Category Archives: FortiOS 5.6

Combining WiFi and wired networks with a software switch


FortiAP local bridging (Private Cloud-Managed AP)

Using bridged FortiAPs to increase scalability

Combining WiFi and wired networks with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users. Note that software switches are only available if your FortiGate is in Interface mode.

To create the WiFi and wired LAN configuration, you need to:

  • Configure the SSID so that traffic is tunneled to the WiFi controller.
  • Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members.
  • Configure Captive Portal security for the software switch interface.

To configure the SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New.
  2. Enter:
Interface name                                  A name for the new WiFi interface, homenet_if for example.
Traffic Mode                                    Tunnel to Wireless Controller
SSID                                            The SSID visible to users, homenet for example.
Security Mode, Data Encryption, Preshared Key   Configure security as you would for a regular WiFi network.

  3. Select OK.
  4. Go to WiFi & Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.
  5. Authorize the FortiAP unit.


To configure the SSID – CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1”.

    config wireless-controller vap
      edit "homenet_if"
        set vdom "root"
        set ssid "homenet"
        set security wpa-personal
        set passphrase "Fortinet1"
    end

    config wireless-controller wtp
      edit FAP22B3U11005354
        set admin enable
        set vaps "homenet_if"
    end

To configure the FortiGate software switch – web-based manager

  1. Go to Network > Interfaces and select Create New > Interface.
  2. Enter:
Interface Name               A name for the new interface, homenet_nw for example.
Type                         Software Switch
Physical Interface Members   Add homenet_if and the internal network interface.
Addressing mode              Select Manual and enter an address, for example 172.16.96.32/255.255.255.0
DHCP Server                  Enable and configure an address range for clients.
Security Mode                Select Captive Portal. Add the permitted User Groups.

  3. Select OK.

To configure the FortiGate unit – CLI

    config system interface
      edit homenet_nw
        set ip 172.16.96.32 255.255.255.0
        set type switch
        set security-mode captive-portal
        set security-groups "Guest-group"
    end

    config system interface
      edit homenet_nw
        set member "homenet_if" "internal"
    end

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. For example, to assign the homenet_if interface to VLAN 100, enter:

    config wireless-controller vap
      edit "homenet_if"
        set vlanid 100
    end

Additional configuration

The configuration described above provides communication between WiFi and wired LAN users only. To provide access to other networks, create appropriate firewall policies between the software switch and other interfaces.

FortiAP local bridging (Private Cloud-Managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

  • Installations where the WiFi controller is remote and most of the traffic is local or uses the local Internet gateway
  • Wireless-PCI compliance with a remote WiFi controller
  • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.

Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The FortiAP unit’s WiFi and Ethernet interfaces behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

The Local Bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspot deployments managed by a central FortiGate, but would also be useful in cloud deployments. Previously, this was only supported in Tunnel mode.

To configure a FortiAP local bridge – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter:
Interface name                                  A name for the new WiFi interface.
Traffic Mode                                    Local bridge with FortiAP’s Interface
SSID                                            The SSID visible to users.
Security Mode, Data Encryption, Preshared Key   Configure security as you would for a regular WiFi network.

  3. Select OK.
  4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
  5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

SSID configured for Local Bridge operation

To configure a FortiAP local bridge – CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

    config wireless-controller vap
      edit "branchbridge"
        set vdom "root"
        set ssid "LANbridge"
        set local-bridging enable
        set security wpa-personal
        set passphrase "Fortinet1"
    end

    config wireless-controller wtp
      edit FAP22B3U11005354
        set admin enable
        set vaps "branchbridge"
    end

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

  • Traffic Mode is Local bridge with FortiAP’s Interface.

In this mode, the FortiAP unit does not send traffic back to the wireless controller.

  • Security Mode is WPA2 Personal.

This mode does not require the user database. In WPA2 Personal authentication, all clients use the same preshared key, which is known to the FortiAP unit.

  • Allow New WiFi Client Connections When Controller is down is enabled. This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

    config wireless-controller vap
      edit "branchbridge"
        set vdom "root"
        set ssid "LANbridge"
        set local-bridging enable
        set security wpa-personal
        set passphrase "Fortinet1"
        set local-authentication enable
    end

Using bridged FortiAPs to increase scalability

The FortiGate wireless controller can support more FortiAP units in local bridge mode than in the normal mode. But this is only true if you configure some of your FortiAP units to operate in remote mode, which supports only local bridge mode SSIDs.

The Managed FortiAP page (WiFi & Switch Controller > Managed FortiAPs) shows at the top right the current number of managed FortiAPs and the maximum number that can be managed, “5/64” for example. The maximum number, however, applies only if all FortiAP units operate in remote mode. For more detailed information, consult the Maximum Values Table. For each FortiGate model, there are two maximum values for managed FortiAP units: the total number of FortiAPs and the number of FortiAPs that can operate in normal mode.

To configure FortiAP units for remote mode operation

  1. Create at least one SSID with Traffic Mode set to Local bridge with FortiAP’s Interface.
  2. Create a custom AP profile that includes only local bridge SSIDs.
  3. Configure each managed FortiAP unit to use the custom AP profile. You also need to set the FortiAP unit’s wtp-mode to remote, which is possible only in the CLI. The following example uses the CLI both to set wtp-mode and to select the custom AP profile:

    config wireless-controller wtp
      edit FAP22B3U11005354
        set wtp-mode remote
        set wtp-profile 220B_bridge
    end

 

Wireless Mesh

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

Overview of Wireless Mesh

Configuring a meshed WiFi network

Configuring a point-to-point bridge

Overview of Wireless Mesh

The figure below shows a wireless mesh topology.

A wireless mesh is a multiple AP network in which only one FortiAP unit is connected to the wired network. The other FortiAPs communicate with the controller over a separate backhaul SSID that is not available to regular WiFi clients. The AP that is connected to the network by Ethernet is called the Mesh Root node. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection.

The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve regular WiFi clients are called Leaf nodes. Leaf APs also carry the mesh SSID for more distant leaf nodes. A leaf node can connect to the mesh SSID directly from the root node or from any of the other leaf nodes. This provides redundancy in case of an AP failure.

All access points in a wireless mesh configuration must have at least one of their radios configured to provide mesh backhaul communication. As with wired APs, when mesh APs start up they can be discovered by a FortiGate or FortiWiFi unit WiFi controller and authorized to join the network.

The backhaul SSID delivers the best performance when it is carried on a dedicated radio. On a two-radio FortiAP unit, for example, the 5GHz radio could carry only the backhaul SSID while the 2.4GHz radio carries one or more SSIDs that serve users. Background WiFi scanning is possible in this mode.

The backhaul SSID can also share the same radio with SSIDs that serve users. Performance is reduced because the backhaul and user traffic compete for the available bandwidth. Background WiFi scanning is not available in this mode. One advantage of this mode is that a two-radio AP can offer WiFi coverage on both bands.

Wireless mesh deployment modes

There are two common wireless mesh deployment modes:

Wireless Mesh       Access points are wirelessly connected to a FortiGate or FortiWiFi unit WiFi controller. WiFi users connect to wireless SSIDs in the same way as on non-mesh WiFi networks.
Wireless bridging   Two LAN segments are connected together over a wireless link (the backhaul SSID).

On the leaf AP, the Ethernet connection can be used to provide a wired network. Both WiFi and wired users on the leaf AP are connected to the LAN segment to which the root AP is connected.

Firmware requirements

All FortiAP units that will be part of the wireless mesh network must be upgraded to FAP firmware version 5.0 build 003. FortiAP-222B units must have their BIOS upgraded to version 400012. The FortiWiFi or FortiGate unit used as the WiFi controller must be running FortiOS 5.0.

Types of wireless mesh

A WiFi mesh can provide access to widely-distributed clients. The root mesh AP which is directly connected to the WiFi controller can be either a FortiAP unit or the built-in AP of a FortiWiFi unit that is also the WiFi controller.

FortiAP units used as both mesh root AP and leaf AP

FortiWiFi unit as root mesh AP with FortiAP units as leaf APs

An alternate use of the wireless mesh functionality is as a point-to-point relay. Both wired and WiFi users on the leaf AP side are connected to the LAN segment on the root mesh side.

Point-to-point wireless mesh

Fast-roaming for mesh backhaul link

Mesh implementations for leaf FortiAP can perform background scan when the leaf AP is associated to root. Various options for background scanning can be configured with the CLI. See Mesh variables on page 183 for more details.

Configuring a meshed WiFi network

You need to:

  • Create the mesh root SSID.
  • Create the FortiAP profile.
  • Configure mesh leaf AP units.
  • Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit.
  • Authorize the mesh branch/leaf units when they connect to the WiFi Controller.
  • Create security policies.

This section assumes that the end-user SSIDs already exist.

Creating the mesh root SSID

The mesh root SSID is the radio backhaul that conveys the user SSID traffic to the leaf FortiAPs.

To configure the mesh root SSID

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter a Name for the WiFi interface.
  3. In Traffic Mode, select Mesh Downlink.
  4. Enter the SSID.
  5. Set Security Mode to WPA2 Personal and enter the Pre-shared key.

Remember the key; you need to enter it into the configurations of the leaf FortiAPs.

  6. Select OK.

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

The radio that carries the backhaul traffic must not carry other SSIDs. Use the Select SSIDs option and choose only the backhaul SSID. Similarly, the radio that carries user SSIDs should not carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Configuring a WiFi LAN on page 40.

Configuring the mesh root FortiAP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.

 

To enable a FortiWiFi unit’s Local Radio as mesh root – web-based manager

  1. Go to WiFi Controller > Local WiFi Radio.
  2. Select Enable WiFi Radio.
  3. In SSID, select Select SSIDs, then select the mesh root SSID.
  4. Optionally, adjust TX Power or select Auto Tx Power Control.
  5. Select Apply.

In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID.

To configure a network interface for the mesh root FortiAP unit

  1. On the FortiGate unit, go to Network > Interfaces.
  2. Select the interface where you will connect the FortiAP unit, and edit it.
  3. Make sure that Role is LAN.
  4. In Addressing mode, select Dedicated to Extension Device.
  5. In IP/Network Mask, enter an IP address and netmask for the interface.

DHCP will provide addresses to connected devices. To maximize the number of available addresses, the interface address should end with 1, for example 192.168.10.1.

  6. Select OK.

At this point you can connect the mesh root FortiAP, as described next. If you are going to configure leaf FortiAPs through the wireless controller (see “Configuring a meshed WiFi network” on page 89), it would be convenient to leave connecting the root unit for later.

To enable the root FortiAP unit

  1. Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.

  3. Right-click the FortiAP entry and choose your profile from the Assign Profile
  4. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

  5. Select OK.

You might need to select Refresh a few times before the FortiAP shows as Online.

Configuring the leaf mesh FortiAPs

The FortiAP units that will serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit’s internal configuration. You can do this by direct connection or through the FortiGate wireless controller.

Method 1: Direct connection to the FortiAP

  1. Connect a computer to the FortiAP unit’s Ethernet port. Configure the computer’s IP as 192.168.1.3.
  2. Telnet to 192.168.1.2. Log in as admin. By default, no password is set.
  3. Enter the following commands, substituting your own SSID and password (pre-shared key):

    cfg -a MESH_AP_TYPE=1
    cfg -a MESH_AP_SSID=fortinet.mesh.root
    cfg -a MESH_AP_PASSWD=hardtoguess
    cfg -c
    exit

  4. Disconnect the computer.
  5. Power down the FortiAP.
  6. Repeat the preceding steps for each branch FortiAP.

Method 2: Connecting through the FortiGate unit

  1. Connect the branch FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for FortiAPs. Connect the FortiAP unit to a power source unless PoE is used.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the FortiAP unit and try again.

  3. Select the discovered FortiAP unit and authorize it. Click Refresh every 10 seconds until the State indicator is green.
  4. Right-click the FortiAP and select >_Connect to CLI. The CLI Console window opens. Log in as “admin”.
  5. Enter the following commands, substituting your own SSID and password (pre-shared key):

    cfg -a MESH_AP_TYPE=1
    cfg -a MESH_AP_SSID=fortinet.mesh.root
    cfg -a MESH_AP_PASSWD=hardtoguess
    cfg -c
    exit

  6. Disconnect the branch FortiAP and delete it from the Managed FortiAP list.
  7. Repeat the preceding steps for each branch FortiAP.

Authorizing leaf APs

When the root FortiAP is connected and online, apply power to the pre-configured leaf FortiAPs. The leaf FortiAPs will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

  1. Go to WiFi & Switch Controller > Managed FortiAPs. Periodically select Refresh until the FortiAP unit is listed. This can take up to three minutes.

The State of the FortiAP unit should be Waiting for Authorization.

  2. Right-click the FortiAP entry and choose your profile from the Assign Profile
  3. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

Creating security policies

You need to create security policies to permit traffic to flow from the end-user WiFi network to the network interfaces for the Internet and other networks. Enable NAT.

Viewing the status of the mesh network

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of APs.

The Connected Via field lists the IP address of each FortiAP and uses icons to show whether the FortiAP is connected by Ethernet or Mesh.

[Connection icons: Ethernet, Mesh]

If you mouse over the Connected Via information, a topology displays, showing how the FortiGate wireless controller connects to the FortiAP.

Configuring a point-to-point bridge

You can create a point-to-point bridge to connect two wired network segments using a WiFi link. The effect is the same as connecting the two network segments to the same wired switch.

You need to:

  • Configure a backhaul link and root mesh AP as described in Configuring a point-to-point bridge on page 91.

Note: The root mesh AP for a point-to-point bridge must be a FortiAP unit, not the internal AP of a FortiWiFi unit.

  • Configure bridging on the leaf AP unit.

To configure the leaf AP unit for bridged operation – FortiAP web-based manager

  1. With your browser, connect to the FortiAP unit web-based manager.

You can temporarily connect to the unit’s Ethernet port and use its default address: 192.168.1.2.

  2. Enter:

Operation Mode     Mesh
Mesh AP SSID       fortinet-ap
Mesh AP Password   fortinet
Ethernet Bridge    Select

  3. Select Apply.
  4. Connect the local wired network to the Ethernet port on the FortiAP unit.

Users are assigned IP addresses from the DHCP server on the wired network connected to the root mesh AP unit.

To configure a FortiAP unit as a leaf AP – FortiAP CLI

    cfg -a MESH_AP_SSID=fortinet-ap
    cfg -a MESH_AP_PASSWD=fortinet
    cfg -a MESH_ETH_BRIDGE=1
    cfg -a MESH_AP_TYPE=1
    cfg -c

 

Access point deployment

This chapter describes how to configure access points for your wireless network.

Overview

Network topology for managed APs

Discovering and authorizing APs

Advanced WiFi controller discovery

Wireless client load balancing for high-density deployments

FortiAP Groups

LAN port options

Preventing IP fragmentation of packets in CAPWAP tunnels

LED options

CAPWAP bandwidth formula

Overview

FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Access point deployment on page 64, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Access point deployment on page 64.

If your FortiAP units are unable to find the WiFi controller, refer to Access point deployment on page 64 for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.

Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:

Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them. This configuration is common for locations where the number of FortiAPs matches up with the number of ‘internal’ ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.

Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Gateway Deployment

 

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity it is best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.

Remote deployment

Discovering and authorizing APs

After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to:

  • Configure the network interface to which the AP will connect.
  • Configure DHCP service on the interface to which the AP will connect.
  • Optionally, preauthorize FortiAP units. They will begin to function when connected.
  • Connect the AP units and let the FortiGate unit discover them.
  • Enable each discovered AP and configure it or assign it to an AP profile.

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the interface to which the AP unit connects.
  2. Set Addressing Mode to Dedicate to Extension Device.
  3. Enter the IP address and netmask to use.

The FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is 10.10.1.100, the FortiAP units will be assigned 10.10.1.101 to 10.10.1.254. To maximize the available addresses, use the .1 address for the interface: 10.10.1.1, for example.

  4. Select OK.

To configure the interface for the AP unit – CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

    config system interface
      edit port3
        set mode static
        set ip 10.10.70.1 255.255.255.0
    end

    config system dhcp server
      edit 0
        set interface "port3"
        config ip-range
          edit 1
            set start-ip 10.10.70.2
            set end-ip 10.10.70.254
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
    end

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.
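As an added example of mine (not Fortinet code), the following Python models the lease decision that the dedicated extension-device interface and the vci-match setting together produce: it computes the pool the page describes (the addresses above the interface address up to .254; extending that to other masks as interface+1 up to the last usable host is my generalisation), parses the DHCP options field, and offers an address only to a DISCOVER or REQUEST whose option 60 (Vendor Class Identifier) carries the vci-string. The option payloads and the FortiAP VCI text "FortiAP-221C" are constructed for the example, and substring matching is my assumption; the page does not state the exact FortiOS matching rule or the exact text a FortiAP sends.

```python
import ipaddress

# Constructed constants and sample values; nothing here is captured traffic.
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 DHCP options magic cookie
OPT_MSG_TYPE, OPT_VCI, OPT_END, OPT_PAD = 53, 60, 255, 0
DHCPDISCOVER, DHCPREQUEST = 1, 3


def extension_pool(interface_cidr):
    """Addresses a 'Dedicated to Extension Device' interface hands out:
    everything above the interface address up to .254 (the page's rule).
    Generalised by me to any mask as interface+1 .. last usable host."""
    iface = ipaddress.ip_interface(interface_cidr)
    first = int(iface.ip) + 1
    last = int(iface.network.broadcast_address) - 1
    return [ipaddress.ip_address(a) for a in range(first, last + 1)]


def parse_dhcp_options(payload):
    """Parse the DHCP options field (magic cookie + TLVs) into {code: bytes}.
    Raises ValueError on a missing cookie or a truncated option."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeats concatenate
        i += 2 + length
    return opts


def vci_matches(opts, vci_string="FortiAP"):
    """Model of vci-match: only a client whose option 60 carries the
    vci-string is eligible. Substring matching is my assumption."""
    vci = opts.get(OPT_VCI)
    return vci is not None and vci_string.encode() in vci


def next_offer(pool, leased, payload, vci_string="FortiAP"):
    """Address to offer for a DISCOVER/REQUEST, or None. Malformed options,
    other message types, non-matching VCIs and an exhausted pool all get nothing."""
    try:
        opts = parse_dhcp_options(payload)
    except ValueError:
        return None
    if opts.get(OPT_MSG_TYPE) not in (bytes([DHCPDISCOVER]), bytes([DHCPREQUEST])):
        return None
    if not vci_matches(opts, vci_string):
        return None
    return next((a for a in pool if a not in leased), None)


def build_options(msg_type=DHCPDISCOVER, vci=None):
    """Construct a DHCP options field for the examples (sample data, not a capture)."""
    out = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    if vci is not None:
        out += bytes([OPT_VCI, len(vci)]) + vci
    return out + bytes([OPT_END])


if __name__ == "__main__":
    pool = extension_pool("10.10.1.100/24")          # the page's example interface
    print(len(pool), "addresses:", pool[0], "-", pool[-1])
    # "FortiAP-221C" and "MSFT 5.0" are constructed VCI strings
    for label, vci in [("FortiAP", b"FortiAP-221C"), ("laptop", b"MSFT 5.0"), ("no VCI", None)]:
        print(label, "->", next_offer(pool, set(), build_options(vci=vci)))
```

Option 60 is filled in by the client, so vci-match is housekeeping that keeps ordinary hosts out of the FortiAP pool rather than an access control; that is consistent with the page's advice that the interface carry no administrative access, DNS or authentication services, and with FortiAP authorization still happening on the controller.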

Pre-authorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.

To pre-authorize a FortiAP unit

  1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.

On some models the WiFi Controller menu is called WiFi & Switch Controller.

  2. Enter the Serial Number of the FortiAP unit.
  3. Configure the Wireless Settings as required.
  4. Select OK.

Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on the WiFi Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.

Discovered access point unit

When you authorize (enable) a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). You can create and select a different profile if needed. The FortiAP Profile defines the entire configuration for the AP.

To add and configure the discovered AP unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.

This configuration also applies to local WiFi radio on FortiWiFi models.

  2. Select the FortiAP unit from the list and edit it.
  3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
  4. Select Authorize.
  5. Select a FortiAP Profile.
  6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit – CLI

First get a list of the discovered access point unit serial numbers:

    get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

    config wireless-controller wtp
      edit FAP22A3U10600118
        set admin enable
        set wtp-profile AP-profile1
    end

To view the status of the added AP unit

    config wireless-controller wtp
      edit FAP22A3U10600118
        get

The join-time field should show a time, not “N/A”. See the preceding web-based manager procedure for more information.

Disable automatic discovery of unknown FortiAPs

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator’s authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

    config system interface
      edit port15
        set ap-discover disable
    end

Automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

    config system global
      set auto-auth-extension-device enable
    end

To enable automatic authorization per-interface

    config system interface
      edit <port>
        set auto-auth-extension-device enable
    end

Assigning the same profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time:

  1. Go to WiFi & Switch Controller > Managed FortiAPs to view the AP list.
  2. Select all FortiAP units you wish to apply the profile to.
  3. Right click on one of the selected FortiAPs and select Assign Profile.
  4. Choose the profile you wish to apply.

Overriding the FortiAP Profile

In the FortiAP configuration (WiFi & Switch Controller > Managed FortiAPs), there are several radio settings under Override Radio 1 and Override Radio 2 that let you choose a value independently of the FortiAP Profile setting.

When an override is disabled, the field shows the value that the FortiAP Profile has configured for that setting.

Band               The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels.
Channels           Choose channels. The available channels depend on the Band.
TX Power Control   If you enable Auto, adjust to set the power range in dBm. If you enable Manual, adjust the slider. The 100% setting is the maximum power permitted in your region. See Configuring a WiFi LAN on page 40.
SSIDs              Select between Auto or Manual. Selecting Auto eliminates the need to re-edit the profile when new SSIDs are created. However, you can still select SSIDs individually using Manual.

To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

    config wireless-controller wtp
      edit FP221C3X14019926
        config radio-1
          set override-band enable
          set band 802.11n
          set override-channel enable
          set channel 11
        end
    end

Override settings are available for band, channel, vaps (SSIDs), and txpower.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.

Accessing the FortiAP CLI through the FortiGate unit

First enable remote login for the FortiAP: in the FortiAP Profile that applies to this FortiAP, enable remote access.

Connecting to the FortiAP CLI

The FortiAP unit has a CLI through which some configuration options can be set. You can access the CLI using Telnet.

To access the FortiAP unit CLI through the FortiAP Ethernet port

  1. Connect your computer to the FortiAP Ethernet interface, either directly with a cross-over cable or through a separate switch or hub.
  2. Change your computer’s IP address to 192.168.1.3.
  3. Telnet to IP address 192.168.1.2.

Ensure that FortiAP is in a private network with no DHCP server for the static IP address to be accessible.

  4. Log in with user name admin and no password.
  5. Enter commands as needed.
  6. Optionally, use the passwd command to assign an administrative password for better security.
  7. Save the configuration by entering the following command:

    cfg -c

  8. Unplug the FortiAP and then plug it back in for the configuration to take effect.

Accessing the FortiAP CLI through the FortiGate

After the FortiAP has been installed, physical access to the unit might be inconvenient. You can access a connected FortiAP unit’s CLI through the FortiGate unit that controls it.

To enable remote access to the FortiAP CLI

In the CLI, edit the FortiAP Profile that applies to this FortiAP.

config wireless-controller wtp-profile
    edit FAP221C-default
        set allowaccess telnet
    end

FortiAP now supports HTTPS and SSH administrative access, as well as HTTP and Telnet. Use the command above to set administrative access to telnet, http, https, or ssh. Telnet and HTTP carry the administrator credentials in clear text on the wire; where the FortiAP firmware supports them, ssh and https are the preferable choices.

To access the FortiAP unit CLI through the FortiGate unit – GUI

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. In the list, right-click the FortiAP unit and select >_Connect to CLI. A detached Console window opens.
  3. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

To access the FortiAP unit CLI through the FortiGate unit – CLI

  1. Use the FortiGate CLI execute telnet command to access the FortiAP. For example, if the FortiAP unit IP address is 192.168.1.2, enter:

execute telnet 192.168.1.2

  2. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

Checking and updating FortiAP unit firmware

You can view and update the FortiAP unit’s firmware from the FortiGate unit that acts as its WiFi controller.

Checking the FortiAP unit firmware version

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of FortiAP units that the FortiGate unit can manage. The OS Version column shows the current firmware version running on each AP.

Updating FortiAP firmware from the FortiGate unit

You can update the FortiAP firmware using either the web-based manager or the CLI. Only the CLI method can update all FortiAP units at once.

To update FortiAP unit firmware – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Right-click the FortiAP unit in the list and select Upgrade Firmware, or edit the FortiAP entry and select Upgrade from File in FortiAP OS Version.
  3. Select Browse and locate the firmware upgrade file.
  4. Select OK.
  5. When the upgrade process completes, select OK. The FortiAP unit restarts.
To update FortiAP unit firmware – CLI

  1. Upload the FortiAP image to the FortiGate unit.

For example, the firmware file is FAP_22A_v4.3.0_b0212_fortinet.out and the server IP address is 192.168.0.100.

execute wireless-controller upload-wtp-image tftp FAP_22A_v4.3.0_b0212_fortinet.out 192.168.0.100

If your server is FTP, change tftp to ftp, and if necessary add your user name and password at the end of the command.

  2. Verify that the image is uploaded:

execute wireless-controller list-wtp-image

  3. Upgrade the FortiAP units:

exec wireless-controller reset-wtp all

If you want to upgrade only one FortiAP unit, enter its serial number instead of all.

Updating FortiAP firmware from the FortiAP unit

You can connect to a FortiAP unit’s internal CLI to update its firmware from a TFTP server on the same network. This method does not require access to the wireless controller.

  1. Place the FortiAP firmware image on a TFTP server on your computer.
  2. Connect the FortiAP unit to a separate private switch or hub or directly connect to your computer via a cross-over cable.
  3. Change your computer’s IP address to 192.168.1.3.
  4. Telnet to IP address 192.168.1.2.

This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP unit is in a private network with no DHCP server.

  5. Log in with the username “admin” and no password.
  6. Enter the following command.

For example, the FortiAP image file name is FAP_22A_v4.3.0_b0212_fortinet.out.

restore FAP_22A_v4.3.0_b0212_fortinet.out 192.168.1.3

Advanced WiFi controller discovery

A FortiAP unit can use any of six methods to locate a controller. By default, FortiAP units cycle through all six of the discovery methods. In most cases there is no need to make configuration changes on the FortiAP unit.

There are exceptions. The following section describes the WiFi controller discovery methods in more detail and provides information about configuration changes you might need to make so that discovery will work.

Controller discovery methods

There are six methods that a FortiAP unit can use to discover a WiFi controller. Below is the list of AC discovery methods used in sequence:

0(auto) → 1(static) → 2(dhcp) → 3(dns) → 7(forticloud) → 5(broadcast) → 6(multicast)

Static IP configuration

If FortiAP and the controller are not in the same subnet, broadcast and multicast packets cannot reach the controller. The admin can specify the controller’s static IP on the AP unit. The AP unit sends a discovery request message in unicast to the controller. Routing must be properly configured in both directions.

To specify the controller’s IP address on a FortiAP unit

cfg -a AC_IPADDR_1="192.168.0.100"

By default, the FortiAP unit receives its IP address, netmask, and gateway address by DHCP. If you prefer, you can assign these statically.

To assign a static IP address to the FortiAP unit

cfg -a ADDR_MODE=STATIC
cfg -a AP_IPADDR="192.168.0.100"
cfg -a AP_NETMASK="255.255.255.0"
cfg -a IPGW=192.168.0.1
cfg -c

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 71.

DHCP

If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time. This is useful if the AP is located remotely from the WiFi controller and other discovery techniques will not work.

When you configure the DHCP server, configure Option 138 to specify the WiFi controller IP address. You need to convert the address into hexadecimal. Convert each octet value separately from left to right and concatenate them. For example, 192.168.0.1 converts to C0A80001.

If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match.

To change the FortiAP DHCP option code

To use option code 139 for example, enter:

cfg -a AC_DISCOVERY_DHCP_OPTION_CODE=139

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 71.
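The octet-by-octet hex conversion described above is easy to get wrong by hand (a dropped leading zero silently produces a different address). The following helpers, an added example that is not part of the FortiOS documentation, build the option value from one or more controller addresses and decode an existing value back for checking. They go slightly beyond the single-address case on the page: RFC 5417 defines option 138 as a list of 4-byte IPv4 addresses, so several controllers can be concatenated the same way. The function names are constructed for this example.

```python
"""Added example (not from the FortiOS documentation): encode and decode the
hexadecimal DHCP option value that carries WiFi controller addresses.
Option 138 (CAPWAP AC IPv4, RFC 5417) is a list of 4-byte addresses, so the
helpers accept more than one controller; the page shows the one-address case."""
import ipaddress
from typing import Iterable, List


def controller_option_hex(addresses: Iterable[str]) -> str:
    """Encode controller IPv4 addresses as the concatenated hex string used for
    the DHCP option value, e.g. '192.168.0.1' -> 'C0A80001'."""
    parts: List[str] = []
    for addr in addresses:
        ip = ipaddress.IPv4Address(addr)       # rejects malformed and IPv6 input
        parts.append(ip.packed.hex().upper())  # 4 bytes -> 8 hex digits, zero-padded
    if not parts:
        raise ValueError("at least one controller address is required")
    return "".join(parts)


def decode_controller_option(hex_value: str) -> List[str]:
    """Reverse the encoding: split an option payload into dotted-quad addresses.
    Useful for checking what a DHCP server is really handing out when a FortiAP
    does not find its controller."""
    raw = bytes.fromhex(hex_value)
    if not raw or len(raw) % 4:
        raise ValueError("payload must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
```

`decode_controller_option` rejects payloads whose length is not a multiple of four, which is the typical symptom of a hand-typed value missing a zero.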

DNS

The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response. Allow DNS lookup of the hostname configured in the AP by using the AP parameter “AC_HOSTNAME_1”.

FortiCloud

The access point can discover FortiCloud by doing a DNS lookup of the hardcoded FortiCloud AP controller hostname “apctrl1.fortinet.com”. The forticloud AC discovery technique retrieves the AC information from apctrl1.fortinet.com using HTTPS.

FortiCloud APController: apctrl1.fortinet.com:443 208.91.113.187:443

Broadcast request

The AP unit broadcasts a discovery request message to the network and the controller replies. The AP and the controller must be in the same broadcast domain. No configuration adjustments are required.

Multicast request

The AP unit sends a multicast discovery request and the controller replies with a unicast discovery response message. The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured.

The default multicast destination address is 224.0.1.140. It can be changed through the CLI. The address must be the same on the controller and the AP.

To change the multicast address on the controller

config wireless-controller global
    set discovery-mc-addr 224.0.1.250
end

To change the multicast address on a FortiAP unit

cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"

For information about connecting to the FortiAP CLI, see Advanced WiFi controller discovery on page 74.

Wireless client load balancing for high-density deployments

Wireless load balancing allows your wireless network to distribute wireless traffic more efficiently among wireless access points and available frequency bands. FortiGate wireless controllers support the following types of client load balancing:

  • Access Point Hand-off – the wireless controller signals a client to switch to another access point.
  • Frequency Hand-off – the wireless controller monitors the usage of 2.4GHz and 5GHz bands, and signals clients to switch to the lesser-used frequency.

Load balancing is not applied to roaming clients.

Access point hand-off

Access point handoff wireless load balancing involves the following:

  • If the load on an access point (ap1) exceeds a threshold (for example, 30 clients), the client with the weakest signal is signaled by the wireless controller to drop off and join another nearby access point (ap2).
  • When one or more access points are overloaded (for example, more than 30 clients) and a new client attempts to join a wireless network, the wireless controller selects the least busy access point that is closest to the new client; that access point is the one that responds to the client and the one the client joins.

Frequency hand-off or band-steering

Encouraging clients to use the 5GHz WiFi band if possible enables those clients to benefit from faster interference-free 5GHz communication. The remaining 2.4GHz clients benefit from reduced interference.

The WiFi controller probes clients to determine their WiFi band capability. It also records the RSSI (signal strength) for each client on each band.

If a new client attempts to join the network, the controller looks up that client’s MAC address in its wireless device table and determines whether it is a dual band device. If it is not a dual band device, it is allowed to join. If it is a dual band device, its RSSI on 5GHz is used to determine whether the device is close enough to an access point to benefit from moving to the 5GHz frequency.

If both conditions hold, 1) the device is dual band and 2) the RSSI value is strong, the wireless controller does not reply to the client’s join request. This forces the client to retry a few more times, time out, and then attempt to join the same SSID on 5GHz. Once the controller sees this new request on 5GHz, the RSSI is measured again and the client is allowed to join. If the RSSI is below the threshold, the device table is updated and the controller forces the client to time out again. A client’s second attempt to connect on 2.4GHz will be accepted.
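The sequence above (ignore the first 2.4GHz request from a strong dual-band client, admit it on 5GHz, fall back to accepting its second 2.4GHz attempt) is easier to reason about as a small state machine. The following is an added example, not FortiOS code: the device table, the `Device` and `BandSteering` names and the two AP hand-off helpers are constructed for illustration, and the thresholds use the defaults the page states (handoff-rssi 25, handoff-sta-thresh 30).

```python
"""Added example (not FortiOS code): a model of the frequency hand-off and
AP hand-off decisions described above. Names are constructed; thresholds are
the page's defaults (handoff-rssi 25, handoff-sta-thresh 30)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

HANDOFF_RSSI = 25        # page default for handoff-rssi (range 20 to 30)
HANDOFF_STA_THRESH = 30  # page default for handoff-sta-thresh


@dataclass
class Device:
    """One entry of the controller's wireless device table."""
    dual_band: bool
    rssi: Dict[str, int] = field(default_factory=dict)  # band -> last RSSI measured
    unanswered_24: int = 0  # 2.4 GHz join requests deliberately left unanswered


class BandSteering:
    """Decides whether the controller answers a client's join request."""

    def __init__(self, handoff_rssi: int = HANDOFF_RSSI) -> None:
        self.handoff_rssi = handoff_rssi
        self.table: Dict[str, Device] = {}

    def learn(self, mac: str, dual_band: bool, rssi_5ghz: Optional[int] = None) -> None:
        """Record what probing told the controller about a client."""
        dev = self.table.setdefault(mac, Device(dual_band))
        dev.dual_band = dual_band
        if rssi_5ghz is not None:
            dev.rssi["5"] = rssi_5ghz

    def join(self, mac: str, band: str, rssi: int) -> str:
        """Return "accept" or "ignore" for a join request on band "2.4" or "5"."""
        dev = self.table.setdefault(mac, Device(dual_band=False))
        dev.rssi[band] = rssi  # RSSI is measured again on every request
        if band == "5":
            if rssi >= self.handoff_rssi:
                dev.unanswered_24 = 0
                return "accept"
            return "ignore"  # too weak on 5 GHz: table updated, client times out, retries on 2.4 GHz
        # A 2.4 GHz request: single-band or distant clients are simply admitted.
        if not dev.dual_band or dev.rssi.get("5", 0) < self.handoff_rssi:
            dev.unanswered_24 = 0
            return "accept"
        if dev.unanswered_24 >= 1:
            dev.unanswered_24 = 0  # the second 2.4 GHz attempt is accepted
            return "accept"
        dev.unanswered_24 += 1
        return "ignore"  # no reply: the client times out and tries the SSID on 5 GHz


def client_to_hand_off(ap_clients: Dict[str, int],
                       thresh: int = HANDOFF_STA_THRESH) -> Optional[str]:
    """AP hand-off on an overloaded AP: return the MAC of the weakest-signal client
    (the one the controller signals to move), or None if the AP is not over thresh."""
    if len(ap_clients) <= thresh:
        return None
    return min(ap_clients, key=ap_clients.get)


def ap_for_new_client(ap_load: Dict[str, int], rssi_by_ap: Dict[str, int],
                      thresh: int = HANDOFF_STA_THRESH) -> str:
    """Pick the least busy AP that hears the new client best; APs over thresh
    are used only if no other AP is available."""
    candidates = [ap for ap in ap_load if ap_load[ap] <= thresh] or list(ap_load)
    return min(candidates, key=lambda ap: (ap_load[ap], -rssi_by_ap.get(ap, -100)))
```

`join` re-measures RSSI on every request, as the text describes, so a client that probes strongly on 5GHz but then associates from further away is re-evaluated rather than steered on stale data.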

Configuration

From the web-based manager, edit a custom AP profile and select Frequency Handoff and AP Handoff as required for each radio on the AP.

From the CLI, you configure wireless client load balancing thresholds for each custom AP profile. Enable access point hand-off and frequency hand-off separately for each radio in the custom AP profile.

config wireless-controller wtp-profile
    edit new-ap-profile
        set handoff-rssi <rssi_int>
        set handoff-sta-thresh <clients_int>
        config radio-1
            set frequency-handoff {disable | enable}
            set ap-handoff {disable | enable}
        end
        config radio-2
            set frequency-handoff {disable | enable}
            set ap-handoff {disable | enable}
        end
    end

Where:

  • handoff-rssi is the RSSI threshold. Clients whose 5 GHz RSSI is over this value are load balanced to the 5GHz frequency band. Default is 25. Range is 20 to 30.
  • handoff-sta-thresh is the access point handoff threshold. If the access point has more clients than this threshold it is considered busy and clients are moved to another access point. Default is 30, range is 5 to 25.
  • frequency-handoff enables or disables frequency handoff load balancing for this radio. Disabled by default.
  • ap-handoff enables or disables access point handoff load balancing for this radio. Disabled by default.

Frequency handoff must be enabled on the 5GHz radio to learn client capability.

FortiAP Groups

FortiAP Groups facilitate the application of FortiAP profiles to large numbers of FortiAPs. A FortiAP can belong to no more than one FortiAP Group. A FortiAP Group can include only one model of FortiAP.

Through the VLAN pool feature, a FortiAP Group can be associated with a VLAN to which WiFi clients will be assigned. For more on VLAN pool assignment, see VLAN assignment by VLAN pool.

FortiAP groups are only configurable in the CLI Console.

To create a FortiAP group – CLI

In this example, wtp-group-1 is created for a FortiAP-221C and one member device is added.

config wireless-controller wtp-group
    edit wtp-group-1
        set platform-type 221C
        config wtp-list
            edit FP221C3X14019926
            end
    end

LAN port options

Some FortiAP models have one or more LAN interfaces that can provide wired network access. LAN ports can be

  • bridged to the incoming WAN interface
  • bridged to one of the WiFi SSIDs that the FortiAP unit carries
  • connected by NAT to the incoming WAN interface

There are some differences among FortiAP models.

Models like 11C and 14C have one port labeled WAN and one or more ports labeled LAN. By default, the LAN ports are offline. You can configure LAN port operation in the FortiAP Profile in the GUI (Wireless Controller > FortiAP Profiles) or in the CLI (config wireless-controller wtp-profile, config lan subcommand).

Models like 320C, 320B, 112D, and 112B have two ports, labeled LAN1 and LAN2. LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or FortiCloud. By default, LAN2 is bridged to LAN1. Other modes of LAN2 operation must be enabled in the CLI:

config wireless-controller wtp-profile
    edit <profile_name>
        set wan-port-mode wan-lan
    end

By default wan-port-mode is set to wan-only.

When wan-port-mode is set to wan-lan, LAN2 Port options are available in the GUI and the CLI the same as the other FortiAP models that have labeled WAN and LAN ports.

Bridging a LAN port with an SSID

Bridging a LAN port with a FortiAP SSID combines traffic from both sources to provide a single broadcast domain for wired and wireless users. In this configuration:

  • The IP addresses for LAN clients come from the DHCP server that serves the wireless clients.
  • Traffic from LAN clients is bridged to the SSID’s VLAN. Dynamic VLAN assignment for hosts on the LAN port is not supported.
  • Wireless and LAN clients are on the same network and can communicate locally, via the FortiAP.
  • Any host connected to the LAN port will be taken as authenticated. RADIUS MAC authentication for hosts on the LAN port is not supported.

For configuration instructions, see LAN port options on page 77.

Bridging a LAN port with the WAN port

Bridging a LAN port with the WAN port enables the FortiAP unit to be used as a hub which is also an access point. In this configuration:

  • The IP addresses for LAN clients come from the WAN directly and will typically be in the same range as the AP itself.
  • All LAN client traffic is bridged directly to the WAN interface.
  • Communication between wireless and LAN clients can only occur if a policy on the FortiGate unit allows it.

For configuration instructions, see LAN port options on page 77.

Configuring FortiAP LAN ports

You can configure FortiAP LAN ports for APs in a FortiAP Profile. A profile applies to APs that are the same model and share the same configuration. If you have multiple models or different configurations, you might need to create several FortiAP Profiles. For an individual AP, it is also possible to override the profile settings.

To configure FortiAP LAN ports – web-based manager

  1. If your FortiAP unit has LAN ports, but no port labeled WAN (models 320C, 320B, 112D, and 112B for example), enable LAN port options in the CLI:

config wireless-controller wtp-profile
    edit <profile_name>
        set wan-port-mode wan-lan
    end

  2. Go to WiFi & Switch Controller > FortiAP Profiles.
  3. Edit the default profile for your FortiAP model or select Create New.
  4. If you are creating a new profile, enter a Name and select the correct Platform (model).
  5. Select SSIDs.
  6. In the LAN Port section, set Mode to Bridge to and select an SSID or WAN Port as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable each port that you want to use and select an SSID or WAN Port as needed.

  7. Select OK.

Be sure to select this profile when you authorize your FortiAP units.

To configure FortiAP LAN ports – CLI

In this example, the default FortiAP-11C profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile
    edit FAP11C-default
        config lan
            set port-mode bridge-to-ssid
            set port-ssid office
        end
    end
end

In this example, the default FortiAP-28C profile is configured to bridge LAN port1 to the office SSID and to bridge the other LAN ports to the WAN port.

config wireless-controller wtp-profile
    edit FAP28C-default
        config lan
            set port1-mode bridge-to-ssid
            set port1-ssid office
            set port2-mode bridge-to-wan
            set port3-mode bridge-to-wan
            set port4-mode bridge-to-wan
            set port5-mode bridge-to-wan
            set port6-mode bridge-to-wan
            set port7-mode bridge-to-wan
            set port8-mode bridge-to-wan
        end
    end

In this example, the default FortiAP-320C profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile
    edit FAP320C-default
        set wan-port-mode wan-lan
        config lan
            set port-mode bridge-to-ssid
            set port-ssid office
        end
    end
end

To configure FortiAP unit LAN ports as a FortiAP Profile override – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Select the FortiAP unit from the list and select Edit.
  3. Select the FortiAP Profile, if this has not already been done.
  4. In the LAN Port section, select Override. The options for Mode are shown.
  5. Set Mode to Bridge to and select an SSID or WAN Port, or NAT to WAN as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable and configure each port that you want to use.

  6. Select OK.

To configure FortiAP unit LAN ports as a FortiAP Profile override – CLI

In this example, a FortiAP unit’s configuration overrides the FortiAP Profile to bridge the LAN port to the office SSID.

config wireless-controller wtp
    edit FP320C3X14020000
        set wtp-profile FAP320C-default
        set override-wan-port-mode enable
        set wan-port-mode wan-lan
        set override-lan enable
        config lan
            set port-mode bridge-to-ssid
            set port-ssid office
        end
    end

Preventing IP fragmentation of packets in CAPWAP tunnels

A common problem with controller-based WiFi networks is reduced performance due to IP fragmentation of the packets in the CAPWAP tunnel.

Fragmentation can occur because of CAPWAP tunnel overhead increasing packet size. If the original wireless client packets are close to the maximum transmission unit (MTU) size for the network (usually 1500 bytes for Ethernet networks unless jumbo frames are used) the resulting CAPWAP packets may be larger than the MTU, causing the packets to be fragmented. Fragmenting packets can result in data loss, jitter, and decreased throughput.

The FortiOS/FortiAP solution to this problem is to cause wireless clients to send smaller packets to FortiAP devices, resulting in 1500-byte CAPWAP packets and no fragmentation. The following options configure CAPWAP IP fragmentation control:

config wireless-controller wtp-profile
    edit FAP321C-default
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
        set tun-mtu-uplink {0 | 576 | 1500}
        set tun-mtu-downlink {0 | 576 | 1500}
    end
end

By default, tcp-mss-adjust is enabled, icmp-unreachable is disabled, and tun-mtu-uplink and tun-mtu-downlink are set to 0.

To set tun-mtu-uplink and tun-mtu-downlink, use the default TCP MTU value of 1500. This default configuration prevents packet fragmentation because the FortiAP unit limits the size of TCP packets received from wireless clients so the packets don’t have to be fragmented before CAPWAP encapsulation.

The tcp-mss-adjust option causes the FortiAP unit to limit the maximum segment size (MSS) of TCP packets sent by wireless clients. The FortiAP does this by adding a reduced MSS value to the SYN packets sent by the FortiAP unit when negotiating with a wireless client to establish a session. This results in the wireless client sending packets that are smaller than the tun-mtu-uplink setting, so that when the CAPWAP headers are added, the CAPWAP packets have an MTU that matches the tun-mtu-uplink size.

The icmp-unreachable option affects all traffic (UDP and TCP) between wireless clients and the FortiAP unit. This option causes the FortiAP unit to drop packets that have the “Don’t Fragment” bit set in their IP header and that are large enough to cause fragmentation and then send an ICMP packet — type 3 “ICMP Destination unreachable” with code 4 “Fragmentation Needed and Don’t Fragment was Set” back to the wireless controller. This should cause the wireless client to send smaller TCP and UDP packets.
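The two mechanisms are easiest to compare side by side: tcp-mss-adjust shrinks what TCP clients send before the problem arises, while icmp-unreachable reacts per packet and covers UDP too. The following model is an added example, not FortiAP code. It assumes a fixed encapsulation overhead inside the uplink IP MTU (`CAPWAP_OVERHEAD`, a constructed figure of 50 bytes; the real number depends on the tunnel mode and should be measured) and uses the standard 20-byte IPv4 and TCP headers; the function names are constructed.

```python
"""Added example (not FortiAP code): the tcp-mss-adjust and icmp-unreachable
behaviours described above, modelled for one uplink tunnel MTU.
CAPWAP_OVERHEAD is an assumed, constructed figure for the bytes the tunnel
adds inside the uplink IP MTU; measure it on a real deployment."""
from dataclasses import dataclass
from typing import Optional, Tuple

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
CAPWAP_OVERHEAD = 50  # assumed: outer IP + UDP + CAPWAP header + inner frame header


def clamped_mss(tun_mtu_uplink: int, overhead: int = CAPWAP_OVERHEAD) -> int:
    """Largest TCP MSS whose segment still fits tun-mtu-uplink once encapsulated."""
    mss = tun_mtu_uplink - overhead - IP_HDR - TCP_HDR
    if mss <= 0:
        raise ValueError("tunnel MTU too small for the encapsulation overhead")
    return mss


def rewrite_syn_mss(requested_mss: int, tun_mtu_uplink: int,
                    overhead: int = CAPWAP_OVERHEAD) -> int:
    """tcp-mss-adjust: the AP lowers the MSS option it relays in a SYN to the clamp;
    a client that already asked for less keeps its own value."""
    return min(requested_mss, clamped_mss(tun_mtu_uplink, overhead))


@dataclass
class Verdict:
    action: str                                   # "forward" or "drop"
    icmp: Optional[Tuple[int, int, int]] = None   # (type, code, next-hop MTU) when dropped


def icmp_unreachable(pkt_len: int, df_set: bool, tun_mtu_uplink: int,
                     overhead: int = CAPWAP_OVERHEAD) -> Verdict:
    """icmp-unreachable: applies to TCP and UDP alike. An IP packet that would not
    fit the tunnel and carries the Don't Fragment bit is dropped and answered with
    ICMP type 3, code 4, carrying the MTU the sender should use instead."""
    if pkt_len + overhead <= tun_mtu_uplink:
        return Verdict("forward")
    if not df_set:
        return Verdict("forward")  # no DF bit: the packet is fragmented, the cost this feature avoids
    return Verdict("drop", (3, 4, tun_mtu_uplink - overhead))


def encapsulated_size(pkt_len: int, overhead: int = CAPWAP_OVERHEAD) -> int:
    """On-the-wire CAPWAP packet size for an inner IP packet of pkt_len bytes."""
    return pkt_len + overhead
```

With the assumed overhead and tun-mtu-uplink 1500, the clamp comes out at 1410 bytes, so a full-size segment (1410 + 40 bytes of headers) encapsulates to exactly 1500 bytes.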

Overriding IP fragmentation settings on a FortiAP

If the FortiAP Profile settings for IP fragmentation are not appropriate for a particular FortiAP, you can override the settings on that specific unit.

config wireless-controller wtp
    edit FAP321C3X14019926
        set override-ip-fragment enable
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
        set tun-mtu-uplink {0 | 576 | 1500}
        set tun-mtu-downlink {0 | 576 | 1500}
    end
end

LED options

Optionally, the status LEDs on the FortiAP can be kept dark. This is useful in dormitories, classrooms, hotels, medical clinics, and hospitals, where the lights might be distracting or annoying to occupants.

On the FortiGate, the LED state is controlled in the FortiAP Profile. By default the LEDs are enabled. The setting is CLI-only. For example, to disable the LEDs on FortiAP-221C units controlled by the FAP221C-default profile, enter:

config wireless-controller wtp-profile
    edit FAP221C-default
        set led-state disable
    end

You can override the FortiAP Profile LED state setting on an individual FortiAP using the CLI. For example, to make sure the LEDs are disabled on one specific unit, enter:

config wireless-controller wtp
    edit FAP221C3X14019926
        set override-led-state enable
        set led-state disable
    end

The LED state is also controllable from the FortiAP unit itself. By default, the FortiAP follows the FortiAP Profile setting.

CAPWAP bandwidth formula

The following section provides information on how to calculate the control plane CAPWAP traffic load in local bridging. The formula provided can help estimate the approximate package bandwidth cost. This is important for knowing precisely how much bandwidth is required on a WAN link for a centralized FortiGate managing hundreds of access points.

There are multiple factors that might affect the volume of CAPWAP control traffic, including the number of stations there are and large WiFi events.

The Ethernet/IP/UDP/CAPWAP uplink header cost should be approximately 66 bytes.

The tables below depict basic and commonly used optional CAPWAP bandwidth costs, on a per-AP basis.

Note the following:

  • STA: The number of stations associated with the FortiAP.
  • ARP scan: Finds hidden devices in your network.
  • VAP: The number of VAPs held by the FortiAP.
  • Radio: The number of radios (maximum of two) enabled by the FortiAP.

Basic per-AP CAPWAP bandwidth costs

Content      Time (seconds)  Payload (byte)  Package bandwidth cost (bps)
Echo Req     30              16              (66+16)*8/30=21.86
STA scan     30              25+20*sta       (66+25+20*sta)*8/30=24.26+5.3*sta
ARP scan     30              25+18*sta       (66+25+18*sta)*8/30=24.26+4.8*sta
STA CAP      30              25+19*sta       (66+25+19*sta)*8/30=24.26+5.1*sta
STA stats    1               25+41*sta       (66+25+41*sta)*8/1=728.0+328.0*sta
VAP stats    15              40+18*vap       (66+40+18*vap)*8/15=56.53+9.6*vap
Radio stats  15              25+25*radio     (66+25+25*radio)*8/15=48.53+13.3*radio
Total                                        908.7+343.2*sta+9.6*vap+13.3*radio

Commonly used optional per-AP CAPWAP bandwidth costs

Content  Time (seconds)  Payload (byte)    Package bandwidth cost (bps)
AP scan  30              25+63*scanned-ap  (66+25+63*scanned-ap)*8/30=24.26+16.8*scanned-ap
Total                                      932.96+343.2*sta+9.6*vap+13.3*radio+16.8*scanned-ap

Example:

There are 100 FortiAPs, with 187 stations distributed among them. Each FortiAP holds five VAPs among its radios, and each enables two radios. The basic CAPWAP bandwidth cost would be: 908.7*100+343.2*187+9.6*5*100+13.3*2*100 = 162.51 kbps

Additionally, if two FortiAPs enabled “AP scan”, and suppose one scans 99 APs in each scan and the other scans 20 APs in each scan, the additional CAPWAP bandwidth cost would be:

(24.26+16.8*99)+(24.26+16.8*20) = 2 kbps
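For sizing a WAN link it is more convenient to evaluate the table rows directly than to re-derive the closed-form totals by hand. The block below is an added example, not from the handbook: it encodes each row as (interval, fixed payload, payload per unit) with the 66-byte header cost the text gives, sums the rows per AP, and scales the result over a deployment. The row definitions and header cost are the page's; the function and field names are constructed, as is the station split in `example_deployment_kbps`.

```python
"""Added example (not from the FortiOS handbook): per-AP CAPWAP control-plane
cost evaluated straight from the table rows above, each row costing
(66 header bytes + payload) * 8 / interval, then scaled to a deployment.
Function and field names are constructed for this example."""
from typing import Dict, Iterable, Optional, Tuple

HEADER_BYTES = 66  # Ethernet/IP/UDP/CAPWAP uplink header cost from the text

# (name, interval in seconds, fixed payload bytes, payload bytes per unit, unit)
Row = Tuple[str, int, int, int, Optional[str]]
BASIC_ROWS: Tuple[Row, ...] = (
    ("Echo Req",    30, 16,  0, None),
    ("STA scan",    30, 25, 20, "sta"),
    ("ARP scan",    30, 25, 18, "sta"),
    ("STA CAP",     30, 25, 19, "sta"),
    ("STA stats",    1, 25, 41, "sta"),
    ("VAP stats",   15, 40, 18, "vap"),
    ("Radio stats", 15, 25, 25, "radio"),
)
AP_SCAN_ROW: Row = ("AP scan", 30, 25, 63, "scanned_ap")


def row_bps(row: Row, counts: Dict[str, int]) -> float:
    """Bits per second one message type costs for the given sta/vap/radio counts."""
    _name, interval, fixed, per_unit, unit = row
    payload = fixed + (per_unit * counts.get(unit, 0) if unit else 0)
    return (HEADER_BYTES + payload) * 8 / interval


def ap_bps(sta: int, vap: int, radio: int, scanned_ap: Optional[int] = None) -> float:
    """Control-plane bps for one AP; scanned_ap is None unless AP scan is enabled."""
    counts = {"sta": sta, "vap": vap, "radio": radio}
    total = sum(row_bps(row, counts) for row in BASIC_ROWS)
    if scanned_ap is not None:
        total += row_bps(AP_SCAN_ROW, {"scanned_ap": scanned_ap})
    return total


def deployment_kbps(aps: Iterable[Dict[str, int]]) -> float:
    """Sum the per-AP costs of a whole deployment, in kbps."""
    return sum(ap_bps(**ap) for ap in aps) / 1000


def example_deployment_kbps(ap_scan: bool = False) -> float:
    """The deployment from the worked example: 100 APs sharing 187 stations, five
    VAPs and two radios each. The station split is constructed (87 APs carry two
    stations, 13 carry one); the formula is linear in sta, so the split does not
    change the total. With ap_scan=True, two APs also scan 99 and 20 APs each."""
    aps = [{"sta": 2 if i < 87 else 1, "vap": 5, "radio": 2} for i in range(100)]
    if ap_scan:
        aps[0]["scanned_ap"] = 99
        aps[1]["scanned_ap"] = 20
    return deployment_kbps(aps)
```

Summed row by row, the per-AP constant is about 927.7 bps, a little above the 908.7 bps shown in the Total row, so `example_deployment_kbps()` returns about 164.4 kbps against the 162.51 kbps worked out in the text; the station, VAP and radio coefficients (343.2, 9.6 and 13.3) agree with the table, and the two AP-scan additions add about 2.05 kbps as in the text.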

Enabling LLDP protocol

You can enable the LLDP protocol in the FortiAP Profile via the CLI. Each FortiAP using that profile can then send back information about the switch and port that it is connected to.

To enable LLDP, enter the following:

config wireless-controller wtp-profile
    edit <profile-name>
        set lldp enable
    end

Configuring the built-in access point on a FortiWiFi unit

Both FortiGate and FortiWiFi units have the WiFi controller feature. If you configure a WiFi network on a FortiWiFi unit, you can also use the built-in wireless capabilities in your WiFi network as one of the access points.

If Virtual Domains are enabled, you must select the VDOM to which the built-in access point belongs. You do this in the CLI. For example:

config wireless-controller global
    set local-radio-vdom vdom1
end

To configure the FortiWiFi unit’s built-in WiFi access point

  1. Go to WiFi Controller > Local WiFi Radio.
  2. Make sure that Enable WiFi Radio is selected.
  3. In SSID, if you do not want this AP to carry all SSIDs, select Select SSIDs and then select the required SSIDs.
  4. Optionally, adjust the TX Power.

If you have selected your location correctly (see Configuring the built-in access point on a FortiWiFi unit on page 62), the 100% setting corresponds to the maximum power allowed in your region.

  5. If you do not want the built-in WiFi radio to be used for rogue scanning, select Do not participate in Rogue AP scanning.
  6. Select OK.

If you want to connect external APs, such as FortiAP units, see the next chapter, Access point deployment.

FortiOS 5.6.1 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.1 build 1484:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.1 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D
FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D
FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.1 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.1

For a list of new features and enhancements that have been made in FortiOS 5.6.1, see the What’s New for FortiOS 5.6.1 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit key with DH group 14.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form
  • IPv6 packets being dropped
  • FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global
    set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed
  • BPDUs are dropped and therefore no STP loop results
  • PPPoE packets are dropped
  • IPv6 packets are dropped
  • FortiSwitch devices are not discovered
  • HA may fail to form depending on the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.1, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With the introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.1

FortiOS version 5.6.1 officially supports upgrading from version 5.4.4, 5.4.5, and 5.6.0. To upgrade from other versions, see Supported Upgrade Paths.

Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings).

If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Security Fabric Upgrade

FortiOS 5.6.1 greatly increases interoperability with other Fortinet products. This includes:

  • FortiAnalyzer 5.6.0
  • FortiClient 5.6.0
  • FortiClient EMS 1.2.1
  • FortiAP 5.4.2 and later
  • FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard Banner, client-based logging when on-net, and Single Sign-on Mobility Agent
  • VPN provisioning
  • Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths
  • Client-side web filtering when on-net
  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.1, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.0, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.1, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles

If you have long VDOM names, you must shorten them (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with their corresponding short VDOM names. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_name>.
  3. Restore the configuration.
  4. Perform the downgrade.
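The two manual checks above, the port 4433 check before upgrading and the VDOM-name shortening before downgrading, can be run against a configuration backup. The script below is an added example, not Fortinet code; it assumes the backup is in the plain-text config/edit/set/next/end format and that a long VDOM name appears as `edit <long_vdom_name>/<short_name>`, as in the example in step 2. The sample backup is constructed.

```python
"""Pre-flight checks on a FortiOS configuration backup before a firmware change.

Added example, not Fortinet code. Assumptions (not stated in the release notes):
the backup uses the plain-text config/edit/set/next/end layout, and a long VDOM
name is written as 'edit <long_vdom_name>/<short_name>'.
"""
import re

MAX_VDOM_NAME_LEN = 11   # release notes: VDOM names must be at most 11 characters
RESERVED_PORT = "4433"   # port that must be free before upgrading to 5.6.1


def _walk(config_text):
    """Yield (enclosing_config_names, keyword, argument) for each config line.

    'config' and 'edit' entries share one stack so that 'next' and 'end' pop
    the right level; only the 'config' names are reported to the caller.
    """
    stack = []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        keyword, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword in ("next", "end"):
            if stack:
                stack.pop()
            continue
        configs = tuple(name for kind, name in stack if kind == "config")
        yield configs, keyword, arg
        if keyword in ("config", "edit"):
            stack.append((keyword, arg.strip('"')))


def find_port_4433_conflicts(config_text):
    """Return the settings that still use port 4433; an empty list means none."""
    conflicts = []
    for configs, keyword, arg in _walk(config_text):
        if keyword != "set" or not configs:
            continue
        key, _, value = arg.partition(" ")
        value = value.strip().strip('"')
        if configs[-1] == "system global" and key in ("admin-port", "admin-sport"):
            if value == RESERVED_PORT:
                conflicts.append(f"config system global: set {key} {value}")
        elif configs[-1] == "vpn ssl settings" and key == "port" and value == RESERVED_PORT:
            conflicts.append(f"config vpn ssl settings: set {key} {value}")
    return conflicts


def find_long_vdom_names(config_text):
    """Map each VDOM name longer than 11 characters to its short alias.

    Only 'edit' entries directly under 'config vdom' are inspected.
    """
    mapping = {}
    for configs, keyword, arg in _walk(config_text):
        if keyword == "edit" and configs and configs[-1] == "vdom":
            long_name, sep, short_name = arg.strip('"').partition("/")
            if sep and len(long_name) > MAX_VDOM_NAME_LEN:
                mapping[long_name] = short_name
    return mapping


def shorten_vdom_names(config_text):
    """Rewrite the backup so every long VDOM name becomes its short alias (step 2)."""
    out = config_text
    for long_name, short_name in find_long_vdom_names(config_text).items():
        if len(short_name) > MAX_VDOM_NAME_LEN:
            raise ValueError(f"short name {short_name!r} exceeds {MAX_VDOM_NAME_LEN} characters")
        # 'edit <long>/<short>'  ->  'edit <short>/<short>'
        pattern = re.compile(
            r'^(\s*edit\s+)"?' + re.escape(long_name) + "/" + re.escape(short_name) + r'"?[ \t]*$',
            re.MULTILINE,
        )
        out = pattern.sub(lambda m, s=short_name: f"{m.group(1)}{s}/{s}", out)
        # Other references such as 'set vdom "<long>"' (assumed to be quoted whole tokens).
        out = out.replace(f'"{long_name}"', f'"{short_name}"')
    return out


# Constructed sample backup: one long VDOM name and admin-port on the reserved port.
SAMPLE_BACKUP = """\
config vdom
edit root
next
edit engineering-lab/eng-lab
next
end
config global
config system global
    set admin-port 4433
    set admin-sport 443
    set long-vdom-name enable
end
config vpn ssl settings
    set port 10443
end
end
config vdom
edit engineering-lab/eng-lab
config system interface
    edit "port1"
        set vdom "engineering-lab"
    next
end
next
end
"""

if __name__ == "__main__":
    print("port 4433 conflicts:", find_port_4433_conflicts(SAMPLE_BACKUP))
    print("long VDOM names:", find_long_vdom_names(SAMPLE_BACKUP))
    print(shorten_vdom_names(SAMPLE_BACKUP))
```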

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.1 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.


When downgrading from 5.6.1 to older versions, running the enhanced NIC driver is not allowed. The following AWS instance types are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the .vhd file in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.


Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.1 support

The following table lists 5.6.1 product integration and support information:

Web Browsers
  • Microsoft Edge 38
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59
  • Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Edge 40
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 53
  • Google Chrome version 58
  • Apple Safari version 10 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager

See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer

See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X
  • 5.6.0

See important compatibility information in Security Fabric Upgrade on page 9.

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS
  • 5.4.3 and later

 


FortiClient Android and FortiClient VPN Android
  • 5.4.1 and later

FortiAP
  • 5.4.2 and later
  • 5.6.0

FortiAP-S
  • 5.4.3 and later
  • 5.6.0

FortiSwitch OS (FortiLink support)
  • 3.5.6 and later

FortiController
  • 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox
  • 2.3.3 and later

Fortinet Single Sign-On (FSSO)
  • 5.0 build 0254 and later (needed for FSSO agent support of OU in group filters)
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Standard
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008 R2 64-bit
  • Windows Server 2012 Standard
  • Windows Server 2012 R2 Standard
  • Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender
  • 3.1.1 and later

AV Engine
  • 5.247

IPS Engine
  • 3.426

Virtualization Environments

Citrix
  • XenServer version 5.6 Service Pack 2
  • XenServer version 6.0 and later

Linux KVM
  • RHEL 7.1/Ubuntu 12.04 and later
  • CentOS 6.4 (qemu 0.12.1) and later

Microsoft
  • Hyper-V Server 2008 R2, 2012, and 2012 R2

Open Source
  • XenServer version 3.4.3
  • XenServer version 4.1 and later


VMware
  • ESX versions 4.0 and 4.1
  • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV

The following NIC chipset cards are supported:

  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)


SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System
  • Linux CentOS 6.5 / 7 (32-bit & 64-bit)
  • Linux Ubuntu 16.04

Installer: 2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Microsoft Windows 7 SP1 (32-bit & 64-bit) and Microsoft Windows 8 / 8.1 (32-bit & 64-bit)
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59

Microsoft Windows 10 (64-bit)
  • Microsoft Edge
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit)
  • Mozilla Firefox version 54

Mac OS 10.11.1
  • Apple Safari version 9
  • Mozilla Firefox version 54
  • Google Chrome version 59

iOS
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome

Android
  • Mozilla Firefox
  • Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.1. For inquiries about a particular bug, please contact Customer Service & Support.

Antivirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file (.json).
398332 FortiSandbox results are not showing up in FortiView > FortiSandbox.
408147 Virus detected with correct name but wrong virusid.
411432 scanunitd causes high CPU usage when making configuration changes.

Authentication

Bug ID Description
402621 Radius Accounting Packet Calling-Station-ID field should return MAC address instead of IP address.
403147 Cannot create guest users with short phone number.
412846 Google Chrome browser displays a NET::ERR_CERT_COMMON_NAME_INVALID certificate warning on the authentication page.
416618 LDAP does not work when number of matching entries is even in user group.
437204 authd sends malformed NTLM TYPE2 to browser and breaks NTLM authentication.
438972 Nested Groups in LDAP authentication does not work when the Domain users in AD is not the Primary Group.

DLP

Bug ID Description
367514 Executable files may not be blocked by DLP built-in .exe file-type filter.
416469 DLP quarantined IP when the action is set to block/log-only.
422355 DLP file-type filter cannot detect .mov file during file upload.

DNSFilter

Bug ID Description
414243 DNSFilter local FortiGuard SDNS servers failed to respond due to malformed packet.
422407 dnsproxy causes high CPU usage and degradation of DNS traffic.

FOC

Bug ID Description
406692 GTP noip-filter blocking IPv6 gtp-u traffic.
412883 Over-subscription of TP2 XAUI when running GTP in LAG with FG3700DX platform.
Bug ID Description
305575 In the Policy List, the NAT column can give more useful information.
416111 FQDN address is unresolved in a VDOM, although the URL is resolved with IP.

FortiGate 92D

Bug ID Description
412432 fgt92d_link running in D state.

FortiLink

Bug ID Description
422750 FortiGate sending corrupted configuration to FortiSwitch.
435219 cu_acd causing memory leak leading to Conserve Mode.
438973 Managed FortiSwitch speed setting not synced in FortiGate HA cluster.

FortiView

Bug ID Description
378576 The All Sessions > filter application on historical view does not work and suggests adding filter for destination port.
390495 Unable to view web sites in FortiView for 5 minutes, 1 hour, and 24 hours.

Firewall

Bug ID Description
416678 FG-100E and FG-101E may have firewall lockups in production.
424558 Renaming onetime schedule causes policy activation.
433688 Netflow report for a long, live FTP session is incorrect.
435070 Full Cone NAT not working for WhatsApp video and voice call.
435095 FortiOS ICMP replies or error messages are dropped when asymmetric routing is involved.
435700 RTSP session helper does not modify the IP in the DESCRIBE payload when the server IP is a VIP.

GUI

Bug ID Description
310497 Improve GUI error message when trying to create a VLAN interface and physical interface is not selected.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
373602 Cannot access System > Advanced from the GUI – page keep loading.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
380943 Webfilter profile, GUI to support search in URL filter table.
388104 Interface list expand column display improperly in VLAN interface in a Zone.
394359 REST API firewall policy lookup does not work properly.
397010 GUI does not display the App-DB and INDUSTRIAL-DB information.
398394 Log viewer, negative filter for severity Information field cannot be done manually.
407938 device-access-list configuration is removed when making a change to the interface in the GUI.
408577 Admin and FortiClient profile cannot be displayed when language is Japanese.
413754 GUI create VDOM link on TP VDOM fails with error.
413891 In Topology > FortiAnalyzer, clicking Configure setting redirects to VDOM security fabric page.
413921 In FSSO standard mode, context menu allows you to delete ad-groups polled from CA.
415326 CLI configuration for address object allows IP range 0.0.0.0-x.x.x.x, but not in GUI.
418534 IP address, DHCP, allowaccess disappeared when selecting a local-bridge SSID as a member in soft-switch interface.
421263 Multiple wildcard login accounts gives wrong guest account provisioning when Postlogin-banner is enabled.
423410 Zone interface shows as down in the IPv4 Policy page even when its member is up.
434613 GUI cannot select HA monitor interfaces in other VDOMs.
438709 GUI system time is incorrect when setting timezone.
438948 Address object length name is limited in CLI Console tool.
441350 Trying to access the root FortiGate Security Fabric dashboard produces Error 404.

HA

Bug ID Description
392677 The HA widget shows the slave status as Not Synchronized even when the status is synchronized.
404089 Uninterruptible upgrade fails because routes are not yet synced with new master.
414336 Slave cannot sync to master with redundant interface.
416673 The System > HA pane is not in the GUI. HA is supported and can be configured in the CLI.
421639 HA kernel routes are not flushed after failover when cluster has a large number of routes.
423144 Reliable syslog using dedicated HA management interface doesn’t work.
434800 SNMP trap does not reach SNMP server via HA Master when hbdev interface is up.
437390 HA failover triggered before pingserver-failover-threshold is reached.
438374 HA reserved management interface unable to access or ping.

IPS

Bug ID Description
412470 When a firewall policy is deleted, traffic is lost.
417411 One-arm sniffer logs show sent/rcvd in the reverse direction.
434478 Information incorrect in diag test app ipsmonitor 13.
434592 Ethernet.IP is not recognized in ICS app ctrl signature by sniffer mode.

IPsec

Bug ID Description
401847 Half of IPsec tunnels traffic lost 26 minutes after powering on a spare FG-1500D.
412863 NP6 drops fragment packet with payload 15319 bytes or higher.
412987 IPsec VPN certificate not validated against PKI user’s CN and Subject.
414899 Apple Cisco IPsec VPN group name (IKE ID) length limit.
415353 Telnet connection timing out with IPsec through MPLS when offloading is enabled.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

438648 outbound enable not set on bi-directional IPsec policy.
439923 For FG-60E, 12-character FQDN Peer ID causes communication failure.
440615 When monitor-hold-down-delay is used in IKEv2, the value of monitor-hold-down-delay has no effect, so once the IKE SA for the primary tunnel is established, it immediately takes the secondary down.

Log & Report

Bug ID Description
386668 FortiGate sends FortiAnalyzer different time stamps from its disk log.
391013 Some traffic flow does not show in traffic log.
396319 For the NGFW_vdom, the application UTM log action is always PASS when firewall policy deny the traffic.
409831 Traffic statistic not tally in report.
413778 With long VDOM names, no log is displayed when only one field subtype forward is added to traffic log filter.
417128 Syslog message are missed in FortiGate.

Proxy

Bug ID Description
414496 URL getting blocked – IPS sensor triggered.
415627 After upgrading to 5.6, certificate inspection causes certificate warning.
418193 Some HTTPS sites show Secure Connection Failed (static URL filter only flow-based webfilter, certificate inspection).
424362 Multiple crashes of WAD process.
437990 MiTM Proxy mode HTTPS Interception Weakens TLS Security.

Router

Bug ID Description
397087 VRIP cannot be reached on FG-51E when it is acting as VRRP master.
412336 Specific static route on vwl member interface should not be controlled by vwl status.
415366 WAN LLB with IP pools configured for two ISP connections.
424381 TCP sessions are stuck or time out randomly.
434026 SD-WAN health check does not remove route.

Security Fabric

Bug ID Description
385341 If there are multiple FortiAPs managed, GUI cannot display managed FortiAPs in FortiView > Physical Topology page.
403085 The session tab cannot be displayed on historical page when you drill down.
406561 Matching username is not highlighted in tooltip after topology search.
408495 An improper warning message may appear in the FortiAnalyzer log when changing the root FortiGate to a downstream FortiGate.
411479 The icon used to signify the source of logs when the time range is set to now is incorrect.
411645 Drilling down from a root FortiGate to a downstream FortiGate causes an error.
412104 The drill down for an aggregated device is not displayed as an individual device.
412249 Threats of a downstream FortiGate cannot be displayed on the root FortiGate.
412930 The Security Audit Event is not hidden on Security Fabric child nodes.
413189 The bubble chart with FortiAnalyzer view may not be drawn correctly.
413492 Security Fabric topology change can cause high CPU usage by miglogd on Security Fabric root.
413742 In Security Fabric topology, the red circle to indicate the root node of the Security Fabric should not be displayed on each child FortiGate.
413912 In Security Fabric topology, the upstream FortiGate can still be displayed when Security Fabric is disabled on a downstream FortiGate.
414147 In Security Fabric topology, the topology cannot be updated after changing the upstream port on a child FortiGate.
414301 Security Fabric topology is not displayed due to js error Cannot read property ‘VDOM’ of undefined.

SLBC

Bug ID Description
378207 authd process causes high CPU usage when only RSSO logging is configured.

Spam

Bug ID Description
398277 Application scanunit crashes with signal 6 received.
408971 Management Traffic is sent out via wrong interface in Virtual WAN Link.
410420 Spam emails are exempted if they are sent in one session.
416790 (no.x pattern matched) is not logged when bwl matches envelop MAIL FROM.
424443 Client behind FG-60E cannot get bounced mail when sending a spam mail to Hotmail /Outlook.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
380974 Possible root cause of SSL VPN failure with error:0B080074: ..X509_check_private_key:key values mismatch/ApacheSSLSetCertStuff.
396788 SSL VPN GUI is unable to keep SSO password information for user bookmark.
399784 URL modified incorrectly in a dropdown list in application server.
406028 Citrix with Xenapp 7.x not working via SSL VPN web portal.
408624 SSL VPN certificate UPN+LDAP authentication works only on first policy.
412850 SSL VPN portal redirect fails with a Javascript error.
413758 Auto-generated SSL interface do not associate with SSLVPN_TUNNEL_ADDR1 for a long name VDOM.
414074 Application with Jira 7.2 and higher does not display properly in SSL VPN web mode.
415543 Request ability to exclude certain services from being created via personal bookmark.
415746 SSO on SSL VPN HTTP bookmark uses OTP instead of password in Auth HTTP header field when user authenticates via TFA.
423415 Incorrectly resolved membership for group members using SSL VPN.
424561 SSL VPN web mode has trouble loading certain page in HTTP/HTTPS bookmark.
433779 RDP bookmark doesn’t work after upgrading to 5.6.
438004 A bookmark having access link to a web page does not work via SSL VPN web mode.

System

Bug ID Description
383126 FG-50E/FG-51E TP mode – STP BPDU forwarding destined to 01:80:c2:00:00:00 stops after warm/cold reboot.
396781 Interface policy cannot block traffic encapsulated in PPPoE.
403572 Fragmentation not working on VLAN with mtu-override on NP6.
410463 SNMP is not responding when queried on a loopback IP address with an asymmetric SNMP packet path.
412184 If you use port 4433 for the admin-port, admin-sport, you cannot access GUI anymore.
412244 Fortitoken Mobile push won’t work when VDOM is enabled.
413885 long-vdom-name global setting is disabled after exe factoryreset2.
413909, 404337 The diagnose hardware test system cpu, diagnose hardware test cpu model, and diagnose hardware test bios commands fail to produce a correct hardware report.

Affected models: FortiGate / FortiWiFi 30E, 50E, 51E, 52E, 60E, 61E, 80E, 81E, 100E, 100EF, 101E, and 140E series.

414242 Offload not supported on 200E aggregate interfaces.
414482 The pre-allocated size for interface cache and policy cache is not big enough.
415555 IPv6 ipv6-neighbor-cache configuration is lost after a reboot or flush command.
416950 NP6 stops process traffic through IPsec tunnel.
417644 When remote wildcard admin with Radius accprofile-override is enabled (super admin), restoring config fails on slave.
420150 NTPv3 with authentication enabled fails with error receive: authentication failed.
421813 With VDOM enabled, after restoring a VDOM, the members of a zone are removed.
422414 FG-90D + FG-100D modem port not responding.
422755 FG-60D removes session unexpectedly – memory_tension_drop increase even though memory usage is very low.
423039 After the upgrade from 5.4.4 to 5.6.0, FortiGate cannot receive public IP with Netgear Aircard 341U.
423375 Some configurations are missing in the output of show full-configuration.
424213 Cluster virtual MAC address is changed to physical port MAC address when ports are assigned on MGMT-VDOM.
434480 Admin user session does not time out.
434823 Firewall system halted when the sniffer is enabled in console.
436211 Kernel conserve mode due to memory leak.
436437 FortiGate cannot apply the FortiClient renew license from FortiGuard server.
437599 ICMP unreachable packet is blocked by transparent FortiGate.
438197 PPPoE connection is disrupted by HA failover/failback.
438944 BPDU frames are not changed in TP mode when one arm is connected to multiple VLANs.
439897 Virtual wire pair on asymmetric environment issue.
440041 DHCPv6 seems to fail when ip6-mode is DHCP – failed to assign link-local address.
Bug ID Description
414402 vmtoolsd continuously crashes.

User

Bug ID Description
378085 User authentication timeout max setting change.
410901 PKI peer CA search stops on first match based on CA subject name.
412487 RSSO Endpoint Storage limits the number of characters to 48.
421456 FortiGate cannot authenticate with Cisco ISE Radius and token.
434849 Guest UserEmail Template cut off when emailed to the recipient.
439760 User name is not visible in logs and on blocking page when using explicit proxy and Kerberos authentication.

VM

Bug ID Description
414811 Restore NIC offload capabilities on FortiGate KVM VM.
416783 FortiGate Image for ESXi loses interface information when reboot-upon-configrestore is disabled and a config is restored.
438174 Fortinet VM Product range device detection improved.

VoIP

Bug ID Description
423437 SIP ALG does not translate all MSRP SEND messages if more than one SEND message is contained within a single packet.

WebProxy

Bug ID Description
398405 WAD crashes without backtrace – WAF HTTP header matching problem.
406292 After update to 5.4.3 (B1111), WAD sometimes crashes.
415385 Explicit FTP proxy issue on zero file size transfers.
417491 WAD crashes when handling FTP over HTTP traffic.
421092 WAD consuming memory when explicit webproxy is used.
423077 WAD crashed after upgrading from 5.2.10 to 5.4.4 GA release.
423128 Unable to access www.ch.endress.com when deep inspection is enabled on explicitproxy policy.
424208 Expired certificates with valid issuers are treated as untrusted.
438759 TeamViewer not blocked with explicit proxy application control with SSL “deep inspection”.

WiFi

Bug ID Description
396580 Memory leak and crash reported for hostapd.
409110 Web page override login page loads slowly.
413214 Remote APs traffic not working.
413693 WPA_Enterprise with Radius Auth mode fails with a VDOM that has a long VDOM name.
417001 Explicit HTTP proxy drops HTTPS connections on WiFi rating failures.
420967 Proxy AV + Proxy WF + SSL Certificate Inspection (Inspect All Ports) results in HTTPS traffic bypassing WiFi.
423020 Regex value changes in the URL filter.
436354 Replace Message Group Web FilterBlock Override page not working.
438003 Part of APs failed to be managed by FortiGate because cw_acd crashed in CMCC portal authentication.

Common Vulnerabilities and Exposures

FortiOS 5.6.1 is no longer vulnerable to the following issues and CVE references. For more information, see https://fortiguard.com/psirt.

Bug ID Description
409913 CVE-2017-3130
414418 CVE-2017-3131, CVE-2017-3132, CVE-2017-3133
416322 CVE-2017-2636
416914 CVE-2016-10229
421539 CVE-2009-3555
422133 CVE-2009-3555
438599 FortiOS: SHA1-intermediate is not transferred to the browser after proxy DPI.
440744 FortiOS: Reflected XSS in the Web Proxy Disclaimer Response web page because the proxy URL was not sanitized.

 

Known Issues

The following issues have been identified in version 5.6.1. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.

Firewall

Bug ID Description
434959 NGFW policy with App Control policy blocks traffic.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.


Bug ID Description
404399 FortiLink goes down when connecting to FortiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
402507 In physical/logical topology, threat drill down fails and keeps GUI loading unexpectedly.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drilling down on an auth-failed WiFi client entry in “Failed Authentication” cannot display detail logs when CSF is enabled.
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
374247 GUI list may list another VDOM interface when editing a redundant interface.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.


Bug ID Description
403146 Slow GUI Policy tab with more than 600 policies.
412401 Incorrect throughput reading in GUI-System-HA page.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.

442231 Link cannot show different colors based on link usage legend in logical topology real time view.
Bug ID Description
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.

HA

Bug ID Description
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441078 The time duration of packet-transporting process stops to pre-master node after HA failover takes too long.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
436585 Issues with different hardware generation when operating in a HA cluster.

IPsec

Bug ID Description
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.

Proxy

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
409156 In Security Fabric Audit, The unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
439553 Virtual wire pair config missing after reboot.
440411 Monitor NP6 IPsec engine status.
440412 SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may arise when using the QCOW2 format, and existing HDA issues may also be encountered.

FortiOS 5.6 SSL VPN Troubleshooting

Troubleshooting

This section contains tips to help you with some common challenges of SSL VPNs.

  • Enter the following to display debug messages for SSL VPN:

diagnose debug application sslvpn -1

This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

  • Enter the following command to verify the debug configuration:

diagnose debug info
debug output: disable
console timestamp: disable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3

This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows what filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems.

  • Enter the following to enable displaying debug messages:

diagnose debug enable

To view the debug messages, log into the SSL VPN portal. The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

  • Enter the following to stop displaying debug messages:

diagnose debug disable

The following is a list of potential issues. The suggestions below are not exhaustive, and may not reflect your network topology.

There is no response from the SSL VPN URL.

  • Go to VPN > SSL-VPN Settings and check the SSL VPN port assignment. Also, verify that the SSL VPN policy is configured correctly.
  • Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>/remote/login

  • Ensure that you are using the correct port number in the URL.

FortiClient cannot connect.

Read the Release Notes to ensure that the version of FortiClient you are using is compatible with your version of FortiOS.

Tunnel-mode connection shuts down after a few seconds.

This issue can occur when there are multiple interfaces connected to the Internet (for example, a dual WAN). Upgrade to the latest firmware then use the following CLI command:

config vpn ssl settings
    set route-source-interface enable
end

When you attempt to connect using FortiClient or in Web mode, you are returned to the login page, or you receive the following error message: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12).”

  • Ensure that cookies are enabled in your browser.
  • If you are using a remote authentication server, ensure that the FortiGate is able to communicate with it.
  • Access to the web portal or tunnel will fail if Internet Explorer has the privacy Internet Options set to High. If set to High, Internet Explorer will block cookies that do not have a compact privacy policy, and that use personally identifiable information without your explicit consent.

You receive an error message stating: “Destination address of Split Tunneling policy is invalid.”

The SSL VPN security policy uses the ALL address as its destination. Change the address to that of the protected network instead.

The tunnel connects but there is no communication.

Go to Network > Static Routes and ensure that there is a static route to direct packets destined for the tunnel users to the SSL VPN interface.

You can connect remotely to the VPN tunnel but are unable to access the network resources.

Go to Policy & Objects > IPv4 Policy and examine the policy allowing VPN access to the local network. If the destination address is set to all, create a firewall address for the internal network. Change the destination address and attempt to connect remotely again.

Users are unable to download the SSL VPN plugin.

Go to VPN > SSL-VPN Portals to make sure that the option to Limit Users to One SSL-VPN Connection at a Time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.

Users are being assigned to the wrong IP range.

Ensure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts. If there is a conflict, the portal settings will be used.
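Before enabling SSL VPN debugging for the problems listed above, it is worth confirming the listener, the portal, the policies, the return route and the current sessions from the CLI, since most of the issues in the list come down to one of those. The sequence below is an added example and not part of the FortiOS manual; the commands are standard FortiOS CLI, the output quoted in comments is illustrative rather than captured from a unit, and the 10.212.134.0/24 pool is the one used in the setup examples later on this page.

```fortios
# Added example: pre-debug checks for the SSL VPN issues listed above.
# Output quoted in comments is illustrative, not captured from a unit.

# "No response from the SSL VPN URL": confirm the port, the listening
# interface and the authentication-rule that maps the group to a portal.
show vpn ssl settings

# "Wrong IP range" / "tunnel connects but no communication": which pool a
# portal hands out and whether split tunneling is on.
show vpn ssl web portal tunnel-access

# Policies that allow traffic from the tunnel interface; -f prints the
# whole policy block around each match instead of the matching line only.
show firewall policy | grep -f ssl.root

# The return route for the tunnel pool must point at ssl.root, e.g.
#   S  10.212.134.0/24 [10/0] is directly connected, ssl.root
get router info routing-table static

# Who is logged in and which tunnel address each session was given.
get vpn ssl monitor
diagnose vpn ssl list

# Only then capture one login with timestamps, and clear the debug filter
# afterwards so it does not keep consuming CPU on a production unit.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
# ... reproduce the login from the client ...
diagnose debug disable
diagnose debug reset
```

Running the checks first keeps the debug capture short: a missing static route or a policy whose destination is still "all" shows up in the first four commands without any debugging at all.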

Flow-based (vdom) AntiVirus profiles in SSL VPN web mode limitation

In a flow-mode VDOM, SSL VPN web mode does not apply antivirus scanning even when an av-profile is set on the policy, so no content is blocked (the AV profile does work for SSL VPN tunnel mode).

Sending tunnel statistics to FortiAnalyzer

By default, logged events include tunnel-up and tunnel-down status events. Other events, by default, will appear in the FortiAnalyzer report as “No Data Available”. More accurate results require logs with action=tunnelstats, which is used in generating reports on the FortiAnalyzer (rather than the tunnel-up and tunnel-down event logs). The FortiGate does not, by default, send tunnel-stats information.

To allow VPN tunnel-stats to be sent to FortiAnalyzer, configure the FortiGate unit as follows using the CLI:

config system settings
    set vpn-stats-log ipsec ssl
    set vpn-stats-period 300
end

FortiOS 5.6 SSL VPN Setup examples

Setup examples

The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration on page 17.

The following examples are included:

Secure Internet browsing

Split Tunnel

Multiple user groups with different access permissions

Client device certificate authentication with multiple groups

Secure Internet browsing

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic. Essentially, the remote user will connect to the corporate FortiGate unit to surf the Internet.

Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the Internet safely.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Disable Split Tunneling.
  3. For Source IP Pools select SSLVPN_TUNNEL_ADDR1.
  4. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

  1. Go to User & Device > User Definition and select Create New to add the user:
User Name twhite
Password password
  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add twhite to a group called SSL VPN:
Name SSL VPN
Type Firewall
  4. Move twhite to the Members list.
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New to add the static route.
Destination IP/Mask 10.212.134.0/255.255.255.0
Device ssl.root
  2. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Add an SSL VPN security policy as below:
Incoming Interface ssl.root
Outgoing Interface internal
Source Address all
Source User Group SSL VPN
Destination all
  3. Select OK.

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
Users/Groups Tunnel
Portal tunnel-access
  3. Select OK and Apply.

Results

Using the FortiClient SSLVPN application, access the VPN using the address https://172.20.120.136:443/ and log in as twhite. Once connected, you can browse the Internet.

From the FortiGate web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.

Split Tunnel

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.

The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user’s indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server

  1. Go to Policy & Objects > Addresses, select Create New, and add the head office server address:
Category Address
Name Head office server
Type Subnet
Subnet / IP Range 192.168.1.12
Interface Internal
  2. Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Enter the following:
Name Connect to head office server
Enable Tunnel Mode Enable
Enable Split Tunneling Enable
Routing Address Internal
Source IP Pools SSLVPN_TUNNEL_ADDR1
  3. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group.

  1. Go to User & Device > User Definition, select Create New and add the user:
User Name twhite
Password password
  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:
Name Tunnel
Type Firewall
  4. Move twhite to the Members list.
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New.
Destination IP/Mask 10.212.134.0/255.255.255.0
Device ssl.root
  2. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Complete the following:
Incoming Interface ssl.root
Source Address all
Source User(s) Tunnel
Outgoing Interface internal
Destination Address Head office server
  3. Select OK.
  4. Add a security policy that allows remote SSL VPN users to connect to the Internet.
  5. Select Create New.
  6. Complete the following and select OK:
Incoming Interface ssl.root
Source Address all
Source User(s) Tunnel
Outgoing Interface wan1
Destination Address all
Schedule always
Service ALL
Action ACCEPT

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
Users/Groups Tunnel
Portal tunnel-access
  3. Select OK and Apply.

Results

Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.

From the web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.

Multiple user groups with different access permissions

You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit. In this example configuration, there are two users:

  • User1 can access the servers on Subnet_1.
  • User2 can access the workstation PCs on Subnet_2.

You could easily add more users to either user group to provide them access to the user group’s assigned web portal.

General configuration steps

  1. Create firewall addresses for:
    • The destination networks.
    • Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
  2. Create two web portals.
  3. Create two user accounts, User1 and User2.
  4. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
  5. Create security policies:
    • Two SSL VPN security policies, one to each destination.
    • Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
  6. Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses

Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses

SSL VPN users in this example can access either Subnet_1 or Subnet_2.

To define destination addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
Name Subnet_1
Type Subnet
Subnet/IP Range 10.11.101.0/24
Interface port2
  3. Select Create New, enter the following information, and select OK:
Name Subnet_2
Type Subnet
Subnet/IP Range 10.11.201.0/24
Interface port3

Creating the tunnel client range addresses

To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.

To define tunnel client addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
Name Tunnel_group1
Type IP Range
Subnet/IP Range 10.11.254.1-10.11.254.50
Interface Any
  3. Select Create New, enter the following information, and select OK:
Name Tunnel_group2
Type IP Range
Subnet/IP Range 10.11.254.51-10.11.254.100
Interface Any

Creating the web portals

To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.

To create the portal1 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal1 in the Name field.
  3. In Source IP Pools, select Tunnel_group1.
  4. Select OK.

To create the portal2 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal2 in the Name field.
  3. In Source IP Pools, select Tunnel_group2.
  4. Select OK.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups

After enabling SSL VPN and creating the web portals that you need, create the user accounts and then the user groups that require SSL VPN access.

Go to User & Device > User Definition and create user1 and user2 with password authentication. After you create the users, create the SSL VPN user groups.

To create the user groups – web-based manager:

  1. Go to User & Device > User Groups.
  2. Select Create New and enter the following information:
Name Group1
Type Firewall
  3. From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
  4. Select OK.
  5. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies

You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses on page 59.

Two types of security policy are required:

  • An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
  • A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.

To create the SSL VPN security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and click OK:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address All
Source User(s) Group1
Outgoing Interface port2
Destination Address Subnet_1
Service All
  3. Select Create New.
  4. Enter the following information:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address All
Source User(s) Group2
Outgoing Interface port3
Destination Address Subnet_2
Service All
  5. Click OK.

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the first remote group:
Users/Groups Group1
Portal Portal1
  3. Select OK and Apply.
  4. Select Create New and add an authentication rule for the second remote group:
Users/Groups Group2
Portal Portal2
  5. Select OK and Apply.

To create the tunnel-mode security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address Tunnel_group1
Source User(s) Group1
Outgoing Interface port2
Destination Address Subnet_1
Service All
Action ACCEPT
Enable NAT Enable
  3. Select Create New.
  4. Enter the following information, and select OK:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address Tunnel_group2
Source User(s) Group2
Outgoing Interface port3
Destination Address Subnet_2
Service All
Action ACCEPT
Enable NAT Enable

Create the static route to tunnel mode clients

Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.

To add a route to SSL VPN tunnel mode clients – web-based manager:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK:
Destination IP/Mask 10.11.254.0/24
This IP address range covers both ranges that you assigned to SSL VPN tunnel-mode users. See Creating the tunnel client range addresses on page 60.
Device Select the SSL VPN virtual interface, ssl.root for example.
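The whole two-group configuration above as FortiOS CLI, added here as an example rather than taken from the manual. The address, user, group and portal names come from the procedure; the passwords are placeholders and the policy names are chosen here. Only the tunnel-mode policies are shown; the SSL VPN (web-mode) policies differ only in using "all" as the source address and not enabling NAT.

```fortios
# Added example: CLI form of the two-group setup. <...> values are
# placeholders; "edit 0" takes the next free ID.
config firewall address
    edit "Subnet_1"
        set subnet 10.11.101.0 255.255.255.0
        set associated-interface "port2"
    next
    edit "Subnet_2"
        set subnet 10.11.201.0 255.255.255.0
        set associated-interface "port3"
    next
    # two non-overlapping client ranges carved from one unused subnet
    edit "Tunnel_group1"
        set type iprange
        set start-ip 10.11.254.1
        set end-ip 10.11.254.50
    next
    edit "Tunnel_group2"
        set type iprange
        set start-ip 10.11.254.51
        set end-ip 10.11.254.100
    next
end
config user local
    edit "User1"
        set type password
        set passwd <User1-password>
    next
    edit "User2"
        set type password
        set passwd <User2-password>
    next
end
config user group
    edit "Group1"
        set member "User1"
    next
    edit "Group2"
        set member "User2"
    next
end
# each portal hands out addresses only from its own group's range
config vpn ssl web portal
    edit "portal1"
        set tunnel-mode enable
        set ip-pools "Tunnel_group1"
    next
    edit "portal2"
        set tunnel-mode enable
        set ip-pools "Tunnel_group2"
    next
end
# map each group to its portal
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Group1"
            set portal "portal1"
        next
        edit 2
            set groups "Group2"
            set portal "portal2"
        next
    end
end
# tunnel-mode policies: source is the group's own range, so the policy is
# matched by both the user's group and the address the portal gave it
config firewall policy
    edit 0
        set name "Group1-to-Subnet_1"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "Tunnel_group1"
        set dstaddr "Subnet_1"
        set groups "Group1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "Group2-to-Subnet_2"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "Tunnel_group2"
        set dstaddr "Subnet_2"
        set groups "Group2"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# one return route covers both client ranges
config router static
    edit 0
        set dst 10.11.254.0 255.255.255.0
        set device "ssl.root"
    next
end
```

The point of pairing the source address range with the group in each policy is that access is tied to both who authenticated and which portal handed out the address, rather than to the tunnel interface as a whole.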

Client device certificate authentication with multiple groups

In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate installed on their machine in order to authenticate to the VPN.

Employees (in a specific OU in AD) will be required to have a device certificate to connect, while vendors (in a separate OU in AD) will not be required to have a device certificate.

This can only be performed in the CLI console.

The authentication-rule option is available only in the CLI, as an advanced setting; it is not available in the GUI. So in VPN > SSL-VPN Settings, do not enable Require Client Certificate; instead, selectively enable client-cert in each authentication-rule through the CLI, based on your requirements.

Configuring SSL VPN shared settings and authentication rules – CLI:

The following example assumes that remote LDAP users/groups have been pre-configured.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Employees"
            set portal "full-access"
            set client-cert enable
        next
        edit 2
            set source-interface "wan1"
            set source-address "all"
            set groups "Vendors"
            set portal "full-access"
            set client-cert disable    <-- Set by default and will not be displayed.
        next
    end
end

Configure the remainder of the SSL VPN tunnel as normal (creating a firewall policy allowing SSL VPN access to the internal network, including the VPN groups, necessary security profiles, etc.).

If configured correctly, only the ‘Employees’ group should require a client certificate to authenticate to the VPN.

FortiOS 5.6 The SSL VPN web portal

The SSL VPN web portal

This chapter explains how to use and configure the web portal features. This chapter is written for end users as well as administrators.

The following topics are included:

Connecting to the FortiGate unit

Web portal overview

Portal configuration

Using the Bookmarks widget

Using the Quick Connection Tool

Using the SSL VPN virtual desktop

Using FortiClient

Connecting to the FortiGate unit

You can connect to the FortiGate unit using a web browser. The URL of the FortiGate interface may vary from one installation to the next. If required, ask your FortiGate administrator for the URL of the FortiGate unit, and obtain a user name and password. You can connect to the web portal using an Android phone, iPhone, or iPad. The FortiGate unit will display the content of the portal to fit the device’s screen.

In addition, if you will be using a personal or group security (X.509) certificate to connect to the FortiGate unit, your web browser may prompt you for the name of the certificate. Your FortiGate administrator can tell you which certificate to select.

To log into the secure FortiGate HTTP gateway

  1. Using the web browser on your computer, browse to the URL of the FortiGate unit (for example, https://<FortiGate_IP_address>:443/remote/login). The FortiGate unit may offer you a self-signed security certificate. If you are prompted to proceed, select Yes.

A second message may be displayed to inform you that the FortiGate certificate distinguished name differs from the original request. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. You can ignore the message.

  2. When you are prompted for your user name and password:
    • In the Name field, type your user name.
    • In the Password field, type your password.
  3. Select Login.

The FortiGate unit will redirect your web browser to the FortiGate SSL VPN web portal home page automatically.

Web portal overview

After logging in to the web portal, the remote user is presented with a web portal page similar to the following:

Portal (web portal page image not reproduced here)

Various widgets provide the web portal’s features:

  • Session Information displays the elapsed time since login and the volume of HTTP and HTTPS traffic, both inbound and outbound.
  • Quick Connection enables you to connect to network resources without using or creating a bookmark.
  • Download FortiClient provides access to the FortiClient tunnel application for various operating systems.
  • Bookmarks provides links to network resources. You can use the administrator-defined bookmarks and you can add your own bookmarks.

While using the web portal, you can select the Help button to get information to assist you in using the portal features. This information displays in a separate browser window.

When you have finished using the web portal, select the Logout button in the top right corner of the portal window.

Portal configuration

The SSL VPN web portal enables users to access network resources through a secure channel using a web browser. Fortinet administrators can configure login privileges for system users and which network resources are available to the users.

The portal configuration determines what the user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

There are three pre-defined default web portal configurations available:

  • full-access: Includes all widgets available to the user – Session Information, Tunnel Mode options, Connection Launcher, Remote Desktop, and Predefined Bookmarks
  • tunnel-access: Includes Session Information and Tunnel Mode
  • web-access: Includes Session Information and Predefined Bookmarks

You can also create your own web portal to meet your corporate requirements.

Portal page
Create New Creates a new web portal.
Edit Select a portal from the list to enable the Edit option, and modify the portal configuration.
Delete Removes a portal configuration. To remove multiple portals from the list, select the check box beside the portal names, then select Delete.
Name The name of the web portal.
Ref. Displays the number of times the object is referenced in other configurations on the FortiGate unit, such as security policies. To view the location of the referenced object, select the number in the Ref. column. To view more information about how the object is used, select one of:
  • View the list page for these objects – automatically redirects you to the list page where the object is referenced.
  • Edit this object – modifies settings within the particular configuration that references the object.
  • View the details for this object – similar to the log viewer table, contains information about what settings are configured within the particular configuration that references the object.

Portal settings

A web portal defines SSL VPN user access to network resources. The portal configuration determines what SSL VPN users see when they log in to the unit. Both the Fortinet administrator and the SSL VPN user have the ability to customize the web portal settings. Portal settings are configured in VPN > SSL-VPN Portals.

The following settings are available, allowing you to configure general and security console options for your web portal.

Portal

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time Select to allow each user only one concurrent SSL VPN login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.
Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.

Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient; none of the options is enabled by default.
  • Allow client to save password – When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
  • Allow client to connect automatically – When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
  • Allow client to keep connections alive – When enabled, if the user selects this option, FortiClient will try to reconnect once it detects that the VPN connection is down unexpectedly (not manually disconnected by the user).

Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.

Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file browser.

Predefined Bookmarks

Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, RDP, and VNC pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform Model
FortiGate 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C
FortiGate-Rugged 90D
FortiWiFi 92D

A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

Applications available in the web portal

Depending on the web portal configuration and user group settings, one or more of the following server applications are available to you through Predefined Bookmarks, as well as the Quick Connection widget:

  • Citrix makes use of SOCKS so that the Citrix client can connect to the SSL VPN port forward module to provide the connection.
  • FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.
  • HTTP/HTTPS accesses web pages.
  • Port Forward provides the middle ground between web mode and tunnel mode. When the SSL VPN receives data from a client application, the data is encrypted and sent to the FortiGate unit, which then forwards the traffic to the application server.
  • RDP (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.
  • SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host.
  • SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
  • TELNET (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
  • VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.

Some server applications may prompt you for a user name and password. You must have a user account created by the server administrator so that you can log in.

Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. The SSL VPN portal sends a client only the bookmark entries whose group name matches the user’s group. This can only be done via the CLI.

To add group-based SSL VPN bookmarks – CLI:

config vpn ssl web portal
    edit <portal-name>
        set user-group-bookmark [enable* | disable]
    next
end

config vpn ssl web user-group-bookmark
    edit <group-name>
        config bookmark
            edit <bookmark1>
                ....
            next
        end
    next
end

Using the Bookmarks widget

The Bookmarks widget shows both administrator-configured and user-configured bookmarks. Administrator bookmarks cannot be altered but you can add, edit or delete user bookmarks.

Bookmarks widget

The FortiGate unit forwards client requests to servers on the Internet or internal network. To use the web-portal applications, you add the URL, IP address, or name of the server application to the My Bookmarks list. For more information, see Adding bookmarks on page 48.

If you want to access a web server or telnet server without first adding a bookmark to the My Bookmarks list, use the Connection Tool instead. For more information, see Using the Bookmarks widget on page 47.

Adding bookmarks

You can add frequently used connections as bookmarks. Afterward, select any hyperlink from the Bookmarks list to initiate a session.

To add a bookmark

  1. In the web portal, select New Bookmark.
  2. Enter the following information:
Name Enter the name to display in the Bookmarks list.
Type Select the abbreviated name of the server application or network service from the drop-down list.
Location Enter the IP address or FQDN of the server application or network service.

For RDP connections, you can append some parameters to control screen size and keyboard layout. See Using the Bookmarks widget on page 47.

Description Optionally enter a short description. The description displays when you pause the mouse pointer over the hyperlink.
SSO Single Sign On (SSO) is available for HTTP/HTTPS bookmarks only.

Disabled — This is not an SSO bookmark.

Automatic — Use your SSL VPN credentials or an alternate set. See the SSO Credentials field.

Static — Supply credentials and other required information (such as an account number) to a web site that uses an HTML form for authentication. You provide a list of the form field names and the values to enter into them. This method does not work for sites that use HTTP authentication, in which the browser opens a pop-up dialog box requesting credentials.

SSO fields
SSO Credentials SSL VPN Login — Use your SSL VPN login credentials.

Alternative — Enter Username and Password below.

Username Alternative username. Available if SSO Credentials is Alternative.


Password Alternative password. Available if SSO Credentials is Alternative.
Static SSO fields These fields are available if SSO is Static.
Field Name Enter the field name, as it appears in the HTML form.
Value Enter the field value.

To use the values from SSO Credentials, enter %passwd% for password or %username% for username.

Add Add another Field Name / Value pair.
  3. Select OK and then select Done.
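As an added example (not a configuration taken from the FortiOS documentation), the following CLI fragment sets up a portal with the settings described in the portal table and the bookmark fields above: one concurrent login per user, split tunneling with a routing address, the FortiClient tunnel-mode options, group-based bookmarks, and a Static SSO web bookmark whose form fields use %username% and %passwd%. The portal name, address object, group name, URL and form-field names are assumed placeholders; SSLVPN_TUNNEL_ADDR1 is the default IP pool, and the keyword names follow the FortiOS 5.6 CLI as I know it, so check them against the CLI reference for your build.

```fortios
# Added example; placeholder names are marked in the comments
config vpn ssl web portal
    edit "corp-portal"
        # One active SSL VPN session per user (disabled by default)
        set limit-user-logins enable
        set tunnel-mode enable
        # Only traffic for the corporate subnet uses the tunnel;
        # "corp-lan" is an assumed firewall address object
        set split-tunneling enable
        set split-tunneling-routing-address "corp-lan"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        # FortiClient check boxes (all off by default); a saved
        # password is stored on the user's computer
        set save-password disable
        set auto-connect disable
        set keep-alive enable
        set web-mode enable
        # Send each client only the bookmarks of its matching group
        set user-group-bookmark enable
    next
end

config vpn ssl web user-group-bookmark
    # "finance-group" is an assumed user group name
    edit "finance-group"
        config bookmark
            edit "expenses-app"
                set apptype web
                set url "https://expenses.example.internal/login"
                # Static SSO: the portal fills the HTML form fields
                # with the user's SSL VPN credentials
                set sso static
                config form-data
                    edit "user"
                        set value "%username%"
                    next
                    edit "pass"
                        set value "%passwd%"
                    next
                end
            next
        end
    next
end
```

Static SSO only works for sites that authenticate with an HTML form; sites that use HTTP authentication (browser pop-up) need a different method, as the SSO field description above notes.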


Using the Quick Connection Tool

The Quick Connection Tool widget enables a user to connect to a resource when it isn’t a predefined bookmark.

You can connect to any type of server without adding a bookmark to the Bookmarks list. The fields in the Quick Connection Tool enable you to specify the type of server and the URL or IP address of the host computer.

See the following procedures:

  • To connect to a web server on page 50
  • To ping a host or server behind the FortiGate unit on page 50
  • To start a Telnet session on page 51
  • To start an FTP session on page 51
  • To start an SMB/CIFS session on page 51
  • To start an SSH session on page 52
  • To start an RDP session on page 52
  • To start a VNC session on page 52

Except for ping, these services require that you have an account on the server to which you connect.

When you use the Connection Tool, the FortiGate unit may offer you its self-signed security certificate. Select Yes to proceed. A second message may be displayed to inform you of a host name mismatch. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. Select Yes to proceed.

To connect to a web server

  1. In Type, select HTTP/HTTPS.
  2. In the Host field, type the URL of the web server.

For example: http://www.mywebexample.com or https://172.20.120.101

  3. Select Go.
  4. To end the session, close the browser window.

To ping a host or server behind the FortiGate unit

  1. In Type, select Ping.
  2. In the Host field, enter the IP address of the host or server that you want to reach. For example: 11.101.22
  3. Select Go.

A message stating whether the IP address can be reached or not is displayed.


To start a Telnet session

  1. In Type, select Telnet.
  2. In the Host field, type the IP address of the telnet host. For example: 11.101.12
  3. Select Go.

A Telnet window opens.

  4. Select Connect.
  5. A telnet session starts and you are prompted to log in to the remote host.

After you log in, you may enter any series of valid telnet commands at the system prompt.

  6. To end the session, select Disconnect (or type exit) and then close the TELNET connection window.

To start an FTP session

  1. In Type, select FTP.
  2. In the Host field, type the IP address of the FTP server. For example: 11.101.12
  3. Select Go.

A login window opens.

  4. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
  5. Manipulate the files in any of the following ways:
    • To download a file, select the file link in the Name column.
    • To access a subdirectory (Type is Folder), select the link in the Name column.
    • To create a subdirectory in the current directory, select New directory.
    • To delete a file or subdirectory from the current directory, select its Delete icon.
    • To rename a file in the current directory, select its Rename icon.
    • To upload a file to the current directory from your client computer, select Upload.
    • When the current directory is a subdirectory, you can select Up to access the parent directory.
  6. To end the FTP session, select Logout.

To start an SMB/CIFS session

  1. In Type, select SMB/CIFS.
  2. In the Host field, type the IP address of the SMB or CIFS server. For example: 11.101.12
  3. Select Go.
  4. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
  5. Manipulate the files in any of the following ways:
    • To download a file, select the file link in the Name column.
    • To access a subdirectory (Type is Folder), select the file link in the Name column.
    • To create a subdirectory in the current directory, select New Directory.
    • To delete a file or subdirectory from the current directory, select its Delete icon.
    • To rename a file, select its Rename icon.
    • To upload a file from your client computer to the current directory, select Upload.
    • When the current directory is a subdirectory, you can select Up to access the parent directory.
  6. To end the SMB/CIFS session, select Logout and then close the SMB/CIFS window.

To start an SSH session

  1. In Type, select SSH.
  2. In the Host field, type the IP address of the SSH host. For example: 11.101.12
  3. Select Go.

A login window opens.

  4. Select Connect.

An SSH session starts and you are prompted to log in to the remote host. You must have a user account to log in. After you log in, you may enter any series of valid commands at the system prompt.
  5. To end the session, select Disconnect (or type exit) and then close the SSH connection window.

To start an RDP session

  1. In Type, select RDP.
  2. In the Host field, type the IP address of the RDP host. For example: 11.101.12
  3. Optionally, you can specify additional options for RDP by adding them to the Host field following the host address. See Using the Quick Connection Tool on page 50 for information about the available options. For example, to use a French language keyboard layout you would add the -m parameter:

10.11.101.12 -m fr

  4. Select Go.

A login window opens.

  5. When you see a screen configuration dialog, click OK.

The screen configuration dialog does not appear if you specified the screen resolution with the host address.

  6. When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in.
  7. Select Login.

If you need to send Ctrl-Alt-Delete in your session, use Ctrl-Alt-End.

  8. To end the RDP session, log out of Windows or select Cancel from the Logon window.

To start a VNC session

  1. In Type, select VNC.
  2. In the Host field, type the IP address of the VNC host. For example: 11.101.12
  3. Select Go.

A login window opens.

  4. Type your user name and password when prompted to log in to the remote host. You must have a user account on the remote host to log in.
  5. Select OK.

If you need to send Ctrl-Alt-Delete in your session, press F8, then select Send Ctrl-Alt-Delete from the pop-up menu.

  6. To end the VNC session, close the VNC window.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform Model
FortiGate 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C
FortiGate-Rugged 90D
FortiWiFi 92D

Using the SSL VPN virtual desktop

The virtual desktop feature is available for Windows only. When you start an SSL VPN session, the virtual desktop replaces your normal desktop. When the virtual desktop exits, your regular desktop is restored. Virtual desktop information is encrypted so that no information from it remains available after your session ends.

To use the SSL VPN virtual desktop, simply log in to an SSL VPN that requires the use of the virtual desktop. Wait for the virtual desktop to initialize and replace your desktop with the SSL VPN desktop, which has a Fortinet SSL VPN logo as wallpaper. Your web browser will open to the web portal page.

You can use the virtual desktop just as you use your regular desktop, subject to the limitations that virtual desktop application control imposes. If it is enabled in the web portal virtual desktop settings, you can switch between the virtual desktop and your regular desktop. Right-click the SSL VPN Virtual Desktop icon in the taskbar and select Switch Desktop.

To see the web portal virtual desktop settings, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Virtual Desktop Option.

When you have finished working with the virtual desktop, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Exit. Select Yes to confirm. The virtual desktop closes and your regular desktop is restored.

Using FortiClient

Remote users can use FortiClient Endpoint Security to initiate an SSL VPN tunnel to connect to the internal network. FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit on port TCP 10443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. The FortiGate unit then establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

For information on configuring the FortiGate unit for SSL VPN connectivity, see Basic configuration on page 17.

For details on configuring FortiClient for SSL VPN connections, see the FortiClient documentation.