FortiAP-S and FortiAP-U bridge mode security profiles
If a bridge mode SSID is configured for a managed FortiAP-S or FortiAP-U, you can add security profiles to the wireless controller configuration. This allows you to apply the following security profile features to the traffic over the bridge SSID:
- AntiVirus
- Scan Botnets
- Intrusion Prevention
- Application Control
- Web Filter
Configure security profiles - GUI
- Go to System > Feature Visibility to enable the Security Features you want to apply to your SSID, and then click Apply.
  You can enable the AntiVirus, Application Control, Intrusion Prevention, and Web Filter features.
- Go to WiFi and Switch Controller > SSIDs and select the bridge mode SSID assigned to the FortiAP Profile that you want to configure.
- In the selected SSID, enable the Security Profiles option.
- Enable the security profiles you want to apply to the SSID. You can choose from AntiVirus, Web Filter, Application Control, and Intrusion Prevention.
  You can either use or edit an existing default profile, or click Create to make a new one. To see what each default profile does, hover your mouse over the profile for a brief description.
- In the Scan Botnets field, select whether to Block or Monitor botnets.
  Botnet scanning is enabled by default. To disable this feature, select Disable.
- Enable or disable Logging.
- Click OK to save your SSID changes.
Once you save your changes, you can check the SSID page to see which security profiles are attached to an SSID in the Security Profiles column.
Configure security profiles - CLI
You can configure security profiles on managed FortiAP-S and FortiAP-U under config wireless-controller vap, after local-bridging and utm-status are set to enable.
To view all available profiles that you can assign, type "?". For example, "set ips-sensor ?".
config wireless-controller vap
    edit "utm_ssid1"
        set ssid "utm_ssid1"
        set local-bridging enable
        set utm-status enable
        set ips-sensor "wifi-default"
        set application-list "wifi-default"
        set antivirus-profile "wifi-default"
        set webfilter-profile "wifi-default"
        set scan-botnet-connections monitor
    next
end
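An added example, not part of the Fortinet documentation: a Python check that reads saved FortiOS configuration text and reports bridge mode SSIDs that lack the settings shown above. The sample config and the SSID name guest_bridge are constructed, and treating a setting that is absent from the text as not set is an assumption.

```python
# Profile settings from this page; a setting absent from the text counts as not set (assumption).
PROFILE_KEYS = ("ips-sensor", "application-list", "antivirus-profile", "webfilter-profile")

def parse_vaps(text):
    """Parse 'config wireless-controller vap' into {name: {setting: value}}."""
    vaps, cur, inside, depth = {}, None, False, 0
    for line in map(str.strip, text.splitlines()):
        if not inside:
            inside = line == "config wireless-controller vap"
        elif depth or line.startswith("config "):  # skip nested sub-tables in an entry
            depth += line.startswith("config ") - (line == "end")
        elif line == "end":
            inside = False
        elif line.startswith("edit "):
            cur = vaps.setdefault(line[5:].strip('" '), {})
        elif line.startswith("set ") and cur is not None:
            key, _, value = line[4:].partition(" ")
            cur[key] = value.strip('" ')
    return vaps

def audit(vaps):
    """Return {name: [findings]} for SSIDs with local-bridging enabled."""
    report = {}
    for name, s in vaps.items():
        if s.get("local-bridging") != "enable":
            continue  # not a bridge mode SSID
        found = [f"{k} not set" for k in PROFILE_KEYS if k not in s]
        if s.get("utm-status") != "enable":
            found = ["utm-status not enabled"]  # profiles cannot apply without it
        if s.get("scan-botnet-connections") == "disable":
            found.append("botnet scanning disabled")
        report[name] = found
    return report

# Constructed sample config, not taken from a real device.
SAMPLE = """config wireless-controller vap
edit "utm_ssid1"
set local-bridging enable
set utm-status enable
set ips-sensor "wifi-default"
set application-list "wifi-default"
set antivirus-profile "wifi-default"
set webfilter-profile "wifi-default"
next
edit "guest_bridge"
set local-bridging enable
set utm-status enable
set scan-botnet-connections disable
next
end"""
print(audit(parse_vaps(SAMPLE)))
```

An empty findings list means the SSID carries all four profiles with botnet scanning left on.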
Debug configurations
To debug wireless-controller configurations related to security profiles, use the following diagnose command:
diagnose wireless-controller wlac_hlp