DOCUMENT LIBRARY

FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
- Defining SSID groups
- Configuring dynamic user VLAN assignment
- Configuring wireless NAC support
- Configuring user authentication
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
WiFi network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Bluetooth Low Energy scan
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling console port access
- Configuring 802.1X supplicant on LAN
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- FortiWiFi unit in client mode
- Configuring a FortiWiFi unit as a wireless client
WiFi maps
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.2.0 FortiWiFi and FortiAP Configuration Guide

7.2.0

Monitoring application usage for clients connected to bridge mode SSIDs

FortiAPs must be running firmware version 7.2.0 and later. WiFi clients must be connected to a bridge mode SSID.

You can monitor the application usage data for clients that are connected on bridge mode IDs by using the CLI command "diagnose wireless-controller wlac -d sta online". FortiGate receives the wireless client application information from FortiAPs and analyzes the traffic information on each application.

The following CLI commands can be configured under config wireless-controller vap:

set application-detection enable | disable: Enable or disable the reporting of wireless client application information for the bridge mode SSID that it is configured for. Application reporting is disabled by default.
set application-report-intv <seconds>: Configure the time interval for the FortiAP to collect and report the application traffic information to the FortiGate. The default interval is 120 seconds.

To enable application-detection in VAP

config wireless-controller vap
  edit "vap-ndpi"
    set ssid "SSID_NDPI"
    set passphrase ENC 
    set local-bridging enable
    set schedule "always"
    set application-detection-engine enable
    set application-report-intv 60
  next
end

To check the application detection attribute from FortiAP

FortiAP-231F # vcfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  1 WLAN Id  0 SSID_NDPI ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan10, vap=0x3db5702c, bssid=e0:23:ff:d7:74:b0
           11ax high-efficiency=enabled target-wake-time=enabled
           bss-color-partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=enabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=disabled
           mac_auth=disabled fail_through_mode=disabled sta_info=1/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=enabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=disabled
           dhcp_enforcement=disabled
           access_control_list=disabled
           bc_suppression=dhcp dhcp-ucast arp 
           auth=WPA2, PSK, AES WPA keyIdx=1, keyLen=16, keyStatus=1, gTsc=000000000000
           key=f4cf7fd6 32dbced5 6d9fb25c 8894ad9b
           pmf=disable
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=disabled
           port_macauth=disable
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00, 
           ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
           primary wag: 
           secondary wag: 
           application detection engine: enabled, report-interval=60, configured
-------------------------------Total    1 VAP Configurations----------------------------

To check the application detection information from FortiAP

FortiAP-231F # cw_diag -d ndpi sta


Station 00:c0:ca:87:07:50 flow stats list:
-----------------------------------------------------------------------------
 AID  TX total   TX new     RX total   RX new     Application/Protocol Name
----- ---------- ---------- ---------- ---------- ---------------------------
    0      992 B        0 B   3.821 KB        0 B ukn
    7   2.056 KB        0 B   1.888 KB        0 B twitter
   12      342 B        0 B       62 B        0 B icloud
   28  68.553 KB   7.416 KB  11.400 KB   3.879 KB youtube
  139   6.281 KB        0 B   1.841 KB        0 B yahoo
  609   4.847 KB        0 B   1.734 KB        0 B new-relic
  632  20.167 KB        0 B   4.310 KB        0 B google-services
  664   6.080 KB        0 B  13.842 KB        0 B microsoft-services
  728  18.324 KB        0 B  12.785 KB        0 B amazon-services
  765   2.031 MB        0 B 345.697 KB        0 B service_amazon
  768  70.786 KB  70.497 KB   7.094 KB   7.031 KB service_google
  786   3.927 KB        0 B   1.992 KB        0 B service_microsoft
  866   5.842 KB        0 B   2.656 KB        0 B spotxchange
  889      359 B        0 B       63 B        0 B goodreads
 1032      480 B      480 B       58 B       58 B imdb
 1090  23.201 KB        0 B   7.608 KB        0 B adobeanalytics
 1141   7.160 KB        0 B   2.030 KB        0 B casale
 1218   5.226 KB        0 B   2.002 KB        0 B rubiconproject
 1397   5.411 KB   5.411 KB   1.938 KB   1.938 KB exelate
 1788  25.110 KB  25.110 KB   6.503 KB   6.503 KB bing
 1838  12.417 KB  12.417 KB   2.830 KB   2.830 KB delicious
 1861   6.106 KB   6.106 KB   2.008 KB   2.008 KB pubmatic
 1968      753 B        0 B      406 B        0 B http
 1974  11.720 KB  11.375 KB   1.826 KB   1.757 KB dns
 1979 475.727 KB        0 B  66.211 KB        0 B ssl
 2012      357 B        0 B        0 B        0 B dhcp
 2182   1.033 MB        0 B 152.760 KB        0 B quic
-----------------------------------------------------------------------------

To check the application detection information from FortiGate

FortiGate-201E # diag wire wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=vap-ndpi vlan_id=0 ip=10.132.132.11 ip6=fe80::90bf:3f23:991:c8d4 mac=00:c0:ca:87:07:50 vci=MSFT 5.0 host=DESKTOP-CJ6F7M2 user= group= signal=-42 noise=-95 idle=0 bw=4158 use=6 chan=36 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2
                ip6=*fe80::90bf:3f23:991:c8d4,57, 
Id 0 App:ukn
Tx:992 Rx:2466 Age:9
Id 28 App:youtube
Tx:60614 Rx:7460 Age:9
Id 609 App:new-relic
Tx:4847 Rx:1734 Age:9
Id 632 App:google-services
Tx:8521 Rx:2404 Age:9
Id 765 App:service_amazon
Tx:4057 Rx:18035 Age:9
Id 1979 App:ssl
Tx:474313 Rx:64787 Age:9
Id 2182 App:quic
Tx:1028073 Rx:138326 Age:9
Id 1090 App:adobeanalytics
Tx:23201 Rx:7608 Age:9
Id 1141 App:casale
Tx:7160 Rx:2030 Age:9
Id 1218 App:rubiconproject
Tx:5226 Rx:2002 Age:9

Monitoring application usage for clients connected to bridge mode SSIDs

FortiAPs must be running firmware version 7.2.0 and later. WiFi clients must be connected to a bridge mode SSID.

The following CLI commands can be configured under config wireless-controller vap:

set application-detection enable | disable: Enable or disable the reporting of wireless client application information for the bridge mode SSID that it is configured for. Application reporting is disabled by default.
set application-report-intv <seconds>: Configure the time interval for the FortiAP to collect and report the application traffic information to the FortiGate. The default interval is 120 seconds.

To enable application-detection in VAP

config wireless-controller vap
  edit "vap-ndpi"
    set ssid "SSID_NDPI"
    set passphrase ENC 
    set local-bridging enable
    set schedule "always"
    set application-detection-engine enable
    set application-report-intv 60
  next
end

To check the application detection attribute from FortiAP

FortiAP-231F # vcfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  1 WLAN Id  0 SSID_NDPI ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan10, vap=0x3db5702c, bssid=e0:23:ff:d7:74:b0
           11ax high-efficiency=enabled target-wake-time=enabled
           bss-color-partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=enabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=disabled
           mac_auth=disabled fail_through_mode=disabled sta_info=1/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=enabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=disabled
           dhcp_enforcement=disabled
           access_control_list=disabled
           bc_suppression=dhcp dhcp-ucast arp 
           auth=WPA2, PSK, AES WPA keyIdx=1, keyLen=16, keyStatus=1, gTsc=000000000000
           key=f4cf7fd6 32dbced5 6d9fb25c 8894ad9b
           pmf=disable
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=disabled
           port_macauth=disable
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00, 
           ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
           primary wag: 
           secondary wag: 
           application detection engine: enabled, report-interval=60, configured
-------------------------------Total    1 VAP Configurations----------------------------

To check the application detection information from FortiAP

FortiAP-231F # cw_diag -d ndpi sta


Station 00:c0:ca:87:07:50 flow stats list:
-----------------------------------------------------------------------------
 AID  TX total   TX new     RX total   RX new     Application/Protocol Name
----- ---------- ---------- ---------- ---------- ---------------------------
    0      992 B        0 B   3.821 KB        0 B ukn
    7   2.056 KB        0 B   1.888 KB        0 B twitter
   12      342 B        0 B       62 B        0 B icloud
   28  68.553 KB   7.416 KB  11.400 KB   3.879 KB youtube
  139   6.281 KB        0 B   1.841 KB        0 B yahoo
  609   4.847 KB        0 B   1.734 KB        0 B new-relic
  632  20.167 KB        0 B   4.310 KB        0 B google-services
  664   6.080 KB        0 B  13.842 KB        0 B microsoft-services
  728  18.324 KB        0 B  12.785 KB        0 B amazon-services
  765   2.031 MB        0 B 345.697 KB        0 B service_amazon
  768  70.786 KB  70.497 KB   7.094 KB   7.031 KB service_google
  786   3.927 KB        0 B   1.992 KB        0 B service_microsoft
  866   5.842 KB        0 B   2.656 KB        0 B spotxchange
  889      359 B        0 B       63 B        0 B goodreads
 1032      480 B      480 B       58 B       58 B imdb
 1090  23.201 KB        0 B   7.608 KB        0 B adobeanalytics
 1141   7.160 KB        0 B   2.030 KB        0 B casale
 1218   5.226 KB        0 B   2.002 KB        0 B rubiconproject
 1397   5.411 KB   5.411 KB   1.938 KB   1.938 KB exelate
 1788  25.110 KB  25.110 KB   6.503 KB   6.503 KB bing
 1838  12.417 KB  12.417 KB   2.830 KB   2.830 KB delicious
 1861   6.106 KB   6.106 KB   2.008 KB   2.008 KB pubmatic
 1968      753 B        0 B      406 B        0 B http
 1974  11.720 KB  11.375 KB   1.826 KB   1.757 KB dns
 1979 475.727 KB        0 B  66.211 KB        0 B ssl
 2012      357 B        0 B        0 B        0 B dhcp
 2182   1.033 MB        0 B 152.760 KB        0 B quic
-----------------------------------------------------------------------------

To check the application detection information from FortiGate

FortiGate-201E # diag wire wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=vap-ndpi vlan_id=0 ip=10.132.132.11 ip6=fe80::90bf:3f23:991:c8d4 mac=00:c0:ca:87:07:50 vci=MSFT 5.0 host=DESKTOP-CJ6F7M2 user= group= signal=-42 noise=-95 idle=0 bw=4158 use=6 chan=36 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2
                ip6=*fe80::90bf:3f23:991:c8d4,57, 
Id 0 App:ukn
Tx:992 Rx:2466 Age:9
Id 28 App:youtube
Tx:60614 Rx:7460 Age:9
Id 609 App:new-relic
Tx:4847 Rx:1734 Age:9
Id 632 App:google-services
Tx:8521 Rx:2404 Age:9
Id 765 App:service_amazon
Tx:4057 Rx:18035 Age:9
Id 1979 App:ssl
Tx:474313 Rx:64787 Age:9
Id 2182 App:quic
Tx:1028073 Rx:138326 Age:9
Id 1090 App:adobeanalytics
Tx:23201 Rx:7608 Age:9
Id 1141 App:casale
Tx:7160 Rx:2030 Age:9
Id 1218 App:rubiconproject
Tx:5226 Rx:2002 Age:9

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

FortiWiFi and FortiAP Configuration Guide

Monitoring application usage for clients connected to bridge mode SSIDs

Monitoring application usage for clients connected to bridge mode SSIDs

To enable application-detection in VAP

To check the application detection attribute from FortiAP

To check the application detection information from FortiAP

To check the application detection information from FortiGate

Monitoring application usage for clients connected to bridge mode SSIDs

Monitoring application usage for clients connected to bridge mode SSIDs

To enable application-detection in VAP

To check the application detection attribute from FortiAP

To check the application detection information from FortiAP

To check the application detection information from FortiGate