FortiWiFi and FortiAP Configuration Guide

FortiAP-S and FortiAP-U bridge mode security profiles

If a bridge mode SSID is configured for a managed FortiAP-S or FortiAP-U, you can add security profiles to the wireless controller configuration so that the following security profile features are applied to the traffic over the bridge SSID:

  • AntiVirus
  • Scan Botnets
  • Intrusion Prevention
  • Application Control
  • Web Filter

Configure security profiles - GUI

  1. Go to System > Feature Visibility to enable the Security Features you want to apply to your SSID, and then click Apply.

    You can enable the AntiVirus, Application Control, Intrusion Prevention, and Web Filter features.

  2. Go to WiFi and Switch Controller > SSIDs and select the bridge mode SSID assigned to the FortiAP Profile that you want to configure.
  3. In the selected SSID, enable the Security Profiles option.
  4. Enable the security profiles you want to apply to the SSID. You can choose from AntiVirus, Web Filter, Application Control, and Intrusion Prevention.

    You can either use or edit an existing default profile, or click Create to make a new one. To see what each default profile does, hover your mouse over the profile for a brief description.

  5. In the Scan Botnets field, select whether you want to Block or Monitor botnets.

    Botnet scanning is enabled by default. To disable this feature, select Disable.

  6. Enable or disable Logging.
  7. Click OK to save your SSID changes.

    Once you save your changes, you can check the SSID page to see which security profiles are attached to an SSID in the Security Profiles column.

Configure security profiles - CLI

You can configure security profiles on managed FortiAP-S and FortiAP-U under config wireless-controller vap, after local-bridging and utm-status are set to enable.

To view all available profiles that you can assign, type "?". For example, "set ips-sensor ?".

config wireless-controller vap
    edit "utm_ssid1"
        set ssid "utm_ssid1"
        set local-bridging enable
        set utm-status enable
        set ips-sensor "wifi-default"
        set application-list "wifi-default"
        set antivirus-profile "wifi-default"
        set webfilter-profile "wifi-default"
        set scan-botnet-connections monitor
    next
end
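The following Python sketch is an added example, not part of Fortinet's guide: it audits a saved copy of the config wireless-controller vap block and lists, for each bridge mode SSID, whether utm-status is off, a security profile is unassigned, or botnet scanning is disabled. It assumes the input contains only that block in the CLI form shown above; the SSID names guest_bridge and lab_bridge and the function names are made up for illustration.

```python
import re
PROFILES = ("ips-sensor", "application-list", "antivirus-profile", "webfilter-profile")

# Constructed sample input (not taken from a real device).
SAMPLE = '''config wireless-controller vap
edit "utm_ssid1"
set local-bridging enable
set utm-status enable
set ips-sensor "wifi-default"
set application-list "wifi-default"
set antivirus-profile "wifi-default"
set webfilter-profile "wifi-default"
set scan-botnet-connections monitor
next
edit "guest_bridge"
set local-bridging enable
set utm-status enable
set ips-sensor "wifi-default"
set scan-botnet-connections disable
next
edit "lab_bridge"
set local-bridging enable
next
end'''

def parse_vaps(text):
    """Map each 'edit' entry to its {setting: value} pairs."""
    vaps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'edit "?([^"]+)"?$', line):
            current = vaps.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return vaps

def audit_bridge_ssids(text):
    """Return {name: [findings]} for bridge mode SSIDs; an empty list means no gaps."""
    report = {}
    for name, cfg in parse_vaps(text).items():
        if cfg.get("local-bridging") != "enable":
            continue  # not a bridge mode SSID, out of scope here
        if cfg.get("utm-status") != "enable":
            report[name] = ["utm-status not enabled"]
            continue
        findings = [f"{k} not set" for k in PROFILES if k not in cfg]
        if cfg.get("scan-botnet-connections") == "disable":  # only an explicit disable is flagged
            findings.append("scan-botnet-connections disable")
        report[name] = findings
    return report
```

Calling audit_bridge_ssids(SAMPLE) returns an empty list for utm_ssid1 and the gaps for the other two SSIDs.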

Debug configurations

To debug wireless-controller configurations related to security profiles, use the following diagnose command:

diagnose wireless-controller wlac_hlp
