Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Campus WLAN Architecture Guide

    Home FortiAP / FortiWiFi 7.0.0 Campus WLAN Architecture Guide
    7.0.0
    7.0.0

    FortiGate Secure WLAN Controller Logical and Physical Placement

    FortiGate Secure WLAN Controller Logical and Physical Placement

    For Campus deployments with substantial numbers of APs, the Secure WLAN Controller FortiGates should generally NOT be the main WAN/Internet firewall, for a number of reasons.

    For maximum flexibility, Fortinet WLAN equipment is fully compliant with network standards and will work with any vendor's network equipment. While we think our customers would be well served by having a FortiGate as their primary Internet firewall and SD-WAN solution, most networks are multi-vendor.

    Even when the main Internet Firewall is a FortiGate, experience has shown that best practice is to separate the WLAN administration from the Internet Firewall/SD-WAN. This way administration of WLANs and WLAN security is simplified and appropriately divided. Performance can be 'right-sized' for the differing jobs, troubleshooting simplified, and etc. The Controller FortiGate(s) can be thought of as Internal Segmentation Firewalls for WLAN traffic.

    Controller and FortiAP communication

    FortiAPs will communicate with their controllers via the FortiLink protocol, which provides both control plane traffic, or management of the APs and data plane tunneling, securely bringing all data traffic to a central management and inspection point. Data plane traffic is the control and administration traffic between the FortiAPs and the FortiGate WLAN controller, and will work over L2 or L3. So any logical placement that allows routing from the APs to the FortGate Controller will work, but should be analyzed for expected traffic and how it fits into the network. The FortiGate WLAN Controller will be the central router for all WLAN traffic to the rest of the network while providing security inspection services.

    No WLAN VLAN will need to be defined going to the controller. VLANs will essentially exist in the tunnel and within the FortiGate but usually nowhere else.

    FortiGate WLAN controllers should be deployed in Active/Passive High Availability mode to provide redundancy for this critical portion of the network.

    Access Layer and Power consumption

    Although the FortiGate WLAN controllers for a given network might be placed at any network level—access, distribution, or core layers of the typical switch network—FortiAPs are Wireless Access Points which are part of the access layer of the campus network and are on the LAN Edge boundary. As a general rule, the indoor Wi-Fi FortiAPs require 802.3bt High Power over Ethernet and support 2.5 Gigabit Ethernet speeds. The underlying switch network should be ready to support that for maximum value. Confirm capabilities of switch ports are matched to the FortiAPs, whether new or existing.

    Wi-Fi 6 FortiAPs will work with Gigabit Ethernet, and will operate on basic 802.3af PoE, but capabilities will be reduced. There are also special case FortiAPs, such as the FAP831, an ultra-High-Density model with two 5 GE ports for uplink. There are also outdoor models with a PoE output to another device, and will require higher input power to support that output. Refer to the datasheet of the particular models you wish to deploy and make sure the underlying switch network supports the capabilities you are seeking. Power injectors are available and can increase flexibility when dealing with an underlying switch network that is not ready for a refresh.

    Previous
    Next

    FortiGate Secure WLAN Controller Logical and Physical Placement

    FortiGate Secure WLAN Controller Logical and Physical Placement

    For Campus deployments with substantial numbers of APs, the Secure WLAN Controller FortiGates should generally NOT be the main WAN/Internet firewall, for a number of reasons.

    For maximum flexibility, Fortinet WLAN equipment is fully compliant with network standards and will work with any vendor's network equipment. While we think our customers would be well served by having a FortiGate as their primary Internet firewall and SD-WAN solution, most networks are multi-vendor.

    Even when the main Internet Firewall is a FortiGate, experience has shown that best practice is to separate the WLAN administration from the Internet Firewall/SD-WAN. This way administration of WLANs and WLAN security is simplified and appropriately divided. Performance can be 'right-sized' for the differing jobs, troubleshooting simplified, and etc. The Controller FortiGate(s) can be thought of as Internal Segmentation Firewalls for WLAN traffic.

    Controller and FortiAP communication

    FortiAPs will communicate with their controllers via the FortiLink protocol, which provides both control plane traffic, or management of the APs and data plane tunneling, securely bringing all data traffic to a central management and inspection point. Data plane traffic is the control and administration traffic between the FortiAPs and the FortiGate WLAN controller, and will work over L2 or L3. So any logical placement that allows routing from the APs to the FortGate Controller will work, but should be analyzed for expected traffic and how it fits into the network. The FortiGate WLAN Controller will be the central router for all WLAN traffic to the rest of the network while providing security inspection services.

    No WLAN VLAN will need to be defined going to the controller. VLANs will essentially exist in the tunnel and within the FortiGate but usually nowhere else.

    FortiGate WLAN controllers should be deployed in Active/Passive High Availability mode to provide redundancy for this critical portion of the network.

    Access Layer and Power consumption

    Although the FortiGate WLAN controllers for a given network might be placed at any network level—access, distribution, or core layers of the typical switch network—FortiAPs are Wireless Access Points which are part of the access layer of the campus network and are on the LAN Edge boundary. As a general rule, the indoor Wi-Fi FortiAPs require 802.3bt High Power over Ethernet and support 2.5 Gigabit Ethernet speeds. The underlying switch network should be ready to support that for maximum value. Confirm capabilities of switch ports are matched to the FortiAPs, whether new or existing.

    Wi-Fi 6 FortiAPs will work with Gigabit Ethernet, and will operate on basic 802.3af PoE, but capabilities will be reduced. There are also special case FortiAPs, such as the FAP831, an ultra-High-Density model with two 5 GE ports for uplink. There are also outdoor models with a PoE output to another device, and will require higher input power to support that output. Refer to the datasheet of the particular models you wish to deploy and make sure the underlying switch network supports the capabilities you are seeking. Power injectors are available and can increase flexibility when dealing with an underlying switch network that is not ready for a refresh.

    Previous
    Next