In v5 firmware you can automatically suppress APs that are detected as “on-wire”. This means that the Fortigate detects a wireless BSSID whose value is adjacent to a MAC ID detected on the wired network.
The following needs to be configure at CLI:
config wireless-controller setting set ap-scan enable set on-wire-scan enable set ap-auto-suppress enable end
One of the radios in the AP should be set to monitor and auto suppression also needs to be configured in the AP profile:
config wireless-controller wtp-profile edit 221B config radio-1 set mode monitor set rogue-scan enable set ap-auto-suppress enable end end
Rogue APs that are detected on-wire should now be suppressed, note that they will not be shown as suppressed in the GUI:
Verify the AP will suppress by connecting to the AP and run the following command:
cw_diag -c ap-suppress Suppressed AP list: bssid 08:5b:0e:0b:2a:23 00:1b:11:cc:80:4a <--- this one is the D-Link as seen above