Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

Features for high-density deployments

Copy Link
Copy Doc ID c672b7cf-ea72-11eb-97f7-00505692583a:702421
Download PDF

Features for high-density deployments

High-density environments such as auditoriums, classrooms, and meeting rooms present a challenge to WiFi providers. When a large number of mobile devices try to connect to a WiFi network, difficulties arise because of the limited number of radio channels and interference between devices.

FortiOS and FortiAP devices provide several tools to mitigate the difficulties deploying in high-density environments.

Upgrading the firmware for multiple FortiAPs

Administrators can upgrade the firmware for multiple FortiAPs; they don't need to upgrade each AP individually.

From WiFi and Switch Controller > Managed FortiAPs, you can select a FortiAP Group and right-click to select Upgrade. This will upgrade all the APs in that group.

Controlling the power save feature

Occasionally, voice calls can become disrupted. One way to alleviate this issue is by controlling the power save feature, or to disable it altogether.

Manually configure packet transmit optimization settings by entering the following command:

config wireless-controller wtp-profile

edit <name>

config <radio-1> | <radio-2>

set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}

Transmit optimization options

Description

disable

Disable transmit optimization.

power-save

Mark a client as power save mode if excessive transmit retries happen.

aggr-limit

Set aggregation limit to a lower value when data rate is low.

retry-limit

Set software retry limit to a lower value when data rate is low.

send-bar

Do not send BAR frame too often.

11n radio powersave optimization

The following powersave-optimize parameters (under config radio) are used for 11n radios to optimize system performance for specific situations.

  • tim: Set traffic indication map (TIM) bit for client in power save mode. TIM bit mask indicates to any sleeping listening stations if the AP has any buffered frames present. If enabled, the AP will always indicate to the connected client that there is a packet waiting in the AP, so it will help to prevent the client from entering a sleep state.
  • ac-vo: Use Access Category (AC) Voice (VO) priority to send packets in the power save queue. AC VO is one of the highest classes/priority levels used to ensure quality of service (QoS). If enabled, when a client returns from a sleep state, the AP will send its buffered packet using a higher priority queue, instead of the normal priority queue.
  • no-obss-scan: Do not put Overlapping Basic Service Set (OBSS), or high-noise (i.e. non-802.11), scan IE into a Beacon or Probe Response frame.
  • no-11b-rate: Do not send frame using 11b data rate.
  • client-rate-follow: Adapt transmitting PHY rate with receiving PHY rate from client. If enabled, the AP will integrate the current client's transmission PHY rate into its rate adaptation algorithm for transmitting.

Configuring the broadcast packet suppression

You can use broadcast packet suppression to reduce the traffic on your WiFi networks. In addition, some broadcast packets are unnecessary or even potentially detrimental to the network and should be suppressed. To configure broadcast suppression for each virtual access point, enter the following commands:

config wireless-controller vap

edit <name>

set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown | arp-reply | arp-poison | arp-proxy | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}

end

Broadcast suppression options

Description

dhcp-up

Suppress DHCP discovery and request packets broadcast by WiFi clients. Forward DHCP packets to the Ethernet uplink only. Prevent malicious WiFi clients from acting as DHCP servers. Default setting.

dhcp-down

Suppress DHCP packets broadcast by the Ethernet downlink to WiFi clients. Prevent malicious WiFi clients from acting as DHCP servers.

dhcp-starvation

Suppress DHCP starvation attacks from malicious WiFi clients. Prevent malicious WiFi clients from depleting the DHCP address pool.

arp-known

Suppress ARP request packets broadcast to known WiFi clients. Instead, forward ARP packets as unicast packets to the known clients. Default setting.

arp-unknown

Suppress ARP request packets broadcast to unknown WiFi clients.

arp-reply

Suppress ARP reply packets broadcast by WiFi clients. Instead, forward the ARP packets as unicast packets to the clients with target MAC addresses.

arp-poison

Suppress ARP poison attacks from malicious WiFi clients. Prevent malicious WiFi clients from spoofing ARP packets.

arp-proxy

Suppress ARP request packets broadcast by the Ethernet downlink to known WiFi clients. Instead, send ARP reply packets to the Ethernet uplink, as a proxy for WiFi clients.

The arp-known option must be set for arp-proxy to work.

netbios-ns

Suppress NetBIOS name services packets with UDP port 137.

netbios-ds

Suppress NetBIOS datagram services packets with UDP port 138.

ipv6

Suppress IPv6 broadcast packets.

all-other-mc

Suppress multicast packets not covered by any of the specific options.

all-other-bc

Suppress broadcast packets not covered by any of the specific options.

The default configuration enables both the dhcp-up and arp-known options. The following example leaves the default settings in place and also configures a virtual access point to suppress:

  • unnecessary DHCP down link broadcast packets
  • broadcast ARP requests for unknown WiFi clients
  • other broadcast packets not specifically identified

config wireless-controller vap

edit <name>

set broadcast-suppression dhcp-up arp-known dhcp-down arp-unknown all-other-bc

end

Converting multicast streams to unicast

FortiOS provides a multicast enhancement option (disabled by default) that converts multicast streams to unicast and improves performance in WiFi networks. Multicast data, such as streaming audio or video, is sent at a low data rate in WiFi networks. A unicast stream is sent to each client at high data rate that makes more efficient use of air time. To enable multicast-to-unicast conversion, enter the following commands:

config wireless-controller vap

edit <vap_name>

set multicast-enhance enable

end

Ignoring weak or distant clients

Clients beyond the intended coverage area can have some impact on your high-density network. Your APs will respond to these clients' probe signals, consuming valuable air time. You can configure your WiFi network to ignore weak signals that most likely come from beyond the intended coverage area. The settings are available in the CLI:

config wireless-controller vap

edit <vap_name>

set probe-resp-suppression enable

set probe-resp-threshold <level_int>

end

vap_name is the SSID name.

probe-resp-threshold is the signal strength in dBm below which the client is ignored. The range is -95 to -20dBm. The default level is -80dBm.

Turning off the 802.11b protocol

By disabling support for the obsolete 802.11b protocol, you can reduce the air time that data frames occupy. These signals will now be sent at a minimum of 6 Mbps, instead of 1 Mbps. You can set this for each radio in the FortiAP profile, using the CLI:

config wireless-controller wtp-profile

edit <name_string>

config radio-1

set powersave-optimize no-11b-rate

end

Disabling low data rates

Each of the 802.11 protocols supports several data rates. By disabling the lowest rates, air time is conserved, allowing the channel to serve more users. You can set the available rates for each 802.11 protocol: a, b, g, n, ac. Data rates set as Basic are mandatory for clients to support. Other specified rates are supported.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6,9,12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9,12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix "basic", "12-basic" for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by the Modulation and Coding Scheme (MCS) Index and the number of spatial streams.

  • 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
  • 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
  • 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
  • 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4

Here are some examples of setting basic and supported rates.

config wireless-controller vap

edit <vap_name>

set rates-11a 12-basic 18 24 36 48 54

set rates-11bg 12-basic 18 24 36 48 54

set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4

set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3

end

Enabling the automatic TX power control

High-density deployments usually cover a small area that has many clients. Maximum AP signal power is usually not required. Reducing the power reduces interference between APs. Fortinet recommends that you use FortiAP automatic power control which can be set from the FortiAP profile.

  1. Go to WiFi and Switch Controller > FortiAP Profiles and edit the profile for your AP model.
  2. For each radio, enable Auto TX Power Control and set the TX Power Low and TX Power High levels.

    The default range of 10 to 17 dBm is recommended.

Enabling the frequency band load-balancing

In a high-density environment, it is important to make the best use of the two WiFi bands, 2.4 GHz and 5 GHz. The 5 GHz band has more non-overlapping channels and receives less interference from non-WiFi devices, but not all devices support it. Clients that are capable of 5 GHz operation should be encouraged to use 5 GHz rather than the 2.4 GHz band.

To load-balance the WiFi bands, you enable Frequency Handoff in the FortiAP profile. In the FortiGate GUI, go to WiFi and Switch Controller > FortiAP Profiles and edit the relevant profile to set Client Load Balancing to Frequency Handoff. Or, you can use the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set frequency-handoff enable

end

The FortiGate WiFi controller continuously scans all clients in the area and records their signal strength (RSSI) on each band. When Frequency Handoff is enabled, the AP does not reply to clients on the 2.4 GHz band that have sufficient signal strength on the 5 GHz band. These clients can associate only on the 5 GHz band. Devices that support only 2.4 GHz receive replies and associate with the AP on the 2.4 GHz band.

Setting the handoff RSSI threshold

The FortiAP applies load balancing to a client only if the client has a sufficient signal level on 5GHz. The minimum signal strength threshold is set in the FortiAP profile, but is accessible only through the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set handoff-rssi 25

end

handoff-rssi has a range of 20 to 30. RSSI is a relative measure; the higher the number, the stronger the signal.

Enabling the AP load balancing

The performance of an AP degrades if it attempts to serve too many clients. In high-density environments, multiple access points are deployed with some overlap in their coverage areas. The WiFi controller can manage the association of new clients with APs to prevent overloading.

To load-balance between APs, enable AP Handoff in the FortiAP profile.

In the FortiGate GUI, go to WiFi and Switch Controller > FortiAP Profiles and edit the relevant profile to set Client Load Balancing to AP Handoff.

Or, you can use the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set ap-handoff enable

end

When an AP exceeds the threshold (the default is 30 clients), the overloaded AP does not reply to a new client that has a sufficient signal at another AP.

Setting the AP load balance threshold

The thresholds for AP handoff are set in the FortiAP profile, but is accessible only through the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set handoff-sta-thresh 30

set handoff-rssi 25

end

handoff-sta-thresh sets the number of clients at which AP load balancing begins. It has a range of 5 to 35.

handoff-rssi sets the minimum signal strength that a new client must have at an alternate AP for the overloaded AP to ignore the client. It has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.

Setting the Application Control feature

To prevent particular application types from consuming too much bandwidth, you can use the FortiOS Application Control feature.

  1. Go to Security Profiles > Application Control. You can use the default profile or create a new one.
  2. Click the category, select Traffic Shaping and then select the priority for the category.
    Repeat for each category to be controlled.
  3. Select Apply.
  4. Go to Policy & Objects > Firewall Policy and edit your Firewall policy.
  5. In the Security Profiles section, enable Application Control and select the security profile that you edited.
  6. Click OK.

Managing the FortiAP group and assigning a dynamic VLAN

You can create FortiAP groups to manage multiple APs at once. Grouping an AP enables you to apply specific profile settings and assign VLANs to all the APs in that group, simplifying the administrative workload. Each AP can belong to one group only.

To create a FortiAP group, navigate to WiFi and Switch Controller > FortiAP Profiles and click Create New > Managed AP Group.

In addition, VLANs can be assigned dynamically based on FortiAP groups. Dynamic VLAN assignment allows the same SSID to be deployed to many APs, avoiding the need to produce multiple SSIDs.

  1. Navigate to WiFi and Switch Controller > SSIDs to define an SSID.
  2. Enable VLAN Pooling and select Managed AP Group to assign a VLAN ID to a specified group.

    You can also choose other methods of assigning VLAN IDs:

    • Round Robin: Assigns the next VLAN ID to each device as it is detected.
    • Hash: Always assigns the same VLAN ID to a specific device.
  3. Under VLAN pooling, click Create New to enter the VLAN ID you want to assign and the AP group you want to apply the ID to.

Sharing tunnel SSIDs within a single managed FortiAP

This feature enables you to move a tunnel mode virtual AP (VAP) into a VDOM, similar to an interface/VLAN in VDOMs. FortiAP is registered into the root VDOM.

Within a customer VDOM, customer VAPs can be created or added. In the root VDOM, the customer VAP can be added to the registered FortiAP. Any necessary firewall rules and interfaces can be configured between the two VDOMs.

Syntax

config wireless-controller global

set wtp-share {enable | disable}

end

Enabling the manual quarantine of devices on FortiAP (tunnel mode)

Quarantined MAC addresses are blocked on the connected FortiAP from the network and the LAN. When a tunnel VAP is created, a sub-interface named wqtn is automatically created under tunnel interface. This sub-interface is added under a software switch.

To quarantine an SSID:

  1. Go to WiFi and Switch Controller > SSIDs.
  2. Edit the SSID.
  3. Under WiFi Settings section, enable Quarantine Host.

Alternatively, you can quarantine an SSID using the CLI console. This feature consolidates previous CLI syntax for quarantining a host, so that the host does not need to be configured in multiple places (FortiAP and FortiSwitch). Host endpoints can be entered in a single place and the host will be quarantined throughout the access layer devices on the Fortinet Security Fabric.

Note

You can only quarantine an SSID that is in Tunnel Mode.

Syntax - SSID:

config wireless-controller vap

edit <name>

set quarantine {enable | disable}

next

end

Syntax - Software Switch, DHCP, and User Quarantine

config system switch-interface

edit "wqt.root"

set vdom "root"

set member "wqtn.26.AV-Qtn"

next

end

config system dhcp server

edit <id>

set interface "AV-Qtn"

config ip-range

edit <id>

set start-ip 10.111.0.2

set end-ip 10.111.0.254

next

...

config user quarantine

set quarantine {enable | disable}

end

To list stations in quarantine, use the following diagnose command:

diagnose wireless-controller wlac -c sta-qtn

Enabling host quarantine per SSID

Upon creating or editing an SSID, a Quarantine Host option is available to enable (by default) or disable quarantining devices that are connected in Tunnel-mode. The option to quarantine a device is available on Topology and FortiView WiFi pages.

When a host is put into quarantine VLAN, it will get its IP from the quarantine VLAN's DHCP server, and become part of the quarantined network.

Syntax

config wireless-controller vap

edit <name>

set quarantine {enable | disable}

next

end

To list all stations in quarantine:

diagnose wireless-controller wlac -c sta-qtn

Locating a FortiAP with LED blinking

If you have an environment that contains numerous APs it can be difficult to locate a specific AP that you need to monitor. To help you locate specific APs, you can configure the AP lights to blink, making it easier to find.

To start or stop LED blinking of a managed FortiAP, using the GUI:
  1. Go to WiFi and Switch Controller > Managed FortiAPs.
  2. Right-click in the row of the device you want to control.
  3. In the dialog box, scroll down to LED Blink and select Start or Stop.

The following models support LED blink control through the GUI, operating on FortiAP software 6.0.1, or later:

  • FortiAP-112D, 221C, 223C, 224D, 320C, 321C
  • FortiAP-S/W2
To start or stop LED blinking of a managed FortiAP, using the CLI:

execute wireless-controller led-blink <wtp-id> {on | on 10 | off}

The following models support LED blink control through the CLI, operating on FortiAP software 5.6.2, or later:

  • FortiAP-112D, 221C, 223C, 224D, 320C, 321C
  • FortiAP-S/W2

Uploading a FortiAP image on the wireless controller

Using the CLI to upgrade the FortiAP image is the preferred method especially for large deployments. Use the following CLI command to upload the desired FortiAP image on the wireless controller:

execute wireless-controller upload-wtp-image

After entering the command, reboot the FortiAP devices. This feature allows the administrator to configure all FortiAP devices to download the image from the controller at join time.

Syntax

config wireless-controller global

set image-download {enable | disable}

end

To fine-tune this process, in order to deploy FortiAP image upgrades to a subset of devices for pilot testing, use the following command:

config wireless-controller wtp

edit <name>

set image-download {enable | disable}

next

end

Configuring control message off-loading

Users can configure control message off-loading to optimize performance. This is especially useful in environments where the AP count is from 300 to 350 (with a device count between 1500 and 3000), where existing users are disconnected and unable to reauthenticate due to high CPU usage. This feature includes aeroscout enhancements.

Syntax

config wireless-controller global

set control-message-offload {evp-frame | areoscout-tag | ap-list | sta-list | sta-cap-list | stats | aeroscout-mu}

end

config wireless-controller wtp-profile

edit <name>

set control-message-offload {enable | disable}

config lbs

set ekahau-blink-mode {enable | disable}

set aeroscout {enable | disable}

set aeroscout-server-ip <address>

set aeroscount-server-port <UDP listening port>

set aeroscout-mu {enable | disable}

end

end

Enabling Dynamic Radio Mode Assignment (DRMA)

In deployments with a high AP density, there can be redundant coverage and strong radio interference. Dynamic Radio Mode Assignment (DRMA) allows FortiAP devices to calculate the Network Coverage Factor (NCF) based on radio interference and reassign the AP mode.

When DRMA is enabled in the WTP profile or on the specific AP, the APs run in automatic mode. The AC assigns the radio mode to the APs based on the DRMA NCF value that is calculated at each configured interval.

The NCF value is calculated based on overlapping coverage in a radio coverage area. If a radio is determined to be redundant based on the configured NCF threshold, then it switches from AP mode to monitor mode. When the NCF is next calculated, if the value is below the threshold then the radio switches back to AP mode.

To configure the DRMA interval

config wireless-controller timers

set drma-interval <integer>

end

drma-interval

Dynamic radio mode assignment (DRMA) schedule interval, in minutes (1 - 1440, default = 60).

To configure DRMA in a WTP profile

config wireless-controller wtp-profile

edit <profile>

config <2.4Ghz radio>

set drma enable

set drma-sensitivity {low | medium | high}

end

next

end

DRMA is disabled by default. The sensitivity options are:

low

Consider a radio as redundant when its NCF is 100% (default).

medium

Consider a radio as redundant when its NCF is 95%.

high

Consider a radio as redundant when its NCF is 90%.

To manually configure DRMA on a specific AP device

config wireless-controller wtp

edit <id>

config <2.4Ghz radio>

set drma-manual-mode {ap | monitor | ncf | ncf-peek}

end

next

end

Manual mode options include:

ap

Set the radio to AP mode.

monitor

Set the radio to monitor mode.

ncf

Select and set the radio mode based on the NCF score (default).

ncf-peek

Select the radio mode based on the NCF score, but do not apply it.

Features for high-density deployments

High-density environments such as auditoriums, classrooms, and meeting rooms present a challenge to WiFi providers. When a large number of mobile devices try to connect to a WiFi network, difficulties arise because of the limited number of radio channels and interference between devices.

FortiOS and FortiAP devices provide several tools to mitigate the difficulties deploying in high-density environments.

Upgrading the firmware for multiple FortiAPs

Administrators can upgrade the firmware for multiple FortiAPs; they don't need to upgrade each AP individually.

From WiFi and Switch Controller > Managed FortiAPs, you can select a FortiAP Group and right-click to select Upgrade. This will upgrade all the APs in that group.

Controlling the power save feature

Occasionally, voice calls can become disrupted. One way to alleviate this issue is by controlling the power save feature, or to disable it altogether.

Manually configure packet transmit optimization settings by entering the following command:

config wireless-controller wtp-profile

edit <name>

config <radio-1> | <radio-2>

set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}

Transmit optimization options

Description

disable

Disable transmit optimization.

power-save

Mark a client as power save mode if excessive transmit retries happen.

aggr-limit

Set aggregation limit to a lower value when data rate is low.

retry-limit

Set software retry limit to a lower value when data rate is low.

send-bar

Do not send BAR frame too often.

11n radio powersave optimization

The following powersave-optimize parameters (under config radio) are used for 11n radios to optimize system performance for specific situations.

  • tim: Set traffic indication map (TIM) bit for client in power save mode. TIM bit mask indicates to any sleeping listening stations if the AP has any buffered frames present. If enabled, the AP will always indicate to the connected client that there is a packet waiting in the AP, so it will help to prevent the client from entering a sleep state.
  • ac-vo: Use Access Category (AC) Voice (VO) priority to send packets in the power save queue. AC VO is one of the highest classes/priority levels used to ensure quality of service (QoS). If enabled, when a client returns from a sleep state, the AP will send its buffered packet using a higher priority queue, instead of the normal priority queue.
  • no-obss-scan: Do not put Overlapping Basic Service Set (OBSS), or high-noise (i.e. non-802.11), scan IE into a Beacon or Probe Response frame.
  • no-11b-rate: Do not send frame using 11b data rate.
  • client-rate-follow: Adapt transmitting PHY rate with receiving PHY rate from client. If enabled, the AP will integrate the current client's transmission PHY rate into its rate adaptation algorithm for transmitting.

Configuring the broadcast packet suppression

You can use broadcast packet suppression to reduce the traffic on your WiFi networks. In addition, some broadcast packets are unnecessary or even potentially detrimental to the network and should be suppressed. To configure broadcast suppression for each virtual access point, enter the following commands:

config wireless-controller vap

edit <name>

set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown | arp-reply | arp-poison | arp-proxy | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}

end

Broadcast suppression options

Description

dhcp-up

Suppress DHCP discovery and request packets broadcast by WiFi clients. Forward DHCP packets to the Ethernet uplink only. Prevent malicious WiFi clients from acting as DHCP servers. Default setting.

dhcp-down

Suppress DHCP packets broadcast by the Ethernet downlink to WiFi clients. Prevent malicious WiFi clients from acting as DHCP servers.

dhcp-starvation

Suppress DHCP starvation attacks from malicious WiFi clients. Prevent malicious WiFi clients from depleting the DHCP address pool.

arp-known

Suppress ARP request packets broadcast to known WiFi clients. Instead, forward ARP packets as unicast packets to the known clients. Default setting.

arp-unknown

Suppress ARP request packets broadcast to unknown WiFi clients.

arp-reply

Suppress ARP reply packets broadcast by WiFi clients. Instead, forward the ARP packets as unicast packets to the clients with target MAC addresses.

arp-poison

Suppress ARP poison attacks from malicious WiFi clients. Prevent malicious WiFi clients from spoofing ARP packets.

arp-proxy

Suppress ARP request packets broadcast by the Ethernet downlink to known WiFi clients. Instead, send ARP reply packets to the Ethernet uplink, as a proxy for WiFi clients.

The arp-known option must be set for arp-proxy to work.

netbios-ns

Suppress NetBIOS name services packets with UDP port 137.

netbios-ds

Suppress NetBIOS datagram services packets with UDP port 138.

ipv6

Suppress IPv6 broadcast packets.

all-other-mc

Suppress multicast packets not covered by any of the specific options.

all-other-bc

Suppress broadcast packets not covered by any of the specific options.

The default configuration enables both the dhcp-up and arp-known options. The following example leaves the default settings in place and also configures a virtual access point to suppress:

  • unnecessary DHCP down link broadcast packets
  • broadcast ARP requests for unknown WiFi clients
  • other broadcast packets not specifically identified

config wireless-controller vap

edit <name>

set broadcast-suppression dhcp-up arp-known dhcp-down arp-unknown all-other-bc

end

Converting multicast streams to unicast

FortiOS provides a multicast enhancement option (disabled by default) that converts multicast streams to unicast and improves performance in WiFi networks. Multicast data, such as streaming audio or video, is sent at a low data rate in WiFi networks. A unicast stream is sent to each client at high data rate that makes more efficient use of air time. To enable multicast-to-unicast conversion, enter the following commands:

config wireless-controller vap

edit <vap_name>

set multicast-enhance enable

end

Ignoring weak or distant clients

Clients beyond the intended coverage area can have some impact on your high-density network. Your APs will respond to these clients' probe signals, consuming valuable air time. You can configure your WiFi network to ignore weak signals that most likely come from beyond the intended coverage area. The settings are available in the CLI:

config wireless-controller vap

edit <vap_name>

set probe-resp-suppression enable

set probe-resp-threshold <level_int>

end

vap_name is the SSID name.

probe-resp-threshold is the signal strength in dBm below which the client is ignored. The range is -95 to -20dBm. The default level is -80dBm.

Turning off the 802.11b protocol

By disabling support for the obsolete 802.11b protocol, you can reduce the air time that data frames occupy. These signals will now be sent at a minimum of 6 Mbps, instead of 1 Mbps. You can set this for each radio in the FortiAP profile, using the CLI:

config wireless-controller wtp-profile

edit <name_string>

config radio-1

set powersave-optimize no-11b-rate

end

Disabling low data rates

Each of the 802.11 protocols supports several data rates. By disabling the lowest rates, air time is conserved, allowing the channel to serve more users. You can set the available rates for each 802.11 protocol: a, b, g, n, ac. Data rates set as Basic are mandatory for clients to support. Other specified rates are supported.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6,9,12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9,12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix "basic", "12-basic" for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by the Modulation and Coding Scheme (MCS) Index and the number of spatial streams.

  • 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
  • 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
  • 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
  • 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4

Here are some examples of setting basic and supported rates.

config wireless-controller vap

edit <vap_name>

set rates-11a 12-basic 18 24 36 48 54

set rates-11bg 12-basic 18 24 36 48 54

set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4

set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3

end

Enabling the automatic TX power control

High-density deployments usually cover a small area that has many clients. Maximum AP signal power is usually not required. Reducing the power reduces interference between APs. Fortinet recommends that you use FortiAP automatic power control which can be set from the FortiAP profile.

  1. Go to WiFi and Switch Controller > FortiAP Profiles and edit the profile for your AP model.
  2. For each radio, enable Auto TX Power Control and set the TX Power Low and TX Power High levels.

    The default range of 10 to 17 dBm is recommended.

Enabling the frequency band load-balancing

In a high-density environment, it is important to make the best use of the two WiFi bands, 2.4 GHz and 5 GHz. The 5 GHz band has more non-overlapping channels and receives less interference from non-WiFi devices, but not all devices support it. Clients that are capable of 5 GHz operation should be encouraged to use 5 GHz rather than the 2.4 GHz band.

To load-balance the WiFi bands, you enable Frequency Handoff in the FortiAP profile. In the FortiGate GUI, go to WiFi and Switch Controller > FortiAP Profiles and edit the relevant profile to set Client Load Balancing to Frequency Handoff. Or, you can use the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set frequency-handoff enable

end

The FortiGate WiFi controller continuously scans all clients in the area and records their signal strength (RSSI) on each band. When Frequency Handoff is enabled, the AP does not reply to clients on the 2.4 GHz band that have sufficient signal strength on the 5 GHz band. These clients can associate only on the 5 GHz band. Devices that support only 2.4 GHz receive replies and associate with the AP on the 2.4 GHz band.

Setting the handoff RSSI threshold

The FortiAP applies load balancing to a client only if the client has a sufficient signal level on 5GHz. The minimum signal strength threshold is set in the FortiAP profile, but is accessible only through the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set handoff-rssi 25

end

handoff-rssi has a range of 20 to 30. RSSI is a relative measure; the higher the number, the stronger the signal.

Enabling the AP load balancing

The performance of an AP degrades if it attempts to serve too many clients. In high-density environments, multiple access points are deployed with some overlap in their coverage areas. The WiFi controller can manage the association of new clients with APs to prevent overloading.

To load-balance between APs, enable AP Handoff in the FortiAP profile.

In the FortiGate GUI, go to WiFi and Switch Controller > FortiAP Profiles and edit the relevant profile to set Client Load Balancing to AP Handoff.

Or, you can use the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set ap-handoff enable

end

When an AP exceeds the threshold (the default is 30 clients), the overloaded AP does not reply to a new client that has a sufficient signal at another AP.

Setting the AP load balance threshold

The thresholds for AP handoff are set in the FortiAP profile, but is accessible only through the CLI:

config wireless-controller wtp-profile

edit FAP221C-default

set handoff-sta-thresh 30

set handoff-rssi 25

end

handoff-sta-thresh sets the number of clients at which AP load balancing begins. It has a range of 5 to 35.

handoff-rssi sets the minimum signal strength that a new client must have at an alternate AP for the overloaded AP to ignore the client. It has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.

Setting the Application Control feature

To prevent particular application types from consuming too much bandwidth, you can use the FortiOS Application Control feature.

  1. Go to Security Profiles > Application Control. You can use the default profile or create a new one.
  2. Click the category, select Traffic Shaping and then select the priority for the category.
    Repeat for each category to be controlled.
  3. Select Apply.
  4. Go to Policy & Objects > Firewall Policy and edit your Firewall policy.
  5. In the Security Profiles section, enable Application Control and select the security profile that you edited.
  6. Click OK.

Managing the FortiAP group and assigning a dynamic VLAN

You can create FortiAP groups to manage multiple APs at once. Grouping an AP enables you to apply specific profile settings and assign VLANs to all the APs in that group, simplifying the administrative workload. Each AP can belong to one group only.

To create a FortiAP group, navigate to WiFi and Switch Controller > FortiAP Profiles and click Create New > Managed AP Group.

In addition, VLANs can be assigned dynamically based on FortiAP groups. Dynamic VLAN assignment allows the same SSID to be deployed to many APs, avoiding the need to produce multiple SSIDs.

  1. Navigate to WiFi and Switch Controller > SSIDs to define an SSID.
  2. Enable VLAN Pooling and select Managed AP Group to assign a VLAN ID to a specified group.

    You can also choose other methods of assigning VLAN IDs:

    • Round Robin: Assigns the next VLAN ID to each device as it is detected.
    • Hash: Always assigns the same VLAN ID to a specific device.
  3. Under VLAN pooling, click Create New to enter the VLAN ID you want to assign and the AP group you want to apply the ID to.

Sharing tunnel SSIDs within a single managed FortiAP

This feature enables you to move a tunnel mode virtual AP (VAP) into a VDOM, similar to an interface/VLAN in VDOMs. FortiAP is registered into the root VDOM.

Within a customer VDOM, customer VAPs can be created or added. In the root VDOM, the customer VAP can be added to the registered FortiAP. Any necessary firewall rules and interfaces can be configured between the two VDOMs.

Syntax

config wireless-controller global

set wtp-share {enable | disable}

end

Enabling the manual quarantine of devices on FortiAP (tunnel mode)

Quarantined MAC addresses are blocked on the connected FortiAP from the network and the LAN. When a tunnel VAP is created, a sub-interface named wqtn is automatically created under tunnel interface. This sub-interface is added under a software switch.

To quarantine an SSID:

  1. Go to WiFi and Switch Controller > SSIDs.
  2. Edit the SSID.
  3. Under WiFi Settings section, enable Quarantine Host.

Alternatively, you can quarantine an SSID using the CLI console. This feature consolidates previous CLI syntax for quarantining a host, so that the host does not need to be configured in multiple places (FortiAP and FortiSwitch). Host endpoints can be entered in a single place and the host will be quarantined throughout the access layer devices on the Fortinet Security Fabric.

Note

You can only quarantine an SSID that is in Tunnel Mode.

Syntax - SSID:

config wireless-controller vap

edit <name>

set quarantine {enable | disable}

next

end

Syntax - Software Switch, DHCP, and User Quarantine

config system switch-interface

edit "wqt.root"

set vdom "root"

set member "wqtn.26.AV-Qtn"

next

end

config system dhcp server

edit <id>

set interface "AV-Qtn"

config ip-range

edit <id>

set start-ip 10.111.0.2

set end-ip 10.111.0.254

next

...

config user quarantine

set quarantine {enable | disable}

end

To list stations in quarantine, use the following diagnose command:

diagnose wireless-controller wlac -c sta-qtn

Enabling host quarantine per SSID

Upon creating or editing an SSID, a Quarantine Host option is available to enable (by default) or disable quarantining devices that are connected in Tunnel-mode. The option to quarantine a device is available on Topology and FortiView WiFi pages.

When a host is put into quarantine VLAN, it will get its IP from the quarantine VLAN's DHCP server, and become part of the quarantined network.

Syntax

config wireless-controller vap

edit <name>

set quarantine {enable | disable}

next

end

To list all stations in quarantine:

diagnose wireless-controller wlac -c sta-qtn

Locating a FortiAP with LED blinking

If you have an environment that contains numerous APs it can be difficult to locate a specific AP that you need to monitor. To help you locate specific APs, you can configure the AP lights to blink, making it easier to find.

To start or stop LED blinking of a managed FortiAP, using the GUI:
  1. Go to WiFi and Switch Controller > Managed FortiAPs.
  2. Right-click in the row of the device you want to control.
  3. In the dialog box, scroll down to LED Blink and select Start or Stop.

The following models support LED blink control through the GUI, operating on FortiAP software 6.0.1, or later:

  • FortiAP-112D, 221C, 223C, 224D, 320C, 321C
  • FortiAP-S/W2
To start or stop LED blinking of a managed FortiAP, using the CLI:

execute wireless-controller led-blink <wtp-id> {on | on 10 | off}

The following models support LED blink control through the CLI, operating on FortiAP software 5.6.2, or later:

  • FortiAP-112D, 221C, 223C, 224D, 320C, 321C
  • FortiAP-S/W2

Uploading a FortiAP image on the wireless controller

Using the CLI to upgrade the FortiAP image is the preferred method especially for large deployments. Use the following CLI command to upload the desired FortiAP image on the wireless controller:

execute wireless-controller upload-wtp-image

After entering the command, reboot the FortiAP devices. This feature allows the administrator to configure all FortiAP devices to download the image from the controller at join time.

Syntax

config wireless-controller global

set image-download {enable | disable}

end

To fine-tune this process, in order to deploy FortiAP image upgrades to a subset of devices for pilot testing, use the following command:

config wireless-controller wtp

edit <name>

set image-download {enable | disable}

next

end

Configuring control message off-loading

Users can configure control message off-loading to optimize performance. This is especially useful in environments where the AP count is from 300 to 350 (with a device count between 1500 and 3000), where existing users are disconnected and unable to reauthenticate due to high CPU usage. This feature includes aeroscout enhancements.

Syntax

config wireless-controller global

set control-message-offload {evp-frame | areoscout-tag | ap-list | sta-list | sta-cap-list | stats | aeroscout-mu}

end

config wireless-controller wtp-profile

edit <name>

set control-message-offload {enable | disable}

config lbs

set ekahau-blink-mode {enable | disable}

set aeroscout {enable | disable}

set aeroscout-server-ip <address>

set aeroscount-server-port <UDP listening port>

set aeroscout-mu {enable | disable}

end

end

Enabling Dynamic Radio Mode Assignment (DRMA)

In deployments with a high AP density, there can be redundant coverage and strong radio interference. Dynamic Radio Mode Assignment (DRMA) allows FortiAP devices to calculate the Network Coverage Factor (NCF) based on radio interference and reassign the AP mode.

When DRMA is enabled in the WTP profile or on the specific AP, the APs run in automatic mode. The AC assigns the radio mode to the APs based on the DRMA NCF value that is calculated at each configured interval.

The NCF value is calculated based on overlapping coverage in a radio coverage area. If a radio is determined to be redundant based on the configured NCF threshold, then it switches from AP mode to monitor mode. When the NCF is next calculated, if the value is below the threshold then the radio switches back to AP mode.

To configure the DRMA interval

config wireless-controller timers

set drma-interval <integer>

end

drma-interval

Dynamic radio mode assignment (DRMA) schedule interval, in minutes (1 - 1440, default = 60).

To configure DRMA in a WTP profile

config wireless-controller wtp-profile

edit <profile>

config <2.4Ghz radio>

set drma enable

set drma-sensitivity {low | medium | high}

end

next

end

DRMA is disabled by default. The sensitivity options are:

low

Consider a radio as redundant when its NCF is 100% (default).

medium

Consider a radio as redundant when its NCF is 95%.

high

Consider a radio as redundant when its NCF is 90%.

To manually configure DRMA on a specific AP device

config wireless-controller wtp

edit <id>

config <2.4Ghz radio>

set drma-manual-mode {ap | monitor | ncf | ncf-peek}

end

next

end

Manual mode options include:

ap

Set the radio to AP mode.

monitor

Set the radio to monitor mode.

ncf

Select and set the radio mode based on the NCF score (default).

ncf-peek

Select the radio mode based on the NCF score, but do not apply it.