Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

FortiWiFi and FortiAP Configuration Guide

Download PDF
Copy Link

Remote WLAN FortiAPs

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If you want to use split tunneling, you can configure which traffic is routed to the FortiGate. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate with unnecessary traffic and allows direct access to local private networks at the location of the FortiAP even if the connection to the WiFi controller goes down.

Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.

  1. Create FortiAP profiles for the Remote LAN FortiAP models.

    If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see Creating a FortiAP profile.

  2. If you want to configure split tunneling, you must do the following:
    1. enable split tunneling in the FortiGate GUI
    2. apply split tunneling to a FortiAP profile
    3. configure split tunneling behavior in the FortiAP CLI
    4. enable split tunneling in the SSID
  3. Configure a FortiAP to connect to FortiGate
  4. Preauthorize a FortiAP for automatic authorization.

Enable split tunneling options

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings

set gui-fortiap-split-tunneling enable

end

Once you enable split tunneling, you can apply it via the FortiAP profile.

Apply split tunneling

To apply split tunneling - FortiGate GUI

Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s). You can enter a list of the destination IP address ranges.

  • Depending on how you configure split tunneling behavior in the CLI (see Configure split tunneling behavior), you can decide if you want the listed IP addresses to be tunneled to the FortiGate, or if you want to avoid tunneling these IP addresses to the FortiGate.

Configure split tunneling behavior

There are two methods the FortiAP can use to tunnel networks from the remote AP:

  • Tunnel: Define the subnets in the profile that you want to tunnel to the FortiGate. These are usually the IP subnets that contain internal corporate applications such as file shares.

    Uncheck the Include Local Subet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site.

  • Local: Define the subnets that you do not want to be tunneled back to the FortiGate. Use this method if you want all traffic to be inspected by the FortiGate, including traffic destined for the internet. This method is more secure but can add latency to the user's internet browsing.

    Check the Include Local Subnet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site

From the FortiGate CLI, enter the following commands to change the split tunneling behavior in a FortiAP profile:

config wireless-controller wtp-profile

edit <profile_name>

set split-tunneling-acl-path {tunnel | local}

end

end

To configure split tunneling addresses

In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.

config wireless-controller vap

edit example-ssid

set split-tunneling enable

end

 

config wireless-controller wtp-profile

edit FAP21D-default

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.0.0 255.255.0.0

end

end

To enter multiple subnets, create a split-tunneling-acl entry for each one.

To override the split tunneling settings on a FortiAP

If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.

config wireless-controller wtp

edit FAP321C3X14019926

set override-split-tunnel enable

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.10.0 255.255.255.0

end

end

Enable split tunneling on SSIDs

Once you create your FortiAP profile, you need to enable split tunneling on the SSIDs you want to use on the remote APs.

  1. Go to WiFi & Switch Controller > SSID and edit the SSIDs the remote AP will use.
  2. Enable Split tunneling.
  3. Click OK.

Configure a FortiAP unit to connect to FortiGate

Prior to providing a remote WLAN FortiAP unit to an employee, you need to preconfigure the FortiAP to connect to your FortiGate WiFi controller.

To pre-configure a FortiAP - GUI
  1. Plug the FortiAP you want to deploy into a port or VLAN that has DHCP configured.

    • If no DHCP server is available, the default IP information to log in to the AP is:

      IP Address: 192.168.1.2

      Subnet Mask: 255.255.255.0

      DGW: 192.168.1.1

  2. Look for the assigned IP Address on the router or DHCP server.

    If no DHCP server is available, use a cross-over cable to connect your Ethernet port directly to the LAN port on the AP.

    Note: You might need a power adapter for the FortiAP if POE is not available.

  3. From a web browser, access your FortiAP at https://<FAP-IP> where <FAP-IP> is the IP address of the FortiAP.

  4. Log in with username admin and no password.

  5. From the FortiAP page, click Local Configuration.

  6. In the AC Discovery Type field, select how you want the FortiAP to discover the controller and complete any required fields:

    For more information on discovery methods, refer to Advanced WiFi controller discovery.

    • Auto: Automatically cycle through all six of the discovery methods until it establishes an AC connection.
    • Static: Provide up to three Static IP Addresses (most likely the public facing IP addresses for remote workers).
    • DHCP: Use DHCP Option 138.
    • DNS: Provide up to three FQDN entries that are resolvable by the FortiAP.
    • FortiAP Cloud: Enter your FortiAP Cloud username and password.
  7. In the AP Data Channel Security field, select IPsec Enabled.

  8. Click OK to save your changes.

To pre-configure a FortiAP - CLI
  1. Connect the FortiAP to the FortiGate unit.
  2. Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
  3. Right click the row of the FortiAP that you want to connect to and then select >_ Connect to CLI.

    The CLI Console window opens.

  4. If the password prompt appears, then enter the required password. By default, no password is set.
  5. Enter the following commands to set the FortiGate WiFi controller IP address. This IP address is the FortiGate Internet-facing IP address, in this example 172.20.120.142.

    cfg -a AC_IPADDR_1=172.20.120.142

    cfg -c

  6. To log out of the FortiAP CLI, enter exit.

Preauthorize a FortiAP unit for automatic authorization

By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee name, for easier tracking.

  1. Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
  2. Enter the Serial Number of the FortiAP unit and give it a Name.
  3. Select the appropriate FortiAP Profile.
  4. Click OK.
  5. Repeat steps 1 to 4 for each FortiAP.

Remote WLAN FortiAPs

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If you want to use split tunneling, you can configure which traffic is routed to the FortiGate. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate with unnecessary traffic and allows direct access to local private networks at the location of the FortiAP even if the connection to the WiFi controller goes down.

Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.

  1. Create FortiAP profiles for the Remote LAN FortiAP models.

    If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see Creating a FortiAP profile.

  2. If you want to configure split tunneling, you must do the following:
    1. enable split tunneling in the FortiGate GUI
    2. apply split tunneling to a FortiAP profile
    3. configure split tunneling behavior in the FortiAP CLI
    4. enable split tunneling in the SSID
  3. Configure a FortiAP to connect to FortiGate
  4. Preauthorize a FortiAP for automatic authorization.

Enable split tunneling options

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings

set gui-fortiap-split-tunneling enable

end

Once you enable split tunneling, you can apply it via the FortiAP profile.

Apply split tunneling

To apply split tunneling - FortiGate GUI

Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s). You can enter a list of the destination IP address ranges.

  • Depending on how you configure split tunneling behavior in the CLI (see Configure split tunneling behavior), you can decide if you want the listed IP addresses to be tunneled to the FortiGate, or if you want to avoid tunneling these IP addresses to the FortiGate.

Configure split tunneling behavior

There are two methods the FortiAP can use to tunnel networks from the remote AP:

  • Tunnel: Define the subnets in the profile that you want to tunnel to the FortiGate. These are usually the IP subnets that contain internal corporate applications such as file shares.

    Uncheck the Include Local Subet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site.

  • Local: Define the subnets that you do not want to be tunneled back to the FortiGate. Use this method if you want all traffic to be inspected by the FortiGate, including traffic destined for the internet. This method is more secure but can add latency to the user's internet browsing.

    Check the Include Local Subnet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site

From the FortiGate CLI, enter the following commands to change the split tunneling behavior in a FortiAP profile:

config wireless-controller wtp-profile

edit <profile_name>

set split-tunneling-acl-path {tunnel | local}

end

end

To configure split tunneling addresses

In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.

config wireless-controller vap

edit example-ssid

set split-tunneling enable

end

 

config wireless-controller wtp-profile

edit FAP21D-default

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.0.0 255.255.0.0

end

end

To enter multiple subnets, create a split-tunneling-acl entry for each one.

To override the split tunneling settings on a FortiAP

If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.

config wireless-controller wtp

edit FAP321C3X14019926

set override-split-tunnel enable

set split-tunneling-acl-local-ap-subnet enable

config split-tunneling-acl

edit 1

set dest-ip 192.168.10.0 255.255.255.0

end

end

Enable split tunneling on SSIDs

Once you create your FortiAP profile, you need to enable split tunneling on the SSIDs you want to use on the remote APs.

  1. Go to WiFi & Switch Controller > SSID and edit the SSIDs the remote AP will use.
  2. Enable Split tunneling.
  3. Click OK.

Configure a FortiAP unit to connect to FortiGate

Prior to providing a remote WLAN FortiAP unit to an employee, you need to preconfigure the FortiAP to connect to your FortiGate WiFi controller.

To pre-configure a FortiAP - GUI
  1. Plug the FortiAP you want to deploy into a port or VLAN that has DHCP configured.

    • If no DHCP server is available, the default IP information to log in to the AP is:

      IP Address: 192.168.1.2

      Subnet Mask: 255.255.255.0

      DGW: 192.168.1.1

  2. Look for the assigned IP Address on the router or DHCP server.

    If no DHCP server is available, use a cross-over cable to connect your Ethernet port directly to the LAN port on the AP.

    Note: You might need a power adapter for the FortiAP if POE is not available.

  3. From a web browser, access your FortiAP at https://<FAP-IP> where <FAP-IP> is the IP address of the FortiAP.

  4. Log in with username admin and no password.

  5. From the FortiAP page, click Local Configuration.

  6. In the AC Discovery Type field, select how you want the FortiAP to discover the controller and complete any required fields:

    For more information on discovery methods, refer to Advanced WiFi controller discovery.

    • Auto: Automatically cycle through all six of the discovery methods until it establishes an AC connection.
    • Static: Provide up to three Static IP Addresses (most likely the public facing IP addresses for remote workers).
    • DHCP: Use DHCP Option 138.
    • DNS: Provide up to three FQDN entries that are resolvable by the FortiAP.
    • FortiAP Cloud: Enter your FortiAP Cloud username and password.
  7. In the AP Data Channel Security field, select IPsec Enabled.

  8. Click OK to save your changes.

To pre-configure a FortiAP - CLI
  1. Connect the FortiAP to the FortiGate unit.
  2. Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
  3. Right click the row of the FortiAP that you want to connect to and then select >_ Connect to CLI.

    The CLI Console window opens.

  4. If the password prompt appears, then enter the required password. By default, no password is set.
  5. Enter the following commands to set the FortiGate WiFi controller IP address. This IP address is the FortiGate Internet-facing IP address, in this example 172.20.120.142.

    cfg -a AC_IPADDR_1=172.20.120.142

    cfg -c

  6. To log out of the FortiAP CLI, enter exit.

Preauthorize a FortiAP unit for automatic authorization

By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee name, for easier tracking.

  1. Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
  2. Enter the Serial Number of the FortiAP unit and give it a Name.
  3. Select the appropriate FortiAP Profile.
  4. Click OK.
  5. Repeat steps 1 to 4 for each FortiAP.