FortiWLC Configure Controller Parameters From the CLI

Configure Controller Parameters From the CLI

Reset System and System Passwords from the CLI

The passwords for the system users “admin’ and “guest” can be reset to their default values during a system boot. When the controller prompts “accepting reset request” displays, type pass to reset the passwords.

To reset the settings for the entire system to their default values, type reset at the reset system values prompt.

Limit Wireless Client Access to the Controller From the CLI

Administrators wishing to block access to the controller management utilities for wireless clients can do so with the no management access command. When wireless management access is blocked, all packets sent to the controller by wireless clients are dropped except for those used for Captive Portal.

To remove wireless access to the controller, enter the command: controller(config)# no management wireless

To check the management status, use the show controller command. The line near the bottom of the output, Management by wireless stations: will show either an on or off value.

mc3200# show controller

Global Controller Parameters

Controller ID : 1

Description : controller Host Name : MC3200 Uptime : 05d:17h:10m:59s

Location :

Contact :

Operational State : Enabled

Availability Status : Online

Alarm State : Major

Automatic AP Upgrade : on

Virtual IP Address : 172.29.0.137

Virtual Netmask : 255.255.192.0

Default Gateway : 172.29.0.1

DHCP Server : 10.0.0.240

Statistics Polling Period (seconds)/0 disable Polling : 60

Audit Polling Period (seconds)/0 disable Polling : 60

Software Version : 6.0.SR1‐4

Network Device Id : 00:90:0b:23:2e:d3 System Id : 08659559054A Default AP Init Script :

DHCP Relay Passthrough : on

Controller Model : MC3200

Region Setting : Unknown

Country Setting : United States Of America

Manufacturing Serial # : 4911MC32009025

Management by wireless stations : on

Controller Index : 0

FastPath Mode : on

Bonding Mode : single

Station Aging Out Period(minutes) : 2

Configure Controller Parameters From the CLI

Roaming Domain State : disable Layer3 Routing Mode : off

To re-enable access to wireless clients, use the management wireless command: controller(config)# management wireless

Limit Wired Client Access to the Controller With QoS Rules

To control access to the controller from wired network devices, you can configure rule-based IP ACL lists using the qosrules command. This section provides qosrule examples for several types of configurations.

The following is an example that blocks management access (on TCP and UDP) to the controller (at 192.168.1.2) for all devices except the host at 192.168.1.7. Notice that match tags are enabled when srcip, dstip, srcport, dstport, netprotocol, or packet min-length is configured for a rule.

Allow the host 192.168.1.7 to access the controller with TCP/UDP:

controller(config)#  qosrule 20 netprotocol 6 qosprotocol none controller(config‐qosrule)# netprotocol‐match controller(config‐qosrule)# srcip 192.168.1.7 controller(config‐qosrule)# srcip‐match controller(config‐qosrule)# srcmask 255.255.255.255 controller(config‐qosrule)# dstip 192.168.1.2 controller(config‐qosrule)# dstip‐match controller(config‐qosrule)# dstmask 255.255.255.255 controller(config‐qosrule)# action forward controller(config‐qosrule)# end

controller(config)# qosrule 21 netprotocol 17 qosprotocol none controller(config‐qosrule)# netprotocol‐match controller(config‐qosrule)# srcip 192.168.1.7 controller(config‐qosrule)# srcip‐match controller(config‐qosrule)# srcmask 255.255.255.255 controller(config‐qosrule)# dstip 192.168.1.2 controller(config‐qosrule)# dstip‐match controller(config‐qosrule)# dstmask 255.255.255.255 controller(config‐qosrule)# action forward controller(config‐qosrule)# end

The following qosrules allow wireless clients to access the controller on TCP ports 8080/8081 if using the Captive Portal feature.

controller(config)# qosrule 22 netprotocol 6 qosprotocol none controller(config‐qosrule)# netprotocol‐match

controller(config‐qosrule)# srcip <subnet of wireless clients> controller(config‐qosrule)# srcip‐match

controller(config‐qosrule)# srcmask <netmask of wireless clients>

controller(config‐qosrule)# dstport‐match on controller(config‐qosrule)# dstip 192.168.1.2 controller(config‐qosrule)# dstip‐match controller(config‐qosrule)# dstmask 255.255.255.255 controller(config‐qosrule)# dstport 8080 controller(config‐qosrule)# action forward controller(config‐qosrule)# end

controller(config)# qosrule 23 netprotocol 6 qosprotocol none controller(config‐qosrule)# netprotocol‐match

controller(config‐qosrule)# srcip <subnet of wireless clients> controller(config‐qosrule)# srcmask <netmask of wireless clients> controller(config‐qosrule)# dstport‐match on controller(config‐qosrule)# dstip 192.168.1.2 controller(config‐qosrule)# dstip‐match controller(config‐qosrule)# dstmask 255.255.255.255 controller(config‐qosrule)# dstport 8081 controller(config‐qosrule)# action forward controller(config‐qosrule)# end

The following qosrules block all hosts from accessing the Controller using TCP/UDP.

controller(config)# qosrule 24 netprotocol 6 qosprotocol none controller(config‐qosrule)# netprotocol‐match controller(config‐qosrule)# dstip 192.168.1.2 controller(config‐qosrule)# dstip‐match controller(config‐qosrule)# dstmask 255.255.255.255 controller(config‐qosrule)# action drop controller(config‐qosrule)# end

controller(config)# qosrule 25 netprotocol 17 qosprotocol none controller(config‐qosrule)# dstip 192.168.1.2 controller(config‐qosrule)# dstip‐match controller(config‐qosrule)# dstmask 255.255.255.255 controller(config‐qosrule)# action drop controller(config‐qosrule)# end

Configuring UDP Broadcast From the CLI

You can enable all UDP ports at once with the CLI commands for upstream and downstream traffic. Fortinet does not recommend that you enable this feature on a production network because it could lead to broadcast storms leading to network outages. This feature is provided for testing purposes only.

Configure Controller Parameters From the CLI

You need to assign each ESS (see the chapter “Configuring an ESS.”) to a specific VLAN (see the chapter “Configuring VLANs.”) before enabling all UDP broadcast ports. Having multiple ESS’s in the default VLAN and enabling all UDP broadcast ports does not work.

To configure UDP broadcast upstream/downstream for all ports, use these two CLI commands:

default# configure terminal default(config)# ip udp‐broadcast upstream all‐ports selected default(config)# ip udp‐broadcast downstream all‐ports on default(config)# end

To display configured UDP broadcast upstream/downstream for all ports, use these two CLI commands:

default# show ip udp‐broadcast upstream all‐ports

Upstream UDP Broadcast All Ports

UDP All Ports : on default#

default# show ip udp‐broadcast downstream all‐ports

Downstream UDP Broadcast All Ports

UDP All Ports : selected default#

To view the currently configured broadcast ports for either upstream or downstream, use show ip udp-broadcast [downstream/downstream-bridged/upstream/upstream-bridged].

Configure Time Services From the CLI

We recommend that you configure controllers to synchronize their system clock with a Network Time Protocol (NTP) server. This ensures the system time is accurate and standardized with other systems. Accurate and standardized system time is important for alarms, traces, syslog, and applications such as cryptography that use timestamps as a parameter for key management and lifetime control. An accurate clock is also necessary for intrusion detection, isolation and logging, as well as network monitoring, measurement, and control.

During the initial system configuration, the setup script prompts for an IP address of an NTP server. If you do not supply an IP address of an NTP server at that time, or if you wish to change an assigned server at a later time, you can use the ntp server followed by the ntp sync commands.

  • To set up automatic periodic synchronizing with the configured NTP server, use the command start-ntp.

There are several NTP servers that can be designated as the time server. The site www.ntp.org provides a list of servers that can be used.

To set a server as an NTP server, use the command:

ntp server ip-address

where ip-address is the IP address of the NTP server providing clock synchronization.

Configure a Controller Index with the CLI

To configure a controller index from CLI, using the following commands

ramecntrl(0)# configure terminal ramecntrl(0)(config)# controller‐index 22 ramecntrl(0)(config)# exit

Note that changing the index causes a controller to reboot.

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.