Fortinet Document Library

Version:

Version:


Table of Contents

FortiWiFi and FortiAP Configuration Guide

Download PDF
Copy Link

Remote WLAN FortiAPs

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate with unnecessary traffic and allows direct access to local private networks at the location of the FortiAP even if the connection to the WiFi controller goes down.

Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.

  • Create FortiAP profiles for the Remote LAN FortiAP models
  • If split tunneling will be used
    • configure override split tunneling in Managed FortiAPs
    • enable split tunneling in the SSID
    • configure the split tunnel networks in the FortiAP profile
To create FortiAP profiles

If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see Creating a FortiAP profile.

To override split tunneling

Go to WiFi & Switch Controller > Managed FortiAPs and edit your managed APs. When preconfiguring the AP to connect to your FortiGate WiFi controller, you can choose to override split tunneling, optionally including the local subnet of the FortiAP.

To enable split tunneling options

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings

set gui-fortiap-split-tunneling enable

end

To configure split tunneling - FortiGate GUI

Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s), where you can enter a list all of the destination IP address ranges that should not be routed through the FortiGate WiFi controller. Packets for these destinations will instead be routed through the remote gateway local to the FortiAP.

The list of split tunneling subnets includes public Internet destinations and private subnets local to the FortiAP. Split tunneling public Internet destinations reduces traffic through the FortiGate unit. Split tunneling local private subnets allows these networks to be accessible to the client behind the FortiAP. Otherwise, private network IP destinations are assumed to be behind the FortiGate WiFi controller.

To configure split tunneling - FortiGate CLI

In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.

config wireless-controller vap

edit example-ssid

set split-tunneling enable

end

 

config wireless-controller wtp-profile

edit FAP21D-default

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.0.0 255.255.0.0

end

end

To enter multiple subnets, create a split-tunneling-acl entry for each one.

To override the split tunneling settings on a FortiAP

If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.

config wireless-controller wtp

edit FAP321C3X14019926

set override-split-tunnel enable

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.10.0 255.255.255.0

end

end

Configuring a FortiAP unit

Prior to providing a remote WLAN FortiAP unit to an employee, you need to preconfigure the FortiAP to connect to your FortiGate WiFi controller.

To pre-configure a FortiAP
  1. Connect the FortiAP to the FortiGate unit.
  2. Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
  3. Right click the row of the FortiAP that you want to connect to and then select >_ Connect to CLI.

    The CLI Console window opens.

  4. If the password prompt appears, then enter the required password. By default, no password is set.
  5. Enter the following commands to set the FortiGate WiFi controller IP address. This IP address is the FortiGate Internet-facing IP address, in this example 172.20.120.142.

    cfg -a AC_IPADDR_1=172.20.120.142

    cfg -c

  6. To log out of the FortiAP CLI, enter exit.
  7. To close the CLI Console window, click the X in the top right corner of the window.

Preauthorizing a FortiAP unit

By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee name, for easier tracking.

  1. Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
  2. Enter the Serial Number of the FortiAP unit and give it a Name. Select the appropriate FortiAP Profile.
  3. Click OK.
  4. Repeat steps 1 to 3 for each FortiAP.

Remote WLAN FortiAPs

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate with unnecessary traffic and allows direct access to local private networks at the location of the FortiAP even if the connection to the WiFi controller goes down.

Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.

  • Create FortiAP profiles for the Remote LAN FortiAP models
  • If split tunneling will be used
    • configure override split tunneling in Managed FortiAPs
    • enable split tunneling in the SSID
    • configure the split tunnel networks in the FortiAP profile
To create FortiAP profiles

If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see Creating a FortiAP profile.

To override split tunneling

Go to WiFi & Switch Controller > Managed FortiAPs and edit your managed APs. When preconfiguring the AP to connect to your FortiGate WiFi controller, you can choose to override split tunneling, optionally including the local subnet of the FortiAP.

To enable split tunneling options

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings

set gui-fortiap-split-tunneling enable

end

To configure split tunneling - FortiGate GUI

Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s), where you can enter a list all of the destination IP address ranges that should not be routed through the FortiGate WiFi controller. Packets for these destinations will instead be routed through the remote gateway local to the FortiAP.

The list of split tunneling subnets includes public Internet destinations and private subnets local to the FortiAP. Split tunneling public Internet destinations reduces traffic through the FortiGate unit. Split tunneling local private subnets allows these networks to be accessible to the client behind the FortiAP. Otherwise, private network IP destinations are assumed to be behind the FortiGate WiFi controller.

To configure split tunneling - FortiGate CLI

In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.

config wireless-controller vap

edit example-ssid

set split-tunneling enable

end

 

config wireless-controller wtp-profile

edit FAP21D-default

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.0.0 255.255.0.0

end

end

To enter multiple subnets, create a split-tunneling-acl entry for each one.

To override the split tunneling settings on a FortiAP

If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.

config wireless-controller wtp

edit FAP321C3X14019926

set override-split-tunnel enable

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.10.0 255.255.255.0

end

end

Configuring a FortiAP unit

Prior to providing a remote WLAN FortiAP unit to an employee, you need to preconfigure the FortiAP to connect to your FortiGate WiFi controller.

To pre-configure a FortiAP
  1. Connect the FortiAP to the FortiGate unit.
  2. Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
  3. Right click the row of the FortiAP that you want to connect to and then select >_ Connect to CLI.

    The CLI Console window opens.

  4. If the password prompt appears, then enter the required password. By default, no password is set.
  5. Enter the following commands to set the FortiGate WiFi controller IP address. This IP address is the FortiGate Internet-facing IP address, in this example 172.20.120.142.

    cfg -a AC_IPADDR_1=172.20.120.142

    cfg -c

  6. To log out of the FortiAP CLI, enter exit.
  7. To close the CLI Console window, click the X in the top right corner of the window.

Preauthorizing a FortiAP unit

By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee name, for easier tracking.

  1. Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
  2. Enter the Serial Number of the FortiAP unit and give it a Name. Select the appropriate FortiAP Profile.
  3. Click OK.
  4. Repeat steps 1 to 3 for each FortiAP.