Switch Controller > FortiAP Profiles and select the FortiAP F-series profile you want to disable dedicated scanning for.
  2. Disable Dedicated scan.

    After you disable Dedicated scan, the WIDS profile option becomes available under Radio 1 and Radio 2 configuration.

  3. Set the Mode of the Radio to Access Point.
  4. Enable WIDS profile and select a WIDS profile to perform background scanning.
  5. Go to Dashboard > WiFi > Rogue APs to verify that the Rogue AP list is on the same channel as the Radio you configured.

To disable dedicated scanning and enable background scanning - CLI:
Note

When you create a new FortiAP F-series profile, dedicated scanning is automatically enabled.

  1. Disable dedicated scanning and assign a WIDS profile:

    config wireless-controller wtp-profile 
      edit 433F
        config platform 
          set type 433F 
          set ddscan disable
        end
        set handoff-sta-thresh 55
        config radio-1
          set band 802.11ax,n,g-only
          set wids-profile "default-wids-apscan-enabled"
        end
        config radio-2
          set band 802.11ax-5G
          set wids-profile "default-wids-apscan-enabled"
        end
        config radio-3
          set mode disabled
        end
      next
    end
  2. Configure the WIDS profile to enable background scan:

    config wireless-controller wids-profile
      edit "default-wids-apscan-enabled"
        set ap-scan enable
        set ap-bgscan-period 60
        set ap-bgscan-intv 1
        set ap-bgscan-duration 20
        set ap-bgscan-idle 0
      next
    end
  3. Assign the wtp-profile to a managed FortiAP:

    config wireless-controller wtp
      edit "FP433FTF20000002"
        set uuid e3beadf4-6fdf-51ec-d2ed-cd489ee341cb
        set admin enable
        set wtp-profile "433F"
        config radio-1
        end
        config radio-2
        end
      next
    end
  4. Check managed FortiAP Channel and background scan status:

    FortiGate-80E-POE # diag wire wlac -c wtp FP433FTF20000002
    -------------------------------WTP    1----------------------------
    WTP vd               : root
        vfid             : 0
        id               : FP433FTF20000002
        ...
      Radio 1            : AP
        ...
        bgscan oper    : enabled
          bgscan period  : oper 60 cfg 60
          bgscan intv    : 1
          bgscan dur     : 20
          bgscan idle    : 0
          bgscan rptintv : 30
        ...
      Radio 2            : AP
        ...
        bgscan oper    : enabled
          bgscan period  : oper 60 cfg 60
          bgscan intv    : 1
          bgscan dur     : 20
          bgscan idle    : 0
          bgscan rptintv : 30
        ...
    -------------------------------Total    1 WTPs---------------------------- 
  5. Check the Rogue AP list on FortiGate:

     FortiGate-80E-POE # diag wire wlac -c ap-rogue
    CMWP AP: vf                  bssid ssid             ch  rate  sec                  signal noise  age      sta mac                 wtp cnt     ici    bw sgi band                   
    UNNN AP: 0       08:5b:0e:17:91:1f fortinet-30d-... 11  130   WPA2 Personal           -39 -95    8        00:00:00:00:00:00       1   /1    56->0    20 0  11NGHT20               
     N                FP433FTF20000002 fortinet-30d-... 11  130   WPA2 Personal           -39 -95    8        10.43.1.18:25246-0  1
    UNNN AP: 0       08:5b:0e:4c:2b:6c fortinet         11  130   WPA2 Personal           -67 -95    18       00:00:00:00:00:00       1   /1    28->0    20 0  11NGHT20               
     N                FP433FTF20000002 fortinet         11  130   WPA2 Personal           -67 -95    18       10.43.1.18:25246-0  1
    ...
    C - Configured  (G:accept, B:rogue, S:suppress, U:unconfigured)
    M - AC managed  (V:vdom, C:AC, N:unmanaged)
    W - On wire     (Y:yes, N:no)
    P - Phishing    (F:fake, O:offending, N:no)
    Total Rogue-AP:34 Rogue-AP-WTP(displayed):34 Rogue-AP-WTP(total):34
    Total Entries: 34