<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Wi-Fi - WIPS — WatchGuard Community</title>
        <link>https://community.watchguard.com/watchguard-community/</link>
        <pubDate>Mon, 13 Apr 2026 23:11:46 +0000</pubDate>
        <language>en</language>
            <description>Wi-Fi - WIPS — WatchGuard Community</description>
    <atom:link href="https://community.watchguard.com/watchguard-community/categories/wi-fi-wips/feed.rss" rel="self" type="application/rss+xml"/>
    <item>
        <title>RF Signature Anomalies Prevention was AXed!!!!</title>
        <link>https://community.watchguard.com/watchguard-community/discussion/1678/rf-signature-anomalies-prevention-was-axed</link>
        <pubDate>Wed, 10 Mar 2021 20:06:26 +0000</pubDate>
        <category>Wi-Fi - WIPS</category>
        <dc:creator>DefenderX</dc:creator>
        <guid isPermaLink="false">1678@/watchguard-community/discussions</guid>
        <description><![CDATA[<p><strong>WEPGuard</strong> —  means you can also prevent authorized clients with anomalies in their RF signature from connecting to an authorized AP. These RF anomalies can indicate the client is spoofing an authorized inactive client MAC address to gain access to the AP.</p>

<p>I find it hard to understand why a function as important as RF Signature Anomalies Detection and Prevention was taken out of the Threat Prevention Configuration. I went back through Client Auto-classification as well as the Intrusion Prevention tab located under Configuration to see if there was another way of preventing spoofed clients from joining an Authorized AP. To the best of my understanding, there is no setting or configuration that can prevent spoofed clients. I understand the implementation of the marker packet technology and how it is utilized in the WIPS function of the AP. However, if I cannot dictate or control spoofed clients autonomously, what's the point of WatchGuard's WIPS as a Threat Prevention Sensor?</p>

<p>By taking out the RF Signature Anomalies under WEPGuard, I have no access to reset clients' RF Signature without deleting them.</p>

<p>I understand that WEP itself is an out-of-date encryption standard, and having that option removed makes sense. To remove the only option to prevent spoofed clients, however, does not make sense. Can you please help me understand how WatchGuard can protect and prevent all my clients from spoofed malicious attacks?</p>

<p>Thanks, <br />
MGS</p>
]]>
        </description>
    </item>
    <item>
        <title>WIPS on an all WG Wifi network</title>
        <link>https://community.watchguard.com/watchguard-community/discussion/1601/wips-on-a-all-wg-wifi-network</link>
        <pubDate>Sat, 06 Feb 2021 07:39:07 +0000</pubDate>
        <category>Wi-Fi - WIPS</category>
        <dc:creator>user808</dc:creator>
        <guid isPermaLink="false">1601@/watchguard-community/discussions</guid>
        <description><![CDATA[Is there any added benefit in having a dedicated WIPS device or radio if you are only using WG access points? It seems that the features of WIPS are designed to add security features that are built into WG APs to non-WG APs.]]>
        </description>
    </item>
    <item>
        <title>SSID Blocking MAC Address</title>
        <link>https://community.watchguard.com/watchguard-community/discussion/529/ssid-blocking-mac-address</link>
        <pubDate>Fri, 11 Oct 2019 17:45:41 +0000</pubDate>
        <category>Wi-Fi - WIPS</category>
        <dc:creator>shaazaminator</dc:creator>
        <guid isPermaLink="false">529@/watchguard-community/discussions</guid>
        <description><![CDATA[<p>AP 420 &amp; 325</p>

<p>An authorized WIPS client PC connects to the network via the Secure wifi SSID. <br />
WIPS is disabled.</p>

<p>This morning the PC can’t connect to the secure SSID, but can connect to the open guest SSID.</p>

<p>So I log into Wi-Fi Cloud &gt; Manage &gt; Events to see what is happening with this client. All it says is “Client connected to Authorized Guest AP” and is categorized as “Misbehaving Client” because the Guest SSID is open. (I find this very annoying btw, but get why it happens.) No quarantine (no WIPS running), no reason why it won’t connect.</p>

<p>So I open Discover &gt; Monitor &gt; Clients &gt; click on the three dots of said client and choose the “Disable Auto-Prevention” thinking this would do the trick.</p>

<p>Nope.</p>

<p>Opening the Client Connection Logs in Discover, I see the entry “MAC Filtering The access point denied client authentication because client is not allowed to connect to the SSID.”<br />
My question is: how in the heck does one remove the blocked MAC from the SSID? I poked, prodded, pleaded (all the while my end user is standing in my office doorway glaring at me) and couldn’t find a way.</p>

<p>Eventually I ended up whitelisting the client MAC in Discover &gt; Configure &gt; WiFi &gt; Secure SSID &gt; SSID &gt; Access Control &gt; Blacklist and Whitelisting of WiFi Clients.</p>

<p>Now, because of my changes, this particular client is now immune to any WIPS security. Sorta defeating the purpose of WIPS.</p>

<p>Is there a better way of handling this? And why was the client’s MAC blocked in the SSID? There were no event entries regarding this, and no suggestions on how to remedy the problem.</p>

<p>Or is it just me?</p>

<ul><li>Doug</li>
</ul>]]>
        </description>
    </item>
    <item>
        <title>Quarantine Authorized Device</title>
        <link>https://community.watchguard.com/watchguard-community/discussion/510/quarantine-authorized-device</link>
        <pubDate>Thu, 03 Oct 2019 17:34:42 +0000</pubDate>
        <category>Wi-Fi - WIPS</category>
        <dc:creator>shaazaminator</dc:creator>
        <guid isPermaLink="false">510@/watchguard-community/discussions</guid>
        <description><![CDATA[<p>WatchGuard AP 420 &amp; 325 running in WatchGuard WiFi Cloud</p>

<p>Per the instructions prior to turning WIPS on, I monitored all the devices on my network and classified each AP and Client as Authorized, External, Guest, etc.</p>

<p>Then in Discover &gt; Configure &gt; WIPS I followed the recommended settings for AP Auto-Classification and Client Auto-Classification.</p>

<p>My issue is with an HP MFP device that only connects to our network wirelessly. This device has been classified as Authorized, and connects to an Authorized AP on a secure network. When I turn WIPS on, this device is labeled as Rogue and thrown into Quarantine, making it unusable. On HP’s newer MFPs there is a Network Setting called WiFi Direct, which allows smart devices to connect and print without having to be on the network. WIPS thinks this is a MITM attack, which I understand, but even after disabling this feature and re-classifying the device as Authorized, WIPS still quarantines it.</p>

<p>I have pushed every button and link in both the Discover &amp; Manage sites to solve this without any luck. Even now I still see this Event:</p>

<p>Authorized] client [HP23383E] is running a Soft Mobile Hotspot AP or a Windows 7 Virtual AP</p>

<p>Any ideas anyone?</p>

<p>IMHO, WatchGuard has made this very confusing having two different sites (Discover &amp; Manage) to administer your wireless network. One can turn WIPS on and off in both sites, classify APs and Clients in both sites, monitor events and security alerts in both sites and more. Does one site take precedence over the other?<br />
Thanks!</p>

<ul><li>Doug</li>
</ul>]]>
        </description>
    </item>
   </channel>
</rss>
