Reference

Reference

This chapter provides some reference information pertaining to wireless networks.

FortiAP web-based manager

Wireless radio channels

WiFi event types

FortiAP CLI

FortiAP web-based manager

FortiAP web-based manager

You can access the FortiAP unit’s built-in web-based manager. This is useful to adjust settings that are not available through the FortiGate unit’s WiFi Controller. Logging into the FortiAP web-based manager is similar to logging into the FortiGate web-based manager.

System Information

Status

The Status section provides information about the FortiAP unit.

You can:

  • Select Change to change the Host Name. l Select Update in Firmware Version to upload a new FortiAP firmware file from your computer.
  • Select Change Password to change the administrator password. l Select Backup to save the current FortiAP configuration as a file on your computer. l Select Restore to load a configuration into your FortiAP unit from a file on your computer.

Network Configuration

Select DHCP or select Static and specify the IP address, netmask, and gateway IP address. Administrative Access settings affect access after the FortiAP has been authorized. By default, HTTP access needed to access the FortiAP web-based manager is enabled, but Telnet access is not enabled.

Connectivity

These settings determine how the FortiAP unit connects to the FortiGate WiFi controller.

FortiAP web-based manager

Uplink Ethernet – wired connection to the FortiGate unit (default)

Mesh – WiFi mesh connection

Ethernet with mesh backup support

Mesh AP SSID Enter the SSID of the mesh root. Default: fortinet.mesh.root
Mesh AP Password Enter password for the mesh SSID.
Ethernet Bridge Bridge the mesh SSID to the FortiAP Ethernet port.

This is available only whe Uplink is Mesh.

WTP Configuration

AC Discovery Type settings affect how the FortiAP unit discovers a FortiGate WiFi controller. By default, this is set to Auto which causes the FortiAP unit to cycle through all of the discovery methods until successful. For more information see Controller discovery methods.

AC Discovery Type Static, DHCP, DNS, Broadcast, Multicast, Auto
AC Control Port Default port is 5246.
AC IP Address 1

AC IP Address 2

AC IP Address 3

You enter up to three WiFi controller IP addresses for static discovery. Routing must be properly configured in both directions.
AC Host Name 1

AC Host Name 2

AC Host Name 3

As an alternetive to AC IP addresses, you can enter their fully qualified domain names (FQDNs).
AC Discovery

Multicast

Address

224.0.1.140
AC Discovery

DHCP Option

Code

When using DHCP discovery, you can configure the DHCP server to provide the controller address. By default the FortiAP unit expects this in option 138.

AC Data Channel Security by default accepts either DTLS-encrypted or clear text data communication with the WiFi controller. You can change this setting to require encryption or to use clear text only.

Wireless Information

The Wireless Information page provides current information about the operation of the radios and the type Uplink in use.

Wireless radio channels

Wireless radio channels

IEEE 802.11a/n channels

The following table lists the channels supported on FortiWiFi products that support the IEEE 802.11a and 802.11n wireless standards. 802.11a is available on FortiWiFi models 60B and higher. 802.11n is available on FortiWiFi models 80CM and higher.

All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.

IEEE 802.11a/n (5-GHz Band) channel numbers

Channel number Frequency (MHz) Regulatory Areas

Americas Europe

Taiwan Singapore Japan
34 5170
36 5180          •               •
38 5190
40 5200          •               •           •                •
42 5210
44 5220          •               •           •                •
46 5230
48 5240          •               •           •                •
149 5745
153 5765
157 5785
161 5805
165 5825

IEEE 802.11b/g/n channel numbers

The following table lists IEEE 802.11b/g/n channels. All FortiWiFi units support 802.11b and 802.11g. Newer models also support 802.11n.

Wireless radio channels

Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

IEEE 802.11b/g/n (2.4-GHz Band) channel numbers
Channel number Frequency (MHz) Regulatory Areas

Americas EMEA

Israel Japan
1 2412          •                   • indoor
2 2417          •                   • indoor
3 2422          •                   • indoor
4 2427          •                   • indoor
5 2432          •                   •
6 2437          •                   •
7 2442          •                   •
8 2447          •                   •
9 2452          •                   •
10 2457          •                   •
11 2462          •                   •
12 2467
13 2472
14 2484 b only

View all Country & Regcodes/Regulatory Domains

The following CLI command can be entered to view a list of the Country & Regcodes/Regulatory Domains supported by Fortinet:

cw_diag -c all-countries

Below is a table showing a sample of the list displayed by entering this command:

Country-code Region-code Domain ISO-name Name
0                      A                    FCC3 & FCCA                      NA             NO_COUNTRY_SET

WiFi event types

Country-code Region-code Domain ISO-name Name
8                        W                   NULL1 & WORLD AL              ALBANIA
12                      W                   NULL1 & WORLD DZ              ALGERIA
16                      A                    FCC3 & FCCA AS              AMERICAN SAMOA
              …                    …                               …         …                             …

WiFi event types

Event type Description
rogue-ap-detected A rogue AP has been detected (generic).
rogue-ap-off-air A rogue AP is no longer detected on the RF side.
rogue-ap-on-wire A rogue AP has been detected on wire side (connected to AP or controller L2 network).
rogue-ap-off-wire A rogue AP is no longer detected on wire.
rogue-ap-on-air A rogue AP has been detected on the RF side.
fake-ap-detected A rogue AP broadcasting on the same SSIDs that you have in your managed APs has been detected.
fake-ap-on-air The above fake AP was detected on the RF side.

FortiAP CLI

The FortiAP CLI controls radio and network operation through the use of variables manipulated with the cfg command. There are also diagnostic commands.

The cfg command include the following

cfg -s List variables.
cfg -a var=value Add or change a variable value.
cfg -c Commit the change to flash.
cfg -x Reset settings to factory defaults.

 

cfg -r var Remove variable.
cfg -e Export variables.
cfg -h Display help for all commands.

The configuration variables are:

Var Description and Values
AC_CTL_PORT WiFi Controller control (CAPWAP) port. Default 5246.
AC_DATA_CHAN_SEC Data channel security.

0 – Clear text

1 – DTLS (encrypted)

2 – Accept either DTLS or clear text (default)

AC_DISCOVERY_TYPE 1 – Static. Specify WiFi Controllers

2 – DHCP

3 – DNS

5 – Broadcast

6 – Multicast

0 – Cycle through all of the discovery types until successful.

AP_IPADDR

AP_NETMASK

IPGW

These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC.

Default 192.168.1.2 255.255.255.0, gateway 192.168.1.1.

AC_HOSTNAME_1

AC_HOSTNAME_2

AC_HOSTNAME_3

WiFi Controller host names for static discovery.
AC_IPADDR_1

AC_IPADDR_2

AC_IPADDR_3

WiFi Controller IP addresses for static discovery.
AC_DISCOVERY_DHCP_OPTION_CODE Option code for DHCP server. Default 138.
AC_DISCOVERY_MC_ADDR Multicast address for controller discovery. Default 224.0.1.140.

 

Var Description and Values
ADDR_MODE How the FortiAP unit obtains its IP address and netmask.

DHCP – FortiGate interface assigns address.

STATIC – Specify in AP_IPADDR and AP_NETMASK.

Default is DHCP.

ADMIN_TIMEOUT Administrative timeout in minutes. Applies to Telnet and web-based manager sessions. Default is 5 minutes.
AP_MGMT_VLAN_ID Non-zero value applies VLAN ID for unit management.

Default: 0.

AP_MODE FortiAP operating mode.

0 – Thin AP (default)

2 – Unmanaged Site Survey mode. See SURVEY variables.

BAUD_RATE Console data rate: 9600, 19200, 38400, 57600, or 115200 baud.
DNS_SERVER DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned.
FIRMWARE_UPGRADE Default is 0.
HTTP_ALLOW Access to FortiAP web-based manager 1 – Yes (default), 0 – No.
LED_STATE Enable/disable status LEDs.

0 – LEDs enabled, 1 – LEDs disabled, 2 – follow AC setting.

LOGIN_PASSWD Administrator login password. By default this is empty.
STP_MODE Spanning Tree Protocol. 0 is off. 1 is on.
TELNET_ALLOW By default (value 0), Telnet access is closed when the FortiAP unit is authorized. Set value to 1 to keep Telnet always available.
WTP_LOCATION Optional string describing AP location.
Mesh variables

 

Var Description and Values
MESH_AP_BGSCAN Enable or disable background mesh root AP scan.

0 – Disabled

1 – Enabled

MESH_AP_BGSCAN_RSSI If the root AP’s signal is weak, and lower than the received signal strength indicator (RSSI) threshold, the WiFi driver will immediately start a new round scan and ignore the configured MESH_AP_BGSCAN_PERIOD delays. Set the value between 0-127.

After the new round scan is finished, a scan done event is passed to wtp daemon to trigger roaming.

MESH_AP_BGSCAN_PERIOD Time in seconds that a delay period occurs between scans. Set the value between 1-3600.
MESH_AP_BGSCAN_IDLE Time in milliseconds. Set the value between 0-1000.
MESH_AP_BGSCAN_INTV Time in milliseconds between channel scans. Set the value between 200-16000.
MESH_AP_BGSCAN_DUR Time in milliseconds that the radio will continue scanning the channel. Set the value between 10-200.
MESH_AP_SCANCHANLIST Specify those channels to be scanned.
MESH_AP_TYPE Type of communication for backhaul to controller:

0 – Ethernet (default)

1 – WiFi mesh

2 – Ethernet with mesh backup support

MESH_AP_SSID SSID for mesh backhaul. Default: fortinet.mesh.root
MESH_AP_BSSID WiFi MAC address
MESH_AP_PASSWD Pre-shared key for mesh backhaul.
MESH_ETH_BRIDGE 1 – Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE =1.

0 – No WiFi-Ethernet bridge (default).

Var                                                                 Description and Values
MESH_MAX_HOPS                      Maximum number of times packets can be passed from node to node on the mesh. Default is 4.
The following factors are summed and the FortiAP associates with the lowest scoring mesh AP.
MESH_SCORE_HOP_WEIGHT                Multiplier for number of mesh hops from root. Default 50.
MESH_SCORE_CHAN_WEIGHT              AP total RSSI multiplier. Default 1.
MESH_SCORE_RATE_WEIGHT              Beacon data rate multiplier. Default 1.
 Band weight (0 for 2.4GHz, 1 for 5GHz) multiplier. Default

MESH_SCORE_BAND_WEIGHT

100.

MESH_SCORE_RSSI_WEIGHT              AP channel RSSI multiplier. Default 100.
Survey variables
SURVEY_SSID                        SSID to broadcast in site survey mode (AP_MODE=2).
SURVEY_TX_POWER                     Transmitter power in site survey mode (AP_MODE=2).
SURVEY_CH_24                        Site survey transmit channel for the 2.4Ghz band (default

6).

Site survey transmit channel for the 5Ghz band (default

SURVEY_CH_50

36).

SURVEY_BEACON_INTV                  Site survey beacon interval. Default 100msec.
cw_diag help Display help for all diagnose commands.
cw_diag uptime Show daemon uptime.
cw_diag –tlog <on|off> Turn on/off telnet log message.
cw_diag –clog <on|off> Turn on/off console log message.
cw_diag 38400 | baudrate [9600 | 19200 | 57600 | 115200] Set the console baud rate.

Previously, FortiAP accepted Telnet and HTTP connection to any virtual interfaces that have an IP address. For security reasons, Telnet and HTTP access are now limited to br0 or br.vlan for AP_MGMT_VLAN_ID.

Diagnose commands include:

 

cw_diag plain-ctl [0|1] Show or change current plain control setting.
cw_diag sniff-cfg ip port Set sniff server ip and port.
cw_diag sniff [0|1|2] Enable/disable sniff packet.
cw_diag stats wl_intf Show wl_intf status.
cw_diag admin-timeout [30] Set shell idle timeout in minutes.
cw_diag -c wtp-cfg Show current wtp config parameters in control plane.
cw_diag -c radio-cfg Show current radio config parameters in control plane.
cw_diag -c vap-cfg Show current vaps in control plane.
cw_diag -c ap-rogue Show rogue APs pushed by AC for on-wire scan.
cw_diag -c sta-rogue Show rogue STAs pushed by AC for on-wire scan.
cw_diag -c arp-req Show scanned arp requests.
cw_diag -c ap-scan Show scanned APs.
cw_diag -c sta-scan Show scanned STAs.
cw_diag -c sta-cap Show scanned STA capabilities.
cw_diag -c wids Show scanned WIDS detections.
cw_diag -c darrp Show darrp radio channel.
cw_diag -c mesh Show mesh status.
cw_diag -c mesh-veth-acinfo Show mesh veth ac info, and mesh ether type.
cw_diag -c mesh-veth-vap Show mesh veth vap.
cw_diag -c mesh-veth-host Show mesh veth host.
cw_diag -c mesh-ap Show mesh ap candidates.
cw_diag -c scan-clr-all Flush all scanned AP/STA/ARPs.
cw_diag -c ap-suppress Show suppressed APs.
cw_diag -c sta-deauth De-authenticate an STA.

Link aggregation can also be set in the CLI. Link aggregation is used to combine multiple network connections in parallel in order to increase throughput beyond what a single connection could sustain.

  • FortiAP 320B and 320C models are supported. l FortiAP 112B and 112D models cannot support link aggregation.
  • NPI FAP-S3xxCR and “wave2” FAP/FAP-S models will have link aggregation feature via synchronization with regular FortiAP trunk build.
This entry was posted in Administration Guides, FortiAP, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.