FortiWLC Using AeroScout

Using AeroScout

The AeroScout System version 3 (but not version 2) works with FortiWLC and the AP400, AP822, AP832, FAP-U421EV, FAP-U423EV and AP1000 models to locate and track tagged assets, delivering direct benefits such as process automation and theft prevention. Tags are small, battery-powered devices attached to equipment or personnel. See AeroScout’s web site for more detailed information about the various tags available from AeroScout.

AeroScout tags do not associate to an access point; instead they send out beacon signals in pre-configurable intervals or when an event is triggered (the tag is in motion, a button is pressed, etc.). Messages transmitted by AeroScout tags are received by access points and are forwarded with additional information, such as RSSI values or signal strength measurements, to the AeroScout Engine. The Engine calculates the accurate location of the tag.

Reporting Tags do not affect the normal operation of access points; they keep performing in all of the supported modes (802.11a/b/g communication). AeroScout Tags also do not have an IP address and are unidirectional in the sense that they transmit and do not receive standard WiFi messages.

For APs to process the tag signals and communicate with the AeroScout Engine, the AeroScout Engine-AP Interface protocol must be implemented on access points. In Figure 8 on page 79, the AeroScout solution architecture is shown. The following is the high-level process that occurs in the implementation:

  • AeroScout tags send short wireless messages at a regular interval.
  • The signal is received by access points that are connected to a FortiWLC running AeroScout software, and the signal is sent to the AeroScout engine along with its measured signal strength.
  • The AeroScout engine uses signal strength to determine the coordinates of the reported location, and sends this data to AeroScout MobileView. AeroScout MobileView uses the location data to display maps, enable searches, create alerts, manage assets, and interface to third parties through an API.

FortiWLC 802.11n Video Service Module (ViSM)

802.11n Video Service Module (ViSM)

Video streaming has the low latency and loss requirements of voice combined with the high-throughput requirements of data. The Fortinet Video Service Module™ (ViSM) is an optional licensed software module that delivers predictable 802.11 video performance with minimal delay, latency and jitter. Sustainable high data rates, even in mixed traffic, are supported, along with synchronization of video and audio transmissions.

ViSM also introduces additional mechanisms for optimizing unicast and multicast video, such as application-aware scheduling, audio/video synchronization, and client-specific multicast group management. Features include the following:

  • High throughput with low burstiness offers predictable performance and consistent user experience
  • Application-aware prioritization synchronizes the audio and video components of a video stream, adapting the delivery of each frame based on its importance to the application.
  • Multicast group management optimizes delivery to only those Virtual Ports whose clients are members of the multicast group.
  • Seamless video-optimized handoff proactively reroutes the multicast delivery tree to prevent lost video frames during a transition between access points and ensures zero loss for mobile video.
  • User and role based policy enforcement provides granular control over application behavior.
  • Visualization reveals which clients are running which applications.

Implementing ViSM

Virtual Port already changes multicast to unicast transmissions. ViSM adds per-client IGMP Snooping to the transmission. Therefore, to implement ViSM, turn on IGMP Snooping. CLI commands control IGMP snooping (see FortiWLC (SD) Command Reference). At this time, ViSM licensing is not enforced.

FortiWLC Configuring FortiWLM Location Manager

Configuring FortiWLM Location Manager

Location Manager is supported by release 3.7 and later.

Configuring with the CLI

This example creates a packet-capture-profile named Location on a controller and then forwards the captured packets directly from AP 16 to Location Manager on port 9177. Port 9177 is the port where Location Manager listens for incoming packets in L3 mode.

MC3K-1# configure terminal
MC3K-1(config)# packet-capture-profile Location
MC3K-1(config-pcap)# mode l3 destination-ip 1.1.1.1 port 9177
MC3K-1(config-pcap)# ap-list 16
MC3K-1(config-pcap)# exit
MC3K-1(config)# exit
MC3K-1# show packet-capture-profile Location

AP Packet Capture profiles

Packet Capture Profile Name                     : Location
Packet Capture profile Enable/Disable           : off
Modes Allowed L2/L3                             : l3
Destination IP Address                          : 1.1.1.1
UDP Destination Port                            : 9177
Destination MAC for L2 mode                     : 00:00:00:00:00:00
Rx only/Tx only/Both                            : rx
Rate Limiting per station or cumulative         : station
Token Bucket Rate                               : 10
Token Bucket Size                               : 10
AP Selection                                    : 16
Extended Filter String                          :
Interface List                                  :
Packet Truncation Length                        : 82
Rate Limiting                                   : off
Capture frames sent by other APs in the network : on
MC3K-1#

For a detailed explanation of the packet capture profile commands, see the Troubleshooting chapter of the FortiWLC (SD) Configuration Guide.

FortiWLC Configure Controller Parameters From the CLI

Configure Controller Parameters From the CLI

Reset System and System Passwords from the CLI

The passwords for the system users “admin” and “guest” can be reset to their default values during a system boot. When the prompt “accepting reset request” displays, type pass to reset the passwords.

To reset the settings for the entire system to their default values, type reset at the reset system values prompt.

Limit Wireless Client Access to the Controller From the CLI

Administrators who want to block wireless clients from reaching the controller management utilities can do so with the no management wireless command. When wireless management access is blocked, all packets sent to the controller by wireless clients are dropped except those used for Captive Portal.

To remove wireless access to the controller, enter the command:

controller(config)# no management wireless

To check the management status, use the show controller command. The line near the bottom of the output, Management by wireless stations, shows either on or off.

mc3200# show controller

Global Controller Parameters

Controller ID : 1
Description : controller
Host Name : MC3200
Uptime : 05d:17h:10m:59s
Location :
Contact :
Operational State : Enabled
Availability Status : Online
Alarm State : Major
Automatic AP Upgrade : on
Virtual IP Address : 172.29.0.137
Virtual Netmask : 255.255.192.0
Default Gateway : 172.29.0.1
DHCP Server : 10.0.0.240
Statistics Polling Period (seconds)/0 disable Polling : 60
Audit Polling Period (seconds)/0 disable Polling : 60
Software Version : 6.0.SR1-4
Network Device Id : 00:90:0b:23:2e:d3
System Id : 08659559054A
Default AP Init Script :
DHCP Relay Passthrough : on
Controller Model : MC3200
Region Setting : Unknown
Country Setting : United States Of America
Manufacturing Serial # : 4911MC32009025
Management by wireless stations : on
Controller Index : 0
FastPath Mode : on
Bonding Mode : single
Station Aging Out Period(minutes) : 2
Roaming Domain State : disable
Layer3 Routing Mode : off

To re-enable access for wireless clients, use the management wireless command:

controller(config)# management wireless

Limit Wired Client Access to the Controller With QoS Rules

To control access to the controller from wired network devices, you can configure rule-based IP ACL lists using the qosrules command. This section provides qosrule examples for several types of configurations.

The following is an example that blocks management access (on TCP and UDP) to the controller (at 192.168.1.2) for all devices except the host at 192.168.1.7. Notice that match tags are enabled when srcip, dstip, srcport, dstport, netprotocol, or packet min-length is configured for a rule.

Allow the host 192.168.1.7 to access the controller with TCP/UDP:

controller(config)# qosrule 20 netprotocol 6 qosprotocol none
controller(config-qosrule)# netprotocol-match
controller(config-qosrule)# srcip 192.168.1.7
controller(config-qosrule)# srcip-match
controller(config-qosrule)# srcmask 255.255.255.255
controller(config-qosrule)# dstip 192.168.1.2
controller(config-qosrule)# dstip-match
controller(config-qosrule)# dstmask 255.255.255.255
controller(config-qosrule)# action forward
controller(config-qosrule)# end

controller(config)# qosrule 21 netprotocol 17 qosprotocol none
controller(config-qosrule)# netprotocol-match
controller(config-qosrule)# srcip 192.168.1.7
controller(config-qosrule)# srcip-match
controller(config-qosrule)# srcmask 255.255.255.255
controller(config-qosrule)# dstip 192.168.1.2
controller(config-qosrule)# dstip-match
controller(config-qosrule)# dstmask 255.255.255.255
controller(config-qosrule)# action forward
controller(config-qosrule)# end

The following qosrules allow wireless clients to access the controller on TCP ports 8080/8081 if using the Captive Portal feature.

controller(config)# qosrule 22 netprotocol 6 qosprotocol none
controller(config-qosrule)# netprotocol-match
controller(config-qosrule)# srcip <subnet of wireless clients>
controller(config-qosrule)# srcip-match
controller(config-qosrule)# srcmask <netmask of wireless clients>
controller(config-qosrule)# dstport-match on
controller(config-qosrule)# dstip 192.168.1.2
controller(config-qosrule)# dstip-match
controller(config-qosrule)# dstmask 255.255.255.255
controller(config-qosrule)# dstport 8080
controller(config-qosrule)# action forward
controller(config-qosrule)# end

controller(config)# qosrule 23 netprotocol 6 qosprotocol none
controller(config-qosrule)# netprotocol-match
controller(config-qosrule)# srcip <subnet of wireless clients>
controller(config-qosrule)# srcmask <netmask of wireless clients>
controller(config-qosrule)# dstport-match on
controller(config-qosrule)# dstip 192.168.1.2
controller(config-qosrule)# dstip-match
controller(config-qosrule)# dstmask 255.255.255.255
controller(config-qosrule)# dstport 8081
controller(config-qosrule)# action forward
controller(config-qosrule)# end

The following qosrules block all hosts from accessing the Controller using TCP/UDP.

controller(config)# qosrule 24 netprotocol 6 qosprotocol none
controller(config-qosrule)# netprotocol-match
controller(config-qosrule)# dstip 192.168.1.2
controller(config-qosrule)# dstip-match
controller(config-qosrule)# dstmask 255.255.255.255
controller(config-qosrule)# action drop
controller(config-qosrule)# end

controller(config)# qosrule 25 netprotocol 17 qosprotocol none
controller(config-qosrule)# dstip 192.168.1.2
controller(config-qosrule)# dstip-match
controller(config-qosrule)# dstmask 255.255.255.255
controller(config-qosrule)# action drop
controller(config-qosrule)# end
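To see how the allow and drop rules above combine, the following added example (not FortiWLC code) parses a constructed transcript of rules 20, 23 and 24 with the wireless-client placeholder filled with the sample subnet 10.10.0.0/24, evaluates sample packets against them, and lists any field configured without its match tag. It assumes first-match evaluation in ascending rule-id order and that a configured field acts as a condition only when its match tag is set; under that assumption it flags rule 23, which sets srcip without srcip-match.

```python
"""Model of this section's qosrule ACL examples (added example, not FortiWLC code)."""
import ipaddress

# Constructed transcript: rules 20, 23 and 24 from above with the prompts removed
# and <subnet of wireless clients> filled with the sample subnet 10.10.0.0/24.
TRANSCRIPT = """\
qosrule 20 netprotocol 6 qosprotocol none
netprotocol-match
srcip 192.168.1.7
srcip-match
srcmask 255.255.255.255
dstip 192.168.1.2
dstip-match
dstmask 255.255.255.255
action forward
end
qosrule 23 netprotocol 6 qosprotocol none
netprotocol-match
srcip 10.10.0.0
srcmask 255.255.255.0
dstport-match on
dstip 192.168.1.2
dstip-match
dstmask 255.255.255.255
dstport 8081
action forward
end
qosrule 24 netprotocol 6 qosprotocol none
netprotocol-match
dstip 192.168.1.2
dstip-match
dstmask 255.255.255.255
action drop
end
"""

def parse_qosrules(text):
    """Turn the qosrule sub-mode commands into rule dicts, sorted by rule id."""
    rules, cur = [], None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "qosrule":
            # "qosrule <id> netprotocol <proto> qosprotocol <app>"
            cur = {"id": int(words[1]), "netprotocol": words[3],
                   "match": set(), "action": None}
        elif words[0] == "end":
            rules.append(cur)
        elif words[0].endswith("-match"):
            # "srcip-match" or "dstport-match on" turns that field into a condition
            if len(words) == 1 or words[1] == "on":
                cur["match"].add(words[0][:-len("-match")])
        else:
            cur[words[0]] = words[1]  # e.g. "srcip 192.168.1.7", "action drop"
    return sorted(rules, key=lambda r: r["id"])

def _in_net(addr, ip, mask):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def rule_matches(rule, proto, src, dst, dport):
    """Assumed semantics: a configured field counts only when its match tag is set."""
    m = rule["match"]
    if "netprotocol" in m and int(rule["netprotocol"]) != proto:
        return False
    if "srcip" in m and not _in_net(src, rule["srcip"], rule["srcmask"]):
        return False
    if "dstip" in m and not _in_net(dst, rule["dstip"], rule["dstmask"]):
        return False
    if "dstport" in m and int(rule["dstport"]) != dport:
        return False
    return True

def decide(rules, proto, src, dst, dport):
    """First match in ascending rule-id order (assumed); (None, 'no-match') otherwise."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule["id"], rule["action"]
    return None, "no-match"

def unmatched_fields(rules):
    """Lint: fields set without their match tag, which this model ignores."""
    findings = {}
    for rule in rules:
        for field in ("netprotocol", "srcip", "dstip", "dstport"):
            if field in rule and field not in rule["match"]:
                findings.setdefault(rule["id"], []).append(field)
    return findings

if __name__ == "__main__":
    rules = parse_qosrules(TRANSCRIPT)
    for pkt in [(6, "192.168.1.7", "192.168.1.2", 22), (6, "192.168.1.9", "192.168.1.2", 8081)]:
        print(pkt, "->", decide(rules, *pkt))
    print("fields without a match tag:", unmatched_fields(rules))
```

The second sample packet shows the effect of the missing tag: under the assumed semantics, rule 23 forwards a wired host to port 8081 because its srcip is never consulted.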

Configuring UDP Broadcast From the CLI

You can enable all UDP ports at once with CLI commands for upstream and downstream traffic. Fortinet does not recommend enabling this feature on a production network because it could lead to broadcast storms that cause network outages. This feature is provided for testing purposes only.


You need to assign each ESS (see the chapter “Configuring an ESS”) to a specific VLAN (see the chapter “Configuring VLANs”) before enabling all UDP broadcast ports. Having multiple ESSs in the default VLAN and enabling all UDP broadcast ports does not work.

To configure UDP broadcast upstream/downstream for all ports, use these two CLI commands:

default# configure terminal
default(config)# ip udp-broadcast upstream all-ports selected
default(config)# ip udp-broadcast downstream all-ports on
default(config)# end

To display configured UDP broadcast upstream/downstream for all ports, use these two CLI commands:

default# show ip udp-broadcast upstream all-ports

Upstream UDP Broadcast All Ports

UDP All Ports : on
default#

default# show ip udp-broadcast downstream all-ports

Downstream UDP Broadcast All Ports

UDP All Ports : selected
default#

To view the currently configured broadcast ports for either upstream or downstream, use show ip udp-broadcast [downstream/downstream-bridged/upstream/upstream-bridged].

Configure Time Services From the CLI

We recommend that you configure controllers to synchronize their system clock with a Network Time Protocol (NTP) server. This ensures the system time is accurate and standardized with other systems. Accurate and standardized system time is important for alarms, traces, syslog, and applications such as cryptography that use timestamps as a parameter for key management and lifetime control. An accurate clock is also necessary for intrusion detection, isolation and logging, as well as network monitoring, measurement, and control.

During the initial system configuration, the setup script prompts for the IP address of an NTP server. If you do not supply one at that time, or if you wish to change the assigned server later, use the ntp server command followed by the ntp sync command.

To set up automatic periodic synchronization with the configured NTP server, use the start-ntp command.

There are several NTP servers that can be designated as the time server. The site www.ntp.org provides a list of servers that can be used.

To set a server as an NTP server, use the command:

ntp server ip-address

where ip-address is the IP address of the NTP server providing clock synchronization.

Configure a Controller Index with the CLI

To configure a controller index from the CLI, use the following commands:

ramecntrl(0)# configure terminal
ramecntrl(0)(config)# controller-index 22
ramecntrl(0)(config)# exit

Note that changing the index causes a controller to reboot.

What’s New In FortiOS 6

Security Fabric

This section introduces new Security Fabric features in FortiOS 6.0.

Security Fabric Automation

User-defined Automations allow you to improve response times to security events by automating the activities between devices in the Security Fabric. You can monitor events from any source in the Security Fabric and set up action responses to any destination. To create an Automation, you can set up a Trigger event and response Actions that cause the Security Fabric to respond in a predetermined way. From the root FortiGate, you can set up event triggers for the following event types: compromised host, event log, reboot, conserve mode, high CPU, license expiry, High Availability (HA) failover, and configuration changes. The workflows have the means to launch the following actions in response: email, FortiExplorer notification, AWS Lambda and webhook. Additional actions are available for compromised hosts, such as: access layer quarantine, quarantine FortiClient via EMS, and IP ban.

For more information, see the Security Fabric Handbook.

Security Rating

The Security Rating feature (previously called the Security Fabric Audit) includes new security checks that can help you make improvements to your organization’s network, such as enforce password security, apply recommended login attempt thresholds, encourage two factor authentication, and more.

For more information, see the Fortinet Recommended Security Best Practices document.

Security Rating FortiGuard service

Security Rating is now a subscription service that FortiGuard offers when you purchase a Security Rating license. This service allows you to:

  • Dynamically receive updates from FortiGuard.
  • Run Security Rating checks for each licensed device in a Security Fabric.
  • Run Security Rating checks in the background or on demand.
  • Submit rating scores to FortiGuard and receive rating scores from FortiGuard, for ranking customers by percentile.

For more information, see the Security Fabric Handbook.

Solution and service integration

In FortiOS 6.0, the Security Fabric extends to include more Fortinet products.

Wireless user quarantine

When you create or edit an SSID, you can enable the Quarantine Host option to quarantine devices that are connected in Tunnel-mode. The option to quarantine a device is available from the Topology and FortiView WiFi pages.

When a host is put into the quarantine VLAN, it gets its IP address from the quarantine VLAN’s DHCP server and becomes part of the quarantined network.

For more information, see the FortiWiFi and FortiAP Configuration Guide.

Fortinet products can join the Security Fabric by serial number

Fortinet products can now easily and securely join the Security Fabric using an authorized device serial number.

To learn how to allow a Fortinet product to join your Security Fabric, see the Security Fabric Handbook.

FortiMail integration

You can now add a FortiMail stats widget to the FortiGate Dashboard page to show mail detection stats from FortiMail. Other FortiMail integrations include the following:

  • A FortiMail section that displays the FortiMail name, IP address, login and password is now available in the Security Fabric Settings page.
  • FortiMail is now shown as a node in the topology tree view in the Fabric Settings page and in the Physical Topology and Logical Topology views.
  • The topology views now show the number of FortiMail devices in the Security Fabric in the device summary.

For more information, see the Security Fabric Handbook.

Synchronize the FortiManager IP address among all Security Fabric members

When you add a FortiManager to the Root FortiGate of the Security Fabric, its configuration is now automatically synchronized with all devices in the Security Fabric. Central management features are now configured from the Security Fabric Settings page.

For more information, see the Security Fabric Handbook.

Improve FortiAP and FortiSwitch support in Security Fabric views

The Security Fabric widget on the dashboard and the Security Fabric Settings page now show the FortiAP and FortiSwitch devices in the Security Fabric.

  • You can now use new shortcuts to easily authorize any newly discovered devices and manage them.
  • Switch stacking is now supported in the Physical and Logical topology views, and Inter-switch Link (ISL-LAG) is now identified by a thicker single line.

For more information, see the Security Fabric Handbook.

EMS server support in Security Fabric topology

The FortiClient Endpoint Management System (EMS) can be enabled in FortiClient Endpoint profiles. This feature allows you to maintain FortiClient endpoint protection from FortiClient EMS and dynamically push configuration changes from the EMS to FortiClient endpoints. EMS server support is also integrated with Security Fabric Automation.

For more information, see the Security Fabric Handbook.

Multi-cloud support (Security Fabric connectors)

Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration. Security Fabric connectors allow you to integrate Application Centric Infrastructure (ACI), Amazon Web Services (AWS), Microsoft Azure, VMware NSX, and Nuage Virtualized Services Platform configurations into the Security Fabric.

Additionally, cloud-init support for Azure is now native to the cloud. FortiGate VM for Azure also supports bootstrapping.

For more information, see the Security Fabric Handbook and the Virtual FortiOS Handbook.

Manageability

This section introduces new manageability features in FortiOS 6.0.

Asset tagging

You can use the new Asset Tagging system to create tags to separate and categorize network objects, interfaces, and devices. Tags are flexible, easy to configure, and useful for comprehensive monitoring, audit reporting, and more.

For more information, see the System Administration Handbook.

FortiSwitch network assisted device detection and destination name resolution

Device detection now extends to managed FortiSwitches since some devices may not be visible to the FortiGate that manages them. Devices that are connected to a FortiSwitch are more visible to the FortiGate that manages them and to the Security Fabric.

FortiSwitch destination name resolution clearly presents destination objects and aggregates related IP addresses with their domains. It also applies Internet Service Database (ISDB) mapping to destination data.

For more information, see the Managing Devices Handbook and the FortiSwitch Devices Managed by FortiOS 6.0 Handbook.

Global security profiles

Global Security Profiles can be used by multiple VDOMs instead of creating identical profiles for each VDOM. You can create global security profiles for the following security features:

  • Antivirus
  • Application control
  • Data leak prevention
  • Intrusion protection
  • Web filtering

For more information, see the Virtual Domains handbook.

Networking

This section introduces new Networking features in FortiOS 6.0.

SD-WAN improvements

FortiOS 6.0 introduces the following SD-WAN features:

  • Multiple server support for health checks
  • Internet service groups
  • Bandwidth options in SD-WAN rules
  • Custom profiles in SD-WAN rules
  • DSCP tagging of forwarded packets in SD-WAN rules

For more information, see the Networking Handbook.

Multipath intelligence and performance SLAs

SD-WAN performance Service-Level Agreements (SLAs) incorporate multilayer SLA monitoring of link selection. To help handle emergency load or outages you can select links based on weight and SLA priority and then return to defaults once the network stabilizes. Also, traffic shaping and application intelligence have been added to the SD-WAN configuration, which gives you more control of SD-WAN traffic.

For more information, see the Networking Handbook.

Application awareness

You can now use application control and application control group options in SD-WAN rules.

Internet Service support is also increased from a single Internet Service to Internet Service groups.

For more information, see the Networking Handbook.

BGP dynamic routing and IPv6 support for SD-WAN

FortiOS 6.0 introduces support for dynamic routing in an SD-WAN configuration. You set up a route map and add a route tag to it. Then you create an SD-WAN configuration, a health check, and a service for it. When you create the service, you add the route tag that you configured in the route map to the service.

For more information, see the Networking Handbook.

Interface-based traffic shaping

In FortiOS 6.0, you can now enable traffic shaping on an interface. Interface-based traffic shaping allows you to enforce bandwidth limits by traffic type for individual interfaces.

For more information, see the Traffic Shaping Handbook.

Cloud-assisted One-Click VPN

One-Click VPN (OCVPN) is a cloud-based solution that greatly simplifies the provisioning and configuration of IPsec VPN. The administrator enables OCVPN with a single click, adds the required subnets, and then the configuration is complete. The OCVPN updates each FortiGate automatically as devices join and leave the VPN, as subnets are added and removed, when dynamic external IP addresses change (for example, DHCP or PPPoE), and when WAN interface bindings change (as in the case of dual WAN redundancy).

For more information, see the IPsec VPN Handbook.

IPv6 enhancements

The following new IPv6 features have been added.

  • IPv6 captive portal
  • IPv6 FQDN and wildcard firewall addresses
  • IPv6 ISIS dynamic routing
  • DHCPv6 server prefix delegation
  • IPv6 BFD and VRRP

For more information, see the Firewall Handbook.

NAT enhancements

The following new NAT features have been added.

  • Central source NAT (SNAT) policies now include a comment field
  • Port block allocation timeout is configurable
  • NAT46 IP pools
  • VRRP HA supports firewall virtual IPs (VIPs) and IP pools

For more information, see the Firewall Handbook.

EMAC-VLAN support

The media access control (MAC) virtual local area network (VLAN) feature in Linux allows you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.

For more information, see the Networking Handbook.

Security

This section introduces new security features in FortiOS 6.0.

FortiGuard virus outbreak prevention

FortiGuard virus outbreak prevention is an additional layer of protection that keeps your network safe from newly emerging malware. Quick virus outbreaks can infect a network before signatures can be developed to stop them. Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard.

For more information, see the Security Profiles Handbook.

FortiGuard content disarm and reconstruction

Content Disarm and Reconstruction (CDR) removes exploitable content and replaces it with content that’s known to be safe. As files are processed through an enabled AntiVirus profile, content that’s found to be malicious or unsafe is replaced with content that allows the traffic to continue, but doesn’t put the recipient at risk.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (HTTP web download, SMTP email send, and IMAP and POP3 email retrieval; MAPI isn’t supported).

This feature works even if FortiSandbox is not configured, but only if you want to discard the original file. If FortiSandbox is configured and it responds that the file is clean, the original content is passed unmodified.

For more information, see the Security Profiles Handbook.

Application groups for NGFW policies

When a FortiGate operates in NGFW policy mode, you can create application groups when you add IPv4 or IPv6 NGFW policies, which simplifies policy creation.

For more information, see the Firewall Handbook.

Application control rule sequencing

To have more control over application control outcomes, you can control the order that application signatures appear in application control sensors. Signatures for applications that are more sensitive can appear higher in the list so they get matched first.

For more information, see the Security Profiles Handbook.

External dynamic block lists

This feature introduces the ability to dynamically import external block lists from an HTTP server. You can use the block lists to enforce special security requirements that your organization has, such as long-term policies that always block access to some websites or short-term requirements to block access to known compromised locations. Since the lists are imported dynamically, any change made to a list is instantly imported by FortiOS. Dynamic block lists can be added to:

  • Web Filter profiles and SSL inspection exemptions.
  • DNS Filter profiles and “Source/Destination” addresses in proxy policies.

In each profile, the administrator can configure multiple external block lists.

For more information, see the Security Profiles Handbook.

FortiWLC Configure Controller Parameters From the Web UI

Configure Controller Parameters From the Web UI

To reconfigure an existing controller, click Configuration > Devices > Controller > [select a controller] > Settings. The following parameters can be configured from the Web UI with Level 10 permission:

  • Information for recognizing and tracking controllers such as the Description, Location, and Contact person
  • Whether or not APs should be Automatically Upgraded by a controller
  • DHCP Server address and DHCP Relay Passthrough (whether or not packets are actually passed to the DHCP server)
  • Statistics Polling Period and Audit Polling Period, which affect how often a controller refreshes data
  • Default AP Initialization Script (bootscript) that runs on APs with no other script specified
  • Controller Index number used for identification (Note that changing this initiates a controller reboot.)
  • Whether or not the controller will interact with the AeroScout Location Engine and associated APs will interact with AeroScout Tags to provide real-time asset tracking
  • Whether or not Fastpath Mode is used. Fastpath Mode accelerates the rate that packets move through the Ethernet interface based on identification of an IP packet stream. When FastPath is enabled, the beginning of the IP packet stream is processed by the controller, and all subsequent packets of the same stream are forwarded according to the disposition of the initial packets, without being processed by the controller. This offloads a significant amount of processing from the controller.
  • Bonding Mode affects MC4200, MC5000, and MC6000 models. Single Bonding combines all Ethernet ports into one port for accelerated throughput. Dual Bonding configures two ports for the controller.
  • Virtual Cell for AP400 or AP1000 is not determined by any controller setting.
  • Whether or not Dynamic Frequency Selection (DFS) is enforced. For installations within the United States, enforcing DFS means that channels 52-64 (5.25-5.35 GHz), 100-116 (5.47-5.725 GHz), and 136-140 (5.68-5.70 GHz) conform to DFS regulations, protecting radar from interference on these channels.
  • The number of minutes of station inactivity that causes a client to time out is set by the Station Aging Out Period.

Configure UDP Broadcast with Web UI

You can enable all UDP ports at once from the Web UI for upstream and downstream traffic. Fortinet does not recommend enabling this feature on a production network because it could lead to broadcast storms that cause network outages. This feature is provided for testing purposes only.

You need to assign each ESS (see the chapter “Configuring an ESS”) to a specific VLAN (see the chapter “Configuring VLANs”) before enabling all UDP broadcast ports. Having multiple ESSs in the default VLAN and enabling all UDP broadcast ports does not work.

To configure UDP broadcast upstream/downstream for all ports, follow these steps:

  1. Click Configuration > Devices > System Settings.
  2. Click the tab UDP Broadcast Ports.
  3. Determine the type of UDP Broadcast mode you wish to configure (Tunnel Mode or Bridge Mode) and click that Tab.
  4. Click Add.
  5. Check the type of UDP Broadcast rule you wish to configure, Upstream or Downstream.
  6. Enter a UDP Port Number in the range 1-65355 and then click Save. The port number now appears in the UDP Broadcast Port list.

Perform the above steps for as many ports as desired.

FortiWLC Configure Basic Controller Parameters During Setup

Configure Basic Controller Parameters During Setup

These basic controller parameters are configured by someone with Level 15 permission, using the interactive setup script that sets up every new controller:

  • Country setting
  • Controller location
  • Hostname
  • Passwords for admins and guests
  • Dynamic IP address or a static IP address and netmask
  • Time zone
  • DNS server names
  • Gateway server name
  • Network Time Protocol server

To start the setup script, at the Privileged EXEC prompt, type setup. Refer to the “Initial Setup” chapter of the FortiWLC (SD) Getting Started Guide for an example session using the setup command.