FortiWiFi and FortiAP Configuration Guide

Creating a FortiAP profile

A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. FortiAP units contain two or more radio transceivers, making it possible to provide 2.4 GHz 802.11b/g/n, 5 GHz 802.11a/n, or 6 GHz 802.11ax service from the same access point. The radios can also be used for monitoring accepted or rogue APs through the Rogue AP detection feature.

You can modify existing FortiAP profiles or create new ones of your own.

Note

On FortiGate model 30D, GUI configuration of FortiAP Profiles is disabled by default. To enable AP profiles, enter the following CLI commands:

config system settings
    set gui-ap-profile enable
end

To configure a FortiAP profile - GUI
  1. Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
  2. Enter a Name for the FortiAP Profile.
  3. In Platform, select the FortiWiFi or FortiAP model to which this profile applies.

    If you selected a WiFi 6E capable model, select a Platform mode:

    • Single 5G - Only one radio operates on the 5GHz 802.11ax/ac/n/a band.
    • Dual 5G - Two radios operate on the 5GHz 802.11ax/ac/n/a band and dedicated scanning is always disabled.
  4. In Indoor/Outdoor, select where the FortiAP is being installed. You can override the default designation of the FortiAP to change the available channels based on your region.
  5. Select the Country/Region for the FortiAP Profile.
  6. If split tunneling is used, in Split Tunneling Subnets, enter a comma-separated list of all the destination IP address ranges that should not be routed through the FortiGate WiFi controller.
  7. In Client load balancing, select a handoff type as needed (see Wireless client load balancing for high-density deployments).
  8. In 802.1X authentication, enable if you want to configure the FortiAP to act as an 802.1X supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP (see Configuring 802.1X supplicant on LAN).
  9. For each radio, enter:

    Mode

    Select the type of mode:

    • Disabled – the radio is disabled.
    • Access Point – the platform is an access point.
    • Dedicated Monitor – the platform is a dedicated monitor. See Wireless network monitoring.

    WIDS profile

    Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Wireless Intrusion Detection System.

    Radio resource provision

    Select to enable the distributed radio resource provisioning (DARRP) feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions. See Understanding Distributed Radio Resource Provisioning.

    Band

    Select the wireless protocols that you want to support. The available choices depend on the radio’s capabilities. Where multiple protocols are supported, the letter suffixes are combined: “802.11g/b” means 802.11g and 802.11b.

    Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band.

    Channel width

    Select channel width for 802.11ac or 802.11n on 5 GHz.

    Channel plan

    Select whether to configure a channel plan automatically or to select custom channels.

    • Three Channels – Automatically selects channels 1, 6, and 11.
    • Four Channels – Automatically selects channels 1, 4, 8, and 11.
    • Custom – Select custom channels.

    Channels

    Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled.

    For 5GHz radios, clicking Set Channels loads a channel selector panel where you can select individual channels.

    • Toggle DFS Channels – Select DFS channels.
    • Toggle Weather Radar Channels – Select Weather Radar channels.

    The channel chart also shows channel availability for 40MHz or 80MHz channel-bonding.

    Short guard interval

    Select to enable the short guard interval for 802.11ac or 802.11n on 5 GHz.

    Transmit power mode

    Select how you want to determine transmit power:

    • Percent – Transmit power is determined by multiplying the set percentage by the maximum available power, which is determined by the region and the FortiAP device.
    • dBm – Transmit power is set using a dBm value.
    • Auto – Set a range of dBm values and the power is set automatically.

    Transmit power

    Specify the minimum and maximum transmit power levels, either in dBm or as a percentage.

    SSIDs

    Select a traffic mode for SSIDs.

    • Tunnel – available tunnel-mode SSIDs are automatically assigned to this radio.
    • Bridge – available bridge-mode SSIDs are automatically assigned to this radio. This option is not available for FortiWiFi local radio platforms.
    • Manual – manually select which available SSIDs and SSID groups to assign to this radio.

    Monitor channel utilization

    Select to enable monitoring channel utilization.

    Radio 2 settings are available only for FortiAP models with dual radios.

  10. In Syslog profile, enable if you want your FortiAPs to send logs to a syslog server (see Configuring a Syslog profile).
  11. Click OK.

To configure a FortiAP profile - CLI

This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.

config wireless-controller wtp-profile
    edit guest_prof
        config platform
            set type 220B
        end
        config radio-1
            set mode ap
            set band 802.11g
            set vap-all enable
        end
        config radio-2
            set mode ap
            set band 802.11g
            set vaps example_wlan
        end
end
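
As an added example that is not part of the Fortinet guide, the following Python script parses saved wtp-profile CLI text and reports which SSIDs each access-point radio carries, which helps when reviewing whether a radio that should be restricted has vap-all enabled. The function names and the treatment of an omitted mode as access point are assumptions; the sample input is the CLI example above.

```python
# Sample input: the CLI example from this page.
SAMPLE = """\
config wireless-controller wtp-profile
    edit guest_prof
        config platform
            set type 220B
        end
        config radio-1
            set mode ap
            set band 802.11g
            set vap-all enable
        end
        config radio-2
            set mode ap
            set band 802.11g
            set vaps example_wlan
        end
end
"""

def parse_profiles(text):
    """Return {profile: {radio: {setting: [values]}}} from wtp-profile CLI text."""
    profiles, profile, section = {}, None, None
    for line in text.splitlines():
        words = line.split() or [""]
        key, args = words[0], [w.strip('"') for w in words[1:]]
        if key == "edit" and args:
            profile, section = args[0], None
            profiles[profile] = {}
        elif key == "config" and profile is not None and args:
            section = args[0]  # nested block; only radio-N blocks are recorded
            if section.startswith("radio-"):
                profiles[profile][section] = {}
        elif key in ("end", "next"):
            closes_block = key == "end" and section is not None
            section, profile = None, (profile if closes_block else None)
        elif key == "set" and profile is not None and section in profiles[profile] and args:
            profiles[profile][section][args[0]] = args[1:]
    return profiles

def audit(profiles):
    """Return (profile, radio, SSID scope) for every radio in access-point mode."""
    out = []
    for name, radios in profiles.items():
        for radio, cfg in sorted(radios.items()):
            if cfg.get("mode", ["ap"]) == ["ap"]:  # assumption: omitted mode means AP
                all_ssids = cfg.get("vap-all") == ["enable"]
                scope = "ALL SSIDs" if all_ssids else (", ".join(cfg.get("vaps", [])) or "none")
                out.append((name, radio, scope))
    return out
```

Calling audit(parse_profiles(SAMPLE)) shows that radio-1 carries every SSID defined on the controller, including any created later, while radio-2 is limited to example_wlan.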
