Reference
This chapter provides some reference information pertaining to wireless networks.
FortiAP web-based manager
Wireless radio channels
WiFi event types
FortiAP CLI
FortiAP web-based manager
FortiAP web-based manager
You can access the FortiAP unit’s built-in web-based manager. This is useful to adjust settings that are not available through the FortiGate unit’s WiFi Controller. Logging into the FortiAP web-based manager is similar to logging into the FortiGate web-based manager.
System Information
Status
The Status section provides information about the FortiAP unit.
You can:
- Select Change to change the Host Name. l Select Update in Firmware Version to upload a new FortiAP firmware file from your computer.
- Select Change Password to change the administrator password. l Select Backup to save the current FortiAP configuration as a file on your computer. l Select Restore to load a configuration into your FortiAP unit from a file on your computer.
Network Configuration
Select DHCP or select Static and specify the IP address, netmask, and gateway IP address. Administrative Access settings affect access after the FortiAP has been authorized. By default, HTTP access needed to access the FortiAP web-based manager is enabled, but Telnet access is not enabled.
Connectivity
These settings determine how the FortiAP unit connects to the FortiGate WiFi controller.
FortiAP web-based manager
| Uplink | Ethernet – wired connection to the FortiGate unit (default)
Mesh – WiFi mesh connection Ethernet with mesh backup support |
| Mesh AP SSID | Enter the SSID of the mesh root. Default: fortinet.mesh.root |
| Mesh AP Password | Enter password for the mesh SSID. |
| Ethernet Bridge | Bridge the mesh SSID to the FortiAP Ethernet port.
This is available only whe Uplink is Mesh. |
WTP Configuration
AC Discovery Type settings affect how the FortiAP unit discovers a FortiGate WiFi controller. By default, this is set to Auto which causes the FortiAP unit to cycle through all of the discovery methods until successful. For more information see Controller discovery methods.
| AC Discovery Type | Static, DHCP, DNS, Broadcast, Multicast, Auto |
| AC Control Port | Default port is 5246. |
| AC IP Address 1
AC IP Address 2 AC IP Address 3 |
You enter up to three WiFi controller IP addresses for static discovery. Routing must be properly configured in both directions. |
| AC Host Name 1
AC Host Name 2 AC Host Name 3 |
As an alternetive to AC IP addresses, you can enter their fully qualified domain names (FQDNs). |
| AC Discovery
Multicast Address |
224.0.1.140 |
| AC Discovery
DHCP Option Code |
When using DHCP discovery, you can configure the DHCP server to provide the controller address. By default the FortiAP unit expects this in option 138. |
AC Data Channel Security by default accepts either DTLS-encrypted or clear text data communication with the WiFi controller. You can change this setting to require encryption or to use clear text only.
Wireless Information
The Wireless Information page provides current information about the operation of the radios and the type Uplink in use.
Wireless radio channels
Wireless radio channels
IEEE 802.11a/n channels
The following table lists the channels supported on FortiWiFi products that support the IEEE 802.11a and 802.11n wireless standards. 802.11a is available on FortiWiFi models 60B and higher. 802.11n is available on FortiWiFi models 80CM and higher.
All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.
IEEE 802.11a/n (5-GHz Band) channel numbers
| Channel number | Frequency (MHz) | Regulatory Areas
Americas Europe |
Taiwan | Singapore Japan |
| 34 | 5170 | • | ||
| 36 | 5180 | • • | • | |
| 38 | 5190 | |||
| 40 | 5200 | • • | • • | |
| 42 | 5210 | |||
| 44 | 5220 | • • | • • | |
| 46 | 5230 | |||
| 48 | 5240 | • • | • • | |
| 149 | 5745 | • | • | • |
| 153 | 5765 | • | • | • |
| 157 | 5785 | • | • | • |
| 161 | 5805 | • | • | • |
| 165 | 5825 | • | • |
IEEE 802.11b/g/n channel numbers
The following table lists IEEE 802.11b/g/n channels. All FortiWiFi units support 802.11b and 802.11g. Newer models also support 802.11n.
Wireless radio channels
Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.
IEEE 802.11b/g/n (2.4-GHz Band) channel numbers
| Channel number | Frequency (MHz) | Regulatory Areas
Americas EMEA |
Israel | Japan |
| 1 | 2412 | • • | indoor | • |
| 2 | 2417 | • • | indoor | • |
| 3 | 2422 | • • | indoor | • |
| 4 | 2427 | • • | indoor | • |
| 5 | 2432 | • • | • | • |
| 6 | 2437 | • • | • | • |
| 7 | 2442 | • • | • | • |
| 8 | 2447 | • • | • | • |
| 9 | 2452 | • • | • | • |
| 10 | 2457 | • • | • | • |
| 11 | 2462 | • • | • | • |
| 12 | 2467 | • | • | • |
| 13 | 2472 | • | • | • |
| 14 | 2484 | b only |
View all Country & Regcodes/Regulatory Domains
The following CLI command can be entered to view a list of the Country & Regcodes/Regulatory Domains supported by Fortinet:
cw_diag -c all-countries
Below is a table showing a sample of the list displayed by entering this command:
| Country-code Region-code Domain | ISO-name Name |
| 0 A FCC3 & FCCA | NA NO_COUNTRY_SET |
WiFi event types
| Country-code Region-code Domain | ISO-name Name |
| 8 W NULL1 & WORLD | AL ALBANIA |
| 12 W NULL1 & WORLD | DZ ALGERIA |
| 16 A FCC3 & FCCA | AS AMERICAN SAMOA |
| … … … | … … |
WiFi event types
| Event type | Description |
| rogue-ap-detected | A rogue AP has been detected (generic). |
| rogue-ap-off-air | A rogue AP is no longer detected on the RF side. |
| rogue-ap-on-wire | A rogue AP has been detected on wire side (connected to AP or controller L2 network). |
| rogue-ap-off-wire | A rogue AP is no longer detected on wire. |
| rogue-ap-on-air | A rogue AP has been detected on the RF side. |
| fake-ap-detected | A rogue AP broadcasting on the same SSIDs that you have in your managed APs has been detected. |
| fake-ap-on-air | The above fake AP was detected on the RF side. |
FortiAP CLI
The FortiAP CLI controls radio and network operation through the use of variables manipulated with the cfg command. There are also diagnostic commands.
The cfg command include the following
| cfg -s | List variables. | |
| cfg -a var=value | Add or change a variable value. | |
| cfg -c | Commit the change to flash. | |
| cfg -x | Reset settings to factory defaults. |
| cfg -r var | Remove variable. |
| cfg -e | Export variables. |
| cfg -h | Display help for all commands. |
The configuration variables are:
| Var | Description and Values |
| AC_CTL_PORT | WiFi Controller control (CAPWAP) port. Default 5246. |
| AC_DATA_CHAN_SEC | Data channel security.
0 – Clear text 1 – DTLS (encrypted) 2 – Accept either DTLS or clear text (default) |
| AC_DISCOVERY_TYPE | 1 – Static. Specify WiFi Controllers
2 – DHCP 3 – DNS 5 – Broadcast 6 – Multicast 0 – Cycle through all of the discovery types until successful. |
| AP_IPADDR
AP_NETMASK IPGW |
These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC.
Default 192.168.1.2 255.255.255.0, gateway 192.168.1.1. |
| AC_HOSTNAME_1
AC_HOSTNAME_2 AC_HOSTNAME_3 |
WiFi Controller host names for static discovery. |
| AC_IPADDR_1
AC_IPADDR_2 AC_IPADDR_3 |
WiFi Controller IP addresses for static discovery. |
| AC_DISCOVERY_DHCP_OPTION_CODE | Option code for DHCP server. Default 138. |
| AC_DISCOVERY_MC_ADDR | Multicast address for controller discovery. Default 224.0.1.140. |
| Var | Description and Values |
| ADDR_MODE | How the FortiAP unit obtains its IP address and netmask.
DHCP – FortiGate interface assigns address. STATIC – Specify in AP_IPADDR and AP_NETMASK. Default is DHCP. |
| ADMIN_TIMEOUT | Administrative timeout in minutes. Applies to Telnet and web-based manager sessions. Default is 5 minutes. |
| AP_MGMT_VLAN_ID | Non-zero value applies VLAN ID for unit management.
Default: 0. |
| AP_MODE | FortiAP operating mode.
0 – Thin AP (default) 2 – Unmanaged Site Survey mode. See SURVEY variables. |
| BAUD_RATE | Console data rate: 9600, 19200, 38400, 57600, or 115200 baud. |
| DNS_SERVER | DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned. |
| FIRMWARE_UPGRADE | Default is 0. |
| HTTP_ALLOW | Access to FortiAP web-based manager 1 – Yes (default), 0 – No. |
| LED_STATE | Enable/disable status LEDs.
0 – LEDs enabled, 1 – LEDs disabled, 2 – follow AC setting. |
| LOGIN_PASSWD | Administrator login password. By default this is empty. |
| STP_MODE | Spanning Tree Protocol. 0 is off. 1 is on. |
| TELNET_ALLOW | By default (value 0), Telnet access is closed when the FortiAP unit is authorized. Set value to 1 to keep Telnet always available. |
| WTP_LOCATION | Optional string describing AP location. |
| Mesh variables |
| Var | Description and Values |
| MESH_AP_BGSCAN | Enable or disable background mesh root AP scan.
0 – Disabled 1 – Enabled |
| MESH_AP_BGSCAN_RSSI | If the root AP’s signal is weak, and lower than the received signal strength indicator (RSSI) threshold, the WiFi driver will immediately start a new round scan and ignore the configured MESH_AP_BGSCAN_PERIOD delays. Set the value between 0-127.
After the new round scan is finished, a scan done event is passed to wtp daemon to trigger roaming. |
| MESH_AP_BGSCAN_PERIOD | Time in seconds that a delay period occurs between scans. Set the value between 1-3600. |
| MESH_AP_BGSCAN_IDLE | Time in milliseconds. Set the value between 0-1000. |
| MESH_AP_BGSCAN_INTV | Time in milliseconds between channel scans. Set the value between 200-16000. |
| MESH_AP_BGSCAN_DUR | Time in milliseconds that the radio will continue scanning the channel. Set the value between 10-200. |
| MESH_AP_SCANCHANLIST | Specify those channels to be scanned. |
| MESH_AP_TYPE | Type of communication for backhaul to controller:
0 – Ethernet (default) 1 – WiFi mesh 2 – Ethernet with mesh backup support |
| MESH_AP_SSID | SSID for mesh backhaul. Default: fortinet.mesh.root |
| MESH_AP_BSSID | WiFi MAC address |
| MESH_AP_PASSWD | Pre-shared key for mesh backhaul. |
| MESH_ETH_BRIDGE | 1 – Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE =1.
0 – No WiFi-Ethernet bridge (default). |
| Var Description and Values | |
| MESH_MAX_HOPS Maximum number of times packets can be passed from node to node on the mesh. Default is 4. | |
| The following factors are summed and the FortiAP associates with the lowest scoring mesh AP. | |
| MESH_SCORE_HOP_WEIGHT Multiplier for number of mesh hops from root. Default 50. | |
| MESH_SCORE_CHAN_WEIGHT AP total RSSI multiplier. Default 1. | |
| MESH_SCORE_RATE_WEIGHT Beacon data rate multiplier. Default 1. | |
| Band weight (0 for 2.4GHz, 1 for 5GHz) multiplier. Default
MESH_SCORE_BAND_WEIGHT 100. |
|
| MESH_SCORE_RSSI_WEIGHT AP channel RSSI multiplier. Default 100. | |
| Survey variables | |
| SURVEY_SSID SSID to broadcast in site survey mode (AP_MODE=2). | |
| SURVEY_TX_POWER Transmitter power in site survey mode (AP_MODE=2). | |
| SURVEY_CH_24 Site survey transmit channel for the 2.4Ghz band (default
6). |
|
| Site survey transmit channel for the 5Ghz band (default
SURVEY_CH_50 36). |
|
| SURVEY_BEACON_INTV Site survey beacon interval. Default 100msec. | |
| cw_diag | help | Display help for all diagnose commands. | |
| cw_diag | uptime | Show daemon uptime. | |
| cw_diag | –tlog | <on|off> | Turn on/off telnet log message. |
| cw_diag | –clog | <on|off> | Turn on/off console log message. |
| cw_diag 38400 | | baudrate [9600 | 19200 | 57600 | 115200] | Set the console baud rate. | |
Previously, FortiAP accepted Telnet and HTTP connection to any virtual interfaces that have an IP address. For security reasons, Telnet and HTTP access are now limited to br0 or br.vlan for AP_MGMT_VLAN_ID.
Diagnose commands include:
| cw_diag | plain-ctl [0|1] | Show or change current plain control setting. | |
| cw_diag | sniff-cfg ip port | Set sniff server ip and port. | |
| cw_diag | sniff [0|1|2] | Enable/disable sniff packet. | |
| cw_diag | stats wl_intf | Show wl_intf status. | |
| cw_diag | admin-timeout [30] | Set shell idle timeout in minutes. | |
| cw_diag | -c | wtp-cfg | Show current wtp config parameters in control plane. |
| cw_diag | -c | radio-cfg | Show current radio config parameters in control plane. |
| cw_diag | -c | vap-cfg | Show current vaps in control plane. |
| cw_diag | -c | ap-rogue | Show rogue APs pushed by AC for on-wire scan. |
| cw_diag | -c | sta-rogue | Show rogue STAs pushed by AC for on-wire scan. |
| cw_diag | -c | arp-req | Show scanned arp requests. |
| cw_diag | -c | ap-scan | Show scanned APs. |
| cw_diag | -c | sta-scan | Show scanned STAs. |
| cw_diag | -c | sta-cap | Show scanned STA capabilities. |
| cw_diag | -c | wids | Show scanned WIDS detections. |
| cw_diag | -c | darrp | Show darrp radio channel. |
| cw_diag | -c | mesh | Show mesh status. |
| cw_diag | -c | mesh-veth-acinfo | Show mesh veth ac info, and mesh ether type. |
| cw_diag | -c | mesh-veth-vap | Show mesh veth vap. |
| cw_diag | -c | mesh-veth-host | Show mesh veth host. |
| cw_diag | -c | mesh-ap | Show mesh ap candidates. |
| cw_diag | -c | scan-clr-all | Flush all scanned AP/STA/ARPs. |
| cw_diag | -c | ap-suppress | Show suppressed APs. |
| cw_diag | -c | sta-deauth | De-authenticate an STA. |
Link aggregation can also be set in the CLI. Link aggregation is used to combine multiple network connections in parallel in order to increase throughput beyond what a single connection could sustain.
- FortiAP 320B and 320C models are supported. l FortiAP 112B and 112D models cannot support link aggregation.
- NPI FAP-S3xxCR and “wave2” FAP/FAP-S models will have link aggregation feature via synchronization with regular FortiAP trunk build.