FortiWiFi and FortiAP Configuration Guide

FortiAP-S bridge mode security profiles

If a bridge mode SSID is configured for a managed FortiAP-S (or smart FortiAP), you can add a security profile group to the wireless controller configuration that allows you to apply the following security profile features to the traffic over the bridge SSID:

  • AntiVirus (including botnet protection)
  • Intrusion Prevention
  • Application Control
  • Web Filter

Configure Security Profile Groups - GUI syntax

  1. For this configuration to work, you must go to WiFi & Switch Controller > SSID and enable the Security profile group option on the bridge mode SSID assigned to the FortiAP Profile for your smart FortiAP.
  2. Go to WiFi & Switch Controller > Security Profile Groups. Select Create New or edit the wifi-default profile.
  3. Enable or disable Logging.
  4. Enable or disable Scan Botnets. This option is enabled by default. If you enable this option, select Blocked or Monitor. The default is Monitor.
  5. Under Security Profiles, you can enable or disable the AntiVirus, Web Filter, Application Control, and Intrusion Prevention profiles. To view available profiles, click the down arrow. The defaults for these options are wifi-default.

Configure Security Profile Groups - CLI syntax

You configure security profile groups on managed smart FortiAPs by using the config wireless-controller utm-profile command. Then, you can assign a security profile group by using the set utm-profile command under config wireless-controller vap, after local-bridging is set to enable.

Note that the default utm-profile, named wifi-default, has all applicable options within the command set to wifi-default.

To view all available profiles that you can assign, type "?". For example, "set ips-sensor ?".

config wireless-controller utm-profile
    edit <name>
        set comment <comment>
        set utm-log {enable | disable}
        set ips-sensor <name>
        set application-list <name>
        set antivirus-profile <name>
        set webfilter-profile <name>
        set scan-botnet-connections {disable | block | monitor}
    next
end

config wireless-controller vap
    edit <name>
        set local-bridging enable
        set utm-profile <name>
    next
end

To debug the wireless-controller configurations related to security profile groups, use the following diagnose command:

diagnose wireless-controller wlac_hlp
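
The following audit script is an added example, not part of the Fortinet guide. It reads saved CLI output for the two tables above and reports bridge mode SSIDs that have no security profile group, or whose group disables logging or does not block botnet connections. It assumes the input is plain `show wireless-controller utm-profile` and `show wireless-controller vap` output; the SSID and profile names in the sample are constructed.

```python
SAMPLE = """
config wireless-controller utm-profile
    edit "guest-utm"
        set utm-log disable
        set scan-botnet-connections monitor
    next
end
config wireless-controller vap
    edit "guest-bridge"
        set local-bridging enable
        set utm-profile "guest-utm"
    next
    edit "lab-bridge"
        set local-bridging enable
    next
end
"""  # constructed sample, not taken from a real device

def parse(text):
    """Return {table: {entry: {option: value}}}; sub-tables nested in an entry are skipped."""
    tables, table, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        tok = [t.strip('"') for t in line.split()] or [""]
        depth += (tok[0] == "config") - (tok[0] == "end")  # track config/end nesting
        if tok[0] == "config" and depth == 1:
            table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif depth == 1 and tok[0] == "edit":
            entry = table.setdefault(" ".join(tok[1:]), {})
        elif depth == 1 and tok[0] == "set" and entry is not None and len(tok) > 2:
            entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit(text):
    """Return (ssid, issue) pairs for every bridge mode SSID in the input."""
    cfg = parse(text)
    profiles, out = cfg.get("wireless-controller utm-profile", {}), []
    for ssid, vap in cfg.get("wireless-controller vap", {}).items():
        if vap.get("local-bridging") != "enable":
            continue  # set utm-profile applies only after local-bridging is enabled
        prof = profiles.get(vap.get("utm-profile"))
        if prof is None:
            out.append((ssid, "no utm-profile found in input"))
            continue
        if prof.get("utm-log") == "disable":
            out.append((ssid, "utm-log disabled"))
        if prof.get("scan-botnet-connections", "monitor") != "block":  # unset = monitor
            out.append((ssid, "botnet connections not blocked"))
    return out
print("\n".join(f"{ssid}: {issue}" for ssid, issue in audit(SAMPLE)))
```

A profile group that is referenced but missing from the input is reported the same way as an unassigned one, so include both tables in the saved output.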

 
