FortiWLC – Supported Modes of Operation for APs

Supported Modes of Operation for APs

AP332/AP400/AP832 and AP1000 with two radios can have both set to 5.0 GHz, but both radios cannot be set to 2.4 GHz. If you want to use both radios on 2.4 GHz, put the radios on separate channels.

AP1000 radios default to the following bands:

AP Model Radio 1 Radio 2 Radio 3
AP122 BGN AC
AP332 BGN AN
AP1010 BGN  
AP1020 BGN AN
AP400 BGN AN Scanning on both bands (in AP433is)

Supported Modes of Operation for APs

AP Model Radio 1 Radio 2   Radio 3
AP822 BGN AC    
AP832 BGN AC  
FAP-U421EV BGN AC  
FAP-U423EV BGN AC  
Security Modes

Although AP400/AP1000 support all security modes supported by the 802.11i security standard (WEP, WPA, WPA2 and mixed mode), 802.11n supports only clear and WPA2 security. Even though you can configure any security mode for 802.11n, you only gain 11n benefits using WPA2 or clear. Because of this, any 11n client connected to an SSID configured for WEP or WPA will behave like a legacy ABG client. An 802.11n ESSID configured for either

WEP or WPA has no 802.11n rates for that ESSID. If you configure an ESSID for Mixed Mode, 802.11n rates are enabled only for the WPA2 clients; WPA clients behave like a legacy ABG client. See the chart below for details.

ESSID Security AP400/AP1000 Realize These 11n Benefits
Clear and

WPA2

All 11n benefits are realized.
WEP and WPA No 11n benefits are realized. Clients behave like legacy ABG clients.
Mixed Mode 11n performance in ESS configured for mixed mode depends on kind of application used in the network. Only WPA2 clients connected to mixed mode have 11n benefits. WPA clients behave like legacy ABG clients.

FortiWLC – Replacing Access Points

Replacing Access Points

You can replace APs in one of the following conditions:

  • If you have a faulty AP, you can replace that with a new AP of the same model as the faulty AP.
  • Migrate from an older AP model to a newer AP model.
Before Replacing Access Points

The following are important points to remember before you replace your access points: Replacing one AP model with another usually preserves the settings of the original configuration. A newer AP may have settings that the older one does not; those settings will be set to the default.

  • Despite the fact that some AP settings and configurations can be carried over when replacing an AP, users cannot simply replace an AP400 with a different model (such as an AP1000). The two models have very different capabilities and configuration specifications and should not be considered synonymous.

Replacing Access Points

How to Replace Access Points

If you are replacing existing APs with a newer model of APs, use the ap‐swap command to ease the task of updating your site’s AP settings. To use the ap‐swap command, you need the MAC addresses of the new and old APs. You can check MAC addresses of the APs to be replaced with the show ap command.

The ap‐swap command equates the MAC address of an AP that you want to replace with the MAC address of the new AP. By linking the numbers to an AP ID in the replacement table, the system can assign the configured settings from the old AP to the new AP. The settings that are tracked are the channel number, preamble, and power settings. After inputting the swap information, use the show ap‐swap command to double check the AP MAC settings before physically swapping the APs.

Once you have double-checked the MAC addresses, take the old APs off-line by disconnecting them from the system. Replace the APs. When the APs are discovered, the replacement table is checked, and the changes are applied to the new APs. Once the new AP has been updated, the entry is removed from the replacement table.

To summarize the steps to replace the APs:

meru‐wifi (config)# show ap (gets the serial numbers of the APs you are replacing) meru‐wifi (config)# swap ap 00:oc:e6:00:00:66 00:CE:60:00:17:BD meru‐wifi (config)# exit meru‐wifi# show ap‐swap

 AP Serial Number        New AP Serial Number 00:0c:e6:00:00:66       00:ce:60:00:17:bd

AP Replacement Table(1 entry) meru‐wifi# show ap

After you completed the commands for replacing APs, disconnect the old APs and make sure they show Disconnect/off-line status) and then replace the old APs with the new APs

Replacing Access Points

Configuration Updates After AP Replacements

 

TABLE 25: Configuration Updates After AP Replacement

AP Types Configuration Changes Other
Both APs (new and the one that is replaced) are same The following configurations are preserved: ATS-Entry: AP name, location, Contact, Descr, KeepAlive

•  802.11 Entry: RFType, Channel, Tx Power, Channel-Width, VCell Mode.

•  ESS-AP Entry: BSSID, Channel

This is usually used while replacing faulty APs.
AP Models are different Only the following AP configurations will be preserved

•  ATS-Entry: AP name, location, Contact, Descr,

KeepAlive

The following Radio/BSSID configuration will be changed to default setting for the newer AP model.

•  802.11 Entry: RFType, Channel, Tx Power, Channel-Width, VCell Mode.

•  ESS-AP Entry: BSSID, Channel

This is usually done while migrating from older AP models to newer AP models.

For example: Migrating from AP1020/ AP1010 to AP822

FortiWLC – Roaming Across Controllers (RAC)

Roaming Across Controllers (RAC)

Clients can roam between access points connected to two different controllers in same subnet or different subnets. FortiWLC (SD) allows you to specify static or dynamic roaming.

Things to consider before enabling RAC

  • IP PREFIX validation has to be OFF in the RAC enabled ESS profile.
  • RAC can be enabled on more than one ESSID
  • If any parameter of an ESSID profile is changed, then RAC must be stopped and the changes made in the ESSID must be updated to all controllers in the roaming domain. Ensure that the controller IP is reachable before adding its IP address to the roaming domain.
  • In the output of show roaming-domain all command, the -1 value in the VLAN column depicts tunnelling to another controller in the roaming domain.

In static DHCP home configuration, you specify one of the controllers (in the roaming domain) as the home controller. A client associating with any controller in the roaming domain will receive an IP address from this home controller. Once a controller is set has the home controller, it applies to all the native VLAN, configured VLAN and dynamic VLAN configurations of that controller as per the “tunnel interface type” set in the ESS profile.

In dynamic DHCP home configuration, a client associating with a controller for the first time will continue to receive IP address from that controller and will be the clients the home controller. To allow dynamic roaming, set the home controller IP address as 0.0.0.0.

Roaming Time-out

In a dynamic roaming scenario, if a client leaves the coverage area and returns after the configured timeout value, a fresh association happens and the client may get associated with a different controller as its home controller. The roaming time-out value (in minutes) for clients can be configured via CLI:

default(15)(config)# roaming‐domain roam‐time‐out 70

Roaming Across Controllers (RAC)

Default and minimum timeout value is 60 minutes and maximum is 240 minutes. The roaming timeout countdown starts as soon as the client leaves the coverage area.

NOTE: When RCA is stopped all the existing clients are forcefully de-authenticated and forced to reconnect. Irrespective of the client has roamed or not, this process is applied to all clients in the roaming domain.

Setting up RAC requires the following steps

Static Roaming

  1. Specify an ESSID for the roaming domain.
  2. Add your controller’s IP address as the member controller.
  3. Add your controller’s IP address as the Home controller.
  4. Repeat the above steps for adding peer controllers. Ensure that you keep the same ESSID name and the home controller IP address.

Dynamic Roaming

  1. Specify an ESSID for the roaming domain.
  2. Add your controller’s IP address as the member controller.\
  3. Add 0.0.0.0 as the IP address of the home controller.
  4. Repeat the above steps for adding peer controllers. Ensure that you keep the same ESSID name and the home controller IP address as 0.0.0.0.
Configuring Using WebUI
  1. Go to Configuration > Wired > RAC.
  2. In the Peer Controllers tab add the following:
  • ESSID: This should be replicated as-is across in all controllers in the roaming domain.
  • Peer Controller IP address

Roaming Across Controllers (RAC)

  • Home DHCP controller IP address: IP address of the home controller in the roaming domain. All the DHCP packets from the visiting client will be forwarded to this home controller and will be delivered locally in the home controller.

Roaming Across Controllers (RAC)

Configuring Using CLI

A new CLI command roaming-domain with the following options is available to set up RAC essid – Specify the name of the common ESSID that is available in all 6 controllers in the roaming domain

  • start – To start RAC.
  • stop – To stop RAC
  • peer-controller – To specify the IP address of the peer controller in the roaming domain
  • homedhcp-controller – To specify the home controller in the roaming domain.

Example default(15)(config)# roaming‐domain start

default(15)(config)# roaming‐domain essid Roaming1 peer‐controller 10.10.1.20 homedhcp‐controller 10.10.12.100

Dynamic DHCP home

default(15)(config)# roaming‐domain essid Roaming1 peer‐controller 10.10.1.20 homedhcp‐controller 0.0.0.0.

Where, essid is the name of the “ESS profile” string displayed in the show essid command.

FortiWLC – Configuring 802.11k/r

Configuring 802.11k/r

Devices can now benefit from the 802.11r implementation to fast roam between best available access points within a controller domain. Additionally, with implementation of 802.11k specifications you can now calculate 802.11k neighbor and radio measurement reports.

The fast roaming capability and 802.11k is configurable in ESS profile.

Supported Access Points: AP122, AP822, AP832, OAP832

Limitations
  • Supported only for clients that are compliant with 802.11k/v/r specifications Fast roaming is not available in inter-controller roaming.
Enabling 802.11k
Using WebUI
  • Go to Configuration > Wireless > ESS and in the ESS Profile tab, change the following:
  • For 802.11r, select On.
  • For 802.11r Mobility Domain, enter an integer value.
  • For 802.11k, select On to perform radio measurements.

Configuring 802.11k/r

 

Using CLI

default(15)# configure terminal default(15)(config)# essid fastroam‐1 default(15)(config‐essid)# 802.11r on default(15)(config‐essid)# 802.11k on default(15)(config‐essid)# 802.11r‐mobility‐domain‐id 100

FortiOS 6.0.2 Release Notes

Introduction

This document provides the following information for FortiOS 6.0.2 build 0163:

Supported models

FortiOS 6.0.2 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E,

FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE,

FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E,

FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D, FG-200D-POE, FG-200E,

FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E,

FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG-900D, FG-1000D,

FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D,

FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE,

FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN,

FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 6.0.2 images are delivered upon request and are not available on the customer support firmware download page.

Special Notices

WAN optimization and web caching functions

WAN optimization and web caching functions are removed from 60D and 90D series platforms, starting from 6.0.0 due to their limited disk size. Platforms affected are: l FGT-60D l FGT-60D-POE l FWF-60D l FWF-60D-POE l FGT-90D l FGT-90D-POE l FWF-90D l FWF-90D-POE l FGT-94D-POE

Upon upgrading from 5.6 patches to 6.0.0, diagnose debug config-error-log read will show command parse error about wanopt and webcache settings.

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate mode:

  • FGR-30D-A l FGR-30D l FGR-35D l FGR-60D l FGR-90D l FGT-200D l FGT-200D-POE l FGT-240D l FGT-240D-POE l FGT-280D-POE l FGT-30D l FGT-30D-POE l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E Special Notices 7
  • FGT-51E l FGT-52E l FGT-60D l FGT-60D-POE l FGT-70D l FGT-70D-POE l FGT-90D l FGT-90D-POE l FGT-94D-POE l FGT-98D-POE l FWF-30D l FWF-30D-POE l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E-2R l FWF-50E l FWF-51E l FWF-60D l FWF-60D-POE l FWF-90D l FWF-90D-POE l FWF-92D

Built-in certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

 

Special Notices

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiClient profile changes

With introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn.

FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 6.0.2

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version 5. Click Go.

If you are upgrading from version 5.6.2 or 5.6.3, this caution does not apply.

Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Physical interface inclusion in zones

Upgrading from 5.6.3 or later removes all of the members of a zone if the zone contains a physical interface and at least one of that physical interface’s VLAN interfaces is removed. For example:

Before Upgrade:

config system zone edit “Trust”

set interface “port1” “Vlan01” “Vlan02” “Vlan03”

next

After Upgrade:

config system zone edit “Trust”

next

Remove “port1” from the list and the upgrade will retain the VLANs.

Conditions when physical zone members are removed: l If a physical interface has a VLAN associated (regardless of whether they are in the same zone or any zone) Conditions when VLAN zone members are removed: l If the parent physical interface is also set on a zone

You can use the following options to prepare for the upgrade:

  • Use only physical interfaces that have no VLAN associations Or:
  • Create new VLANs in place of current physical interface zone members, and remove all physical zone members from zones using only the associated, new VLAN entries.

Fortinet Security Fabric upgrade

FortiOS 6.0.2 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.0.0 l FortiClient 6.0.0 l FortiClient EMS 6.0.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.4 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.0.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.0.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

  • Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox) l FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting)

 

  • LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.0.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.0.2 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3
  • I2 l M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any] end

 

Product Integration and Support

FortiOS 6.0.2 support

The following table lists 6.0.2 product integration and support information:

Web Browsers l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l    Microsoft Edge 41

l    Microsoft Internet Explorer version 11 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Fortinet Security Fabric upgrade on page 10. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on page 10. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient:

l Microsoft Windows l Mac OS X l Linux

l 6.0.0

See important compatibility information in Fortinet Security Fabric upgrade on page 10.

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS l 5.6.0 and later
FortiClient Android and FortiClient VPN Android l 5.4.2 and later

 

FortiAP l 5.4.2 and later l 5.6.0 and later
FortiAP-S l 5.4.3 and later l 5.6.0 and later
FortiSwitch OS

(FortiLink support)

l 3.6.4 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l 5.0 build 0268 and later (needed for FSSO agent support OU in group filters) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8
FortiExtender l 3.2.1
AV Engine l 6.00012
IPS Engine l 4.00021
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2336. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X El Capitan 10.11.1 Apple Safari version 9

Mozilla Firefox version 54

Google Chrome version 59

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus   Firewall
Symantec Endpoint Protection 11  
Kaspersky Antivirus 2009    
McAfee Security Center 8.1  
Trend Micro Internet Security Pro  
F-Secure Internet Security 2009  

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 6.0.2. For inquires about a particular bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
487946 MSS value increases when AV or WEB filter in use resulting in Packet too big message.
489308 scanunit process frequently crashes.
497371 Flow-AV blocks Windows updates (.cab files).

Application Control

Bug ID Description
423140 All IPS sessions lost when new custom signature added.

Authentication & User

Bug ID Description
477392 Cannot use FAC username password and FortiToken two-factor authenticate login HA slave unit.
481469 Failed to resolve hostname for configured CRL URL on a non-managment VDOM.
488566 Renaming guest user group name doesn’t reflect under Guest administrator account assigned leads to black page.
491175 diag test application fnbamd 1 causes fnbamd to enter an idle state and causes authentication failure.
491235 New diag command diag test app wad 13.
491241 Enhance diag command diag test app fnbamd 1.
493470 Authenticated user receives Oops “Authentication requested” referencing a proxy policy which does not have authentication.
493930 Admins who use dedicated HA mgmt interfaces are not visible in the CLI.
495210 Guest user accounts do not show expiration time, but time until expiration only.
496524 After successful wired portal auth, the wired PC still gets many http redirection and fails to access the internet.

Connectivity

Bug ID Description
463982 FortiManager IP is unset in FortiGate CM.
479607 Scheduled auto-update happens twice in 10 seconds but a log entry for the first try is not logged.
481058 Configuration revision control list can’t be retrieved from FortiCloud.

DLP

Bug ID Description
478524 Diskless model missing full-archive-proto in config DLP sensor when only FortiCloud logging enabled.
486958 Scanunit signal 14 alarm clock caused by DLP scanning bz2 file.
492624 DLP blocking web sites in FortiOS v6.0 GA.
496255 Some XML-based MS Office files are recognized as ZIP files.

Firewall

Bug ID Description
474612 SNAT is using low ports below 1023.
475539 Inaccurate netflow export. Traffic measurements do not match with SNMP readings.
478681 Should be able to disable SNAT when a VIP exists and central-NAT is enabled.
492961 Set utm-status disable did not hide profile-group. Unset profile-group will make profile-protocol-options empty.
498188 Dirty_session_check in FortiGate drops all established VIP64 sessions.
502579 Local-In-Policies with FQDN address is not working after upgrade from 5.6 to 6.0.1.

FortiView

Bug ID Description
414172 HTTPsd / DNSproxy/ high CPU/memory with high rate UDP 1Byte spoofing traffic.
GUI  
Bug ID Description
402457 Suggest to improve IPsec VPN monitor page Proxy ID Source and Proxy ID Destination fields.

 

Bug ID Description
413881 VDOM link tooltip displays Failed to retrieve info.
444104 Accept/Decline buttons cannot be seen in GUI with a long login disclaimer and screen under certain resolutions.
449598 Remote LDAP User Definition wizard does not pull users.
457627 Want the ability to change the date/time format displayed in the GUI of the FortiGate.
457721 FortiLink Switch-controller GUI – allow user to edit Port Description for FortiLink/ISL.
457966 Virtual wire pair > Add VLAN range filter on GUI.
460617 GUI FortiGuard Check Again button doesn’t work as expected due to FortiGuard service 8888/53 incorrectly routed.
462011 GUI is blank when accessed with RADIUS user with read-access profile and the FortiGate is managed by FortiManager.
462072 GUI should show full FQDN name in reputation search result.
468465 Some filters do not return logs when source is FortiCloud.
468797 Cannot filter by date or timestamp when viewing logs from FortiCloud.
469082 prof_admin profile admins are not able to display GUI IPv4 source address.
470241 Raw logs are downloaded from the default location even if you select another log device in GUI.
472023 Outbreak prevention detection makes “clean” counter increment in Advanced Threat Protection Stats widget.
472558 DHCP Server GUI – GUI populates wrong information when switching from DHCP Relay to DHCP

Server.

473808 Column filter is not persistent and is removed after refreshing the page.
474807 Cannot restore default page in replacement message group.
475036 Virtual Server Duplicate Entry found error in GUI.
477393 Negative values in Load Balance monitor logs.
477870 Alias for modem interface present in GUI but not in CLI.
479468 The link status is lost after SD-WAN GUI changes to List Edit.
479937 GUI should hide options that don’t apply to certificate inspection.
481902 When accessing FortiView > Websites page, gets error Failed to get FortiView data and httpsd keeps crashing.
482628 CPU.Speculative.Execution.Timing.Information.Disclosure signature can’t be filtered if Application is selected.
Bug ID Description
489674 When scroll to the end of an muTable, GUI should shows 100% of entry.
489675 The Firefox web browser sometimes cannot delete performance SLA rules.
489715 Destination address should not be mandatory in GUI in SD-WAN Rules.
492898 Cannot delete FSSO AD group entries in GUI anymore.
493351 Object tooltip of last page should not always display on current page.
493773 SD-WAN rule in GUI unable to select (whether as source or destination) the address group grp_ citrixfarm.
494724 When creating trunk interface on managed FSW, FSW ports in right-side list show down, even when some are up.
496613 Editing web filter profile in GUI deletes web-proxy profile and URL filter entries.
497667 FortiSwitch Ports page loads very slowly.
502785 Remove # of interfaces from device list.

HA

Bug ID Description
408886 Uninterrupted upgrade from B718 to tag 9702 failed with 1.5M BGP routes and 6M sessions load.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is synced.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
474622 IPsec itn=0 after a unit joins an FGSP cluster.
482548 Conserve mode caused by hasync consuming most of memory.
485340 Cluster Uptime: -141 days -20:-31:-50.
486552 vcluster HA failover fails with large site-to-site IPsec VPN configuration on 3800D.
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA failover in 80/81E.
491311 Management port has sync’ed when creating a new NAT VDOM.
493759 When vcluster2 is removed from HA config, all active sessions are killed once session-ttl is reached.
494029 After failover, sometimes cannot connect to management-ip of backup device.
501147 Moving VDOM to virtual cluster from GUI causes cluster to go out of sync.

IPS

Bug ID Description
478185 Improve the ability of detection fragmented intrusion attacks.
489557 Strange traceroute issues when IPS is enabled.

IPsec VPN

Bug ID Description
486756 Traffic is not fragmented for IPsec VPN when Proxy-based UTM is enabled.
489990 Make PKI validation of IDi & Certificate Identity optional.
490066 FortiClient with IPsec with Proxy / Webfilter – Fragmentation is needed.
491305 Packet from FortiClient cannot go through VXLAN over IPsec depending on packet size.
492046 FortiGate does not respond to INFORMATIONAL exchange message as requested by RFC.
493918 Memory leak with IKED.

Log & Report

Bug ID Description
459306 Suggest to lower Threat Level for oversized file.
493140 Need to see application signature names instead of LDS under Logs & Report > System event logs.
494040 Creating or modifying security profiles generate multiple logs with misleading action.
497357 FortiGate logs show the action as block when we use DNS filter and if a DNS query timeout happens.
498519 Web filter authentication failed to set status field in the event log message.

Proxy

Bug ID Description
479678 IPpool does not work properly in explicit Proxy-policy.
482916 WAD crashes with signal 6.
486821 Web application Symphony fails with AV profile enabled in policy.
487096 SSL handshake fails when activate ESET application.
491417 FortiGate is dropping server hello packets when URLFILTER is enabled.
Bug ID Description
491424 Adjust the proxy-auth-timeout default value and unit.
491630 With UTM enabled, client failed to get response from server, gets 500 Internal error.
494081 WAD process crashes with signal 11 after upgrading the firmware to v5.6.4.

Router

Bug ID Description
443948 High memory usage for zebos_launcher and isisd.
482631 OSPF adjacencies lost, FGFMD high CPU while pushing policies from FortiManager.
491423 BGP shutdown neighbor capability-default-originate parameter always in use.
491679 FortiGate chooses higher metric OSPF E2 route for traffic under some circumstance.
492063 Route map not able to set attribute with BGP conditional advertisement.
493454 Large PIM SM bootstrap packets are not forwarded with kernel 3.2.
494393 Router access list should not default to prefix any and exact match disable.
500673 SD-WAN rules with application do not work after HA switchover.

SSL VPN

Bug ID Description
466438 High CPU usage by sslvpnd.
483712 sslvpnd consumes high memory causing FortiGate to enter conserve mode.
486918 SSL VPN web mode unable to load the page correctly.
489827 In SSL VPN web mode, Visteon.service-now.com/vss URL is not loading.
491895 Web mode SSL VPN HTTP bookmark not working.
494948 Confluence software is not rendered correctly in web mode.
494960 SSL VPN web mode has trouble loading internal web application.
494978 authd registers SSL VPN user with wrong user/group information and breaking SSL VPN after upgrade to 5.6.4.
498249 Need update SCEP over SSL host name/certificate check.
501769 SSL VPN: Bookmark to internal web site not loading correctly – JavaScript errors.

Switch

Bug ID Description
493685 Hardware switch flooding traffic.

System

Bug ID Description
370953 SLBC worker blade failed to re-synchronize with the config master blade due to the frozen confsync daemon.
394509 No log entry for failed admin PKI authentication.
414081 SMB1 support has been by default disabled under part models.
441483 Confused by set enable-shaper disable to enable HPE protection.
459273 Slave worker blade loses local administrator accounts.
462178 Front panel SPEED LED is flashing green when transmitting and receiving data.
466317 [api] is in Z state.
468938 Kernel panic on 3700D – slave.
472267 DNS filter performance improvement.
472270 SNMP feature for DNS filter counts.
473354 Suggest enable per-session-accounting on NP6Lite by default.
477886 PRP support.
479142 SLBC 5001D slave blade going out of sync.
481783 DHCP address assignment sometimes fails – DHCPD crashing multiple times.
485781 Deleting EMAC VLAN interface on a different VDOM causing connectivity loss to the EMAC VLAN for 5-7 pings.
493219 Softirq and nice are taking high CPU resources when sending and receiving packets with a virtual wire pair.
494603 FortiGate in transparent mode is not accessible over https/ssh (administrative access) once trusted host is configured.
494707 FortiGate trusthost settings not respected.
499332 No error message when configuring address .067 and address converted with .55.
499435 Allow packet sniffer to use RAM disk.
499793 FortiGate set wrong timezone for Paraguay.

Upgrade

Bug ID Description
495994 After upgrade to 5.4.9, observing a lot of IPS syntax errors on the console screen.

VM

Bug ID Description
493225 FTG-VM01 is missing diag sys mpstat command option.
499154 FortiGate Azure rejects static route configure pushing from FortiManager.
501911 In FOS-AWS prompt, user password = instance ID, and force user to change password upon initial log in.
Bug ID Description
471638 FortiGate disconnects all clients when they roam from AP to AP.
479415 Incorrect auth-success-page Authentication Success Page Replacement message.

VoIP

Bug ID Description
478634 Debug commands for SIP filter are not applied.

Web Filter

Bug ID Description
454634 Web filter set warning-prompt per-domain is warning per-category instead of per-domain.
476806 FortiOS incorrectly sends ICMP “Destination Unreachable” with WF/certificate inspection.
486171 The Web Rating Overrides option doesn’t work with flow-mode.
490377 The Web Rating Overrides option doesn’t work properly on proxy-based.
498231 Web sites like FedEx.com is catogized as malicious category incorrectly.

Web Proxy

Bug ID Description
500182 UDP over SOCKS proxy.

WiFi

Bug ID Description
491248 VAP RADIUS-based MAC authentication should support CoA.
491769 Support for third-party external portal with RADIUS MAC authentication.
495995 Custom categories override doesn’t work.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
450553 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2017-12150 l CVE-2017-12151 l CVE-2017-12163

487421 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13365

495090 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13366

496431 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2018-9192

499552 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2016-7431

 

Known Issues

The following issues have been identified in version 6.0.2. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
Bug ID Description
256264 Realtime session list cannot show IPv6 session and related issues.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.

FortiView

Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
453610 Fortiview->Policies(or Sources)->Now, it shows nothing when filtered by physical interface at PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
482045 FortiView – no data shown on Traffic from WAN.
494731 Incorrect reporting in Fortiview.

GUI

Bug ID Description
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
470589 The Forward Traffic Log Details panel Security tab does not display security log details when multiple log devices are enabled.
487350 FortiGuard Filtering Services Availability showing Unavailable on GUI when no valid Anti-spam license is present.
493839 Cannot change quota type (time-based, traffic-based).

HA

Bug ID Description
451470 Unexpected performance reduction in case of Inter-Chassis HA fail-back with enabling HA override.
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).
503433 hasync daemon crashes when admin session times out and cluster could be out of sync for a short period.

IPS

Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.

IPsec VPN

Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
466048 Huawei USB LTE E3276 cannot be detected.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
482497 Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.

Upgrade

Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and webfilter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
Bug ID Description
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name.

Web Filter

Bug ID Description
480003 FortiGuard category does not work in NGFW mode policy.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiWLC – Hotspot 2.0

Hotspot 2.0

Hotspot 2.0 is a specification by the Wi-Fi Alliance that specifies a framework for seamless roaming between WiFi networks and Cellular networks. The specification is based on the IEEE802.11u standard; a Generic Advertisement Service (GAS) that provides over-the-air

Hotspot 2.0

transportation for frames of higher layer advertisements between stations APs and external information servers. This feature will allow users to configure hotspot profiles that can (optionally) be connected to existing ESS Profiles as desired. An ESS-profile connected to a hotspot profile will advertise 802.11u capabilities in its beacons.

FAP-U42x and FAP-U32x are Passpoint R2 certified.

Adding a Hotspot 2.0 Profile

The Hotspot Profiles can be created from the Configuration > Wireles > Hotspot 2.0 page. By default, the page shows the following details about a Hotspot profile.

  • Hotspot Profile Name – Displays the name of the Hotspot Profile.
  • Description – Displays the Description provided for the Hotspot profile.
  • Venue Type – Displays the Venue Type.
  • Access Network Type – Select the Access Network Type from the list. The default selection is displayed as Private Network. The types are as follows:
  • Private Network
  • Private Network with Guest Access
  • Chargeable Public Network
  • Free Public Network
  • Personal Device Network
  • Emergency Services Only Network
  • Test or Experimental Network
  • Wildcard Network
  • IPv6 Availability – Select the IPv6 Availability from the list. The default selection is displayed as Address type not available. The types are as follows:
  • Address type available
  • Address type not available
  • Availability of the Address type not known
  • IPv4 Availability – Select the IPv4 Availability from the list. The default selection is displayed as Address type not available. The types are as follows:
  • Address type available
  • Address type not available
  • Availability of the Address type not known
  • Port-restricted IPv4 address available
  • Single NATed private IPv4 address available
  • Double NATed private IPv4 address available

Hotspot 2.0

 

Port-restricted IPv4 address and single NATed IPv4 address available

  • Port-restricted IPv4 address and double NATed IPv4 address available
  • Roaming Consortium – Enter the roaming ORG ID for the Hotspot profile. The valid range is 0-10 characters.
  • Operators – Enter multiple network operators. Select a language and enter a name. The valid range is 0 – 256 characters.
  • Venue – Enter multiple hotspot venues. Select a language and enter a name. The valid range is 0 – 512 characters.
  • 3GPP Cell Network – Provide the following details:
  • Country code of the operator.
  • Provide the 3GPP Cell Network MCC. The default value is displayed is 0. The Valid range is [0-999]. Provide the 3GPP Cell Network MNC. The default value is displayed is 0. The Valid range is [0-999].
  • Domain Name – Provide the Domain Name. The valid range is [0-128] chars.
  • NAI Realm from 1-10 – Provide the NAI Realm [1-10] from the list. The valid range is [0-50] chars.
  • NAI Realm Auth Method from 1-10 – Select the NAI Realm Auth Method [1-10] from the list. The valid range is [0-50] chars. The types are as follows:
  • EAP TLS Certificate
  • EAP TTLS MSCHAPv2 Username/Password
  • EAP SIM
  • EAP AKA
  • EAP AKA`
  • Advanced Settings – Provide the following configuration details for advanced settings: HESSID – A globally unique identifier, used to give a single identifier for a group of APs connected to the same SP or other destination network(s).
  • GTK Per Station – Enables the Group Temporal Key (GTK) to be assigned per station.
  • Gas Come Back Flag – Enables the Generic Advertisement Service (GAS) comeback request/response option.
  • Gas Come back Delay (millisecs) – At the end of the GAS comeback delay interval, the client can attempt to retrieve the query response using the comeback request action frame.
  • ASRA Flag – Enable the Additional Step Required for Access (ASRA) to indicate that the network requires one more step for access. Authentication type – Configure the network authentication type required as per ASRA. Supported values are, Acceptance of terms and conditions, On line enrolment supported, http/https redirection, and DNS redirection.

Hotspot 2.0

Redirect URL – Specify the Redirect URL in case of http/https redirection and DNS Redirection.

  • WAN Metrics – Provide the following configuration details for WAN metrics:
  • Link Status State – Select the status of the WAN link.
  • Symmetric Link – Enable symmetric bandwidth. At Capacity – Select whether the WAN link is at capacity and no additional mobile devices will be allowed to associate with the AP.
  • Down Link speed/Up Link speed – The WAN Backhaul link for current downlink/uplink speed in KBPS.
  • Down Link load/Up Link load – The current percentage load of the downlink/uplink connection, measured over an interval the duration of which is reported by the Load Measurement Duration.
  • Load Measurement Duration – The duration over which the downlink/uplink load is measured in KBPS.
  • Connection CapabilityThe Connection Capability enables filtering of protocols, allowing or restricting traffic on some protocols and ports. A set of system defined protocols as listed. Additionally, you can also create rules for custom protocols.
  • QoS Map – Create a Quality of Service (QoS) policy by configuring the following DSCP ranges and DSCP exceptions.
  • DSCP Ranges – For a given DSCP range, specify the User Priority (valid range: 0 -7), DSCP High Priority (valid range: 0 – 255), and DSCP Low Priority (valid range: 0-255). DSCP Exceptions – For a given DSCP exception, specify the User Priority (valid range: 0 -7) and the DSCP Value (valid range: 0 – 255).
  • OSU Settings – The Online Sign Up (OSU) Service settings configures one or more Hotspot providers offering OSU service.
  • Online Sign Up Support – Select to enable OSU.
  • OSEN Enable – Enable OSU Server-only authenticated layer-2 Encryption Network (OSEN) to indicate that the hotspot uses a OSEN network type. This network provisions clients using the OSU functionality.
  • OSU/OSEN ESSID – Specify the OSU ESSID.

OSU Server URL – Specify the URL of the OSU server.

  • OSU NAI – Specify the OSU NAI for authentication.

Click Settings to configure the OSU provider settings.

  • OSU Provider Friendly Names
  • OSU Provoder Icons
  • OSU Provider Method – Select one of the OSU provider provisioning methods, OMADM or SOAP-XML.

Hotspot 2.0

OSU Provider Description – The description of the OSU Provider.

Select OK. The Hotspot Profile is added and displayed on the Hotspot Profile screen.

The following operations can be performed on the Hotspot 2.0 profile.

  • Delete – Select a Hotspot Profile and click Delete. The selected Hotspot Profile gets deleted from the Hotspot Profile screen.
  • Edit – Select a Hotspot Profile and click Edit.
  • View – Allows to view the details of the Hotspot Profile. Select a Hotspot Profile and click View.

FortiWLC – Automatic Radio Resource Provisioning (ARRP)

Automatic Radio Resource Provisioning (ARRP)

By using the ARRP feature, each AP scans all channels and provides the scan details to the controller. The controller uses this information to select and allocate the best available channel per radio. By default, this feature is disabled.

  • Supported only on 11ac APs.
  • Once enabled, the virtual cell is not available for 11ac APs.
  • Non-11ac APs will continue to work as configured and will not be affected by auto channel feature.
  • The APs will reboot to the newly allocated channel after both initial planning and dynamic channel change.
  • If the ARRP is disabled, all 11ac APs will reboot to default channels.

Automatic Radio Resource Provisioning (ARRP)

Configuring Using WebUI

To enable this feature, go to Configuration > Wireless > ARRP and in the configuration tab, enable the Auto Channel option.

  • Planning Channel: Once enabled, the respective radios of all APs are set to the channels selected for radio 1 and radio 2. In the above screenshot, the planning channel is set to 1 / 20MHz for radio 1 and 149/40MHz for radio 2. Based on the report received by all APs, the controller allocates the optimum channel. DFS channels are not available to be set as planning channel.
  • Auto Power: The auto power functionality is applied only after channel allocation irrespective of when the auto power option was enabled. When enabled, the controller will determine the optimum power level between neighbouring (by channel) 11ac APs. The auto power option can be enabled and applied only when ARRP feature is enabled.
  • Freeze: The option is applied after the initial planning phase. When this option is disabled, the 11ac APs perform a periodic scan (at the end of every minute) on their allocated channels. This is used to determine the quality of the channel. If the quality of the channel crosses the threshold limit (based on three consecutive scans), it sends a request for change of channel. If enabled, the periodic scan is disabled and the 11ac APs remain in allocated channels irrespective of the channel quality.
  • If this option is disabled, the radio interface settings cannot be modified.
  • Timer State and Timer: This option is available only when the Freeze option is disabled. If Timer State is Off, channel scanning occurs every one minute continuously. To avoid frequent channel change, you can set the channel scan interval to happen at the end of 15

Automatic Radio Resource Provisioning (ARRP)

minutes. With this, channel scan is scheduled for once in 15 mins. In each scan cycle sampling is done for 10 iterations i.e. for 10 mins.

  • DFS: By default scanning and allocation of DFS channel is disabled during the planning phase. If enabled, the APs can scan DFS channels and they can be allocated DFS channels.
  • DFS option must be selected when the ARRP is enabled. Enabling DFS after enabling Auto RF will require re-planning of channel allocation for all APs
  • REPLAN: This option is to be used if a new AP is added to the network after the initial planning is complete.

The AP-Radio Interfaces tab lists all APs with its operating frequency and transmit-power respectively.

Configuring Using CLI
  • Use the show arrp‐config command to view the current settings

MC‐4200‐AC‐MCA(15)# show arrp‐config MCA Global Settings

Enable/Disable Auto Channel : enable Radio 1 Channel             : 11 Radio 1 Channel Width       : 20‐mhz Radio 2 Channel             : 48 Radio 2 Channel Width       : 20‐mhz

Auto Power on/off           : off

Freeze yes/no               : No

Timer State on/off          : on

Timer                       : 15

Dfs on/off                  : on

  • Use the show arrp‐ap‐radio‐interface command to view the list of APs and their operating frequency and power values.

MC‐4200‐AC‐ARRP(15)# show arrp‐ap‐radio‐interface

AP ID AP Name Radio1 oper ch Radio2 oper ch Radio1 Transmit Power (dBm) Radio2 Transmit Power (dBm)

  • AP‐3 6              36             24                            23

Automatic Radio Resource Provisioning (ARRP)

  • AP‐4 1              36             24                            23 6     AP‐6     6              40             24                            23 13    AP‐13    1              36             24                            23 17    AP‐17    1              36             24                            23 19    AP‐19    6              36             10                            13 20    AP‐20    6              36             24                            23

ARRP radio interfaces(7 entries)

  • Use the arrp global command followed by one of the following options to configure and use the ARRP feature

‐auto‐power ‐ To enable or disable auto allocation of transmit power

‐dfs ‐ To enable or disable the use of DFS channels in planning

‐disable ‐ To disable ARRP   

‐Enable ‐ To enable ARRP

‐Freeze‐ To enable or disable dynamic channel scanning

‐radio1‐channel‐planning‐ To specify channel for initial planning

‐radio2‐channel‐planning‐ To specify channel for initial planning

‐replan‐ To perform re‐planning if a new AP has joined network

‐timer‐state‐ Enable or disable to avoid frequent channel change

‐timer‐value‐ To specify the time interval for the dynamic channel scan

Limitations
  • If disabled, existing vCell profiles will be pushed to all 11ac APs irrespective of whether the AP was part of the vCell profile before auto channel feature was enabled. Native cell profiles will remain unchanged.
  • As part of auto power functionality, the Tx power levels on the AP is not increased back to default values if the neighboring AP which this AP earlier reported as having high power goes down.