SSID Configuration and Traffic Mode
SSIDs and Secure Interface Integration
SSID (or WLAN) setup on a FortiOS Wi-Fi controller is where the power of FortiGate integration and the advantages of Security Driven Networking truly become clear. On other systems, SSID setup is strictly a network Layer-2 process that must then be mapped onto the Layer-3 overlay, and then onto a security overlay; the FortiGate integrated Wi-Fi controller simplifies and integrates all of this into one unified flow under a true single pane of glass. By default, an SSID is also a network interface on the FortiGate firewall/router, a DHCP server is available on that interface, and an address object for the SSID is created on the firewall automatically for use in policy definitions.
SSID Traffic Modes
Tunnel mode is the default setting for a new SSID. The other available modes, Bridge and Mesh, are for special cases. A tunnel-mode SSID sends all client traffic over the FortiLink connection to the FortiGate Wi-Fi controller for inspection and routing. Because each SSID is a unique interface, each SSID is isolated from the rest of the network at the security layer, regardless of the underlying network structure, and there is no need to configure any VLANs for Wi-Fi traffic. As part of the configuration flow, a DHCP server can also be configured, again with no need to make any changes to the underlying wired network or to the control-plane subnet's DHCP server. Routing is handled by the FortiGate.
Bridge mode, on the other hand, keeps the SSID operating at Layer-2, with traffic bridged directly onto the FortiAP management subnet. There may be specific reasons for using this mode, and the WLAN traffic can be isolated with VLAN tags, but such reasons are relatively rare, and bridge mode gives up one of the great strengths of a Fortinet Wi-Fi campus deployment—the tight integration with FortiGate's security and inspection capabilities.
Mesh mode is for when Ethernet backhaul is not available: it bridges traffic from one SSID—the client service SSID—to a wireless backhaul SSID, so that a FortiAP radio, rather than its Ethernet port, provides the backhaul to the controller. A mesh SSID is meant only for connecting FortiAPs wirelessly. For instance, an outbuilding with power but no Ethernet run to the main building could have a FortiAP in mesh mode connected to a root FortiAP that does have an Ethernet connection to the main network. In this remote-building example, wired devices connected by Ethernet to the mesh FortiAP can also use this uplink.
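The tunnel and bridge modes described above, written out as FortiOS CLI; this is an added illustration, not configuration from the page or from Fortinet documentation. The tunnel-mode SSID gets the interface IP, DHCP scope and firewall policy the text describes, while the bridge-mode SSID stays at Layer 2 with `local-bridging`. The SSID names, the 10.10.120.0/24 subnet, the `wan1` egress interface and the passphrase placeholder are assumptions, and the `#` lines are annotations that the FortiOS CLI does not accept, so strip them before pasting.

```text
# Tunnel-mode SSID (the default): its own interface, DHCP scope and firewall policy
config wireless-controller vap
    edit "corp-tunnel"
        set ssid "Corp-WiFi"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-STRONG-PASSPHRASE"
        set schedule "always"
    next
end
config system interface
    edit "corp-tunnel"
        set ip 10.10.120.1 255.255.255.0
    next
end
config system dhcp server
    edit 0
        set interface "corp-tunnel"
        set default-gateway 10.10.120.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.120.2
                set end-ip 10.10.120.254
            next
        end
    next
end
config firewall policy
    edit 0
        set srcintf "corp-tunnel"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# Bridge-mode SSID: Layer 2 only on the FortiAP management subnet; the DHCP scope and policy above do not apply to it
config wireless-controller vap
    edit "guest-bridge"
        set ssid "Guest-WiFi"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-STRONG-PASSPHRASE"
        set local-bridging enable
        set schedule "always"
    next
end
```

Because bridged client traffic never enters the tunnel, nothing in the `firewall policy` section inspects it; that is the trade-off the text warns about. A mesh backhaul SSID is defined in the same `wireless-controller vap` table with `set mesh-backhaul enable`.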