Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWiFi and FortiAP Configuration Guide

    Home FortiAP / FortiWiFi 6.2.0 FortiWiFi and FortiAP Configuration Guide
    6.2.0
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.1
    7.2.0
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.6
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.2
    6.2.0
    6.0.5
    6.0.4
    6.0.3
    5.6.4
    5.4.3

    Configuring a FortiAP local bridge (private cloud-managed AP)

    Configuring a FortiAP local bridge (private cloud-managed AP)

    A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

    • Installations where the WiFi controller is remote and most of the traffic is local or uses the local Internet gateway
    • Wireless-PCI compliance with remote WiFi controller
    • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.
    Remotely-managed FortiAP providing WiFi access to local network

    On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The WiFi and Ethernet interfaces on the FortiAP behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

    Caution

    The local bridge feature cannot be used in conjunction with Wireless Mesh features.

    Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspot deployments managed by a central FortiGate, but would also be useful in cloud deployments. Previously, this was only supported in Tunnel mode.

    To configure a FortiAP local bridge - GUI
    1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
    2. Enter:

      Interface name

      A name for the new WiFi interface.

      Traffic Mode

      Local bridge with FortiAP interface.

      SSID

      The SSID visible to users.

      Security Mode
      Data Encryption
      Preshared Key

      Configure security as you would for a regular WiFi network.
    3. Select OK.
    4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
    5. Authorize the FortiAP unit.
      The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.
    SSID configured for local bridge operation

    To configure a FortiAP local bridge - CLI

    This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

    config wireless-controller vap

    edit "branchbridge"

    set vdom "root"

    set ssid "LANbridge"

    set local-bridging enable

    set security wpa-personal

    set passphrase "Fortinet1"

    end

    config wireless-controller wtp

    edit FAP22B3U11005354

    set admin enable

    set vaps "branchbridge"

    end

    Note

    Disabling local-bridging forcefully disables local-standalone. Also, disabling either local-bridging or local-standalone forcefully disables intra-vap-privacy.

    Enabling intra-vap-privacy forcefully disables local-standalone.

    Enabling local-standalone forcefully enables local-bridging.

    Continued FortiAP operation when WiFi controller connection is down

    The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

    • Traffic Mode is Local bridge with FortiAP’s Interface.
      In this mode, the FortiAP unit does not send traffic back to the wireless controller.
    • Security Mode is WPA2 Personal.
      These modes do not require the user database. In WPA2 Personal authentication, all clients use the same pre-shared key which is known to the FortiAP unit.
    • Allow New WiFi Client Connections When Controller is down is enabled.
      This field is available only if the other conditions have been met.

    The “LANbridge” SSID example would be configured like this in the CLI:

    config wireless-controller vap

    edit "branchbridge"

    set vdom "root"

    set ssid "LANbridge"

    set local-bridging enable

    set security wpa-personal

    set passphrase "Fortinet1"

    set local-authentication enable

    end

    Previous
    Next

    Configuring a FortiAP local bridge (private cloud-managed AP)

    Configuring a FortiAP local bridge (private cloud-managed AP)

    A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

    • Installations where the WiFi controller is remote and most of the traffic is local or uses the local Internet gateway
    • Wireless-PCI compliance with remote WiFi controller
    • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.
    Remotely-managed FortiAP providing WiFi access to local network

    On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The WiFi and Ethernet interfaces on the FortiAP behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

    Caution

    The local bridge feature cannot be used in conjunction with Wireless Mesh features.

    Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspot deployments managed by a central FortiGate, but would also be useful in cloud deployments. Previously, this was only supported in Tunnel mode.

    To configure a FortiAP local bridge - GUI
    1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
    2. Enter:

      Interface name

      A name for the new WiFi interface.

      Traffic Mode

      Local bridge with FortiAP interface.

      SSID

      The SSID visible to users.

      Security Mode
      Data Encryption
      Preshared Key

      Configure security as you would for a regular WiFi network.
    3. Select OK.
    4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
    5. Authorize the FortiAP unit.
      The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.
    SSID configured for local bridge operation

    To configure a FortiAP local bridge - CLI

    This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

    config wireless-controller vap

    edit "branchbridge"

    set vdom "root"

    set ssid "LANbridge"

    set local-bridging enable

    set security wpa-personal

    set passphrase "Fortinet1"

    end

    config wireless-controller wtp

    edit FAP22B3U11005354

    set admin enable

    set vaps "branchbridge"

    end

    Note

    Disabling local-bridging forcefully disables local-standalone. Also, disabling either local-bridging or local-standalone forcefully disables intra-vap-privacy.

    Enabling intra-vap-privacy forcefully disables local-standalone.

    Enabling local-standalone forcefully enables local-bridging.

    Continued FortiAP operation when WiFi controller connection is down

    The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

    • Traffic Mode is Local bridge with FortiAP’s Interface.
      In this mode, the FortiAP unit does not send traffic back to the wireless controller.
    • Security Mode is WPA2 Personal.
      These modes do not require the user database. In WPA2 Personal authentication, all clients use the same pre-shared key which is known to the FortiAP unit.
    • Allow New WiFi Client Connections When Controller is down is enabled.
      This field is available only if the other conditions have been met.

    The “LANbridge” SSID example would be configured like this in the CLI:

    config wireless-controller vap

    edit "branchbridge"

    set vdom "root"

    set ssid "LANbridge"

    set local-bridging enable

    set security wpa-personal

    set passphrase "Fortinet1"

    set local-authentication enable

    end

    Previous
    Next