Advanced Wireless Features
By default, the FortiGate GUI hides advanced features to simplify the site layout. You can go to System > Feature Visibility to enable different types advanced features, including Advanced Wireless Features.
After enabling Advanced Wireless Features, several entries in the Navigation bar will change names.
-
Operations Profiles Entry: FortiAP, QoS, and FortiAP Configuration.
-
Connectivity Profiles Entry: MPSK and Bonjour.
-
Protection Profiles Entry: WIDS and L3 Firewall (also known as L3 Access Control List configurations for FortiAPs).
- Additional advanced options for wireless features under the SSIDs and WiFi Settings entries are visible.
SSIDs > Edit Interface: Voice-Enterprise, Multiband operation, Fast BSS transition, Probe response suppression, Sticky client removal, multicast enhancement, IGMP snooping, Radio sensitivity, Airtime weight, QoS profile, and L3 firewall profile.
WiFi Settings: Duplicate SSID, DARRP, Phishing SSID detection, and SNMP settings.
|
Note that this guide is intended to be used when Advanced Wireless Features is disabled, and therefore uses the default entry names. If a topic covers a feature that requires Advanced Wireless Features to be enabled, it will specify users must first enable Advanced Wireless Features. |
To enable Advanced Wireless Features - GUI
- From the FortiOS GUI, go to System > Feature Visibility.
-
Under the Additional Features column, locate and enable Advanced Wireless Features.
-
Click Apply.
The Navigation bar reloads with the new features visible.
To enable Advanced Wireless Features - CLI:
config system settings
set gui-advanced-wireless-features enable
end
Operations Profiles Entry
When you enable Advanced Wireless Features, FortiAP Profiles is renamed to Operation Profiles and contains additional tabs that enable you to manage QoS and FortiAP Configuration profiles.
FortiAP Profile Advanced Settings
When you create or edit a FortiAP profile, you can configure additional advanced settings.
These fields correspond to the following CLI settings:
|
FortiAP Profiles > New/Edit FortiAP Profile Advanced Settings |
config wireless-controller wtp-profile edit <name> |
|
|
DTLS Policy |
set dtls-policy {option1}, {option2}, …
|
|
|
Maximum client count |
set max-clients {integer}
|
|
|
Handoff RSSI |
set handoff-rssi {integer}
|
|
|
Handoff threshold |
set handoff-sta-thresh {integer}
|
|
|
LED usage |
set led-state [enable|disable] set led-schedules <name1>, <name2>, ... |
led-schedules shown when led-state set to enable |
QoS Profiles
You can create or edit Quality of Service (QoS) profiles by clicking the QoS Profiles tab.
Click Create new to create a QoS profile.
These fields correspond to the following CLI settings:
|
QoS Profiles > New/Edit QoS Profile |
config wireless-controller qos-profile |
|
| Name | edit <name> |
|
| Comment | set comment {string}
|
|
| Maximum uplink bandwidth for SSIDs | set uplink {integer}
|
|
| Maximum downlink bandwidth for SSIDs | set downlink {integer}
|
|
| Maximum uplink bandwidth for clients | set uplink-sta {integer}
|
|
| Maximum downlink bandwidth for clients | set downlink-sta {integer}
|
|
| Client rate burst | set burst [enable|disable] |
|
| WMM Control | set wmm [enable|disable] |
|
| U-APSD power save mode | set wmm-uapsd [enable|disable] |
|
| Call admission control | set call-admission-control [enable|disable] |
|
| Maximum VoWLAN phones count | set call-capacity {integer}
|
Shown when call-admission-control set to enable |
| Bandwidth admission control | set bandwidth-admission-control [enable|disable] |
|
| Maximum bandwidth capacity (Kbps) | set bandwidth-capacity {integer}
|
Shown when bandwidth-admission-control set to enable |
| DSCP mapping | set dscp-wmm-mapping [enable|disable] |
|
| Voice access | set dscp-wmm-vo <id1>, <id2>, … |
Shown when dscp-wmm-mapping set to enable |
| Video access | set dscp-wmm-vi <id1>, <id2>, … |
Shown when dscp-wmm-mapping set to enable |
| Best effort access | set dscp-wmm-be <id1>, <id2>, … |
Shown when dscp-wmm-mapping set to enable |
| Background access | set dscp-wmm-bk <id1>, <id2>, … |
Shown when dscp-wmm-mapping set to enable |
| DSCP marking | set wmm-dscp-marking [enable|disable] |
|
| Voice access | set wmm-vo-dscp {integer}
|
Shown when wmm-dscp-marking set to enable |
| Video access | set wmm-vi-dscp {integer}
|
Shown when wmm-dscp-marking set to enable |
| Best effort access | set wmm-be-dscp {integer}
|
Shown when wmm-dscp-marking set to enable |
| Background access | set wmm-bk-dscp {integer}
|
Shown when wmm-dscp-marking set to enable |
FortiAP Configuration Profiles
You can create or edit FortiAP Configuration Profile for managing local FortiAP configuration by clicking the FortiAP Configuration Profiles tab.
Click Create new to create a FortiAP Configuration profile.
These fields correspond to the following CLI settings:
|
FortiAP Configuration Profiles > New/Edit FortiAP Configuration Profile |
config wireless-controller apcfg-profile |
|
|
Name |
edit <name> |
|
|
Comment |
set comment {var-string}
|
|
|
FortiAP family |
set ap-family [fap|fap-u|...] |
|
|
Command list > New / Edit Command |
config command-list |
|
|
ID |
edit <id> |
|
|
Name |
set name {string}
|
|
|
Type |
set type [non-password|password] |
|
|
Value |
set value {string} / set passwd-value {password}
|
|
|
Wireless controller |
||
|
Waiting time |
set ac-timer {integer}
|
|
|
Type |
set ac-type [default|specify|...] |
|
|
IP |
set ac-ip {ipv4-address}
|
Shown when ac-type set to specify |
|
Port |
set ac-port {integer}
|
Shown when ac-type set to specify |
Connectivity Profiles Entry
You can access Connectivity Profiles to manage your MPSK and Bonjour profiles.
MPSK Profiles
After you click Connectivity Profile, the MPSK Profiles tab loads by default. From there you can create or edit MPSK profiles to manage multiple pre-shared keys.
Click Create new to create an MPSK profile.
From there you can create and add MPSK groups and determine how you want to add your MPSK keys.
These fields correspond to the following CLI settings:
|
MPSK Profiles > New / Edit MPSK Profile |
config wireless-controller mpsk-profile |
|
|
Name |
edit <name> |
|
|
Maximum concurrent client count |
set mpsk-concurrent-clients {integer}
|
|
|
MPSK Group List > New/Edit MPSK Group |
config mpsk-group |
|
|
Name |
edit <name> |
|
|
VLAN type |
set vlan-type [no-vlan|fixed-vlan] |
|
|
VLAN ID |
set vlan-id {integer}
|
Shown when vlan-type set to fixed-vlan |
|
MPSK key list > New / Edit MPSK Key |
config mpsk-key |
|
|
Name |
edit <name> |
|
|
Comment |
set comment {var-string}
|
|
|
Pre-shared key |
set passphrase {password}
|
|
|
MAC address |
set mac {mac-address}
|
|
|
Client limit type |
set concurrent-client-limit-type [default|unlimited|...] |
|
|
Client limit |
set concurrent-clients {integer}
|
Shown when concurrent-client-limit-type set to specified |
|
MPSK schedule |
set mpsk-schedules <name1>, <name2>, … |
|
Bonjour Profiles
Bonjour is Apple's zero configuration networking protocol. Bonjour profiles allow APs and FortiAPs to connect to networks using Bonjour. You can create or edit Bonjour profiles by clicking the Bonjour Profiles tab.
Click Create new to create a Bonjour profile.
From there you can create and add policies that determine which services you want to advertise across the network.
These fields correspond to the following CLI settings:
|
Bonjour Profiles > New/Edit Bonjour Profile |
config wireless-controller bonjour-profile |
|
Name |
edit <name> |
|
Comment |
set comment {string}
|
|
Policy list > New/Edit Bonjour Policy |
config policy-list |
|
Policy ID |
edit <policy-id> |
|
Description |
set description {string}
|
|
Source VLAN |
set from-vlan {string}
|
|
Destination VLAN |
set to-vlan {string}
|
|
Services |
set services {option1}, {option2}, …
|
Protection Profiles Entry
When you enable Advanced Wireless Features, WIDS Profiles is renamed to Protection Profiles and contains additional tabs that enable you to manage L3 Firewall Profiles.
WIDS Profiles
After you click Protection Profiles, the WIDS Profiles tab loads by default. From there you can create or edit WIDS profiles to configure the type of security threats you want to monitor.
L3 Firewall Profile
You can create or edit L3 Firewall Profiles to configure the WiFi bridge access control list by clicking the L3 Firewall Profiles tab.
Click Create new to create a L3 Firewall profile.
From there, you can create IPv4 or IPv6 rule lists to allow or deny traffic that matches the configured policy.
These fields correspond to the following CLI settings:
|
L3 Firewall Profiles > New/Edit L3 Firewall Profile |
config wireless-controller access-control-list |
|
Name |
edit <name> |
|
Comment |
set comment {string}
|
|
IPv4 rule list > New/Edit IPv4 Rule |
config layer3-ipv4-rules |
|
ID |
edit <rule-id> |
|
Comment |
set comment {string}
|
|
Source address |
set srcaddr {user}
|
|
Source port |
set srcport {integer}
|
|
Destination address |
set dstaddr {user}
|
|
Destination port |
set dstport {integer}
|
|
IANA protocol number |
set protocol {integer}
|
|
Action |
set action [allow|deny] |
|
IPv6 rule list > New/Edit IPv6 Rule |
config layer3-ipv6-rules |
|
ID |
edit <rule-id> |
|
Comment |
set comment {string}
|
|
Source address |
set srcaddr {user}
|
|
Source port |
set srcport {integer}
|
|
Destination address |
set dstaddr {user}
|
|
Destination port |
set dstport {integer}
|
|
IANA protocol number |
set protocol {integer}
|
|
Action |
set action [allow|deny] |
Advanced SSID options
When you create or edit an SSID, you can configure additional advanced settings.
These fields correspond to the following CLI settings:
|
Edit Interface > Advanced Settings |
config wireless-controller vap edit <name> |
|
Voice-Enterprise |
set voice-enterprise [disable|enable] |
|
Multiband operation |
set mbo [disable|enable] |
|
Fast BSS transition |
set fast-bss-transition [disable|enable] |
|
Probe response suppression |
set probe-resp-suppression [enable|disable] |
|
Sticky client removal |
set sticky-client-remove [enable|disable] |
|
Multicast enhancement |
set multicast-enhance [enable|disable] |
|
ICMP snooping |
set igmp-snooping [enable|disable] |
|
Radio sensitivity |
set radio-sensitivity [enable|disable] |
|
Airtime weight |
set atf-weight {integer}
|
|
QoS profile |
set qos-profile {string}
|
|
L3 firewall profile |
set access-control-list {string}
|
Advanced WiFi Settings options
More options are exposed on WiFi Settings page, including Duplicate SSID, DARRP related settings, Phishing SSID detection setting, and SNMP settings.
These fields correspond to the following CLI settings:
|
WiFi Settings |
config wireless-controller setting |
|
|
Duplicate SSID |
set duplicate-ssid [enable|disable] |
|
|
DARRP optimization interval (seconds) |
set darrp-optimize {integer}
|
|
|
DARRP optimization schedule |
set darrp-optimize-schedules <name1>, <name2>, … |
|
|
Phishing SSID detection setting |
set phishing-ssid-detect [enable|disable] |
|
|
SNMP settings |
config wireless-controller snmp |
|
|
Engine ID |
set engine-id {string}
|
|
|
Contact information |
set contact-info {string}
|
|
|
CPU usage threshold |
set trap-high-cpu-threshold {integer}
|
|
|
Memory usage threshold |
set trap-high-mem-threshold {integer}
|
|
|
User list > New/Edit SNMP User |
config user |
|
|
Name |
edit <name> |
|
|
Current SNMP user |
set status [enable|disable] |
|
|
Queries |
set queries [enable|disable] |
|
|
Traps |
set trap-status [enable|disable] |
|
|
Authentication |
set security-level [no-auth-no-priv|auth-no-priv|...] |
|
|
Authentication protocol |
set auth-proto [md5|sha] |
Shown when authentication setting enabled |
|
Authentication password |
set auth-pwd {password}
|
Shown when authentication setting enabled |
|
Privacy |
set priv-proto [aes|des|...] |
Shown when authentication setting enabled |
|
Privacy password |
set priv-pwd {password}
|
Shown when authentication setting enabled |
|
Notify host IP |
set notify-hosts {ipv4-address}
|
|
|
Community list > New/Edit SNMP Community |
config community |
|
|
ID |
edit <id> |
|
|
Name |
set name {string}
|
|
|
Current SNMP community |
set status [enable|disable] |
|
|
V1 queries |
set query-v1-status [enable|disable] |
|
|
V2c queries |
set query-v2c-status [enable|disable] |
|
|
V1 traps |
set trap-v1-status [enable|disable] |
|
|
V2c traps |
set trap-v2c-status [enable|disable] |
|
|
Host list > New/Edit Host List |
config hosts |
|
|
ID |
edit <id> |
|
|
IP |
set ip {user}
|