Detecting Fake and Rogue Access Points
You can configure rules for automatic detection of fake and offending SSIDs. Additionally, it is also possible to configure actions and counter measures to be taken when these categories of threats are detected. FortiLAN Cloud actively scans and reports the neighbour APs to identify other access points in the area to know their potential impact on the FortiAPs managed by FortiLAN Cloud. You can define the policy to classify the detected neighbour access points Fake & Offending and Rogue & Accepted. Navigate to Wireless > Monitor > Neighbour APs.
Fake & Offending
Fake and Offending categories include phishing access points that lead clients to connect to fake/offending access points instead of getting connected to legitimate FortiAPs. A fake access point broadcasts the same SSID as the legitimate FortiAP and an offending access point broadcasts SSIDs that falsely represent the company/organization/department of the legitimate FortiAP.
You can configure the criteria for classifying the detected neighbour access points as fake or offending. FortiLAN Cloud compares the received neighbour access point data with the configured policy (SSID) and in case of a match, categorizes them and takes the action as per the configured policy parameters.
Rogue & Accepted
A neighbour access point that could potentially affect the performance of the FortiAPs managed by FortiLAN Cloud, is classified as rogue and a neighbour access point with no adverse impact or interference in the FortiAP wireless network operations are deemed acceptable.
You can configure a single or multiple parameters for the classification of FortiAPs as rogue or acceptable. FortiLAN Cloud compares the received neighbour access point data with the configured parameters and in case of a match, categorizes them and takes the action as per the configured policy parameters.
Notes:
- SSID and BSSID patterns allow up to one wildcard (*) character.
- You can create multiple configuration profiles and each configuration profile can specify only a single SSID/BSSID pattern.
- The specified SSID pattern is case-insensitive.