WIDS profiles
The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, a log message is recorded. When you create AP profiles, you can select a WIDS profile.
To view WIDS profiles:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to AP Manager > Protection Profiles > WIDS Profiles.
The following options are available in the toolbar and right-click menu:
Create New
Create a new WIDS profile.
Edit
Edit the selected WIDS profile.
Delete
Delete the selected WIDS profile.
Clone
Clone the selected WIDS profile.
Where Used
Displays the ADOM where the profile is used as well as the Policy Package/Block.
Import
Import WIDS profiles from a connected FortiGate (toolbar only).
To create a new WIDS profile:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to AP Manager > Protection Profiles > WIDS Profiles.
- In the toolbar, click Create New.
The Create New WIDS Profile pane opens.
- Enter the following information, and click OK to create the WIDS profile:
Name
Enter a name for the profile.
Comments
Optionally, enter comments.
Sensor Mode
Enable Rogue AP Detection
Select to enable rogue AP detection.
Background Scan Every
Enter the number of seconds between background scans.
Enable Passive Scan Mode
Enable/disable passive scan mode.
Auto Suppress Rouge APs in Foreground Scan
Enable/disable automatically suppressing rogue APs in foreground scans.
This options is only available when the sensor mode is not disabled.
Disable Background Scan During Specified Time
Enable/disable background scanning during the specified time. Specify the days of week, and the start and end times.
Intrusion Type
The intrusion types that can be detected. See Intrusion types.
Enable
Select to enable the intrusion type.
Threshold
If applicable, enter a threshold for reporting the intrusion, in seconds except where specified.
Interval (Seconds)
If applicable, enter the interval for reporting the intrusion, in seconds.
Advanced Options
ap-bgscan-duration
Listening time on a scanning channel, in milliseconds (10 - 1000, default = 20).
ap-bgscan-idle
Waiting time for channel inactivity before scanning this channel, in milliseconds (0 - 1000, default = 0).
ap-bgscan-intv
Period of time between scanning two channels, in seconds (1 - 600, default = 1).
ap-bgscan-report-intv
Period of time between background scan reports, in seconds (15 - 600, default = 30).
ap-fgscan-report-intv
Period of time between foreground scan reports, in seconds (15 - 600, default = 15).
deauth-broadcast
Enable/disable broadcasting deauthentication detection (default = disable).
deauth-unknown-src-thresh
Threshold value per second to deauthenticate unknown sources for DoS attacks, in seconds (0 - 65535, 0 = no limit, default = 10).
invalid-mac-oui
Enable/disable invalid MAC OUI detection (default = disable).
You can edit, delete, clone and import existing profiles, as well as see where the profile is being used.
To edit a profile:
- Select the profile to edit.
- In the toolbar, click Edit.
Alternatively, you can right-click the profile and select Edit, or double-click a profile.
- Edit the settings as required.
- Click OK to apply your changes.
To delete profiles:
- Select the profile(s) to be deleted.
- In the toolbar, click Delete.
Alternatively, right-click the profile and select Delete.
- Click OK.
To clone a profile:
- Select a profile in the list.
- In the toolbar, click Clone.
Alternatively, right-click a profile and select Clone.
- Edit the name of the profile, then edit the remaining settings as required.
- Click OK to clone the profile.
To import a profile:
- In the toolbar, click Import.
The Import dialog opens.
- From the FortiGate dropdown, select a device. The list will include all of the devices in the current ADOM.
- From the Profiles dropdown, select a profile.
- Click OK.
To view where a profile is used:
- Select the profile.
- In the toolbar, click More > Where Used.
Alternatively, you can right-click the profile and select Where Used.
The Where <profile name> is used pane opens.
- Click Close.
Intrusion types
Intrusion Type |
Description |
---|---|
Asleap Attack |
ASLEAP is a tool used to perform attacks against LEAP authentication. |
Association Frame Flooding |
A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds. |
Authentication Frame Flooding |
A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds. |
Broadcasting Deauthentication |
This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP. |
EAPOL Packet Flooding (to AP) |
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets can be detected:
|
Invalid MAC OUI |
Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged. |
Long Duration Attack |
To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200µ. |
Null SSID Probe Response |
When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding. |
Premature EAPOL Packet Flooding (to client) |
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack. Two types of EAPOL packets can be detected:
|
Spoofed Deauthentication |
Spoofed de-authentication frames form the basis for most denial of service attacks. |
Weak WEP IV Detection |
A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic. |
Wireless Bridge |
WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network. |