Administration Guide

WIDS profiles

The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, a log message is recorded.

To view WIDS profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Profiles, and select WIDS Profile in the tree menu.

The following options are available in the toolbar and right-click menu:

Create New

Create a new WIDS profile.

Edit

Edit the selected WIDS profile.

Delete

Delete the selected WIDS profile.

Clone

Clone the selected WIDS profile.

Import

Import WIDS profiles from a connected FortiGate (toolbar only).

To create a new WIDS profile:
  1. On the WIDS Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New WIDS Profile window opens.

  2. Enter the following information, then click OK to create the new WIDS profile:

    Name

    Enter a name for the profile.

    Comments

    Optionally, enter comments.

    Sensor Mode

    Enable Rogue AP Detection

    Select to enable rogue AP detection.

    Background Scan Every

    Enter the number of seconds between background scans.

    Enable Passive Scan Mode

    Enable/disable passive scan mode.

    Auto Suppress Rogue APs in Foreground Scan

    Enable/disable automatically suppressing rogue APs in foreground scans.

    This option is only available when the sensor mode is not disabled.

    Disable Background Scan During Specified Time

    Enable/disable background scanning during the specified time. Specify the days of week, and the start and end times.

    Intrusion Type

    The intrusion types that can be detected.

    Enable

    Select to enable the intrusion type.

    Threshold

    If applicable, enter a threshold for reporting the intrusion, in seconds except where specified.

    Interval (Seconds)

    If applicable, enter the interval for reporting the intrusion, in seconds.

    Advanced Options

    ap-bgscan-duration

    Listening time on a scanning channel, in milliseconds (10 - 1000, default = 20).

    ap-bgscan-idle

    Waiting time for channel inactivity before scanning this channel, in milliseconds (0 - 1000, default = 0).

    ap-bgscan-intv

    Period of time between scanning two channels, in seconds (1 - 600, default = 1).

    ap-bgscan-report-intv

    Period of time between background scan reports, in seconds (15 - 600, default = 30).

    ap-fgscan-report-intv

    Period of time between foreground scan reports, in seconds (15 - 600, default = 15).

    deauth-broadcast

    Enable/disable broadcasting deauthentication detection (default = disable).

    deauth-unknown-src-thresh

    Threshold value per second to deauthenticate unknown sources for DoS attacks, in seconds (0 - 65535, 0 = no limit, default = 10).

    invalid-mac-oui

    Enable/disable invalid MAC OUI detection (default = disable).

Intrusion types

Intrusion Type

Description

Asleap Attack

ASLEAP is a tool used to perform attacks against LEAP authentication.

Association Frame Flooding

A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.

Authentication Frame Flooding

A Denial of Service attack using authentication requests. The default detection threshold is 30 requests in 10 seconds.

Broadcasting Deauthentication

This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.

EAPOL Packet Flooding (to AP)

Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack.

Several types of EAPOL packets can be detected:

  • EAPOL-FAIL
  • EAPOL-LOGOFF
  • EAPOL-START
  • EAPOL-SUCC

Invalid MAC OUI

Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.

Long Duration Attack

To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200 microseconds.

Null SSID Probe Response

When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.

Premature EAPOL Packet Flooding (to client)

Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack.

Two types of EAPOL packets can be detected:

  • EAPOL-FAIL
  • EAPOL-SUCC

Spoofed Deauthentication

Spoofed de-authentication frames form the basis for most denial of service attacks.

Weak WEP IV Detection

A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.

Wireless Bridge

WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.
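
The Threshold and Interval fields above, and several of the intrusion types in this table, come down to two kinds of check: counting frames of one kind per source inside a sliding time window, and inspecting a single frame for a bad property. The Python model below is an added example, not Fortinet code and not a description of how FortiGate implements WIDS internally. It applies the table's default of 30 requests in 10 seconds to association and authentication frames, reuses the Interval value to rate-limit repeat reports per source, and adds per-frame checks for an unregistered OUI, a frame with both FromDS and ToDS set, a duration field above the 8200 microsecond default, and a probe response carrying a null SSID. The Frame record, the alert labels, the OUI registry and the sample capture are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the IEEE OUI registry (illustrative entries only).
KNOWN_OUIS = {"00:09:0f", "3c:5a:b4", "dc:a6:32"}


@dataclass
class Frame:
    ts: float                   # capture time in seconds
    src: str                    # transmitter MAC address
    subtype: str                # "assoc_req", "auth", "deauth", "probe_resp", "data"
    from_ds: bool = False       # FromDS bit in the frame control field
    to_ds: bool = False         # ToDS bit in the frame control field
    duration_us: int = 0        # duration/NAV field, microseconds
    ssid: Optional[str] = None  # only meaningful for probe_resp


class FloodDetector:
    """Sliding-window counter: report when `threshold` frames of `subtype` from one
    source fall inside `interval` seconds, then stay quiet for that source for one
    more interval (mirrors the Threshold / Interval fields of the profile)."""

    def __init__(self, subtype: str, threshold: int = 30, interval: float = 10.0):
        self.subtype = subtype
        self.threshold = threshold
        self.interval = interval
        self.windows = defaultdict(deque)   # src -> timestamps inside the window
        self.last_report = {}               # src -> time of last report

    def observe(self, frame: Frame) -> bool:
        if frame.subtype != self.subtype:
            return False
        q = self.windows[frame.src]
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.interval:   # drop frames outside the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        last = self.last_report.get(frame.src)
        if last is not None and frame.ts - last < self.interval:
            return False                                # already reported this interval
        self.last_report[frame.src] = frame.ts
        return True


def invalid_oui(mac: str, registry=KNOWN_OUIS) -> bool:
    """First three bytes of the MAC are the OUI; unknown ones are flagged."""
    return mac.lower()[:8] not in registry


def is_wireless_bridge(frame: Frame) -> bool:
    return frame.from_ds and frame.to_ds


def long_duration(frame: Frame, thresh_us: int = 8200) -> bool:
    return frame.duration_us > thresh_us


def null_ssid_probe_response(frame: Frame) -> bool:
    return frame.subtype == "probe_resp" and not frame.ssid


def run_wids(frames: List[Frame]) -> List[Tuple[str, str]]:
    """Run every check over a capture; returns (alert label, source MAC) pairs in order."""
    detectors = [("assoc-frame-flood", FloodDetector("assoc_req")),
                 ("auth-frame-flood", FloodDetector("auth"))]
    alerts, reported_oui = [], set()
    for f in sorted(frames, key=lambda x: x.ts):
        for label, det in detectors:
            if det.observe(f):
                alerts.append((label, f.src))
        if invalid_oui(f.src) and f.src not in reported_oui:   # log each bad OUI once
            reported_oui.add(f.src)
            alerts.append(("invalid-mac-oui", f.src))
        if is_wireless_bridge(f):
            alerts.append(("wireless-bridge", f.src))
        if long_duration(f):
            alerts.append(("long-duration-attack", f.src))
        if null_ssid_probe_response(f):
            alerts.append(("null-ssid-probe-resp", f.src))
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: 30 association requests in 3 s from a locally administered
    (random-looking) address, plus one frame for each of the per-frame checks."""
    flooder = "02:00:00:aa:bb:cc"
    frames = [Frame(ts=i * 0.1, src=flooder, subtype="assoc_req") for i in range(30)]
    frames.append(Frame(ts=5.0, src="00:09:0f:11:22:33", subtype="data", from_ds=True, to_ds=True))
    frames.append(Frame(ts=6.0, src="00:09:0f:44:55:66", subtype="data", duration_us=20000))
    frames.append(Frame(ts=7.0, src="3c:5a:b4:77:88:99", subtype="probe_resp", ssid=""))
    frames.append(Frame(ts=8.0, src="dc:a6:32:00:00:01", subtype="assoc_req"))  # benign
    return frames


if __name__ == "__main__":
    for label, src in run_wids(sample_frames()):
        print(f"{label:22s} {src}")
```

Running it on the constructed capture yields five reports: the flooder's unregistered OUI on its first frame, the association flood on its 30th frame, and one report each for the bridge, the long duration and the null-SSID probe response; the single benign association request at the end produces nothing. As with the real Wireless Bridge check, a frame with both DS bits set is reported whether or not the bridge is one you configured on purpose, so that alert needs an allow-list or a review step rather than automatic action.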

To edit a WIDS profile:
  1. Either double-click on a profile name, select a profile and then click Edit in the toolbar, or right-click on the name then select Edit from the menu. The Edit WIDS window opens.
  2. Edit the settings as required.
  3. Click OK to apply your changes.
To delete WIDS profiles:
  1. Select the profile or profiles that will be deleted from the profile list.
  2. Either click Delete from the toolbar, or right-click then select Delete.
  3. Click OK in the confirmation dialog box to delete the profile or profiles.
To clone a WIDS profile:
  1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone WIDS pane opens.
  2. Edit the name of the profile, then edit the remaining settings as required.
  3. Click OK to clone the profile.
To import a WIDS profile:
  1. Click Import in the toolbar. The Import dialog box opens.
  2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
  3. Select the profile or profiles to be imported from the dropdown list.
  4. Click OK to import the profile or profiles.
