Category Archives: FortiOS 6.2

Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled

Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled

This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by a standalone FortiGate as switch controller via aggregate interface, where the FortiGate can provide redundant links to multiple distribution FortiSwitches.

Prerequisites:

  • The FortiGate model supports an aggregate interface. l FortiSwitch units have been upgraded to latest released software version.
  • Layer-3 path/route in the management VDOM is available to Internet so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global set switch-mgmt-mode fortilink

end

This operation will cleanup all of the configuration and reboot the system!

Do you want to continue? (y/n)y

Backing up local mode config before entering FortiLink mode….

If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.

config switch interface

edit “port1” set auto-discovery-fortilink enable

…… next

end

Create an aggregate interface and designate it as Fortilink interface on the FortiGate:

Using the CLI:

config system interface edit “aggr1” set vdom “vdom1” set fortilink enable set type aggregate set member “port11” “port12” set fortilink-split-interface enable

next

end

Using the GUI:

  1. Go to WiFi & Switch Controller> FortiLink Interface.
  2. In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches to create an aggregate interface.
  3. Enable FortiLink split interface.
  4. Configure other fields as necessary.
  5. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch edit “FSWSerialNum” set fsw-wan1-admin enable

…… next

end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum

Get managed-switch S248EPTF18001384 connection status:

Admin Status: Authorized

Connection: Connected

Image Version: S248EP-v6.2.0-build143,190107 (Interim)

Remote Address: 2.2.2.2

Join Time: Fri Jan 11 15:22:32 2019

interface status duplex     speed fortilink stacking      poe status

port1 up full 1000Mbps no no Delivering Power port2 down N/A 0 no no Searching

…… Using the GUI:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on FortiSwitch.

On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.

  1. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their real-time status such as link status, data statistics, etc.
  2. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch Security Policies.
    2. Configure the 1X security policies.
    3. Select Port-based or MAC-based mode and select Usergroups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller> FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384

Fortilink interface … OK aggr1 enabled

DHCP server … OK aggr1 enabled

NTP server … OK aggr1 enabled NTP server sync … OK synchronized: yes, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.113.70 — reachable(0x80) S:2 T:128 no data ipv4 server(ntp2.fortiguard.com) 208.91.113.71 — reachable(0x80) S:2 T:128 no data

ipv4 server(ntp2.fortiguard.com) 208.91.112.51 — reachable(0xff) S:2 T:66 selected server-version=4, stratum=2

reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019 clock offset is -0.320411 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 11495 msec

ipv4 server(ntp1.fortiguard.com) 208.91.112.50 — reachable(0xff) S:2 T:66 server-version=4, stratum=2

reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019 clock offset is -0.448087 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 12542 msec

HA mode … disabled

Fortilink

Status … SWITCH_AUTHORIZED_READY

Last keepalive … 1 seconds ago

CAPWAP

Remote Address: 2.2.2.2

Status … CONNECTED

Last keepalive … 26 seconds ago

PING 2.2.2.2 (2.2.2.2): 56 data bytes

64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms

64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms

64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms

64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms

64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms

— 2.2.2.2 ping statistics —

5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 1.1/6.3/13.9 ms

Multiple FortiSwitches managed via hardware/software switch

Multiple FortiSwitches managed via hardware/software switch

This example provides a recommended configuration of FortiLink where multiple FortiSwitches are managed by a standalone FortiGate as switch controller via hardware or software switch interface; such as when you need multiple distribution FortiSwitches but lack supporting aggregate on FortiGate.

Prerequisites:

  • The FortiGate model supports hardware or software switch interface. l FortiSwitch units have been upgraded to latest released software version.
  • Layer-3 path/route in the management VDOM is available to Internet so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global set switch-mgmt-mode fortilink

end

This operation will cleanup all of the configuration and reboot the system!

Do you want to continue? (y/n)y

Backing up local mode config before entering FortiLink mode….

If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.

config switch interface

edit “port1” set auto-discovery-fortilink enable

…… next

end

Create hardware or software switch interface and designate it as FortiLink interface on the FortiGate:

Create a hardware switch using the CLI:

config system virtual-switch edit “hardswitch1” set physical-switch “sw0” config port edit “port11” next edit “port12” next

end

next

end

Create a software switch using the CLI:

config system switch-interface edit “softswitch1” set vdom “vdom1” set member “port11” “port12”

next

end

Using the GUI:

  1. Go to WiFi & Switch Controller> FortiLink Interface.
  2. In Interface members, select an existing hardware/software switch interface (if there is one) or select one or more physical ports to create a hardware/software switch interface.
  3. Configure other fields as necessary.
  4. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch edit “FSWSerialNum” set fsw-wan1-admin enable

…… next

end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum

Get managed-switch S248EPTF18001384 connection status:

Admin Status: Authorized

Connection: Connected

Image Version: S248EP-v6.2.0-build143,190107 (Interim)

Remote Address: 2.2.2.2

Join Time: Fri Jan 11 15:22:32 2019

interface status duplex     speed fortilink stacking      poe status

port1 up full 1000Mbps no no Delivering Power port2 down N/A 0 no no Searching

…… Using the GUI:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on FortiSwitch.

On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.

  1. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their real-time status such as link status, data statistics, etc.
  2. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch Security Policies.
    2. Configure the 1X security policies.
    3. Select Port-based or MAC-based mode and select Usergroups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller> FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Bind FortiLink on hardware switch interface

Fortinet recommends binding FortiLink on the hardware switch interface. Since the hardware switch interface can leverage hardware chips to forward traffic, it does not consume CPU capacity, unlike a software switch.

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384

Fortilink interface … OK hardswitch1 enabled

DHCP server … OK hardswitch1 enabled

NTP server … OK hardswitch1 enabled NTP server sync … OK synchronized: yes, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.113.70 — reachable(0x80) S:2 T:128 no data ipv4 server(ntp2.fortiguard.com) 208.91.113.71 — reachable(0x80) S:2 T:128 no data ipv4 server(ntp2.fortiguard.com) 208.91.112.51 — reachable(0xff) S:2 T:66 selected server-version=4, stratum=2

reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019 clock offset is -0.320411 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 11495 msec

ipv4 server(ntp1.fortiguard.com) 208.91.112.50 — reachable(0xff) S:2 T:66 server-version=4, stratum=2

reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019 clock offset is -0.448087 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 12542 msec

HA mode … disabled

Fortilink

Status … SWITCH_AUTHORIZED_READY

Last keepalive … 1 seconds ago

CAPWAP

Remote Address: 2.2.2.2

Status … CONNECTED

Last keepalive … 26 seconds ago

PING 2.2.2.2 (2.2.2.2): 56 data bytes

64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms

64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms

64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms

64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms

64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms

— 2.2.2.2 ping statistics —

5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 1.1/6.3/13.9 ms

Standalone FortiGate as switch controller

Standalone FortiGate as switch controller

In this example, one FortiSwitch is managed by a standalone FortiGate. The FortiGate uses an aggregate interface to operate as a switch controller. This configuration might be used in branch office. It might also be used before increasing the number of connected FortiSwitch units and evolving to a multi-tier structure.

Prerequisites:

  • The FortiGate model supports an aggregate interface. l FortiSwitch units have been upgraded to latest released software version.
  • Layer-3 path/route in the management VDOM is available to Internet so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global set switch-mgmt-mode fortilink

end

This operation will cleanup all of the configuration and reboot the system!

Do you want to continue? (y/n)y

Backing up local mode config before entering FortiLink mode….

If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.

config switch interface

edit “port1” set auto-discovery-fortilink enable

…… next

end

Create an aggregate interface and designate it as Fortilink interface on the FortiGate:

Using the CLI:

config system interface edit “aggr1” set vdom “vdom1” set fortilink enable set type aggregate set member “port11” “port12”

next

end

Using the GUI:

  1. Go to WiFi & Switch Controller> FortiLink Interface.
  2. In Interface members, select an existing aggregate interface (if there is one) or select one or more physical ports to create an aggregate interface.
  3. Configure other fields as necessary.
  4. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch edit “FSWSerialNum” set fsw-wan1-admin enable

…… next

end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum

Get managed-switch S248EPTF18001384 connection status:

Admin Status: Authorized

Connection: Connected

Image Version: S248EP-v6.2.0-build143,190107 (Interim)

Remote Address: 2.2.2.2

Join Time: Fri Jan 11 15:22:32 2019

interface status duplex     speed fortilink stacking      poe status

port1 up full 1000Mbps no no Delivering Power port2 down N/A 0 no no Searching

…… Using the GUI:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on FortiSwitch.

On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.

  1. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their real-time status such as link status, data statistics, etc.
  2. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch Security Policies.
    2. Configure the 1X security policies.
    3. Select Port-based or MAC-based mode and select Usergroups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller> FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384

Fortilink interface … OK aggr1 enabled

DHCP server … OK aggr1 enabled

NTP server … OK aggr1 enabled NTP server sync … OK synchronized: yes, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.113.70 — reachable(0x80) S:2 T:128 no data ipv4 server(ntp2.fortiguard.com) 208.91.113.71 — reachable(0x80) S:2 T:128 no data ipv4 server(ntp2.fortiguard.com) 208.91.112.51 — reachable(0xff) S:2 T:66 selected server-version=4, stratum=2

reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019 clock offset is -0.320411 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 11495 msec

ipv4 server(ntp1.fortiguard.com) 208.91.112.50 — reachable(0xff) S:2 T:66 server-version=4, stratum=2

reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019 clock offset is -0.448087 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 12542 msec

HA mode … disabled

Fortilink

Status … SWITCH_AUTHORIZED_READY

Last keepalive … 1 seconds ago

CAPWAP

Remote Address: 2.2.2.2

Status … CONNECTED

Last keepalive … 26 seconds ago

PING 2.2.2.2 (2.2.2.2): 56 data bytes

64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms

64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms

64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms

64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms

64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms

— 2.2.2.2 ping statistics —

5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 1.1/6.3/13.9 ms

Switch Controller

Switch Controller

The Switch Controller function, also known as FortiLink, is used to remotely manage FortiSwitch unit. In the most common layer 2 scenario, the FortiGate that is acting as a switch controller is connected to distribution FortiSwitch units. The distribution FortiSwitch units are in the top tier of stacks of FortiSwitch units and connected downwards with Convergent or Access layer FortiSwitch units. To leverage CAPWAP and the Fortinet proprietary FortiLink protocol, data and control planes are established between the FortiGate and FortiSwitch units.

FortiLink allows administrators to create and manage different VLANs, and apply the full-fledged security functions of

FortiOS to them, such as 802.1X authentication and firewall policies. Most of the security control capabilities on the FortiGate are extended to the edge of the entire network, combining FortiGate, FortiSwitch, and FortiAP devices, and providing secure, seamless, and unified access control to users.

CAPWAP Offloading (NP6 only)

CAPWAP Offloading (NP6 only)

Simple Network Topology

NP6 offloading over CAPWAP traffic is supported by all the FortiGate high-level models and most middle-level models.

NP6 offloading over CAPWAP configuration

  1. NP6 session fast path requirements:

config system npu set capwap-offload enable end

  1. Enable the capwap-offload option in system npu

config firewall policy edit 1

set auto-asic-offload enable

next end

  1. NP6 offloading over CAPWAP traffic is supported:
    • only with traffic from Tunnel mode VAP. l dtls-policy is clear-text or ipsec-vpn in wireless-controller wtp-profile configuration.
    • Traffic is not offloaded when dtls-policy=dtls-enable l Traffic is not offloaded with fragment.

Verify the system session of NP6 offloading

  • check the system session, when dtls-policy=clear-text to verify npu info: flag=0x81/0x89, offload=8/8

FG1K2D3I16800192 (vdom1) # diag sys session list

session info: proto=6 proto_state=01 duration=21 expire=3591 tim

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper= reply-shaper= per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu f00

statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=5 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=57->37/37->57

gwy=172.16.200.44/10.65.1.2 hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(1 hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50 pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000c00

npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158

vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f total session 1

l check the system session, when dtls-policy=ipsec-vpn to verify npu info: flag=0x81/0x82, offload=8/8 FG1K2D3I16800192 (vdom1) # diag sys session list

session info: proto=6 proto_state=01 duration=7 expire=3592 time

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper= reply-shaper= per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/ state=log may_dirty npu f00

statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tupl tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=57->37/37->57

gwy=172.16.200.44/10.65.1.2 hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(1 hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50 pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000c00

npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158

vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f

total session 1

1+1 fast failover between FortiGate WiFi controllers

1+1 fast failover between FortiGate WiFi controllers

The following shows a simple network topology for this recipe. The primary and secondary FortiGates should reach the FortiAP at the physical level:

The following takes place in the event of a failover:

  1. The primary FortiGate syncs the wireless configuration to the secondary FortiGate.
  2. If the primary FortiGate fails, the secondary FortiGate takes over management of the FortiAP. The client can still connect with the SSID from the FortiAP and pass traffic.
  3. When the primary FortiGate is back online, it returns to managing the FortiAP.

In the CLI samples below, the primary FortiGate has an IP address of 10.43.1.80, while the secondary FortiGate has an IP address of 10.43.1.62.

To configure the primary FortiGate:

config wireless-controller inter-controller set inter-controller mode 1+1 set inter-controller key 123456 config inter-controller-peer edit 1 set peer-ip 10.43.1.62 set peer-priority secondary

next

end

To configure the secondary FortiGate:

config wireless-controller inter-controller set inter-controller mode 1+1 set inter-controller key 123456 set inter-controller-pri secondary config inter-controller-peer edit 1 set peer-ip 10.43.1.80

next

end

To run diagnose commands:

  1. On the primary FortiGate, run the diag wireless-controller wlac -c ha The output should resemble the following:

WC fast failover info cfg iter: 1 (age=17995, size=220729, fp=0x5477e28) dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930) dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848) mode: 1+1-ffo pri: primary

key csum: 0x9c99 max: 10 wait: 10 peer cnt: 1

FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

  1. On the secondary FortiGate, run the diag wireless-controller wlac -c ha The output should resemble the following: WC fast failover info mode: 1+1-ffo status: monitoring pri: secondary key csum: 0x9c99 max: 10 wait: 10 peer cnt: 1

FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

UTM security profile groups on FortiAP-S

UTM security profile groups on FortiAP-S

This guide provides instructions for simple configuration of security profile groups for FortiAP, including creating security profile groups and selecting profile groups for the SSID.

To configure UTM security profile groups on the FortiOS GUI:

  1. Create a security profile group:
    1. Go to WiFi & Switch Controller> Security Profile Groups, then click Create New.
    2. Enter the desired interface name. Configure logging as desired.
    3. Enable Antivirus, Web Filter, Application, IPS, or Botnet, then select the desired profile.
  2. Create a local bridge mode SSID and enable security profile groups:
    1. Go to WiFi & Switch Controller> SSID. Select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Bridge.
    3. In the SSID field, enter the desired SSID name. Configure security as desired.
    4. Enable Security Profile Group, then select the group created in step 1.
    5. Click OK.
  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C: Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
    1. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    2. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    3. Click OK.

To configure UTM security profile groups using the FortiOS CLI:

  1. Create a security profile group:

config wireless-controller utm-profile edit “wifi-UTM” set ips-sensor “default” set application-list “default” set antivirus-profile “default” set webfilter-profile “default” set scan-botnet-connections block

next

end

  1. Create a local bridge mode SSID and enable security profile groups:

config wireless-controller vap edit “wifi-vap” set ssid “SSID-UTM” set passphrase 12345678 set local-bridging enable set schedule “always” set utm-profile “wifi-UTM”

next

end

  1. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

WIFI Statistics – WiFi client monitor

Statistics

WiFi client monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

To view connected WiFi clients on the FortiGate unit, go to Monitor> WiFi Client Monitor. The following columns display:

Column   Description
SSID   SSID that the client connected to, such as the tunnel, bridge, or mesh.
FortiAP   Serial number of the FortiAP unit that the client connected to.
User   Username if using WPA enterprise authentication.
IP   IP address assigned to the wireless client.
Device   Wireless client device type.
Channel   FortiAP operation channel.
Auth   Authentication type used.
Channel   WiFi radio channel in use.
Column Description
Bandwidth Tx/Rx Client received and transmitted bandwidth in Kbps.
Signal Strength/Noise Signal-to-noise ratio in decibels calculated from signal strength and noise level.
Association Time How long the client has been connected to this AP.
Device OS Wireless device OS.
Manufacturer Wireless device manufacturer.
MIMO Wireless device MIMO information.

WiFi health monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

The Monitor> WiFi Health Monitor page displays the following charts: l Active Clients: Currently active clients on each FortiAP

  • AP Status: APs by status, sorted by those that have been up for over 24 hours, rebooted in the past 24 hours, and down/missing
  • Channel Utilization: Allow users to view 10-20 most and least utilized channels for each AP radio and a third histogram view showing utilization counts
  • Client Count: Shows client count overtime. Can view forthe past hour, day, or30 days.
  • Login Failures: Time, SSID, hostname, and username forfailed login attempts. The widget also displays the AP name and group of FortiAP units with failed login attempts.
  • Top Wireless Interference: Separate widgets for2.4 GHz and 5 GHz bands. This requires spectrum analysis to be enabled on the radios.

WiFi maps

WiFi maps allow you to place FortiAP units on a map, such as an office floor plan. This allows you to know where the FortiAPs are and get their operating statuses at a glance.

To configure WiFi maps on the FortiOS GUI:

  1. Create a WiFi map:
    1. In FortiOS, go to WiFi & Switch Controller> WiFi Maps.
    2. Click the Add Map
    3. Specify the desired map name.
    4. Upload the image file.
    5. If desired, enable the Image grayscale
    6. Set the Image opacity.
  2. Place the FortiAP units on the map:
    1. Unlock the map by clicking the lock icon in the top left corner.
    2. Click Unplaced AP(s) beside the lock icon. This displays a list of candidate APs.
    3. Drag and drop the candidate FortiAPs from the list to the map as desired.
    4. Once all desired FortiAPs have been placed on the map, lock the map.
  3. Hover the cursor over a FortiAP icon to view the operating data per FortiAP unit.
  4. To configure AP settings, click the FortiAP icon for that unit.
  5. You can show numerical operating data on the FortiAP icons such as the client count, channel, operating TX power, and channel utilization using the options in the dropdown list above the map.

To configure WiFi maps using the FortiOS CLI:

You can only upload the WiFi map image file using the FortiOS CLI.

config wireless-controller region edit <MAP_NAME> set grayscale enable|disable set opacity 100 <0-100>

next

end

config wireless-controller wtp edit <FAP_SN> set region <MAP_NAME set region-x “0.419911” <0-1> set region-y “0.349466” <0-1>

next

end

Fortinet Security Fabric

The following shows a simple network topology when using FortiAP as part of the Security Fabric:

The Security Fabric > Settings page on the root FortiGate lists all FortiAP devices on the CSF root and leaf.

The Security Fabric > Physical Topology view on the root FortiGate shows the devices in the Security Fabric and the devices they are connected to.

Wireless security

Enabling rogue AP scan

The guide provides simple configuration instructions for enabling ap-scan on FortiAP. The steps include creating a WIDS profile and selecting the WIDS profile on the managed FortiAP.

To enable rogue AP scan on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller> WIDS Profiles. Click Create New.
    2. Enable Enable Rogue AP Detection.
    3. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller> FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable rogue AP scan using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile edit “example-wids-profile” set ap-scan enable

next

end

  1. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile edit “example-FAP-profile” config platform set type <FAP-model-number>

end

set handoff-sta-thresh 55 set ap-country US config radio-1 set band 802.11n

set wids-profile “example-wids-profile” set vap-all disable

end config radio-2 set band 802.11ac set vap-all disable

end

next

end

Enabling rogue AP suppression

The guide provides simple configuration instructions for suppressing rogue APs on FortiAP. The steps include creating a WIDS profile and suppressing rogue APs.

To enable rogue AP suppression on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller> WIDS Profiles. Click Create New.
    2. For SensorMode, select Foreign and Home Channels.
    3. Enable Enable Rogue AP Detection.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP. The monitoring radio must be in Dedicated Monitor mode:
    1. Go to WiFi & Switch Controller> FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Select Dedicated Monitor on Radio 1 or Radio 2.
    4. Enable WIDS Profile. Select the profile created in step 1. Click OK.
  3. Suppress FortiAP:
    1. Go to Monitor> Rogue AP Monitor.
    2. Right-click the desired SSID, then select Mark as Rogue.
    3. Right-click the SSID again, then select Suppress AP.

To enable rogue AP scan using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile edit “example-wids-profile” set sensor-mode both set ap-scan enable

next

end

  1. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile edit “example-FAP-profile” config platform set type <FAP-model-number>

end config radio-1 set mode monitor

set wids-profile “example-wids-profile”

end

next

end

  1. Suppress FortiAP:

config wireless-controller ap-status edit 1 set bssid 90:6c:ac:da:a7:f1 set ssid “example-SSID” set status suppressed

next

end

Wireless Intrusion Detection System

The guide provides simple configuration instructions for enabling a Wireless Intrusion Detection System (WIDS) profile on FortiAP.

To enable a WIDS profile on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller> WIDS Profiles. Click Create New.
    2. In the Name field, enter the desired name.
    3. Under Intrusion Detection Settings, enable all intrusion types as desired.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller> FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable a WIDS profile using the FortiOS CLI:

config wireless-controller wtp-profile edit “example-FAP-profile”

config platform set type <FAP-model-number>

end

set handoff-sta-thresh 55 set ap-country US config radio-1 set band 802.11n

set wids-profile “example-wids-profile” set vap-all disable

end config radio-2 set band 802.11ac

set wids-profile “example-wids-profile” set vap-all disable

end

next

end