Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 7.2.5 Administration Guide
    7.2.5
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    WIDS profiles

    WIDS profiles

    The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, a log message is recorded. When you create AP profiles, you can select a WIDS profile.

    To view WIDS profiles:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to AP Manager > WiFi Profiles > Protection Profiles > WIDS Profile.

      The following options are available in the toolbar and right-click menu:

      Create New

      Create a new WIDS profile.

      Edit

      Edit the selected WIDS profile.

      Delete

      Delete the selected WIDS profile.

      Clone

      Clone the selected WIDS profile.

      Where Used

      Displays the ADOM where the profile is used as well as the Policy Package/Block.

      Import

      Import WIDS profiles from a connected FortiGate (toolbar only).

    To create a new WIDS profile:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to AP Manager > WiFi Profiles > Protection Profiles > WIDS Profile.
    3. In the toolbar, click Create New.

      The Create New WIDS Profile pane opens.

    4. Enter the following information, and click OK to create the WIDS profile:

      Name

      Enter a name for the profile.

      Comments

      Optionally, enter comments.

      Sensor Mode

      Enable Rogue AP Detection

      Select to enable rogue AP detection.

      Background Scan Every

      Enter the number of seconds between background scans.

      Enable Passive Scan Mode

      Enable/disable passive scan mode.

      Auto Suppress Rouge APs in Foreground Scan

      Enable/disable automatically suppressing rogue APs in foreground scans.

      This options is only available when the sensor mode is not disabled.

      Disable Background Scan During Specified Time

      Enable/disable background scanning during the specified time. Specify the days of week, and the start and end times.

      Intrusion Type

      The intrusion types that can be detected.

      Enable

      Select to enable the intrusion type.

      Threshold

      If applicable, enter a threshold for reporting the intrusion, in seconds except where specified.

      Interval (Seconds)

      If applicable, enter the interval for reporting the intrusion, in seconds.

      Advanced Options

      ap-bgscan-duration

      Listening time on a scanning channel, in milliseconds (10 - 1000, default = 20).

      ap-bgscan-idle

      Waiting time for channel inactivity before scanning this channel, in milliseconds (0 - 1000, default = 0).

      ap-bgscan-intv

      Period of time between scanning two channels, in seconds (1 - 600, default = 1).

      ap-bgscan-report-intv

      Period of time between background scan reports, in seconds (15 - 600, default = 30).

      ap-fgscan-report-intv

      Period of time between foreground scan reports, in seconds (15 - 600, default = 15).

      deauth-broadcast

      Enable/disable broadcasting deauthentication detection (default = disable).

      deauth-unknown-src-thresh

      Threshold value per second to deauthenticate unknown sources for DoS attacks, in seconds (0 - 65535, 0 = no limit, default = 10).

      invalid-mac-oui

      Enable/disable invalid MAC OUI detection (default = disable).

    Intrusion types

    Intrusion Type

    Description

    Asleap Attack

    ASLEAP is a tool used to perform attacks against LEAP authentication.

    Association Frame Flooding

    A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.

    Authentication Frame Flooding

    A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.

    Broadcasting Deauthentication

    This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.

    EAPOL Packet Flooding (to AP)

    Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack.

    Several types of EAPOL packets can be detected:

    • EAPOL-FAIL
    • EAPOL-LOGOFF
    • EAPOL-START
    • EAPOL-SUCC

    Invalid MAC OUI

    Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.

    Long Duration Attack

    To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200µ.

    Null SSID Probe Response

    When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.

    Premature EAPOL Packet Flooding (to client)

    Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack.

    Two types of EAPOL packets can be detected:

    • EAPOL-FAIL
    • EAPOL-SUCC

    Spoofed Deauthentication

    Spoofed de-authentication frames form the basis for most denial of service attacks.

    Weak WEP IV Detection

    A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.

    Wireless Bridge

    WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.
    To edit a WIDS profile:
    1. Select the profile to edit.
    2. In the toolbar, click Edit.

      Alternatively, you can right-click the profile and select Edit, or double-click a profile.

      The Edit WIDS dialog opens.

    3. Edit the settings as required.
    4. Click OK to apply your changes.
    To delete WIDS profiles:
    1. Select the profile or profiles to be deleted from the profile list.
    2. In the toolbar click Delete.

      Alternatively, right-click and select Delete.

      The Delete WIDS Profile(s) dialog opens.

    3. Click OK.
    To clone a WIDS profile:
    1. Select a profile to clone.
    2. In the toolbar click Clone.

      Alternatively, right-click and select Clone.

    3. Edit the name of the profile, then edit the remaining settings as required.
    4. Click OK.
    To import a WIDS profile:
    1. In the toolbar, click Import.

      The Import dialog opens.

    2. From the FortiGate dropdown, select a device. The list will include all of the devices in the current ADOM.
    3. From the Profiles dropdown, select the profile(s).
    4. Click OK.
    Previous
    Next

    WIDS profiles

    WIDS profiles

    The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, a log message is recorded. When you create AP profiles, you can select a WIDS profile.

    To view WIDS profiles:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to AP Manager > WiFi Profiles > Protection Profiles > WIDS Profile.

      The following options are available in the toolbar and right-click menu:

      Create New

      Create a new WIDS profile.

      Edit

      Edit the selected WIDS profile.

      Delete

      Delete the selected WIDS profile.

      Clone

      Clone the selected WIDS profile.

      Where Used

      Displays the ADOM where the profile is used as well as the Policy Package/Block.

      Import

      Import WIDS profiles from a connected FortiGate (toolbar only).

    To create a new WIDS profile:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to AP Manager > WiFi Profiles > Protection Profiles > WIDS Profile.
    3. In the toolbar, click Create New.

      The Create New WIDS Profile pane opens.

    4. Enter the following information, and click OK to create the WIDS profile:

      Name

      Enter a name for the profile.

      Comments

      Optionally, enter comments.

      Sensor Mode

      Enable Rogue AP Detection

      Select to enable rogue AP detection.

      Background Scan Every

      Enter the number of seconds between background scans.

      Enable Passive Scan Mode

      Enable/disable passive scan mode.

      Auto Suppress Rouge APs in Foreground Scan

      Enable/disable automatically suppressing rogue APs in foreground scans.

      This options is only available when the sensor mode is not disabled.

      Disable Background Scan During Specified Time

      Enable/disable background scanning during the specified time. Specify the days of week, and the start and end times.

      Intrusion Type

      The intrusion types that can be detected.

      Enable

      Select to enable the intrusion type.

      Threshold

      If applicable, enter a threshold for reporting the intrusion, in seconds except where specified.

      Interval (Seconds)

      If applicable, enter the interval for reporting the intrusion, in seconds.

      Advanced Options

      ap-bgscan-duration

      Listening time on a scanning channel, in milliseconds (10 - 1000, default = 20).

      ap-bgscan-idle

      Waiting time for channel inactivity before scanning this channel, in milliseconds (0 - 1000, default = 0).

      ap-bgscan-intv

      Period of time between scanning two channels, in seconds (1 - 600, default = 1).

      ap-bgscan-report-intv

      Period of time between background scan reports, in seconds (15 - 600, default = 30).

      ap-fgscan-report-intv

      Period of time between foreground scan reports, in seconds (15 - 600, default = 15).

      deauth-broadcast

      Enable/disable broadcasting deauthentication detection (default = disable).

      deauth-unknown-src-thresh

      Threshold value per second to deauthenticate unknown sources for DoS attacks, in seconds (0 - 65535, 0 = no limit, default = 10).

      invalid-mac-oui

      Enable/disable invalid MAC OUI detection (default = disable).

    Intrusion types

    Intrusion Type

    Description

    Asleap Attack

    ASLEAP is a tool used to perform attacks against LEAP authentication.

    Association Frame Flooding

    A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.

    Authentication Frame Flooding

    A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.

    Broadcasting Deauthentication

    This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.

    EAPOL Packet Flooding (to AP)

    Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack.

    Several types of EAPOL packets can be detected:

    • EAPOL-FAIL
    • EAPOL-LOGOFF
    • EAPOL-START
    • EAPOL-SUCC

    Invalid MAC OUI

    Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.

    Long Duration Attack

    To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200µ.

    Null SSID Probe Response

    When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.

    Premature EAPOL Packet Flooding (to client)

    Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack.

    Two types of EAPOL packets can be detected:

    • EAPOL-FAIL
    • EAPOL-SUCC

    Spoofed Deauthentication

    Spoofed de-authentication frames form the basis for most denial of service attacks.

    Weak WEP IV Detection

    A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.

    Wireless Bridge

    WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.
    To edit a WIDS profile:
    1. Select the profile to edit.
    2. In the toolbar, click Edit.

      Alternatively, you can right-click the profile and select Edit, or double-click a profile.

      The Edit WIDS dialog opens.

    3. Edit the settings as required.
    4. Click OK to apply your changes.
    To delete WIDS profiles:
    1. Select the profile or profiles to be deleted from the profile list.
    2. In the toolbar click Delete.

      Alternatively, right-click and select Delete.

      The Delete WIDS Profile(s) dialog opens.

    3. Click OK.
    To clone a WIDS profile:
    1. Select a profile to clone.
    2. In the toolbar click Clone.

      Alternatively, right-click and select Clone.

    3. Edit the name of the profile, then edit the remaining settings as required.
    4. Click OK.
    To import a WIDS profile:
    1. In the toolbar, click Import.

      The Import dialog opens.

    2. From the FortiGate dropdown, select a device. The list will include all of the devices in the current ADOM.
    3. From the Profiles dropdown, select the profile(s).
    4. Click OK.
    Previous
    Next