
FortiWiFi and FortiAP Configuration Guide

Creating a FortiAP profile

A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. FortiAP units contain two or more radio transceivers, making it possible to provide both 2.4 GHz 802.11b/g/n and 5 GHz 802.11a/n service from the same access point. The radios can also be used for monitoring accepted or rogue APs through the Rogue AP detection feature.

You can modify existing FortiAP profiles or create new ones of your own.

Note

On FortiGate model 30D, GUI configuration of FortiAP Profiles is disabled by default. To enable AP profiles, enter the following CLI commands:

config system settings
set gui-ap-profile enable
end

To configure a FortiAP profile - GUI
  1. Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
  2. Enter a Name for the FortiAP Profile.
  3. In Platform, select the FortiWiFi or FortiAP model to which this profile applies.
  4. Select the Country/Region for the FortiAP Profile.
  5. If split tunneling is used, in Split Tunneling Subnets, enter a comma-separated list of all the destination IP address ranges that should not be routed through the FortiGate WiFi controller.
  6. In Client Load Balancing, select a handoff type as needed (see Wireless client load balancing for high-density deployments).
  7. For each radio, enter:

    Mode

      Select the type of mode:

      • Disabled – the radio is disabled.
      • Access Point – the platform is an access point.
      • Dedicated Monitor – the platform is a dedicated monitor. See Wireless network monitoring.

    WIDS Profile

      Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Wireless network protection.

    Radio Resource Provision

      Select to enable the distributed radio resource provisioning (DARRP) feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions.

    Band

      Select the wireless protocols that you want to support. The available choices depend on the radio’s capabilities. Where multiple protocols are supported, the letter suffixes are combined: “802.11g/b” means 802.11g and 802.11b.

      Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band.

    Channel Width

      Select channel width for 802.11ac or 802.11n on 5 GHz.

    Short Guard Interval

      Select to enable the short guard interval for 802.11ac or 802.11n on 5 GHz.

    Channels

      Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled.

    TX Power Control

      Enable automatic or manual adjustment of transmit power.

      • Auto – the TX Power is set by default to a range of 10-17 dBm. Set the range between 1 and 20 for both the lower and upper limits.
      • Manual – the TX Power is set by default to 100% of the maximum power permitted in your region. To change the level, drag the slider.

    TX Power

      Specify the minimum and maximum TX power levels, either in dBm or as a percentage.

    SSIDs

      Select a traffic mode for SSIDs.

      • Tunnel – available tunnel-mode SSIDs are automatically assigned to this radio.
      • Bridge – available bridge-mode SSIDs are automatically assigned to this radio. This option is not available for FortiWiFi local radio platforms.
      • Manual – manually select which available SSIDs and SSID groups to assign to this radio.

    Monitor channel utilization

      Select to enable monitoring channel utilization.

    Radio 1 settings are the same as Radio 2 settings except for the options for Channel.

    Radio 2 settings are available only for FortiAP models with dual radios.

  8. Click OK.

To configure a FortiAP profile - CLI

This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.

config wireless-controller wtp-profile
    edit guest_prof
        config platform
            set type 220B
        end
        config radio-1
            set mode ap
            set band 802.11g
            set vap-all enable
        end
        config radio-2
            set mode ap
            set band 802.11g
            set vaps example_wlan
        end
end

To enable DARRP - CLI

To prevent interference between APs, the FortiOS WiFi Controller includes the Distributed Automatic Radio Resource Provisioning (DARRP) feature. Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. This allows FortiAP units to select their channels so that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges.

In this example, DARRP is enabled for both radios in the FAP321C-default profile:

config wireless-controller wtp-profile
    edit FAP321C-default
        config radio-1
            set darrp enable
        end
        config radio-2
            set darrp enable
        end
end
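
To review which SSIDs each radio carries (a radio with vap-all enabled broadcasts every available SSID) and whether DARRP is on, the following added example parses a FortiOS configuration excerpt. It is not Fortinet code: the sample text is constructed from the two wtp-profile examples above, and the parse and audit_radios helper names are assumptions made for illustration.

```python
import shlex

SAMPLE = """
config wireless-controller wtp-profile
edit guest_prof
config radio-1
set vap-all enable
end
config radio-2
set vaps example_wlan
end
next
edit FAP321C-default
config radio-1
set darrp enable
end
end
"""  # constructed sample using only the keys shown on this page

def parse(text):
    """Parse nested FortiOS config/edit/set lines into dicts."""
    stack = [({}, "root")]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]   # shlex strips the CLI's quotes
        cmd, node = tok[0], stack[-1][0]
        if cmd in ("config", "edit"):
            stack.append((node.setdefault(" ".join(tok[1:]), {}), cmd))
        elif cmd == "set" and len(tok) > 1:
            node[tok[1]] = tok[2:]
        elif cmd in ("next", "end"):
            if stack[-1][1] == "edit":
                stack.pop()  # close the edit entry
            if cmd == "end" and len(stack) > 1:
                stack.pop()  # close the enclosing config table
    return stack[0][0]

def audit_radios(text):
    """List (profile, radio, ssids, darrp_enabled) for each wtp-profile radio."""
    rows = []
    profiles = parse(text).get("wireless-controller wtp-profile", {})
    for name, prof in profiles.items():
        for key, radio in prof.items():
            if key.startswith("radio-") and isinstance(radio, dict):
                ssids = "ALL" if radio.get("vap-all") == ["enable"] else \
                    " ".join(radio.get("vaps", [])) or "default"
                rows.append((name, key, ssids, radio.get("darrp") == ["enable"]))
    return rows

if __name__ == "__main__":
    print(audit_radios(SAMPLE))
```

A value of "default" means the excerpt sets neither vap-all nor vaps for that radio, so the firmware default applies and should be checked on the unit itself.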

To configure DARRP parameters - CLI

Channels are selected based on parameters including total RSSI, Noise Floor, Channel Load, Spectral RSSI, and more. Each of those parameters is multiplied by a weight value assigned by default under the arrp-profile. Once you enable DARRP under radio, the default arrp-profile takes effect.

Default ARRP Profile configuration:

config wireless-controller arrp-profile
    edit "arrp-default"
        set comment ''
        set selection-period 3600
        set monitor-period 300
        set weight-managed-ap 50
        set weight-rogue-ap 10
        set weight-noise-floor 40
        set weight-channel-load 20
        set weight-spectral-rssi 40
        set weight-weather-channel 1000
        set weight-dfs-channel 500
        set threshold-ap 250
        set threshold-noise-floor "-85"
        set threshold-channel-load 60
        set threshold-spectral-rssi "-65"
        set threshold-tx-retries 300
        set threshold-rx-errors 50
        set include-weather-channel no
        set include-dfs-channel no
    next
end

To set DARRP timing - CLI

DARRP periodically runs based on the "darrp-optimize" timer within active schedules. By default, DARRP runs once a day (every 86400 seconds) from 1:00am to 1:30am, 7 days a week (recurring). You can change the timer and select up to 16 schedules in the CLI.

FortiOS provides the following default settings:

config firewall schedule recurring
    edit "default-darrp-optimize"
        set start 01:00
        set end 01:30
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end

config wireless-controller setting
    set darrp-optimize 86400
    set darrp-optimize-schedules "default-darrp-optimize"
end

Note

Confine DARRP activity to a low-traffic period to reduce interruption caused by channel change.
