
CAPWAP Offloading (NP6 only)


Simple Network Topology

NP6 offloading of CAPWAP traffic is supported on all high-end FortiGate models and on most mid-range models.

NP6 offloading over CAPWAP configuration

  1. Enable the capwap-offload option in system npu:

config system npu
    set capwap-offload enable
end

  2. NP6 session fast path requirements: enable auto-asic-offload in the firewall policy that carries the traffic:

config firewall policy
    edit 1
        set auto-asic-offload enable
    next
end

  3. NP6 offloading over CAPWAP traffic is supported:
    • only with traffic from a Tunnel mode VAP.
    • only when dtls-policy is clear-text or ipsec-vpn in the wireless-controller wtp-profile configuration.
    • Traffic is not offloaded when dtls-policy=dtls-enable.
    • Traffic is not offloaded when it is fragmented.

Verify the system session of NP6 offloading

  • Check the system session when dtls-policy=clear-text to verify the npu info: flag=0x81/0x89, offload=8/8

FG1K2D3I16800192 (vdom1) # diag sys session list

session info: proto=6 proto_state=01 duration=21 expire=3591 tim

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper= reply-shaper= per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu f00

statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=5 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=57->37/37->57

gwy=172.16.200.44/10.65.1.2 hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(1 hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50 pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000c00

npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158

vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f

total session 1

  • Check the system session when dtls-policy=ipsec-vpn to verify the npu info: flag=0x81/0x82, offload=8/8

FG1K2D3I16800192 (vdom1) # diag sys session list

session info: proto=6 proto_state=01 duration=7 expire=3592 time

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper= reply-shaper= per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/ state=log may_dirty npu f00

statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tupl tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=57->37/37->57

gwy=172.16.200.44/10.65.1.2 hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(1 hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50 pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000c00

npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158

vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f

total session 1
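The verification above is done by eye on a single session. As an added example (not part of the original page and not Fortinet code), the following Python parses `diag sys session list` output and classifies every session from its `npu info` line, so the same check can be run over a whole session dump instead of one record. The sample dump is constructed for this example, modelled on the page's two records; treating `offload=0/0`, or a record with no `npu info` line at all, as "not offloaded" is this example's assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the page's "diag sys session list" output. The first
# record reuses the offloaded values the page shows (flag=0x81/0x89, offload=8/8); the
# second is a made-up session that never entered the NP6 fast path.
SESSION_SAMPLE = """\
session info: proto=6 proto_state=01 duration=21 expire=3591 timeout=3600
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu f00
gwy=172.16.200.44/10.65.1.2
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=00009a97 tos=ff/ff npu_state=0x000c00
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/255 state=log may_dirty
gwy=172.16.200.44/10.65.1.9
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=1 serial=0000b1c2 tos=ff/ff npu_state=0x000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0
total session 2
"""

NPU_RE = re.compile(r"npu info: flag=0x([0-9a-f]+)/0x([0-9a-f]+), offload=(\d+)/(\d+)", re.I)
SERIAL_RE = re.compile(r"\bserial=([0-9a-f]+)", re.I)
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")
TUNNEL_RE = re.compile(r"\btunnel=(\S*)")


@dataclass
class NpuSession:
    serial: str
    policy_id: int
    tunnel: str          # "/" in the page's clear-text output, "/wlc-..." in its ipsec-vpn output
    flag_org: int
    flag_reply: int
    offload_org: int
    offload_reply: int

    @property
    def offloaded(self) -> bool:
        # The page verifies offloading by offload=8/8, i.e. both directions on the NP6.
        # Reading a 0 in either direction as "not offloaded" is this example's assumption.
        return self.offload_org > 0 and self.offload_reply > 0


def parse_sessions(text: str) -> List[NpuSession]:
    """Split the dump into records (each starts with 'session info:') and pull the
    fields needed for the offload check; the trailing 'total session N' line is ignored."""
    sessions = []
    for block in re.split(r"(?m)^session info:", text)[1:]:
        serial, policy, tunnel = SERIAL_RE.search(block), POLICY_RE.search(block), TUNNEL_RE.search(block)
        if not (serial and policy and tunnel):
            continue                       # malformed record: skip rather than guess
        npu = NPU_RE.search(block)
        flags = (int(npu[1], 16), int(npu[2], 16), int(npu[3]), int(npu[4])) if npu else (0, 0, 0, 0)
        sessions.append(NpuSession(serial[1], int(policy[1]), tunnel[1], *flags))
    return sessions


def offload_report(text: str) -> Dict[str, List[str]]:
    """Serial numbers of the sessions that are / are not on the NP6 fast path."""
    sessions = parse_sessions(text)
    return {
        "offloaded": [s.serial for s in sessions if s.offloaded],
        "not_offloaded": [s.serial for s in sessions if not s.offloaded],
    }


if __name__ == "__main__":
    for s in parse_sessions(SESSION_SAMPLE):
        print(f"session {s.serial} policy {s.policy_id}: {'NP6 offloaded' if s.offloaded else 'NOT offloaded'}")
```

Sessions that fall into the `not_offloaded` list are the ones to check against the three conditions above (Tunnel mode VAP, dtls-policy, fragmentation) before suspecting the NPU configuration itself.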

1+1 fast failover between FortiGate WiFi controllers


The following shows a simple network topology for this recipe. The primary and secondary FortiGates should reach the FortiAP at the physical level:

The following takes place in the event of a failover:

  1. The primary FortiGate syncs the wireless configuration to the secondary FortiGate.
  2. If the primary FortiGate fails, the secondary FortiGate takes over management of the FortiAP. The client can still connect with the SSID from the FortiAP and pass traffic.
  3. When the primary FortiGate is back online, it returns to managing the FortiAP.

In the CLI samples below, the primary FortiGate has an IP address of 10.43.1.80, while the secondary FortiGate has an IP address of 10.43.1.62.

To configure the primary FortiGate:

config wireless-controller inter-controller
    set inter-controller-mode 1+1
    set inter-controller-key 123456
    config inter-controller-peer
        edit 1
            set peer-ip 10.43.1.62
            set peer-priority secondary
        next
    end
end

To configure the secondary FortiGate:

config wireless-controller inter-controller
    set inter-controller-mode 1+1
    set inter-controller-key 123456
    set inter-controller-pri secondary
    config inter-controller-peer
        edit 1
            set peer-ip 10.43.1.80
        next
    end
end

To run diagnose commands:

  1. On the primary FortiGate, run diag wireless-controller wlac -c ha. The output should resemble the following:

WC fast failover info
cfg iter: 1 (age=17995, size=220729, fp=0x5477e28)
dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930)
dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848)
mode: 1+1-ffo
pri: primary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1
FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

  2. On the secondary FortiGate, run diag wireless-controller wlac -c ha. The output should resemble the following:

WC fast failover info
mode: 1+1-ffo
status: monitoring
pri: secondary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1
FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)
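What an operator reads off those two outputs is a handful of facts: both units in 1+1-ffo mode with the roles they were configured for, the same key csum (which is how a mismatched inter-controller key shows up), the peer counted and UP, and the secondary in monitoring state. The following Python is an added example, not Fortinet code, that parses both outputs and returns those findings so the check can be scripted after a change. Both samples are constructed from the page's fields; the secondary's peer line (serial `FGT60EXXXXXXXXXX`, address 10.43.1.80) is made up for the example.

```python
import re
from typing import List

# Constructed samples modelled on the page's "diag wireless-controller wlac -c ha" output.
PRIMARY_HA = """\
WC fast failover info
cfg iter: 1 (age=17995, size=220729, fp=0x5477e28)
dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930)
mode: 1+1-ffo
pri: primary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1
FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)
"""
SECONDARY_HA = """\
WC fast failover info
mode: 1+1-ffo
status: monitoring
pri: secondary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1
FGT60EXXXXXXXXXX: 10.43.1.80:5245 primary UP (age=0)
"""

# "<serial>: <ip>:<port> <role> <state> (age=<n>)" peer lines
PEER_RE = re.compile(r"^(\S+): (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+) (\w+) \(age=(\d+)\)$")


def parse_ha(text: str) -> dict:
    """Turn the 'key: value' lines into a dict and the per-peer lines into info['peers']."""
    info: dict = {"peers": []}
    for line in text.splitlines():
        line = line.strip()
        m = PEER_RE.match(line)
        if m:
            info["peers"].append({"serial": m[1], "ip": m[2], "port": int(m[3]),
                                  "role": m[4], "state": m[5], "age": int(m[6])})
        elif ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def check_pair(primary_text: str, secondary_text: str) -> List[str]:
    """Findings an operator would otherwise look for by eye; an empty list means the
    pair looks healthy."""
    findings = []
    p, s = parse_ha(primary_text), parse_ha(secondary_text)
    for role, info in (("primary", p), ("secondary", s)):
        if info.get("mode") != "1+1-ffo":
            findings.append(f"{role}: mode={info.get('mode')!r}, expected 1+1-ffo")
        if info.get("pri") != role:
            findings.append(f"{role}: reports pri={info.get('pri')!r}")
        if int(info.get("peer cnt", "0")) != len(info["peers"]):
            findings.append(f"{role}: peer cnt {info.get('peer cnt')} but {len(info['peers'])} peer lines")
        for peer in info["peers"]:
            if peer["state"] != "UP":
                findings.append(f"{role}: peer {peer['serial']} ({peer['ip']}) is {peer['state']}")
    if p.get("key csum") != s.get("key csum"):
        findings.append("key csum differs: inter-controller-key is not identical on both units")
    if s.get("status") != "monitoring":
        findings.append(f"secondary: status={s.get('status')!r}, expected monitoring")
    return findings


if __name__ == "__main__":
    print(check_pair(PRIMARY_HA, SECONDARY_HA) or "1+1 fast failover pair looks healthy")
```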

UTM security profile groups on FortiAP-S


This guide provides instructions for simple configuration of security profile groups for FortiAP, including creating security profile groups and selecting profile groups for the SSID.

To configure UTM security profile groups on the FortiOS GUI:

  1. Create a security profile group:
    1. Go to WiFi & Switch Controller > Security Profile Groups, then click Create New.
    2. Enter the desired interface name. Configure logging as desired.
    3. Enable Antivirus, Web Filter, Application, IPS, or Botnet, then select the desired profile.
  2. Create a local bridge mode SSID and enable security profile groups:
    1. Go to WiFi & Switch Controller > SSID. Select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Bridge.
    3. In the SSID field, enter the desired SSID name. Configure security as desired.
    4. Enable Security Profile Group, then select the group created in step 1.
    5. Click OK.
  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:
    1. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
    2. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    3. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    4. Click OK.

To configure UTM security profile groups using the FortiOS CLI:

  1. Create a security profile group:

config wireless-controller utm-profile
    edit "wifi-UTM"
        set ips-sensor "default"
        set application-list "default"
        set antivirus-profile "default"
        set webfilter-profile "default"
        set scan-botnet-connections block
    next
end

  2. Create a local bridge mode SSID and enable security profile groups:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "SSID-UTM"
        set passphrase 12345678
        set local-bridging enable
        set schedule "always"
        set utm-profile "wifi-UTM"
    next
end

  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

config wireless-controller wtp
    edit "FP320C3X14000640"
        set admin enable
        set wtp-profile "FAP320C-default"
    next
end

config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
        config radio-2
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end

WiFi Statistics – WiFi client monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

To view connected WiFi clients on the FortiGate unit, go to Monitor > WiFi Client Monitor. The following columns display:

Column                  Description
SSID                    SSID that the client connected to, such as the tunnel, bridge, or mesh.
FortiAP                 Serial number of the FortiAP unit that the client connected to.
User                    Username if using WPA enterprise authentication.
IP                      IP address assigned to the wireless client.
Device                  Wireless client device type.
Channel                 FortiAP operation channel.
Auth                    Authentication type used.
Channel                 WiFi radio channel in use.
Bandwidth Tx/Rx         Client received and transmitted bandwidth in Kbps.
Signal Strength/Noise   Signal-to-noise ratio in decibels, calculated from signal strength and noise level.
Association Time        How long the client has been connected to this AP.
Device OS               Wireless device OS.
Manufacturer            Wireless device manufacturer.
MIMO                    Wireless device MIMO information.

WiFi health monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

The Monitor > WiFi Health Monitor page displays the following charts:

  • Active Clients: Currently active clients on each FortiAP.
  • AP Status: APs by status, sorted by those that have been up for over 24 hours, rebooted in the past 24 hours, and down/missing.
  • Channel Utilization: Allows users to view the 10-20 most and least utilized channels for each AP radio, and a third histogram view showing utilization counts.
  • Client Count: Shows the client count over time. Can be viewed for the past hour, day, or 30 days.
  • Login Failures: Time, SSID, hostname, and username for failed login attempts. The widget also displays the AP name and group of FortiAP units with failed login attempts.
  • Top Wireless Interference: Separate widgets for the 2.4 GHz and 5 GHz bands. This requires spectrum analysis to be enabled on the radios.

WiFi maps

WiFi maps allow you to place FortiAP units on a map, such as an office floor plan. This allows you to know where the FortiAPs are and get their operating statuses at a glance.

To configure WiFi maps on the FortiOS GUI:

  1. Create a WiFi map:
    1. In FortiOS, go to WiFi & Switch Controller > WiFi Maps.
    2. Click Add Map.
    3. Specify the desired map name.
    4. Upload the image file.
    5. If desired, enable Image grayscale.
    6. Set the Image opacity.
  2. Place the FortiAP units on the map:
    1. Unlock the map by clicking the lock icon in the top left corner.
    2. Click Unplaced AP(s) beside the lock icon. This displays a list of candidate APs.
    3. Drag and drop the candidate FortiAPs from the list to the map as desired.
    4. Once all desired FortiAPs have been placed on the map, lock the map.
  3. Hover the cursor over a FortiAP icon to view the operating data per FortiAP unit.
  4. To configure AP settings, click the FortiAP icon for that unit.
  5. You can show numerical operating data on the FortiAP icons such as the client count, channel, operating TX power, and channel utilization using the options in the dropdown list above the map.

To configure WiFi maps using the FortiOS CLI:

You can only upload the WiFi map image file using the FortiOS CLI.

config wireless-controller region
    edit <MAP_NAME>
        set grayscale enable|disable
        set opacity 100    <0-100>
    next
end

config wireless-controller wtp
    edit <FAP_SN>
        set region <MAP_NAME>
        set region-x "0.419911"    <0-1>
        set region-y "0.349466"    <0-1>
    next
end

Fortinet Security Fabric

The following shows a simple network topology when using FortiAP as part of the Security Fabric:

The Security Fabric > Settings page on the root FortiGate lists all FortiAP devices on the CSF root and leaf.

The Security Fabric > Physical Topology view on the root FortiGate shows the devices in the Security Fabric and the devices they are connected to.

Wireless security

Enabling rogue AP scan

The guide provides simple configuration instructions for enabling ap-scan on FortiAP. The steps include creating a WIDS profile and selecting the WIDS profile on the managed FortiAP.

To enable rogue AP scan on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. Enable the Enable Rogue AP Detection option.
    3. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable rogue AP scan using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile
    edit "example-wids-profile"
        set ap-scan enable
    next
end

  2. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        set handoff-sta-thresh 55
        set ap-country US
        config radio-1
            set band 802.11n
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
        config radio-2
            set band 802.11ac
            set vap-all disable
        end
    next
end

Enabling rogue AP suppression

The guide provides simple configuration instructions for suppressing rogue APs on FortiAP. The steps include creating a WIDS profile and suppressing rogue APs.

To enable rogue AP suppression on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. For Sensor Mode, select Foreign and Home Channels.
    3. Enable the Enable Rogue AP Detection option.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP. The monitoring radio must be in Dedicated Monitor mode:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Select Dedicated Monitor on Radio 1 or Radio 2.
    4. Enable WIDS Profile. Select the profile created in step 1. Click OK.
  3. Suppress FortiAP:
    1. Go to Monitor > Rogue AP Monitor.
    2. Right-click the desired SSID, then select Mark as Rogue.
    3. Right-click the SSID again, then select Suppress AP.

To enable rogue AP suppression using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile
    edit "example-wids-profile"
        set sensor-mode both
        set ap-scan enable
    next
end

  2. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        config radio-1
            set mode monitor
            set wids-profile "example-wids-profile"
        end
    next
end

  3. Suppress FortiAP:

config wireless-controller ap-status
    edit 1
        set bssid 90:6c:ac:da:a7:f1
        set ssid "example-SSID"
        set status suppressed
    next
end

Wireless Intrusion Detection System

The guide provides simple configuration instructions for enabling a Wireless Intrusion Detection System (WIDS) profile on FortiAP.

To enable a WIDS profile on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. In the Name field, enter the desired name.
    3. Under Intrusion Detection Settings, enable all intrusion types as desired.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable a WIDS profile using the FortiOS CLI:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        set handoff-sta-thresh 55
        set ap-country US
        config radio-1
            set band 802.11n
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
        config radio-2
            set band 802.11ac
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
    next
end

FortiAP Management – Support for WPA3 on FAP


This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef published a document that exposed a flaw in WPA2 networks known as Key Reinstallation Attack (KRACK). To avoid the attack, the Wi-Fi Alliance announced in January that WPA2 enhancements and a new WPA3 standard were coming in 2018.

The Wi-Fi Alliance defines three areas for improvement:

  • Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110) to improve security in such networks.
  • WPA3 Personal: WPA3-Personal utilizes Simultaneous Authentication of Equals (SAE).
  • WPA3 Enterprise: WPA3-Enterprise contains a new 192-bit security level.

All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame integrity.

Configuration

  1. WPA3 OWE
    1. WPA3 OWE only: only clients that support WPA3 can connect to this SSID.

config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end

    2. WPA3 OWE transition: the client connects with normal Open or with OWE depending on its capability. If the client supports WPA3, it connects using OWE; if it does not, it connects to the Open SSID.

config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end

  2. WPA3 SAE
    1. WPA3 SAE: clients with WPA3 support can connect to the SSID.

config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password 12345678
    next
end

    2. WPA3 SAE transition: the SSID has two passwords. A client connects with WPA2 PSK if the passphrase is used, and with WPA3 SAE if the sae-password is used.

config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set schedule "always"
        set sae-password 22222222
    next
end

  3. WPA3 Enterprise: when security is set to wpa3-enterprise, the auth type can be either RADIUS authentication or local user (user group) authentication.

config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end
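The five configurations above share a few invariants that are easy to get wrong by hand: PMF is on for every WPA3 mode (optional rather than enable in SAE transition, so WPA2-only clients without PMF can still join), the SAE modes carry an sae-password, the enterprise VAP names its RADIUS server or user group, and an OWE transition pair is two VAPs that reference each other with the OWE side not broadcast. The following Python is an added example, not Fortinet code: a small parser for FortiOS `config`/`edit`/`set`/`next`/`end` text written for this page, and a checker that applies those invariants to the `wireless-controller vap` table. The sample configuration repeats the page's VAPs (schedule lines dropped for brevity) and adds a deliberately weak VAP, `weak_sae`, that is not from the page.

```python
import shlex
from typing import Dict, List

# Constructed sample: the page's WPA3 VAP examples (schedule lines dropped to keep it
# short) plus one deliberately weak VAP, "weak_sae", that is not from the page.
SAMPLE_CONFIG = """
config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
    next
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
    next
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set sae-password 12345678
    next
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set sae-password 22222222
    next
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
    next
    edit "weak_sae"
        set ssid "weak_sae"
        set security wpa3-sae
        set pmf disable
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Small parser for FortiOS 'config / edit / set / next / end' text, written for this
    example (not a Fortinet API). Returns {table: {entry: {key: value}}}; a config block
    nested inside an entry becomes a sub-dict under its own name."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)                  # honours the quoted names the CLI uses
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def check_wpa3_vaps(vaps: Dict[str, dict]) -> List[str]:
    """Apply the invariants visible in the page's examples; one finding per violation."""
    findings = []
    for name, v in vaps.items():
        sec, pmf = v.get("security"), v.get("pmf")
        if sec in ("owe", "wpa3-sae", "wpa3-enterprise") and pmf != "enable":
            findings.append(f"{name}: {sec} requires pmf enable")
        if sec == "wpa3-sae-transition" and pmf not in ("optional", "enable"):
            findings.append(f"{name}: transition mode needs pmf optional")
        if sec in ("wpa3-sae", "wpa3-sae-transition") and "sae-password" not in v:
            findings.append(f"{name}: {sec} requires sae-password")
        if sec == "wpa3-sae-transition" and "passphrase" not in v:
            findings.append(f"{name}: transition mode also needs the WPA2 passphrase")
        if sec == "wpa3-enterprise":
            needed = {"radius": "radius-server", "usergroup": "usergroup"}.get(v.get("auth"))
            if needed is None or needed not in v:
                findings.append(f"{name}: needs auth radius + radius-server or auth usergroup + usergroup")
        if v.get("owe-transition") == "enable":
            peer = next((p for p in vaps.values() if p.get("ssid") == v.get("owe-transition-ssid")), None)
            if peer is None or peer.get("owe-transition-ssid") != v.get("ssid"):
                findings.append(f"{name}: owe-transition-ssid must name a VAP that points back")
            elif {sec, peer.get("security")} != {"open", "owe"}:
                findings.append(f"{name}: a transition pair is one open and one owe VAP")
            if sec == "owe" and v.get("broadcast-ssid") != "disable":
                findings.append(f"{name}: hide the OWE side with broadcast-ssid disable")
    return findings


def audit(text: str = SAMPLE_CONFIG) -> List[str]:
    """Run the checker over the vap table of a FortiOS config dump."""
    return check_wpa3_vaps(parse_fortios(text)["wireless-controller vap"])
```

Fed the page's VAPs the checker is silent; only `weak_sae` is reported, once for PMF being off and once for the missing sae-password. The parser handles just the four keywords the page's examples use, and a `set` with several values is kept as a list.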

FortiAP Management – Configuring MAC filter on SSID


This guide provides instructions on simple configuration for enabling MAC filter on SSID. Consider the following for this feature:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, you must first configure the wireless controller address and wireless controller address group. This is covered in the CLI instructions below.

The following shows a simple network topology for this recipe:

To block a specific client from connecting to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client's MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end

  2. Create a wireless controller address group. Select the above address. Set the default policy to allow:

config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end

  3. On the virtual access point, select the created address group:

config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, can connect.

To allow a specific client to connect to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end

  2. Create a wireless controller address group. Select the above address. Set the default policy to deny:

config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end

  3. On the virtual access point, select the created address group:

config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, are denied from connecting.
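The two recipes are the same mechanism with the polarity flipped: a per-address policy that wins when the client's MAC matches, and a group default-policy that applies otherwise. The following Python is an added example, not Fortinet code, that models that decision for a list of client MACs so both outcomes described above can be checked together, including a client that presents the same address in a different notation. The address and group dicts are the page's objects written out by hand; treating the first matching address entry as decisive is this example's assumption, not a documented FortiOS rule.

```python
import re
from typing import Dict, List


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so B4-AE-2B-CB-D1-72 and b4:ae:2b:cb:d1:72 compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def client_admitted(client_mac: str, addresses: Dict[str, dict], group: dict) -> bool:
    """Model of the page's filter: the group's member addresses are consulted first and a
    matching entry decides with its own policy; otherwise the group's default-policy
    applies. First match wins on duplicate entries (this example's assumption)."""
    mac = normalize_mac(client_mac)
    for member in group["addresses"]:
        entry = addresses[member]
        if normalize_mac(entry["mac"]) == mac:
            return entry["policy"] == "allow"
    return group["default-policy"] == "allow"


def filter_decisions(clients: List[str], addresses: Dict[str, dict], group: dict) -> Dict[str, bool]:
    """Admission decision per client MAC under one address group."""
    return {c: client_admitted(c, addresses, group) for c in clients}


# The page's two recipes as the dicts a config parser would produce.
# Block one client: the address denies it, everyone else falls through to default allow.
BLOCK_ADDRESSES = {"client_1": {"mac": "b4:ae:2b:cb:d1:72", "policy": "deny"}}
BLOCK_GROUP = {"addresses": ["client_1"], "default-policy": "allow"}
# Allow one client: the address allows it, everyone else falls through to default deny.
ALLOW_ADDRESSES = {"client_1": {"mac": "b4:ae:2b:cb:d1:72", "policy": "allow"}}
ALLOW_GROUP = {"addresses": ["client_1"], "default-policy": "deny"}
# Constructed client list: the page's two MACs, plus the first one in another notation.
CLIENTS = ["b4:ae:2b:cb:d1:72", "e0:33:8e:e9:65:01", "B4-AE-2B-CB-D1-72"]

if __name__ == "__main__":
    print("blocklist:", filter_decisions(CLIENTS, BLOCK_ADDRESSES, BLOCK_GROUP))
    print("allowlist:", filter_decisions(CLIENTS, ALLOW_ADDRESSES, ALLOW_GROUP))
```

The normalisation step matters in practice: a MAC entered with dashes or upper-case hex must still match the client's address. It is also why the page's note that the filter is independent of the SSID security mode is worth keeping in mind: a MAC address is presented by the client and is easily changed, so the filter is a second gate in front of WPA2/WPA3, not a replacement for it.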

FortiAP Management – Configuring quarantining on SSID


This guide provides instructions on simple configuration for quarantining on SSID. Consider the following for this feature:

  • The quarantine function only works with SSID tunnel mode.
  • The quarantine function is independent of SSID security mode.

The following shows a simple network topology for this recipe:

To quarantine a wireless client on the FortiOS GUI:

  1. In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
  2. Edit the SSID:
    1. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
    2. Enable Device Detection.
    3. Enable Quarantine Host.
    4. Click OK.
  3. Quarantine a wireless client:
    1. Do one of the following:
      • Go to Security Fabric > Physical Topology. View the topology by access device.
      • Go to FortiView > Traffic from LAN/DMZ > Source.
      • Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
    2. Right-click the wireless client, then click Quarantine Host.

To quarantine a wireless client using the FortiOS CLI:

  1. Under global quarantine settings, enable quarantine:

config user quarantine
    set quarantine enable
end

  2. Under virtual access point (VAP) settings, enable quarantine:

config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set quarantine enable
    next
end

  3. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:

config user quarantine
    config targets
        edit "DESKTOP-Surface"
            config macs
                edit b4:ae:2b:cb:d1:72
                    set description "Surface"
                next
            end
        next
    end
end

FortiAP Management – Deploying captive portal SSID to FortiAP units


The guide provides simple configuration instructions for deploying a captive portal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy captive portal SSID to FortiAP units on the FortiOS GUI:

  1. Create a local user:
    1. Go to User & Device > User Definition, then click Create New.
    2. In the Users/Groups Creation Wizard, select Local User, then click Next.
    3. Enter the desired values in the Username and Password fields, then click Next.
    4. On the Contact Info tab, fill in any information as desired, then click Next. You do not need to configure any contact information for the user.
    5. On the Extra Info tab, set the User Account Status to Enabled.
    6. If the desired user group already exists, enable User Group, then select the desired user group. Click Submit.
  2. Create a user group:
    1. Go to User & Device > User Groups, then click Create New.
    2. Enter the desired group name.
    3. For Type, select Firewall.
    4. For Members, click the + button. In the dropdown list, select the local user created in step 1, then click OK.
    5. Click OK.
  3. Create a captive portal SSID:
    1. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Captive Portal, select Security.
    5. Configure the portal type as one of the following:
      • For Portal Type, select Authentication. In the User Group dropdown list, select the user group created in step 2.
      • For Portal Type, select Disclaimer + Authentication. In the User Group dropdown list, select the user group created in step 2.
      • For Portal Type, select Disclaimer Only.
      • To configure the portal type as email collection, go to System > Feature Visibility and enable Email Collection, then select Email Collection for Portal Type.
    6. Click OK.
  4. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
    • Select the SSID by editing the FortiAP:
      1. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
      4. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      5. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      6. Click OK.
    • Select the SSID by editing the FortiAP profile:
      1. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
      2. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
      3. Click OK.
  5. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.

To deploy captive portal SSID to FortiAP units using the FortiOS CLI:

  1. Create a local user:

config user local
    edit "local"
        set type password
        set passwd 123456
    next
end

  2. Create a user group:

config user group
    edit "group-local"
        set member "local"
    next
end

  3. Create a captive portal SSID. Do one of the following:
    1. Create a captive portal SSID with portal type Authentication:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Captive"
        set security captive-portal
        set portal-type auth
        set selected-usergroups "group-local"
    next
end

    2. Create a captive portal SSID with portal type Disclaimer + Authentication:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Captive"
        set security captive-portal
        set portal-type auth+disclaimer
        set selected-usergroups "group-local"
    next
end

    3. Create a captive portal SSID with portal type Disclaimer Only:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Captive"
        set security captive-portal
        set portal-type disclaimer
    next
end

    4. Create a captive portal SSID with portal type Email Collection:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Captive"
        set security captive-portal
        set portal-type email-collect
    next
end

  4. Configure an IP address and enable DHCP:

config system interface
    edit "wifi-vap"
        set ip 10.10.80.1 255.255.255.0
    next
end

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set interface "wifi-vap"
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
        set timezone-option default
    next
end

  5. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

config wireless-controller wtp
    edit "FP320C3X14000640"
        set admin enable
        set wtp-profile "FAP320C-default"
    next
end

config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
        config radio-2
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end

  6. Create the SSID-to-Internet firewall policy:

config firewall policy
    edit 1
        set name "WiFi to Internet"
        set srcintf "wifi-vap"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end