Configuring a WiFi LAN

Configuring the built-in access point on a FortiWiFi unit

Both FortiGate and FortiWiFi units have the WiFi controller feature. If you configure a WiFi network on a FortiWiFi unit, you can also use the built-in wireless capabilities in your WiFi network as one of the access points.

If Virtual Domains are enabled, you must select the VDOM to which the built-in access point belongs. You do this in the CLI. For example:

config wireless-controller global
    set local-radio-vdom vdom1
end

To configure the FortiWiFi unit’s built-in WiFi access point

  1. Go to WiFi Controller > Local WiFi Radio.
  2. Make sure that Enable WiFi Radio is selected.
  3. In SSID, if you do not want this AP to carry all SSIDs, select Select SSIDs and then select the required SSIDs.
  4. Optionally, adjust the TX Power. If you have selected your location correctly (see Configuring the built-in access point on a FortiWiFi unit), the 100% setting corresponds to the maximum power allowed in your region.
  5. If you do not want the built-in WiFi radio to be used for rogue scanning, select Do not participate in Rogue AP scanning.
  6. Select OK.

If you want to connect external APs, such as FortiAP units, see the next chapter, Access point deployment.

Enforcing UTM policies on a local bridge SSID for managed smart APs

The config wireless-controller utm-profile command lets administrators configure UTM profiles in order to enforce UTM policies on a local bridge SSID when Smart APs are managed by FortiGate.

As a result, these UTM profiles can also be assigned under config wireless-controller vap.

Please note that this is only supported in Bridge-mode.

In addition, a new diagnose command has been introduced to determine the status of the cw_acd daemon, which handles the communication between FortiGate and APs.


Note that the default utm-profile available (named wifi-default) has all applicable options within the command set to wifi-default.

Use “?” to view all available profiles to assign, for example, “set ips-sensor ?”.

Syntax:

config wireless-controller utm-profile
    edit <name>
        set comment <comment>
        set utm-log {enable | disable}
        set ips-sensor <name>
        set application-list <name>
        set antivirus-profile <name>
        set webfilter-profile <name>
        set firewall-policy <id>
        set scan-botnet-connections {disable | block | monitor}
    next
end

config wireless-controller vap
    edit <name>
        set utm-profile <name>
    next
end

To debug the cw_acd_helper daemon, use the following diagnose command:

diagnose wireless-controller wlac_hlp
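As an added example (not taken from the guide above), the following puts the two command blocks together for a guest SSID bridged at the smart AP: the profile reuses the wifi-default sensors and profiles mentioned earlier and blocks botnet connections, then is bound to the VAP. It assumes the SSID is placed in bridge mode with `set local-bridging enable` (a standard vap setting, but not shown in the syntax above) and that the names guest-bridge-utm and guest-ssid are ours.

```fortios
# Constructed example: UTM profile for a guest SSID that is bridged locally on the smart AP.
config wireless-controller utm-profile
    edit "guest-bridge-utm"
        set comment "UTM for guest SSID bridged on managed smart APs"
        set utm-log enable
        set ips-sensor "wifi-default"
        set application-list "wifi-default"
        set antivirus-profile "wifi-default"
        set webfilter-profile "wifi-default"
        set scan-botnet-connections block
    next
end

# Bind the profile to the SSID. local-bridging must be enabled (assumed setting);
# the guide states the profile is only supported in bridge mode.
config wireless-controller vap
    edit "guest-ssid"
        set local-bridging enable
        set utm-profile "guest-bridge-utm"
    next
end

# Confirm the controller daemon that talks to the APs is healthy before trusting enforcement.
diagnose wireless-controller wlac_hlp
```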


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “Configuring a WiFi LAN”

  1. Tony

    Hi Mike,
    Since I know by following your posts that you are really good with Fortinet in general, please allow me to ask you a question. In a FortiGate, FortiAP and RADIUS scenario, can I dynamically assign the VLAN to the WiFi users based on their device type? More specifically, I would like to move any iOS/Android to a different VLAN than a normal Windows client would get. Thanks
