Access Point Airspace Monitoring Report

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP330, AP332CR, AP430CR, AP432)

The Airspace Monitoring report shows detected malicious access points on your wireless network such as Rogue, Suspected Rogue, and Evil Twin access points.

You must enable Airspace Monitoring for an access point to scan the network and report on wireless threats. For more information, go to Access Point Airspace Monitoring.

When WatchGuard Cloud detects a malicious access point, you can generate an alert notification so that you can take action to investigate, identify, and remove the threat. For more information on how to create an alert notification for Airspace Monitoring events, go to Airspace Monitoring Alerts.

Airspace Monitoring and ThreatSync

You can integrate Airspace Monitoring alerts with ThreatSync. ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard devices and products. You can receive alerts within ThreatSync when Airspace Monitoring detects malicious access points such as Rogue and Evil Twin access points. For more information, go to About ThreatSync.

ThreatSync currently only detects and reports on wireless threats. ThreatSync does not remediate wireless threat incidents to prevent connections to the malicious access point or disconnect wireless clients that have already associated to a malicious access point.

To view the Airspace Monitoring report, in WatchGuard Cloud:

  1. Select Monitor > Devices.
  2. Select a folder that contains your access points.

You must select a device folder that contains your access points to view the Airspace Monitoring report because WatchGuard Cloud uses all access points to detect malicious access points.

  3. From the Devices menu, select Access Points > Airspace Monitoring.

When you first enable Airspace Monitoring, it might take several minutes to scan the wired and wireless networks. No data appears until WatchGuard Cloud detects security threats.

Screenshot of the Airspace Monitoring Report

  • To select the report date range, click .
  • From the Access Point drop-down list, select a specific Access Point to view, or select All Access Points.
  • Click to download a CSV version of the report.

For information on how to schedule a report, go to Schedule WatchGuard Cloud Reports.

Airspace Monitoring Report Details

The Airspace Monitoring report includes a bar graph of detected Rogue, Suspected Rogue, and Evil Twin access points.

The table includes this data:

  • Threat MAC Address — The MAC address of the wireless or wired interfaces of the detected threat device. An icon indicates if the MAC address is a wired or wireless interface. There might be additional MAC addresses that correspond to a wireless BSSID.
  • Type — The type of malicious access point detected, such as Rogue AP, Suspected Rogue AP, or Evil Twin. For more information, go to About Malicious Access Point Threat Types.
  • Threat Reason — Indicates the reason why a device was classified as a malicious access point, based on the signature status:
      • None — This status appears for Rogue or Suspected Rogue access points that were detected by wired and wireless MAC address correlation instead of Evil Twin signature detection.
      • No signature detected — No signature was detected from the device. This device is not a valid WatchGuard device managed by WatchGuard Cloud or a trusted device.
      • Invalid signature detected — An invalid signature was detected on the device. This indicates the signature is corrupted or might have been tampered with.
      • A signature is detected, but has an invalid time stamp — A signature was detected on the device, but there are inconsistencies in the time stamp that indicate the signature might have been tampered with, so it is considered invalid. This might also indicate discrepancies with NTP server communications. Make sure all your access points use a reliable, regional NTP server to synchronize the time for all your devices.
  • Threat IP Address — The IP address of the detected threat device. A threat IP address only appears for Rogue and Suspected Rogue access points. Evil Twin access points are identified by the BSSID MAC addresses of the wireless interfaces.
  • First Detected Time — The date and time when the threat device was first detected on the network.
  • Last Detected Time — The date and time when the threat device was last detected on the network.
  • Threat Device SSID — The SSID broadcast by the detected threat device.
  • Threat Device Security — The security mode used by the detected threat device, such as WPA2 Personal.
  • RSSI (Received Signal Strength Indicator) — The signal strength of the detected threat access point in dBm. The closer the value is to 0 dBm, the stronger the signal. For example, -60 dBm is a better signal strength than -75 dBm. Use the detected threat device RSSI from the access points that detected the device to estimate the threat location.
    The RSSI value corresponds to these approximate distances:
      • RSSI between 0 dBm and -39 dBm = 1 to 10 feet, 1 to 3 meters
      • RSSI between -40 dBm and -50 dBm = 10 to 20 feet, 3 to 6 meters
      • RSSI between -50 dBm and -55 dBm = 15 to 25 feet, 4 to 8 meters
      • RSSI between -55 dBm and -60 dBm = 25 to 35 feet, 7 to 10 meters
      • RSSI between -60 dBm and -65 dBm = 30 to 45 feet, 9 to 14 meters
      • RSSI between -65 dBm and -70 dBm = 40 to 60 feet, 12 to 18 meters
      • RSSI between -70 dBm and -75 dBm = 55 to 80 feet, 16 to 25 meters
      • Below -75 dBm = Greater than 70 feet, Greater than 21 meters
  • Threat Device Protocol — The wireless protocol used by the detected threat device, such as 802.11ax.
  • Detected by Device Name — The name of the WatchGuard access point that detected the threat device.
  • Detected by MAC Address — The MAC address of the WatchGuard access point that detected the threat device.
  • Detected by Serial Number — The serial number of the WatchGuard access point that detected the threat device.
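The following added example (not WatchGuard's code) shows how a defender can process the downloaded CSV report: it maps each row's RSSI to the approximate distance band listed above and, for each threat MAC address, picks the detecting access point with the strongest signal to narrow down where to look. The CSV column names follow the report field names but the exact export header is an assumption, and the rows are constructed sample data.

```python
import csv
import io

# Approximate RSSI-to-distance bands from the report documentation, keyed by the
# lowest RSSI (in dBm) that still falls in the band. Bands overlap at their edges
# in the documentation; the first match wins here.
RSSI_BANDS = [
    (-39, "1 to 10 ft", "1 to 3 m"),
    (-50, "10 to 20 ft", "3 to 6 m"),
    (-55, "15 to 25 ft", "4 to 8 m"),
    (-60, "25 to 35 ft", "7 to 10 m"),
    (-65, "30 to 45 ft", "9 to 14 m"),
    (-70, "40 to 60 ft", "12 to 18 m"),
    (-75, "55 to 80 ft", "16 to 25 m"),
]

def rssi_to_distance(rssi_dbm):
    """Map an RSSI value in dBm to the documented approximate distance band."""
    for lower, feet, meters in RSSI_BANDS:
        if rssi_dbm >= lower:
            return feet, meters
    return "greater than 70 ft", "greater than 21 m"

# Constructed sample export. Column names mirror the report fields; the real
# header produced by WatchGuard Cloud is an assumption.
SAMPLE_CSV = """Threat MAC Address,Type,Threat Reason,Threat Device SSID,RSSI,Detected by Device Name
aa:bb:cc:00:00:01,Evil Twin,No signature detected,Corp-WiFi,-72,AP-Lobby
aa:bb:cc:00:00:01,Evil Twin,No signature detected,Corp-WiFi,-48,AP-Floor2-East
aa:bb:cc:00:00:02,Suspected Rogue AP,None,Guest-Test,-63,AP-Lobby
"""

def nearest_detector(csv_text):
    """For each threat MAC, keep the detecting AP with the strongest RSSI and its distance band."""
    best = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = row["Threat MAC Address"]
        rssi = int(row["RSSI"])
        if mac not in best or rssi > best[mac]["rssi"]:
            feet, meters = rssi_to_distance(rssi)
            best[mac] = {"type": row["Type"], "ssid": row["Threat Device SSID"],
                         "ap": row["Detected by Device Name"], "rssi": rssi,
                         "feet": feet, "meters": meters}
    return best

if __name__ == "__main__":
    for mac, info in nearest_detector(SAMPLE_CSV).items():
        print(f"{mac} {info['type']} '{info['ssid']}': nearest AP {info['ap']} "
              f"at {info['rssi']} dBm, about {info['feet']} ({info['meters']})")
```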

About Malicious Access Point Threat Types

A malicious access point can be one of these types:

Rogue Access Point

A Rogue access point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.

  • The Rogue access point might have been connected by an unauthorized user.
  • The Rogue access point might have been connected to your network by someone inside your organization without consent, or it could be a device set up for testing. These access points are security risks to your networks if they are misconfigured or do not have required security features enabled.
  • Use the detected RSSI (signal strength) and the location of your access points that detected the threat to approximate the location of the device. This information is included in the Airspace Monitoring report and the device alarm alert notification. For more information, go to Access Point Airspace Monitoring Report or Airspace Monitoring Alerts.
  • You can also disable switch ports or use MAC address blocking on your network switch to isolate the Rogue access point from the network if you cannot find the device.

Suspected Rogue Access Point

A Suspected Rogue access point might be an unauthorized access point connected to your wired network that broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.

The device might also be a legitimate device on your network that is not configured on your trusted access point list.

  • The device might have been connected to your network by someone inside your organization without consent, or it could be a device set up for testing. These access points are security risks to your networks if they are misconfigured or do not have required security features enabled.
  • If the access point is unauthorized, disconnect it from the network.
  • If the device is a legitimate access point, make sure you add the MAC address of the wired LAN interface and any wireless BSSID addresses of the device to your Trusted Access Points list. For more information about Trusted Access Points, go to Access Point Airspace Monitoring.

Evil Twin

An Evil Twin is an access point operating in your airspace that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network.

  • Alert your users to the existence of the Evil Twin access point. Wireless clients might connect to the Evil Twin access point and communicate vulnerable data.
  • Use the detected RSSI (signal strength) and the location of your access points that detected the threat to approximate the location of the device. This information is included in the Airspace Monitoring report and the device alarm alert notification. For more information, go to Access Point Airspace Monitoring Report or Airspace Monitoring Alerts.

Related Topics

Access Point Airspace Monitoring

Airspace Monitoring Alerts

Configure Access Point Advanced Device Settings

About ThreatSync