Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

FortiAP-S bridge mode security profiles

Copy Link
Copy Doc ID b92a67f9-73a6-11ea-9384-00505692583a:47321
Download PDF

FortiAP-S bridge mode security profiles

If a bridge mode SSID is configured for a managed FortiAP-S (or smart FortiAP), you can add a security profile group to the wireless controller configuration that allows you to apply the following security profile features to the traffic over the bridge SSID:

  • AntiVirus
  • Scan Botnets
  • Intrusion Prevention
  • Application Control
  • Web Filter
Configure Security Profile Groups - GUI
  1. Go to WiFi and Switch Controller > SSIDs and select the bridge mode SSID assigned to the FortiAP Profile that you want to configure.
  2. In the selected SSID, enable the Security profile group option.
  3. From the Security profile group drop-down field, you can either edit the wifi-default profile or select Create to make a new one.

    The Security Profile Group window loads.

  4. Enable or disable Logging.
  5. Enable or disable Scan Botnets.

    This option is enabled by default. If you enable this option, select Blocked or Monitor.

  6. Under Security Profiles, you can enable or disable the AntiVirus, Web Filter, Application Control, and Intrusion Prevention profiles. To view available profiles or create new ones, click the drop-down field.
  7. Click OK to save your Security Profile Group changes.
  8. Click OK to save your SSID changes.
Configure Security Profile Groups - CLI

You configure security profile groups on managed smart FortiAPs by using the config wireless-controller utm-profile command. Then, you can assign a security profile group by using the set utm-profile command under config wirelesscontroller vap, after local-bridging is set to enable.

Note that the default utm-profile, named wifi-default, has all applicable options within the command set to wifi-default.

To view all available profiles that you can assign, type "?". For example, "set ips-sensor ?".

config wireless-controller utm-profile

edit <name>

set comment <comment>

set utm-log {enable | disable}

set ips-sensor <name>

set application-list <name>

set antivirus-profile <name>

set webfilter-profile <name>

set scan-botnet-connections {disable | block | monitor}

next

end

config wireless-controller vap

edit <name>

set local-bridging enable

set utm-profile <name>

next

end

To debug the wireless-controller configurations related to security profile groups, use the following diagnose command:

diagnose wireless-controller wlac_hlp

FortiAP-S bridge mode security profiles

If a bridge mode SSID is configured for a managed FortiAP-S (or smart FortiAP), you can add a security profile group to the wireless controller configuration that allows you to apply the following security profile features to the traffic over the bridge SSID:

  • AntiVirus
  • Scan Botnets
  • Intrusion Prevention
  • Application Control
  • Web Filter
Configure Security Profile Groups - GUI
  1. Go to WiFi and Switch Controller > SSIDs and select the bridge mode SSID assigned to the FortiAP Profile that you want to configure.
  2. In the selected SSID, enable the Security profile group option.
  3. From the Security profile group drop-down field, you can either edit the wifi-default profile or select Create to make a new one.

    The Security Profile Group window loads.

  4. Enable or disable Logging.
  5. Enable or disable Scan Botnets.

    This option is enabled by default. If you enable this option, select Blocked or Monitor.

  6. Under Security Profiles, you can enable or disable the AntiVirus, Web Filter, Application Control, and Intrusion Prevention profiles. To view available profiles or create new ones, click the drop-down field.
  7. Click OK to save your Security Profile Group changes.
  8. Click OK to save your SSID changes.
Configure Security Profile Groups - CLI

You configure security profile groups on managed smart FortiAPs by using the config wireless-controller utm-profile command. Then, you can assign a security profile group by using the set utm-profile command under config wirelesscontroller vap, after local-bridging is set to enable.

Note that the default utm-profile, named wifi-default, has all applicable options within the command set to wifi-default.

To view all available profiles that you can assign, type "?". For example, "set ips-sensor ?".

config wireless-controller utm-profile

edit <name>

set comment <comment>

set utm-log {enable | disable}

set ips-sensor <name>

set application-list <name>

set antivirus-profile <name>

set webfilter-profile <name>

set scan-botnet-connections {disable | block | monitor}

next

end

config wireless-controller vap

edit <name>

set local-bridging enable

set utm-profile <name>

next

end

To debug the wireless-controller configurations related to security profile groups, use the following diagnose command:

diagnose wireless-controller wlac_hlp