Fortinet – Automatically Suppress APs detected as on-wire

In v5 firmware you can automatically suppress APs that are detected as "on-wire". This means the FortiGate has seen a wireless BSSID whose value is adjacent to a MAC address seen on the wired network, i.e. the rogue AP appears to be plugged into your own LAN.

The following needs to be configured in the CLI:

config wireless-controller setting
    set ap-scan enable
    set on-wire-scan enable
    set ap-auto-suppress enable
end

One of the radios in the AP should be set to monitor mode, and auto-suppression also needs to be enabled in the AP profile (here profile 221B, radio 1):

config wireless-controller wtp-profile
    edit 221B
        config radio-1
            set mode monitor
            set rogue-scan enable
            set ap-auto-suppress enable
        end
    next
end

Rogue APs that are detected on-wire should now be suppressed. Note that they will not be shown as suppressed in the GUI.

To verify that the AP is actually suppressing, connect to the AP and run the following command:

cw_diag -c ap-suppress

Suppressed AP list:

00:1b:11:cc:80:4a   <--- this one is the D-Link as seen above
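As an added illustration (not code from this post or from Fortinet), the on-wire heuristic described above modelled in Python, with a cross-check of the `cw_diag -c ap-suppress` output against what the heuristic expects to be suppressed. The adjacency window of 7, the wired MAC addresses, the detected BSSIDs and the cw_diag output are all constructed assumptions.

```python
import re

MAC_RE = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"

# Constructed sample input, not taken from the post: MAC addresses seen on the
# wired side (e.g. from the FortiGate ARP table) and BSSIDs seen by the monitor radio.
WIRED_MACS = ["00:1b:11:cc:80:48", "00:1b:11:cc:80:49", "3c:5a:b4:12:34:56"]
DETECTED_BSSIDS = ["00:1b:11:cc:80:4a", "00:1b:11:cc:80:70", "e8:de:27:aa:bb:cc"]

# Constructed sample, modelled on the cw_diag output shown in the post.
CW_DIAG_OUTPUT = "Suppressed AP list:\n\n00:1b:11:cc:80:4a\n"

def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer; reject anything else."""
    if not re.fullmatch(MAC_RE, mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)

def is_adjacent(bssid, wired_mac, window=7):
    """Model of the on-wire test: same OUI (top 24 bits) and the NIC-specific
    halves differ by at most `window`. The window of 7 is an assumption."""
    b, w = mac_to_int(bssid), mac_to_int(wired_mac)
    if (b >> 24) != (w >> 24):
        return False
    return abs((b & 0xFFFFFF) - (w & 0xFFFFFF)) <= window

def on_wire_bssids(bssids, wired_macs, window=7):
    """Map each BSSID that looks on-wire to the first wired MAC it is adjacent to."""
    hits = {}
    for bssid in bssids:
        for mac in wired_macs:
            if is_adjacent(bssid, mac, window):
                hits[bssid.lower()] = mac.lower()
                break
    return hits

def parse_suppressed(cw_diag_output):
    """Extract the MAC addresses listed by `cw_diag -c ap-suppress`."""
    return {m.lower() for m in re.findall(MAC_RE, cw_diag_output)}

def unsuppressed_on_wire(bssids, wired_macs, cw_diag_output, window=7):
    """On-wire BSSIDs the AP is not reporting as suppressed: worth a closer look."""
    expected = set(on_wire_bssids(bssids, wired_macs, window))
    return sorted(expected - parse_suppressed(cw_diag_output))

if __name__ == "__main__":
    print(on_wire_bssids(DETECTED_BSSIDS, WIRED_MACS))
    print(unsuppressed_on_wire(DETECTED_BSSIDS, WIRED_MACS, CW_DIAG_OUTPUT))
```

Feed it the real ARP/FDB list and the real cw_diag output and an empty result means every BSSID the heuristic flags is also on the AP's suppressed list.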
