7.0.0

Introduction

Executive Summary

This document is intended to provide an architectural overview for both single location and distributed enterprises using Fortinet Wi-Fi gear managed via the FortiGate Cloud portal. The FortiGate Cloud service provides a simple, secure and robust cloud management option for FortiGates, Fortinet's flagship product. Every FortiGate includes, at no additional cost or licensing, a full-featured WiFi & Switch Controller which directly controls the on-site FortiAPs (Fortinet wireless Access Points) at the FortiGate location.

Each FortiGate at a site typically serves as the site's main Internet Gateway (GW). Wireless traffic is tunneled from the FortiAPs to the controller FortiGate and passes through the FortiGate's security inspection before being routed internally or to the Internet. This is often referred to as a branch or SD-Branch architecture.

This guide focuses on using FortiGate Cloud as the management platform, with the site FortiGate serving as the Internet GW. The FortiGate is assumed to be a low- to mid-range model, generally up to the 200/300 series. Up to a few dozen FortiAPs tunnel Wi-Fi traffic to the GW FortiGate. Adding a second FortiGate with the pair configured for High Availability (HA) is recommended but not required.

FortiGate Cloud provides additional functionality over a standalone FortiGate, not only for distributed enterprises, but also for single sites. FortiGate Cloud adds:

  • Simplified remote management – a single portal for all sites, reached through the FortiGate's own outbound connection to the cloud, so no per-site management interface has to be exposed to the Internet

  • One year log retention

  • Analytics – up to one year of data

  • Automated backups and backup storage

  • Sandboxing

  • CLI scripting and a RESTful API

Licensed features include:

  • Multi-tenancy – ideal for MSSPs

  • Indicator of Compromise (IOC) services

The division between a branch architecture and a campus architecture is not sharply defined, but if any of your sites exceeds around 100 APs, consider separating the WiFi & Switch controller function from the main Internet GW, as described in the Campus WLAN Architecture Guide.

The FortiGate Cloud WLAN Architecture Outline

FortiGate Cloud architecture with two branch offices

  • FortiGate Cloud Management Portal (all sites)

  • For each site:

    • FortiGate NGFW as Internet Gateway + WLAN controller

      • Recommended HA FortiGate

    • Campus switch network

      • Recommended PoE access switch ports for FortiAPs

    • FortiAP controller discovery and authorization

    • Possible Mesh AP backhaul

    • Separate SSIDs, isolated from one another by firewall policy, for

      • Corp users

      • Guest users

      • IoT devices

      • FortiLink NAC/onboarding

    • Wi-Fi traffic Inspection policies at the controller(s)
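The per-site outline above, rendered as a FortiOS CLI sketch. This is an added illustration, not configuration from the guide or from Fortinet; the interface names, the FortiAP serial number, the subnets, the RADIUS server and the profile names are hypothetical placeholders, and the PSK must be replaced before use.

```text
# Added example (not from the guide). All names, addresses and the AP serial are hypothetical.

# 1. FortiAP controller discovery: permit CAPWAP on the interface that faces the PoE access switches.
config system interface
    edit "internal"
        set allowaccess ping capwap
    next
end

# 2. FortiAP authorization: approve a discovered AP by serial number and bind it to a WTP profile.
config wireless-controller wtp
    edit "FP231FTF00000000"
        set admin enable
        set wtp-profile "FAP231F-default"
    next
end

# 3. One SSID per trust zone. Each VAP becomes its own FortiGate interface, so traffic between
#    zones must cross a firewall policy; intra-vap-privacy blocks client-to-client traffic inside an SSID.
config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "corp-radius"
        set schedule "always"
    next
    edit "guest-wifi"
        set ssid "Guest"
        set security captive-portal
        set selected-usergroups "guest-group"
        set intra-vap-privacy enable
        set schedule "always"
    next
    edit "iot-wifi"
        set ssid "IoT"
        set security wpa2-only-personal
        set passphrase "replace-with-a-long-random-psk"
        set intra-vap-privacy enable
        set schedule "always"
    next
end

# 4. Give each VAP interface its own subnet.
config system interface
    edit "corp-wifi"
        set ip 10.10.10.1 255.255.255.0
    next
    edit "guest-wifi"
        set ip 10.10.20.1 255.255.255.0
    next
    edit "iot-wifi"
        set ip 10.10.30.1 255.255.255.0
    next
end

# 5. Inspection policies at the controller. Guest and IoT get Internet only, with UTM profiles
#    applied; there is deliberately no policy from guest-wifi or iot-wifi to corp or internal,
#    so the FortiGate's implicit deny enforces the isolation.
config firewall policy
    edit 0
        set name "guest-to-internet"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set webfilter-profile "default"
        set ips-sensor "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
        set logtraffic all
    next
    edit 0
        set name "iot-to-internet"
        set srcintf "iot-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS" "NTP"
        set utm-status enable
        set ips-sensor "default"
        set nat enable
        set logtraffic all
    next
end
```

The security property comes from step 5 together with the absence of cross-zone policies: because guest and IoT clients land on their own interfaces, anything not explicitly allowed toward corp or internal addresses is dropped by the implicit deny, and the inspection profiles on the Internet-bound policies are where the FortiGate applies IPS and web filtering to tunneled Wi-Fi traffic. Check the result by reviewing the policy table for any source interface of guest-wifi or iot-wifi whose destination is not the WAN.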

Intended Audience

This guide is intended for an audience interested in learning about FortiGate Cloud managed wireless LAN architectures. Readers should have a basic understanding of networking, wireless and security concepts before they begin. The intended audience includes:

  • Network, Wireless and Security architects

  • Network, Wireless and Security engineers

About this guide

After reading the Fortinet Secure Wireless LANs Concept Guide, readers should have a basic understanding of the concepts and terminology behind the Fortinet wireless infrastructure. This guide further explores the design of a wireless LAN for a branch or small campus network managed via the FortiGate Cloud service portal, for one or more locations. Learn about the role of the FortiGate integrated Wi-Fi controller, and the logical and physical placement of the controller. Furthermore, learn about AP placement and channel planning to achieve optimal performance. Also take a deeper dive into the details of the control plane, and how to launch and secure your SSIDs with proper user management and security.

Readers should use this guide to gather ideas for designing their wireless solution. After completing this Architecture guide, you may move on to the FortiGate Cloud WLAN Deployment Guide for actual steps in deploying a specific design scenario.
