Chapter 8 – Deploying Wireless Networks

Distributed Automatic Radio Resource Provisioning (DARRP) support (283501)

Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. The distributed ARRP feature allows FortiAP units to select their channel so that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges. Furthermore, Fortinet’s implementation of DARRP simplifies operations by removing dependency on client software or hardware.

By default, DARRP optimization occurs at a fixed interval of 1800 seconds. Optionally, you can now schedule optimization for a fixed time. This enables you to confine DARRP activity to a low-traffic period. Setting darrp-optimize to 0 makes darrp-day and darrp-time available. For example, here's how to set DARRP optimization for 3:00am every day:

config wireless-controller timers
    set darrp-optimize 0
    set darrp-day sunday monday tuesday wednesday thursday friday saturday
    set darrp-time 03:00
end

Both darrp-day and darrp-time can accept multiple entries.


The FAP-320C, 320B and 112B second WAN port can be configured as a LAN bridge (261415)

This change makes FortiAP models 320C, 320B and 112B work more like other FortiAP models with LAN ports. The LAN port can be

  • bridged to the incoming WAN interface
  • bridged to one of the WiFi SSIDs that the FortiAP unit carries
  • connected by NAT to the incoming WAN interface


The LAN port is labeled LAN2. The port labeled LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or to FortiCloud. By default, LAN2 is bridged to LAN1. Access to other modes of LAN2 operation must be enabled in the CLI:

config wireless-controller wtp-profile
    edit <profile_name>
        set wan-port-mode wan-lan
end

By default, wan-port-mode is set to wan-only.

When wan-port-mode is set to wan-lan, LAN2 port options are available in the FortiAP Profile, the same as on other FortiAP models with LAN ports, such as the 11C and 14C. In the GUI, see the LAN Port settings in Wireless Controller > FortiAP Profiles. In the CLI, use the config lan subcommand of config wireless-controller wtp-profile. LAN Port settings can be overridden on individual FortiAPs.


SSID Groups (264010)

SSID groups have SSIDs as members and can be used just like an individual SSID. To create an SSID group go to WiFi Controller > SSID and select Create New > SSID Group. An SSID can belong to multiple groups.


GUI improvements (205523 278771 278898)

  • Managed FortiAP pages now show WTP Mode, either Normal or Remote. WTP Mode is an optional column in the Managed FortiAPs list.
  • WIDS Profile is an optional column in the FortiAP Profiles list.
  • If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.


CAPWAP Protected Management Frames (PMF) support (244510)

Protected Management Frames protect some types of management frames, such as deauthentication, disassociation and action frames. This feature, now mandatory on Wi-Fi certified 802.11ac devices, prevents attackers from sending plain (unprotected) deauthentication/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

PMF is configurable only in the CLI.

config wireless-controller vap
    edit <vap_name>
        set pmf {disable | enable | optional}
        set pmf-assoc-comeback-timeout <integer>
        set pmf-sa-query-retry-timeout <integer>
        set okc {disable | enable}
    next
end

optional                       Enable PMF and allow clients without PMF.

pmf-assoc-comeback-timeout     Protected Management Frames (PMF) maximum timeout for comeback (1-20 seconds).

pmf-sa-query-retry-timeout     Protected Management Frames (PMF) SA query retry timeout interval (in 100 ms units), from 100 to 500 ms. Integer value from 1 to 5.

okc                            Enable or disable Opportunistic Key Caching (OKC).
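To show what PMF changes on the air, here is an added Python example (not from the handbook or from FortiOS) that parses constructed 802.11 management frames and flags an unprotected unicast deauthentication/disassociation on a BSSID whose VAP has set pmf enable, which is exactly the frame a PMF-capable client discards as spoofed; the BSSID and client addresses are made up, and group-addressed frames are skipped because PMF protects those with an MMIE in the body rather than the Protected bit.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

# 802.11 frame control: type 0 = management; subtypes guarded by PMF (IEEE 802.11w)
MGMT_TYPE, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0, 0x0A, 0x0C
PROTECTED_FLAG = 0x40  # "Protected Frame" bit in the second Frame Control byte

@dataclass
class MgmtFrame:
    subtype: int
    protected: bool
    dst: str
    src: str
    bssid: str
    reason: Optional[int]  # only readable when the body is not encrypted

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt_frame(frame: bytes) -> Optional[MgmtFrame]:
    """Parse the 24-byte 802.11 header; return None for data/control frames."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (frame[0] >> 4) & 0xF
    protected = bool(frame[1] & PROTECTED_FLAG)
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and not protected and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]  # 2-byte little-endian reason code
    return MgmtFrame(subtype, protected, mac_str(frame[4:10]),
                     mac_str(frame[10:16]), mac_str(frame[16:22]), reason)

def is_spoof_candidate(frame: MgmtFrame, pmf_required_bssids: Set[str]) -> bool:
    """On a VAP with 'set pmf enable', the real AP never sends an unprotected unicast
    deauth/disassoc, so one seen on the air is forged. Group-addressed frames carry an
    MMIE in the body instead of the Protected bit, so they are excluded here."""
    if frame.subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return False
    if int(frame.dst[:2], 16) & 0x01:  # group/broadcast destination address
        return False
    return frame.bssid in pmf_required_bssids and not frame.protected

# Constructed sample frames (not captures): addr1 = dst, addr2 = src, addr3 = BSSID
AP_BSSID, CLIENT, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("aabbccddee01"), b"\xff" * 6
def build_frame(fc0: int, fc1: int, dst: bytes, src: bytes, body: bytes) -> bytes:
    return bytes([fc0, fc1]) + b"\x00\x00" + dst + src + AP_BSSID + b"\x00\x00" + body

UNPROTECTED_DEAUTH = build_frame(0xC0, 0x00, CLIENT, AP_BSSID, struct.pack("<H", 7))
PROTECTED_DEAUTH = build_frame(0xC0, 0x40, CLIENT, AP_BSSID, bytes(16))  # CCMP header + ciphertext
BROADCAST_DEAUTH = build_frame(0xC0, 0x00, BCAST, AP_BSSID, struct.pack("<H", 7) + bytes(18))  # MMIE-style body
```

With pmf set to optional instead of enable, non-PMF clients still legitimately receive unprotected deauthentications, so this check is only meaningful for BSSIDs where PMF is required.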


Opportunistic Key Caching Support (244510)

To facilitate faster client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange when it roams to another AP on the same network.

OKC is configurable only in the CLI.

config wireless-controller vap
    edit <vap_name>
        set okc {disable | enable}
    next
end


FortiPresence push REST API (273954)

When the FortiGate is located on a private IP network, the FortiPresence server cannot poll the FortiGate for information. Instead, the FortiGate must be configured to push the information to the FortiPresence server.

The configuration parameters are:

fortipresence-server        FortiPresence server IP address
fortipresence-port          FortiPresence server UDP listening port (the default is 3000)
fortipresence-secret        FortiPresence secret password (8 characters maximum)
fortipresence-project       FortiPresence project name (16 characters maximum)
fortipresence-frequency     FortiPresence report transmit frequency (range 5 to 65535 seconds; default = 30)
fortipresence-rogue         Enable/disable FortiPresence reporting of rogue APs
fortipresence-unassoc       Enable/disable FortiPresence reporting of unassociated devices


For example,

config wireless-controller wtp-profile
    edit "FP223B-GuestWiFi"
        config lbs
            set fortipresence enable
            set fortipresence-server 10.10.0.1
            set fortipresence-port 3000
            set fortipresence-secret "hardtoguess"
            set fortipresence-project fortipresence
            set fortipresence-frequency 30
            set fortipresence-rogue disable
            set fortipresence-unassoc disable
        end
    next
end


More detailed information will be provided in FortiPresence documentation.

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
