SonicPoint > Advanced IDP

Advanced Intrusion Detection and Prevention (IDP) is used to monitor the radio spectrum for the presence of unauthorized access points (intrusion detection) and to automatically take countermeasures (intrusion prevention). When Advanced IDP is enabled on a SonicPoint, the SonicPoint’s radio functions as a dedicated IDP sensor.

Caution        When Advanced IDP is enabled on a SonicPoint radio, its access point functions are disabled and any wireless clients will be disconnected.

Configuring Advanced IDP is a two-part process:

             Enabling Advanced IDP on a SonicPoint Profile

             Configuring Advanced IDP

Enabling Advanced IDP on a SonicPoint Profile

To enable Advanced IDP scanning on a SonicPoint profile, perform the following tasks:

Step 1        Navigate to the SonicPoint > SonicPoints page.

Step 2        Click the configure icon for the appropriate SonicPoint profile.

Step 3        Click on the Sensor tab.

Step 4        Select the Enable WIDP Sensor checkbox.

Step 5        In the pulldown menu, select the appropriate schedule for IDP scanning, or select Create new schedule to create a custom schedule.

Caution        Remember that when Advanced IDP scanning is enabled on a SonicPoint radio, its access point functions are disabled and any wireless clients will be disconnected.

Configuring Advanced IDP

To configure Advanced IDP, perform the following tasks:

Step 1        Navigate to the SonicPoint > Advanced IDP page.

Step 2        Select the Enable Wireless Intrusion Detection and Prevention checkbox.

Step 3        For Authorized Access Points, select the Address Object Group that authorized Access Points will be assigned to. By default, this is set to All Authorized Access Points.

Step 4        For Rogue Access Points, select the Address Object Group that unauthorized Access Points will be assigned to. By default, this is set to All Rogue Access Points.

Step 5        Select one of the following two options to determine which APs are considered rogue (only one can be enabled at a time):

             Add any unauthorized AP into Rogue AP list automatically assigns all detected unauthorized APs to the Rogue list, regardless of whether they are connected to your network.

             Add connected unauthorized AP into Rogue AP list assigns unauthorized APs to the Rogue list only if they are connected to your network. The following options determine how IDP detects connected rogue APs:

           Enable ARP cache search to detect connected rogue AP – Advanced IDP searches the ARP cache for clients’ MAC addresses. When one is found and the AP it is connected to is not authorized, the AP is classified as rogue.

           Enable active probe to detect connected rogue AP – The SonicPoint will connect to the suspect AP and send probes to all LAN, DMZ and WLAN interfaces of the firewall. If the firewall receives any of these probes, the AP is classified as rogue.

             Select Add evil twin into Rogue AP list to add APs to the rogue list when they are not in the authorized list but have the same SSID as a managed SonicPoint.

             Select Block rogue AP and its clients' traffic to drop all incoming traffic that has a source IP address that matches the rogue list.

             Select Disassociate rogue AP and its clients to send de-authentication messages to clients of the rogue AP to stop communication between them.
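
The classification rules in Step 5 can be checked against a sensor scan before they are enabled. The following is an added illustration, not SonicOS code: it models the "any unauthorized" and "connected unauthorized" modes, the ARP cache search, and the evil twin rule (the active probe is not modeled). All names and sample data are hypothetical, and the evil twin option is assumed to apply independently of the selected mode.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SeenAP:
    bssid: str                 # AP radio MAC as observed by the sensor
    ssid: str
    clients: tuple = ()        # MACs of stations seen associated with this AP

def norm(mac):
    """Canonical MAC form so 02-00-..-AA and 02:00:..:aa compare equal."""
    return mac.strip().lower().replace("-", ":")

def rogue_list(aps, authorized, managed_ssids, arp_cache, mode="connected", evil_twin=True):
    """Return {bssid: [reasons]} for APs that would land on the rogue list.

    mode is "any" or "connected": the two mutually exclusive options in Step 5.
    """
    if mode not in ("any", "connected"):
        raise ValueError("mode must be 'any' or 'connected'")
    authorized = {norm(m) for m in authorized}
    arp_cache = {norm(m) for m in arp_cache}
    rogues = {}
    for ap in aps:
        bssid = norm(ap.bssid)
        if bssid in authorized:
            continue           # authorized APs are never rogue, whatever their SSID
        reasons = []
        if mode == "any":
            reasons.append("unauthorized")
        elif any(norm(c) in arp_cache for c in ap.clients):
            # a client of this AP also appears in the firewall's ARP cache
            reasons.append("connected (ARP cache)")
        if evil_twin and ap.ssid in managed_ssids:
            reasons.append("evil twin")
        if reasons:
            rogues[bssid] = reasons
    return rogues

# Constructed sample data (locally administered MACs, made-up SSIDs).
AUTHORIZED = ["02:00:00:00:00:01"]
MANAGED_SSIDS = {"corp"}
ARP_CACHE = ["02-00-00-00-AA-01"]
SCAN = [
    SeenAP("02:00:00:00:00:01", "corp"),
    SeenAP("02:00:00:00:00:0B", "corp"),
    SeenAP("02:00:00:00:00:0C", "cafe-wifi", ("02:00:00:00:aa:01",)),
    SeenAP("02:00:00:00:00:0D", "neighbor", ("02:00:00:00:bb:01",)),
]

if __name__ == "__main__":
    for mode in ("any", "connected"):
        print(mode, rogue_list(SCAN, AUTHORIZED, MANAGED_SSIDS, ARP_CACHE, mode))
```

In "connected" mode the neighboring AP with no client in the ARP cache stays off the rogue list, which matters when Block or Disassociate is also selected.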