Protecting the WiFi Network

Protected Management Frames support

Protected Management Frames protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.


Use of PMF on an SSID is configurable only in the CLI.


config wireless-controller vap edit <vap_name>

set pmf {disable | enable | optional}

set pmf-assoc-comeback-timeout <integer> set pmf-sa-query-retry-timeout <integer> set okc {disable | enable}

next end


pmf PMF status


disable PMF not used.


enable PMF required.


optional Enable PMF, but allow clients that do not use PMF.


pmf-assoc-comeback-timeout Protected Management Frames (PMF) maximum timeout for comeback

(1-20 seconds).


pmf-sa-query-retry-timeout Protected Management Frames (PMF) sa query retry timeout interval

(in 100 ms), from 100 to 500. Integer value from 1 to 5.


okc enable or disable Opportunistic Key Caching (OKC).


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.