DOCUMENT LIBRARY

FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
- Configuring security
- Defining SSID groups
- Configuring dynamic user VLAN assignment
- Configuring wireless NAC support
- Configuring user authentication
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
WiFi network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Bluetooth Low Energy scan
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling console port access
- Configuring 802.1X supplicant on LAN
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- FortiWiFi unit in client mode
- Configuring a FortiWiFi unit as a wireless client
WiFi maps
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.2.1 FortiWiFi and FortiAP Configuration Guide

7.2.1

WiFi network with wired LAN configuration

This section includes the following topics:

How to combine a WiFi network and wired LAN with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users.

Software switches are only available if your FortiGate is in Interface mode.

Wireless Mesh features cannot be used in conjunction with this configuration because they enable the FortiAP Local Bridge option.

To create the WiFi network and wired LAN configuration, you need to:

Configure the SSID so that traffic is tunneled to the WiFi controller.
Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members.
Configure Captive Portal security for the software switch interface.

To configure the SSID - GUI

Go to WiFi and Switch Controller > SSIDs and select Create New.

Complete the following fields:

Interface name	A name for the new WiFi interface.
Traffic Mode	Local bridge with FortiAP interface.
SSID	The SSID visible to users.
Security Mode	Configure security as you would for a regular WiFi network.
Pre-shared Key	A network access key for the SSID.

Click OK.
Go to WiFi and Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.
Authorize the FortiAP unit.
The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

To configure the SSID - CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1234”.

config wireless-controller vap

edit "homenet_if"

set vdom "root"

set ssid "homenet"

set security wpa-personal

set passphrase "Fortinet1234"

end

config wireless-controller wtp

edit FAP22B3U11005354

set admin enable

set vaps "homenet_if"

end

To configure the FortiGate software switch - GUI

Go to Network > Interfaces and select Create New > Interface.

Complete the following fields:

Interface Name	A name for the new interface. For example, `homenet_nw`.
Type	Software Switch
Physical Interface Members	Add homenet_if and the internal network interface.
Addressing mode	Select Manual and enter an address, for example `172.16.96.32/255.255.255.0`
DHCP Server	Enable and configure an address range for clients.
Security Mode	Select Captive Portal. Add the permitted User Groups.

Select OK.

To configure the FortiGate software switch - CLI

config system interface

edit homenet_nw

set ip 172.16.96.32 255.255.255.0

set type switch

set security-mode captive-portal

set security-groups "Guest-group"

end

config system interface

edit homenet_nw

set member "homenet_if" "internal"

end

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. See Reserved VLAN IDs. For example, to assign the homenet_if interface to VLAN 100, enter:

config wireless-controller vap

edit "homenet_if"

set vlanid 100

end

Additional configuration

The configuration described above provides communication between WiFi and wired LAN users only. To provide access to other networks, create appropriate firewall policies between the software switch and other interfaces.

WiFi network with wired LAN configuration

This section includes the following topics:

How to combine a WiFi network and wired LAN with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users.

Software switches are only available if your FortiGate is in Interface mode.

Wireless Mesh features cannot be used in conjunction with this configuration because they enable the FortiAP Local Bridge option.

To create the WiFi network and wired LAN configuration, you need to:

Configure the SSID so that traffic is tunneled to the WiFi controller.
Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members.
Configure Captive Portal security for the software switch interface.

To configure the SSID - GUI

Go to WiFi and Switch Controller > SSIDs and select Create New.

Complete the following fields:

Interface name	A name for the new WiFi interface.
Traffic Mode	Local bridge with FortiAP interface.
SSID	The SSID visible to users.
Security Mode	Configure security as you would for a regular WiFi network.
Pre-shared Key	A network access key for the SSID.

Click OK.
Go to WiFi and Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.
Authorize the FortiAP unit.
The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

To configure the SSID - CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1234”.

config wireless-controller vap

edit "homenet_if"

set vdom "root"

set ssid "homenet"

set security wpa-personal

set passphrase "Fortinet1234"

end

config wireless-controller wtp

edit FAP22B3U11005354

set admin enable

set vaps "homenet_if"

end

To configure the FortiGate software switch - GUI

Go to Network > Interfaces and select Create New > Interface.

Complete the following fields:

Interface Name	A name for the new interface. For example, `homenet_nw`.
Type	Software Switch
Physical Interface Members	Add homenet_if and the internal network interface.
Addressing mode	Select Manual and enter an address, for example `172.16.96.32/255.255.255.0`
DHCP Server	Enable and configure an address range for clients.
Security Mode	Select Captive Portal. Add the permitted User Groups.

Select OK.

To configure the FortiGate software switch - CLI

config system interface

edit homenet_nw

set ip 172.16.96.32 255.255.255.0

set type switch

set security-mode captive-portal

set security-groups "Guest-group"

end

config system interface

edit homenet_nw

set member "homenet_if" "internal"

end

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. See Reserved VLAN IDs. For example, to assign the homenet_if interface to VLAN 100, enter:

config wireless-controller vap

edit "homenet_if"

set vlanid 100

end

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

FortiWiFi and FortiAP Configuration Guide

WiFi network with wired LAN configuration

WiFi network with wired LAN configuration

How to combine a WiFi network and wired LAN with a software switch

To configure the SSID - GUI

To configure the SSID - CLI

To configure the FortiGate software switch - GUI

To configure the FortiGate software switch - CLI

VLAN configuration

Additional configuration

WiFi network with wired LAN configuration

WiFi network with wired LAN configuration

How to combine a WiFi network and wired LAN with a software switch

To configure the SSID - GUI