FortiSwitch Managed By FortiOS 6 – FortiLink mode over a layer-3 network

FortiLink mode over a layer-3 network

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

  • All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

 

To configure a FortiSwitch unit to operate in a layer-3 network:

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset
  2. Manually set the FortiSwitch unit to FortiLink mode:

config system global

set switch-mgmt-mode fortilink end

  1. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

To use DHCP discovery:

config switch-controller global

ac-discovery dhcp

dhcp-option-code <integer>

end end

To use static discovery:

config switch-controller global

ac-discovery static           config ac-list

id <integer>

set ipv4-address <IPv4_address>

next

end

end

  1. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface edit <port_number> set fortilink-l3-mode enable

end

end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

FortiSwitch Managed By FortiOS 6 – FortiLink configuration using the FortiGate CLI

FortiLink configuration using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

  1. Configure FortiLink on a physical port or configure FortiLink on a logical interface.
  2. Configure NTP.
  3. Authorize the managed FortiSwitch unit.
  4. Configure DHCP.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port 1 is configured as the FortiLink port.

  1. If required, remove port 1 from the lan interface:

config system virtual-switch edit lan config port delete port1

end

end

end

  1. Configure port 1 as the FortiLink interface:

config system interface edit port1 set auto-auth-extension-device enable set fortilink enable

end

end

  1. Configure an NTP server on port 1:

config system ntp set server-mode enable set interface port1 end

 

  1. Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370 set fsw-wan1-admin enable

end

end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Ensure that you configure autodiscovery on the FortiSwitch ports (unless it is auto-discovery by default).

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

  1. If required, remove the FortiLink ports from the lan interface:

config system virtual-switch edit lan config port delete port4 delete port5

end

end

end

  1. Create a trunk with the two ports that you connected to the switch:

config system interface edit flink1 (enter a name, 11 characters maximum) set allowaccess ping capwap https set vlanforward enable set type aggregate set member port4 port5 set lacp-mode static set fortilink enable

(optional) set fortilink-split-interface enable next

end

NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable fortilink-split-interface.

  1. Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370

set fsw-wan1-admin enable

end

end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports

Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports

Go to WiFi & Switch Controller> FortiSwitch Ports. Right-click any port and then enable or disable the following features:

  • DHCP blocking—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
  • IGMP snooping—IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
  • Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
  • Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
  • STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
  • STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

STP is enabled on all ports by default. Loop guard is disabled by default on all ports.

 

 

FortiSwitch Managed By FortiOS 6 – Connecting FortiLink ports

Connecting FortiLink ports

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.

In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.

You can chose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group, hardware switch, or software switch).

1. Enable the switch controller on the FortiGate unit

Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit with the FortiGate web-based manager or CLI to enable the switch controller. Depending on the FortiGate model and software release, this feature might be enabled by default.

Using the FortiGate GUI

  1. Go to System > Feature Visibility.
  2. Turn on the Switch Controller feature, which is in the Basic Features
  3. Select Apply.

The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

Use the following commands to enable the switch controller:

config system global set switch-controller enable

end

2. Connect the FortiSwitch unit and FortiGate unit

FortiSwitchOS 3.3.0 and later provides flexibility for FortiLink:

  • Use any switch port for FortiLink l Provides auto-discovery of the FortiLink ports on the FortiSwitch
  • Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)

Auto-discovery of the FortiSwitch ports

In FortiSwitchOS 3.3.0 and later releases, D-series FortiSwitch models support FortiLink auto-discovery, on automatic detection of the port connected to the FortiGate unit.

  1. Connect the FortiSwitch unit and FortiGate unit Connecting FortiLink ports

You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface edit <port>

set auto-discovery-fortilink enable

end

By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.

In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have autodiscovery enabled.

The following table lists the default auto-discovery ports for each switch model.

NOTE: Any port can be used for FortiLink if it is manually configured.

FortiSwitch Model Default Auto-FortiLink ports
FS-108D ports 9 and 10
FS-108D-POE ports 9 and 10
FSR-112D ports 9, 10, 11 and 12
FSR-112D-POE ports 5, 6, 7, 8, 9, 10, 11, and 12
FS-124D, FS-124D-POE ports 23, 24, 25, and 26
FS-224D-POE ports 21, 22, 23, and 24
FS-224D-FPOE ports 21, 22, 23, 24, 25, 26, 27, and 28
FS-248D, FS-248D-FPOE, FS-448D, FS448D-FPOE, FS-448D-POE ports 45, 46, 47, 48, 49, 50, 51, and 52
FS-248D-POE ports 47, 48, 49, and 50
FS-424D, FS-424D-POE, FS-424D-FPOE ports 23, 24, 25, and 26
FS-524D, FS-524D-FPOE ports 21, 22, 23, 24, 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE ports 45, 46, 47, 48, 49, 50, 51, 52, 53, and 54
FS-1024D, FS-1048D, FS-3032D all ports

Choosing the FortiGate ports

The FortiGate unit manages all of the switches through one active FortiLink. The FortiLink can consist of one port or multiple ports (for a LAG).

25

Connecting FortiLink ports                                                              2. Connect the FortiSwitch unit and               unit

As a general rule, FortiLink is supported on all ports that are not listed as HA ports.

 

configuration using the FortiGate GUI Summary of the procedure FortiLink configuration using the FortiGate GUI

This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Summary of the procedure

  1. On the FortiGate unit, configure the FortLink port or create a logical FortLink interface.
  2. Authorize the managed FortiSwitch unit.

Configure FortiLink as a single link

To configure the FortiLink port on the FortiGate unit:

  1. Go to Network > Interfaces.
  2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit it and remove the desired port from the Physical Interface Members.
  3. Edit the FortiLink port.
  4. Set Addressing mode to Dedicated to FortiSwitch.
  5. Configure the IP/Network Mask for your network.
  6. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
  7. Select OK.

Configure FortiLink as a logical interface

You can configure the FortiLink as a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate unit to the FortiSwitch unit. Ensure that you configure auto-discovery on the FortiSwitch ports (unless it is so by default).

  1. Go to Network > Interfaces.
  2. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface, and remove the desired ports from the Physical Interface Members.
  3. Select Create New > Interface.
  4. Enter a name for the interface (11 characters maximum).
  5. Set the Type to 3ad Aggregate, Hardware Switch, or Software Switch.
  6. Select the FortiGate ports for the logical interface.
  7. Set Addressing mode to Dedicated to FortiSwitch.
  8. Configure the IP/Network Mask for your network.
  9. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
  10. Select OK.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

You must enable the split interface on the FortiLink aggregate interface using the FortiGate CLI:

config system interface edit <name of the FortiLink interface> set fortilink-split-interface enable

end

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click Create New.
  3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
  4. Move the Authorized slider to the right.
  5. Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

configuration using the FortiGate GUI                                                             Managed FortiSwitch display

Managed FortiSwitch display

Go to WiFi & Switch Controller> Managed FortiSwitch to see all of the switches being managed by your FortiGate.

When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit the FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is compatible with the firmware running on the FortiGate unit.

From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.

 

 

Edit a managed FortiSwitch unit

To edit a managed FortiSwitch unit:

  1. Go to Wifi & Switch Controller> Managed FortiSwitch.
  2. Click on the FortiSwitch to and click Edit, right-click on a FortiSwitch unit and select Edit, or double-click on a FortiSwitch unit.

From the Edit Managed FortiSwitch form, you can:

  • Change the Name and Description of the FortiSwitch unit. l View the Status of the FortiSwitch unit.
  • Restart the FortiSwitch.
  • Authorize or deauthorize the FortiSwitch. l Update the firmware running on the switch.

Network interface display

On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.

Add link aggregation groups (Trunks)

To create a link aggregation group for FortiSwitch user ports:

  1. Go to WiFi & Switch Controller> FortiSwitch Ports.
  2. Click Create New > Trunk.
  3. In the New Trunk Group page, enter a Name for the trunk group.
  4. Select two or more physical ports to add to the trunk group.
  5. Select the Mode: Static, Passive LACP, or Active LACP.
  6. Click OK.

FortiLink configuration using the                Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed

 

FortiSwitch Managed By FortiOS 6 – Whatʼs new in FortiOS 6.0

Whatʼs new in FortiOS 6.0

The following list contains new features added in FortiOS 6.0. Click on a link to navigate to that section for further information.

l “Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)” on page 12 l “Sharing FortiSwitch ports between VDOMs (391878)” on page 13 l “sFlow support (450507)” on page 15 l “Restricting the type of frames allowed through IEEE 802.1Q ports (448505)” on page 17 l “Dynamic ARP inspection (DAI) support (462511)” on page 17 l “FortiSwitch port mirroring support (457122)” on page 17 l “Quarantining MAC addresses (459525)” on page 18 l “Banning IP addresses (459525)” on page 19 l “Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)” on page 19 l “Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)” on page 20 l “RADIUS accounting support (451023)” on page 20 l “FortiLink mode supported over a layer-3 network (457103)” on page 20 l “Limiting the number of parallel process for FortiSwitch configuration (457103)” on page 22 l “CLI changes for FortiLink mode (447349, 473773)” on page 22 l “Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)” on page 23 l “Network-assisted device detection (377467) ” on page 23

FortiOS 6.0

These features first appeared in FortiOS 6.0.

Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan edit <integer> set switch-controller-learning-limit <limit>

end end

For example:

config switch vlan edit 100 set switch-controller-learning-limit 20

end

end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config ports edit <port> set learning-limit <limit>

next

end

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port3 set learning-limit 50

next

end

end

end

Sharing FortiSwitch ports between VDOMs (391878)

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

  1. Create one or more VDOMs.
  2. Assign VLANs to each VDOM as required.
  3. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

config switch-controller global

set default-virtual-switch-vlan <VLAN>

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can

reassign the ports to other VLANs later.

  1. Create a virtual port pool (VPP) to contain the ports to be shared:

config switch-controller virtual-port-pool edit <VPP_name> description <string>

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

config switch-controller virtual-port-pool edit “pool3” description “pool for port3”

next

end

  1. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM or export the FortiSwitch port to a VPP where it can be used by any VDOM:

config switch-controller managed-switch edit <switch.id> config ports edit <port_name> set {export-to-pool <VPP_name> | export-to <VDOM_name>} set export-tags <string1,string2,string3,…>

next

end

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to-pool “pool3” set export-tags “Pool 3”

next

end

next

end

For example, if you want to export a port to the VDOM named vdom3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to “vdom3” set export-tags “VDOM 3” next

end

next

end

  1. Request a port in a VPP: execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

execute switch-controller virtual-port-pool request S524DF4K15000024h port3

  1. Return a port to a VPP: execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example: execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP: execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents: execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features: l LLDP

l 802.1x l STP l BPDU guard l Root guard l DHCP snooping l IGMP snooping l QoS

l Port security l MCLAG sFlow support (450507)

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample. l Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow collector-ip <x.x.x.x> collector-port <port_number>

end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch <FortiSwitch_serial_number> config ports edit <port_name> set sflow-sampler <disabled | enabled> set sflow-sample-rate <0-99999> set sflow-counter-interval <1-255>

next

next

end

For example:

config switch-controller sflow collector-ip 1.2.3.4 collector-port 10

end

config switch-controller managed-switch S524DF4K15000024 config ports edit port5 set sflow-sampler enabled set sflow-sample-rate 10 set sflow-counter-interval 60

next

next end

Restricting the type of frames allowed through IEEE 802.1Q ports (448505)

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch <SN> config ports edit <port_name> set discard-mode <none | all-tagged | all-untagged>

next

next

end

Dynamic ARP inspection (DAI) support (462511)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface edit vsw.test set switch-controller-arp-inpsection <enable | disable>

end

config switch-controller managed-switch edit <sn> config ports edit <VLAN_ID> arp-inspection-trust <untrusted | trusted>

next

end

next

end

Use the following CLI command to check DAI statistics for a FortiSwitch unit: diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>

FortiSwitch port mirroring support (457122)

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config mirror edit <mirror_name>

set status <active | inactive> set dst <port_name>

set switching-packet <enable | disable> set src-ingress <port_name> set src-egress <port_name>

next

end

next

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

config switch-controller managed-switch edit S524DF4K15000024 config mirror

edit 2

set status active set dst port1 set switching-packet enable set src-ingress port2 port3 set src-egress port4 port5

next

end

next

Quarantining MAC addresses (459525)

To create a permanent quarantine of specific MAC addresses, use the following CLI commands:

config user quarantine

set quarantine enable config targets edit <MAC_address>

set description <string>

set tags <tag1 tag2 tag3 …>

next

end

end

Option Description
MAC_address_1, MAC_ address_2 A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
string Optional. A description of the MAC address being quarantined.
tag1 tag2 tag3 … Optional. A list of arbitrary strings.

For example:

config user quarantine

set quarantine enable config targets edit 00:00:00:aa:bb:cc set description “infected by virus” set tags “quarantined”

next

end

end

Previously, this feature used the config switch-controller quarantine CLI command.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

Banning IP addresses (459525)

To temporarily ban an IP address, use the following CLI command: diagnose user ban add src4 <IPv4_address>

Previously, this feature used the diagnose user quarantine CLI command.

Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)

You can now synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number> execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM: execute switch-controller get-sync-status all

For example:

FG100D3G14813513 (root) # execute switch-controller get-sync-status all Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port5

SWITCH (NAME)                               STATUS CONFIG             MAC-SYNC          UPGRADE

FS1D243Z14000173 Up Idle Idle Idle S124DP3X16006228 (Desktop-Switch) Up Idle Idle Idle

Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global set https-image-push enable

end

RADIUS accounting support (451023)

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START—The FortiSwitch has been successfully authenticated, and the session has started.
  • STOP—The FortiSwitch session has ended.
  • INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command. l ON—FortiSwitch will send this message when the switch is turned on. l OFF—FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius edit <RADIUS_server_name> set acct-interim-interval <seconds> config accounting-server edit <entry_ID> set status {enable | disable} set server <server_IP_address> set secret <secret_key> set port <port_number>

next

end

next

end

FortiLink mode supported over a layer-3 network (457103)

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

  • All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

To configure a FortiSwitch unit to operate in a layer-3 network:

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset
  2. Manually set the FortiSwitch unit to FortiLink mode:

config system global

set switch-mgmt-mode fortilink end

  1. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

To use DHCP discovery:

config switch-controller global

ac-discovery dhcp

dhcp-option-code <integer>

end end

To use static discovery:

config switch-controller global

ac-discovery static           config ac-list

id <integer>

set ipv4-address <IPv4_address>

next

end

end

  1. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface edit <port_number> set fortilink-l3-mode enable

end

end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

Limiting the number of parallel process for FortiSwitch configuration (457103)

Use the following CLI commands to reduce the number of parallel process that the switch controller uses for configuring FortiSwitch units: config global config switch-controller system set parallel-process-override enable set parallel-process <1-300>

end

end

CLI changes for FortiLink mode (447349, 473773)

There are changes to the execute switch-controller get-physical-connection, execute switch-controller get-conn-status, and diagnose switch-controller dump networkupgrade status CLI commands.

  • The execute switch-controller get-physical-connection CLI command has new parameters:

Use the execute switch-controller get-physical-connection standard command to get the FortiSwitch stack connectivity graph in the standard output format.

Use the execute switch-controller get-physical-connection dot command to get the

FortiSwitch stack connectivity graph in a .dot (Graphviz) output format.

  • The execute switch-controller get-conn-status CLI command output now includes virtual

FortiSwitch units. Virtual FortiSwitch units are indicated by an asterisk (*) after the switch identifier. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2      
SWITCH-ID            VERSION STATUS ADDRESS JOIN-TIME NAME
S108DV2EJZDAC42F     v3.6.0 Authorized/Up 169.254.2.4 Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07     v3.6.0 Authorized/Up 169.254.2.5 Thu Feb 8 17:08:37 2018
S108DVBWVLH4QGEB     v3.6.0 Authorized/Up 169.254.2.6 Thu Feb 8 17:09:13 2018
S108DVCY19SA0CD8     v3.6.0 Authorized/Up 169.254.2.2 Thu Feb 8 17:04:41 2018
S108DVD98KMQGC44* v3.6.0 Authorized/Up 169.254.2.7 Thu Feb 8 17:10:50 2018
S108DVGGBJLQQO48* v3.6.0 Authorized/Up 169.254.2.3 Thu Feb 8 17:06:57 2018
S108DVKM5T2QEA92     v3.6.0 Authorized/Up 169.254.2.8 Thu Feb 8 17:11:00 2018
S108DVZX3VTAOO45     v3.6.0 Authorized/Up 169.254.2.9 Thu Feb 8 17:11:00 2018
Managed-Switches: 8 UP: 8 DOWN: 0      
  • The diagnose switch-controller dump network-upgrade status CLI command output now

includes the location of the image that is loaded when the FortiSwitch unit is restarted. If the Next boot column is blank, the FortiSwitch unit uses the same location each it is restarted. The status column shows the percentage downloaded, the percentage erased in flash memory, and the percentage written to flash memory.

For example:

diagnose switch-controller dump network-upgrade status

Running                                       Status       Next boot

__________________ ________________________________________ _________ ___________________________ VDOM : root

S108DVCY19SA0CD8 S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0) S108DV-v3.7.0build4277,171207 (Interim)

S108DV2EJZDAC42F S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0)

Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade.

The Upgrade FortiSwitches page opens.

  1. Select FortiGuard or select Upload and then select the firmware file to upload.

You can select only one firmware image to use to upgrade the selected FortiSwitch units. If the FortiSwitch unit already has the latest firmware image, it will not be upgraded.

  1. Select Upgrade.

Network-assisted device detection (377467)

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings set network-monitoring enable end

 

Connecting FortiLink ports                                                            1. Enable the switch controller on the               unit

FortiSwitch Managed By FortiOS 6 – Introduction

Supported models

Introduction

NOTE: FortiLink is not supported in Transparent mode.

The maximum number of supported FortiSwitch units depends on the FortiGate model:

 

FortiGate Model Range
 

Number of FortiSwitch Units Supported

Up to FortiGate-98 and FortiGate-VM01                                8

FortiGate-100 to 280 and FortiGate-VM02                             24

FortiGate-300 to 5xx                                                           48

FortiGate-600 to 900 and FortiGate-VM04                             64

FortiGate-1000 and up                                                        128

FortiGate-3xxx and up and FortiGate-VM08 and up                300

Supported models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases. For example, the FGT-500E model with FortiOS 5.6.3 and later supports all FortiSwitch D-series and E-series models running FortiSwitchOS 3.6.0 and later.

Each row includes support for earlier FortiGate models. For example, the FGT-500E row includes support by the FortiGate models in the rows above it.

    FortiSwitch Models
FortiGate and FortiWiFi Models Earliest FortiOS
FGT-90D 5.2.2 FS-224D-POE

Supported models

 
FortiGate and FortiWiFi Models Earliest FortiOS FortiSwitch Models
FGT-60D

FGT-100D, 140D, 140D-POE, 140D-T1

FGT-200D, 240D, 280D, 280D-POE

FGT-600C

FGT-800C

FGT-1000C, 1200D, 1500D

FGT-3700D, FGT-3700DX

5.2.3 FSR-112D-POE

FS-108D-POE

FS-124D (POE)

FS-224D-POE and FPOE

5.4.0 All FortiSwitch D-series models.

FortiSwitchOS 3.3.x or 3.4.0 is recommended.

FGT and FWF-30D, 30D-POE, 30E

FGT and FWF-50E, 51E

FGR-60D

FGT-70D, 70D-POE

FGT-80D

FGR-90D

FGT and FWF-92D

FGT-94D-POE, 98D-POE

FGT-300D

FGT-400D

FGT-500D

FGT-600D

FGT-900D

FGT-1000D

FGT-3000D, 3100D, 3200D, 3240C, 3600C,

3810D, 3815D

FGT_VM, VM64, VM64-AWS, VM64AWSONDEMAND, VM64-HV, VM64-KVM, VMVMX, VM64-XEN

5.4.1 All FortiSwitch D-series models.

FortiSwitchOS 3.4.2 or later is required for all managed switches.

FGT and FWF- 60E, 61E FGT-100E, 101E 5.4.2 All FortiSwitch D-series models.

FortiSwitchOS 3.4.2 or later is required for all managed switches.

FGT-80E, 80E-POE, 81E, 81E-POE FGT-100EF 5.4.3 All FortiSwitch D-series models.

FortiSwitchOS 3.4.2 or later is required for all managed switches.

FGT-90E, 91E

FGT-200E, 201E

FGT-2000E, 2500E

5.6.0 All FortiSwitch D-series models.

FortiSwitchOS 3.5.4 or later is required for all managed switches.

Support of FortiLink features

    FortiSwitch Models
FortiGate and FortiWiFi Models Earliest FortiOS
FGT-500E 5.6.3 All FortiSwitch D-series and E-series models.

FortiSwitchOS 3.6.0 or later is required for all managed switches.

Support of FortiLink features

The following table lists the FortiSwitch models supported by FortiLink features.

FortiLink Features FortiSwitch Models
Centralized VLAN Configuration D-series, E-series
Switch POE Control D-series, E-series
Link Aggregation Configuration D-series, E-series
Spanning Tree Protocol (STP) D-series, E-series
LLDP/MED D-series, E-series
IGMP Snooping Not supported on 112D-POE, 1xxE-Series
802.1x Authentication (Port-based, MAC-based, MAB) D-series, E-series
Syslog Collection D-series, E-series
DHCP Snooping Not supported on 1xxE-Series
Device Detection D-series, E-series
Support FortiLink FortiGate in HA Cluster D-series, E-series
LAG support for FortiLink Connection D-series, E-series
Active-Active Split MLAG from FortiGate to FortiSwitch units for Advanced Redundancy Not supported on FS-1xx Series
sFlow Not supported on 1xxE-Series
Dynamic ARP Inspection (DAI) Not supported on 1xxE-Series
Port Mirroring D-series, E-series

Before you begin

FortiLink Features FortiSwitch Models
RADIUS Accounting Support Not supported on 1xxE-Series
Centralized Configuration D-series, E-series
Access VLAN Not supported on 1xxE-Series, 112D-POE
STP BDPU Guard, Root Guard, Edge Port D-series, E-series
Loop Guard D-series, E-series
Switch admin Password D-series, E-series
Storm Control D-series, E-series
802.1x-Authenticated Dynamic VLAN Assignment D-series, E-series
Host Quarantine on Switch Port Not supported on 1xxE Series, 112D-POE
QoS Not supported on 1xxE-Series, 112D-POE
Centralized Firmware Management D-series, E-series

Before you begin

Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of this manual:

  • You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and you have administrative access to the FortiSwitch web-based manager and CLI.
  • You have installed a FortiGate unit on your network and have administrative access to the FortiGate web-based manager and CLI.

How this guide is organized

This guide contains the following sections:

  • Whatʼs new in FortiOS 6.0 describes the new features for this release. l Connecting FortiLink ports describes how to connect FortiSwitch ports to FortiGate ports. l FortiLink configuration using the FortiGate GUI describes how to use the FortiGate GUI for FortiLink configuration. l FortiLink configuration using the FortiGate CLI describes how to use the FortiGate CLI for FortiLink configuration. l Network topologies for managed FortiSwitch units describes the configuration for various network topologies.
  • Optional setup tasks describes other setup tasks that are optional. l FortiSwitch features configuration describes how to configure managed FortiSwitch features, including VLANs. l FortiSwitch port features describe how to configure ports and PoE from the FortiGate unit.

 

FortiWLC Configuring FortiPresence API

Configuring FortiPresence API

The FortiPresence API extends the wireless retail analytics solution to retailers who can use data from the analytics report to understand customer behavior, for example when they arrive, length of stay or come into the store, how long they stay, and if they are a new or repeat customer.

How it Works

When the location server feature is enabled on the controller, all 11ac APs send STA reports of STA/AP in their discovered list and STA in the assigned list at configured time intervals.

The controller forwards the STA reports to the data analytics server which then analyses the data and provides user-friendly information to the user.

Configuring the Controller

The location-server feature can be enabled on the controller using the following commands. There are two report formats – Legacy and FortiPresence. The standard FortiPresence feed should be used by 3rd party partners. The information needed below can be obtained when you purchase a FortiPresence license for this feature.

  1. Specify the location server IP address.

(config)# location-server ip-address 1.1.1.1

  1. Specify the location server port. The port is the port used for communication between the controller and the location server

(config)# location-server port 300

  1. Specify the project name. The project-name indicates to which customer project the packets belong. Maximum of 16 ASCII characters can be used

(config)# location-server project-name FortiStore

Configuring FortiPresence API

  1. Specify password. The secret (password) is a shared secret to sign each packet to in order to validate its authenticity and integrity. Maximum of 16 ASCII characters can be used.

(config)# location-server secret fortisecret

  1. Specify the report format. The standard FortiPresence feed should be used. Maximum of

16 ASCII characters can be used

(config)# location-server report-format forti-presence

  1. Specify report interval at which the reports are queried. The Location Report Interval (in Seconds). The default is 5 seconds.

(config)# location-server report interval 30

  1. Specify the location server source.

(config)# location-server source wifi

To view the configured details, use the show location- server command.

#show location‐server Location Server Configuration

ReportFormat                          : forti‐presence

Project Name                          : FortiStore

Enable/Disable Location Server        : enable

Secret                                : *****

Location Server Source                : wifi

Location Server IP Address            : 1.1.1.1

Location Server Port                  : 300

Location Report Interval (in Seconds) : 30

The output indicates that all APs should send station-locate reports every 30 seconds and the controller forwards it to the server 1:1:1:1 configured on UDP port 300

The update frequency specifies the frequency at which the updates are sent for a client and is measured in seconds. The default is 5 seconds.The client devices will be spread out across the 5 seconds based on MAC address. There will be an update every 5 seconds for each cli-

Configuring FortiPresence API

ent. Increasing the frequency can have a negative impact on location data in congested wireless networks.

FortiWLC AeroScout

Using Location Feed

Figure 8: AeroScout Network Diagram

In addition to Fortinet standard Wi-Fi infrastructure, AeroScout Location Receivers and Exciters can be deployed for time-different of arrival (TDOA) locationing and choke points respectively.

Configuring AeroScout

Tracking tags is done from the AeroScout product using a Forti WLC and APs. To configure a Forti WLC to work with AeroScout, use the command aeroscout enable as shown here:

 

controller(config)# aeroscout ?

disable                (10) Disabling AeroScout Feature. enable                 (10) Enabling AeroScout Feature. ip‐address             (10) The Aeroscout engine IP address. port                   (10) The Aeroscout engine port. controller(config)#

Location Accuracy

Since RSSI values are the basis of the location calculation, the access point must match its channel with the tag’s transmission channel, and drop tag messages that were transmitted on a channel other than that of the access point. The matching is implemented because tag reports contain the transmission channel in each message.

For this reason, the combination of AeroScout’s solution architecture with Fortinet’s Virtual Cell deployments and Air Traffic ControlTM technology provide a more accurate location for tags. In other words, Fortinet’s APs can all be deployed in a single channel with a virtualized BSSID, thereby providing more reference points for the tag messages and a more accurate location.

For the location of a tag to be calculated accurately, at least three access points need to report the Wi-Fi message transmitted by the tag. A message received and reported by less than three APs provides only a very general location which, in most cases, is the location of the AP closest to the tag. To see the tag locations, use AeroScout. Tags do not show up when you use the Fortinet CLI command show discovered-station or anywhere else from the Fortinet CLI.

It is important to place APs closer to the perimeter of the space that will tag and track assets, filling in coverage holes in the center of the coverage area. It is better to surround the tracking area. Aside from this, use standard Fortinet Networks deployment guidelines in placing the APs and distancing them from one another. In other words, plan for coverage and optimal data rates. When AeroScout Exciters are used for choke-point location, one AP receiving the Tag message is enough to deliver an accurate location report.

Tag Protocol Implementation

The Tag protocol operates between access points and the AeroScout engine. The Fortinet AeroScout implementation supports tag (but not laptop) messages transmitted in either in IBSS (default) or WDS frame format, although Fortinet APs receive and process tag frames only in IBSS format.

Once the Forti WLC and access points are upgraded to the current version, the tag protocol is enabled automatically. No additional configuration steps are necessary. Management of the AeroScout Tags, Engine, and MobileView application are managed through the AeroScout platform. Figure 9 on page 81 shows the operation and messages used in the Tag protocol:

Figure 9: AeroScout Tag Protocol Messages

AeroScout Tag                    AP                            Controller                         AeroScout Engine

AeroScout and Rogue Detection

If an AP interface is in dedicated scanning mode with Rogue AP enabled, tags are not forwarded for any channels. If an AP interface is in normal mode with Rogue AP enabled, tags are forwarded on the home channel only. Tags on foreign channels are not forwarded.

AeroScout Syslog Error Messages
Error Condition Severity Message
Cannot create a ATS AeroScout Manager mailbox critical AeroScoutMgr mailbox creation failed
Cannot set AeroScout mode in the driver critical Cannot set AeroScout mode to enable/disable
Invalid AE messages warning Unknown Message Code[0xXX]
    Data length error. rcvdLength[%d], expect at least [%d]
Messages from unknown or unsupported mailboxes miscellaneous Msg from Unknown MailboxId[xx]
Cannot allocate a mailbox buffer to send a controller message warning AllocBuf failed reqID[0xXXXX]
IOCTL to the AeroScout kernel module failed warning reqID[0xXXXX] IOCTL[xx] to AeroScout kernel module failed
Cannot get wireless channel config information warning Could not get wireless interface config for interface[xx]
AeroScout Mobile Unit

AeroScout offers Wi-Fi-based solutions for Real Time Location Service (RTLS). The following devices support AeroScout tag based location management:

  • AP400 AP822
  • AP832
  • FAP-U421EV
  • FAP-U423EV
  • AP1000

The AeroScout Mobile Unit architecture is displayed in Figure 10 on page 83. The following is the high-level process that occurs in the implementation:

  • Wi-Fi mobile units send wireless frames to one or more APs.
  • The AP sends reports for each Wi-Fi mobile unit (by using a dilution mechanism to control traffic between AP and Engine) to the AeroScout Engine.
  • The AeroScout Engine determines the coordinates and sends it to AeroScout MobileView.
  • The AeroScout Mobile View uses location data to display maps, enable searches, create alerts, manage assets, work with third-parties, and much more.

Figure 10: Aeroscout Mobile Unit

Wi-Fi Mobile Units (MUs) can be located, if associated to some access point, or while transmitting broadcast or unicast messages. The messages transmitted by Wi-Fi Mobile Units are received by Access Points and are passed along with additional information (e.g., signal strength measurements) to the AeroScout Engine, which is a core component of the AeroScout visibility system. The AeroScout Engine also calculates an accurate location of the WiFi device. In order to locate the Mobile Units, Access Points that receive their messages must pass the RSSI values of each message to the AeroScout Engine. The access points must also be able to collect data messages from MUs that are not associated with them and pass the RSSI values to the AeroScout Engine.

Reporting Tags and/or Wi-Fi mobile units must not affect the normal operation of the AP—that is, the AP must be performing in all its supported modes, such as normal 802.11a/b/g communication, monitoring, bridge modes, etc. Due to the high MU traffic, it is possible to dilute the MU messages that are sent to AeroScout Engine.

Configuring AeroScout

Tracking tags is preformed from the AeroScout product using a Forti WLC and APs. To configure a Forti WLC to work with AeroScout, use the command aeroscout enable, as shown below:

default# sh aeroscout

Aeroscout Parameters

Enable/Disable              : enable

Aeroscout Engine IP Address : 0.0.0.0 Aeroscout Engine Port       : 12092 default#

Configure AeroScout Mobile Unit from AeroScout Engine

Follow the steps below to configure an AeroScout Mobile Unit from the AeroScout Engine:

  1. Enable Aeroscout on the controller.
  2. Open the Aeroscout Engine.
  3. Load the Floor Map on the Engine.
  4. Add the APs on the Aeroscout Engine.
  5. In the Configuration->System Parameters->Access Points, check the “Enable mobile-unit location with access Points” checkbox.
  6. To start the Mobile Unit Positioning option on the AeroScout engine, select ‘Start MU positioning’ from the Actions menu.
AeroScout Compounded Report

For better performance, several MU reports can be combined within a fixed pre-defined period in Compounded Reports. Fortinet’s system combines a maximum of 18 MU reports in one Compounded Report. The number of Mobile Unit reports inside the Compounded Report varies as per the Compounded Message Timeout configured on the Aeroscout Integration Tool. The ‘Compounded Message timeout’ is configured on the Aeroscout Integration tool under ‘Set Configuration’.

Dilution Timeout

In certain scenarios, the Mobile Unit traffic may be high, and the time resolution needed for location is much lower than the data rate of most Mobile Units. If every AP starts reporting every Wi-Fi frame to the Aeroscout Engine, it will create unnecessary data overhead on the network, and provide a real-time location in a level much higher than required.

To help the AP dilute messages from each Mobile Unit, the Aeroscout protocol provides the following two parameters:

  • Dilution Factor
  • Dilution Timeout

Fortinet Mobile Unit reporting supports and implements only Dilution Timeout. The Dilution Timeout allows to set a limitation for the amount of time with no Mobile Unit messages from a specific Mobile Unit.

For Example: If the Dilution Timeout value is set to 60 seconds and, if the AP receives a message from an MU for which it has not reported a message to the AE for more than 60 seconds, the new message will be reported to the AE immediately regardless of the dilution factor and the dilution counter will be initialized. Commands broadcast by an MU (e.g. Probe Requests) are required to be forwarded to the AE regardless of the dilution parameters.

The Dilution Timeout can be configured on the Aeroscout Engine as follows Configuration->system parameters->Access Points->Dilution Time out.

Generic AP Notification

Generic AP notifications are autonomous messages sent to the Aeroscout Integration tool on port 12092 to report the AP connectivity state (AP comes online, offline, Aersocout parameter configuration changes).The Aeroscout Integration tool acknowledges all Generic AP notification messages sent by the controller. For Generic AP Notifications, the IP address of the Aeroscout engine must be configured on the controller.

In the Fortinet solution, Generic AP notifications are sent out from the controller to the Aeroscout Engine during the AP connectivity state change or when aeroscout configurations on the controller undergoes a change. In general a Generic AP notification is used to communicate an IP address change, a “wake up” from reboot, and or any error conditions that need to be communicated to the Aeroscout engine.

Configure AeroScout Integration tool for Receiving the Generic AP Notification

To Configure AeroScout Integration tool for receiving the Generic AP Notification, perform the following steps:

  • Enable AeroScout on the controller and configure the ip-address of the AeroScout Integration tool on controller.

 

  • Open the AeroScout Integration Tool and configure the port from the default value 1122′ to ‘12092’. In the scenario where the AP’s come online and go offline, change the AeroScout Configuration parameter on the controller. The Controller sends a generic AP Notification for all the AP’s on the Controller and the AeroScout Integration Tool acknowledges to the controller’s notification for each generic AP Notification.