
FortiWiFi and FortiAP Configuration Guide

FortiAP-S bridge mode security profiles


If a bridge mode SSID is configured for a managed FortiAP-S (or smart FortiAP), you can add a security profile group to the wireless controller configuration that allows you to apply the following security profile features to the traffic over the bridge SSID:

  • AntiVirus
  • Scan Botnets
  • Intrusion Prevention
  • Application Control
  • Web Filter

Configure Security Profile Groups - GUI

  1. Go to WiFi and Switch Controller > SSIDs and select the bridge mode SSID assigned to the FortiAP Profile that you want to configure.
  2. In the selected SSID, enable the Security profile group option.
  3. From the Security profile group drop-down field, you can either edit the wifi-default profile or select Create to make a new one.

    The Security Profile Group window loads.

  4. Enable or disable Logging.
  5. Enable or disable Scan Botnets.

    This option is enabled by default. If you enable this option, select Blocked or Monitor.

  6. Under Security Profiles, you can enable or disable the AntiVirus, Web Filter, Application Control, and Intrusion Prevention profiles. To view available profiles or create new ones, click the drop-down field.
  7. Click OK to save your Security Profile Group changes.
  8. Click OK to save your SSID changes.

Configure Security Profile Groups - CLI

You configure security profile groups on managed smart FortiAPs by using the config wireless-controller utm-profile command. You can then assign a security profile group by using the set utm-profile command under config wireless-controller vap, after local-bridging is set to enable.

Note that the default utm-profile, named wifi-default, has all applicable options within the command set to wifi-default.

To view all available profiles that you can assign, type "?". For example, "set ips-sensor ?".

    config wireless-controller utm-profile
        edit <name>
            set comment <comment>
            set utm-log {enable | disable}
            set ips-sensor <name>
            set application-list <name>
            set antivirus-profile <name>
            set webfilter-profile <name>
            set scan-botnet-connections {disable | block | monitor}
        next
    end

    config wireless-controller vap
        edit <name>
            set local-bridging enable
            set utm-profile <name>
        next
    end

To debug the wireless-controller configurations related to security profile groups, use the following diagnose command:

diagnose wireless-controller wlac_hlp
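
The settings above can also be checked offline against saved configuration text. The following Python code is an added example, not Fortinet code: it parses FortiOS-style config text and reports bridge-mode SSIDs that have no utm-profile assigned, or whose profile sets utm-log or scan-botnet-connections to disable. It assumes the settings are written out explicitly in the text; the sample configuration and its SSID and profile names are constructed.

```python
# Constructed sample in FortiOS CLI syntax; SSID and profile names are made up.
SAMPLE = '''config wireless-controller utm-profile
    edit "branch-utm"
        set utm-log disable
        set scan-botnet-connections disable
    next
end
config wireless-controller vap
    edit "branch-bridge"
        set local-bridging enable
        set utm-profile "branch-utm"
    next
    edit "guest-bridge"
        set local-bridging enable
    next
end'''

def parse_tables(text):
    # Returns {config path: {entry name: {setting: value}}} for top-level tables.
    tables, stack, entry = {}, [], None
    for line in text.splitlines():
        words = line.split() or [""]
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif len(stack) != 1:
            continue  # settings of config blocks nested inside an entry are ignored
        elif words[0] == "edit":
            name = " ".join(words[1:]).strip('"')
            entry = tables.setdefault(stack[0], {}).setdefault(name, {})
        elif words[0] == "set" and entry is not None and len(words) > 2:
            entry[words[1]] = " ".join(words[2:]).strip('"')
        elif words[0] == "next":
            entry = None
    return tables

def audit(text):
    # Returns (ssid, issue) pairs; only SSIDs with local-bridging enable are checked.
    tables, findings = parse_tables(text), []
    profiles = tables.get("wireless-controller utm-profile", {})
    for ssid, vap in tables.get("wireless-controller vap", {}).items():
        if vap.get("local-bridging") == "enable":
            if (name := vap.get("utm-profile")) is None:
                findings.append((ssid, "no utm-profile assigned"))
            for key in ("utm-log", "scan-botnet-connections"):
                if profiles.get(name, {}).get(key) == "disable":
                    findings.append((ssid, f"{key} disable"))
    return findings
```

A profile that is referenced but not present in the text produces no findings, because its settings cannot be read from the input.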
