FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
- Defining SSID groups
- Configuring dynamic user VLAN assignment
- Configuring wireless NAC support
- Configuring user authentication
  - Custom RADIUS NAS-ID
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
WiFi network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
- How to implement multi-processing for large-scale FortiAP management
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Bluetooth Low Energy scan
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling console port access
- Configuring 802.1X supplicant on LAN
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- FortiWiFi unit in client mode
- Configuring a FortiWiFi unit as a wireless client
WiFi maps
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.2.4 FortiWiFi and FortiAP Configuration Guide

7.2.4

Local bridge mode SSID IPv6 traffic

In the following example, FortiAP S221E is managed by FortiGate 100D through a local NATed switch and broadcasts local bridge mode SSID:FOS_QA_100D-LB-IPv6.

To configure a WiFi client accessing IPv6 local bridge mode traffic:

In FortiOS, create a local bridge mode VAP:

config wireless-controller vap
    edit "test1"
        set ssid "FOS_QA-100D-LB-IPv6"
        set passphrase ********
        set local-bridging enable
        set schedule "always"
    next
end

Create an IPv6 DHCP server for the local NATed switch (FortiWiFi 60E is used in this example):

config system interface
    edit "internal6"
        set vdom "vdom1"
        set ip 2.2.3.1 255.255.255.0
        set allowaccess ping https http fabric
        set type physical
        set snmp-index 18
        config ipv6
            set ip6-address 2001:100:122:130::1/64
            set ip6-allowaccess ping https http fabric
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
        end
    next
end

config system dhcp6 server
    edit 1
        set subnet 2001:100:122:130::/64
        set interface "internal6"
        config ip-range
            edit 1
                set start-ip 2001:100:122:130::200
                set end-ip 2001:100:122:130::300
            next
        end
    next
end

Create an IPv6 policy for the local NATed switch:

config firewall policy6
    edit 2
        set name "ipv6"
        set uuid 56368fc6-3268-51ea-a791-91a6ab82a109
        set srcintf "internal6"
        set dstintf "internal7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Verify the IPv6 address in the station list:

In the FortiGate CLI:

# diagnose wireless-controller wlac -d sta online   
    vf=4 wtp=3 rId=2 wlan=test1 vlan_id=0 ip=2.2.3.3 ip6=2001:100:122:130::200 mac=f0:98:9d:76:64:c4 vci= host=iPhoneX user= group= signal=-41 noise=-105 idle=18 bw=0 use=5 chan=36 radio_type=11AC security=wpa2_only_personal mpsk=default encrypt=aes cp_authed=no online=yes mimo=2
                ip6=fe80::82a:9eba:69c5:5454,13, *2001:100:122:130::200,2,

In the FortiAP CLI:

FortiAP-S221E # sta
wlan10 (FOS_QA-100D-LB-IPv6) client count 1
    MAC:f0:98:9d:76:64:c4 ip:2.2.3.3 ip_proto:dhcp ip_age:8 host:iPhoneX vci:
                          ip6:fe80::82a:9eba:69c5:5454 ip6_proto:arp ip6_age:1 ip6_rx:12
                          ip6:2001:100:122:130::200 ip6_proto:dhcp ip6_age:8 ip6_rx:2
        vlanid:0 Auth:Yes channel:36 rate:173Mbps rssi:64dB idle:0s
        Rx bytes:26654 Tx bytes:27949 Rx rate:78Mbps Tx rate:173Mbps Rx last:0s Tx last:0s
        AssocID:1 Mode:  Normal Flags:1000000b PauseCnt:0
        KEY type=aes_ccm pad=0 keyix=65535 keylen=16 flags=3(xmit recv) RSC=0 TSC=0
            83 25 7e 72   d2 b1 d2 ef   30 9f 6e 9f   50 e5 6f 5a
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
        KEY type=aes_ccm pad=0 keyix=1 keylen=16 flags=83(xmit recv dflt) RSC=0 TSC=0
            1f 25 64 3e   02 4d e2 f1   2c b0 5e 03   ed 99 a4 47
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
FortiAP-S221E #

FortiAP-S221E # usta

WTP daemon STA info:

 1/1   f0:98:9d:76:64:c4 00:00:00:00:00:00 vId=0    type=wl----sta,  vap=wlan10,FOS_QA-100D-LB-IPv6(0) mpsk=default  ip=2.2.3.3/1  host=iPhoneX vci= os=iOS
                          ip6=fe80::82a:9eba:69c5:5454/2 rx=12
                          ip6=2001:100:122:130::200/1 rx=2
                          replycount=0000000000000002

Total STAs: 1

In the FortiOS GUI, go to WiFi and Switch Controller > WiFi Clients. The address is displayed in the IPv6 Global Unicast Address and IPv6 Unique Local Address columns.

Local bridge mode SSID IPv6 traffic

In the following example, FortiAP S221E is managed by FortiGate 100D through a local NATed switch and broadcasts local bridge mode SSID:FOS_QA_100D-LB-IPv6.

To configure a WiFi client accessing IPv6 local bridge mode traffic:

In FortiOS, create a local bridge mode VAP:

config wireless-controller vap
    edit "test1"
        set ssid "FOS_QA-100D-LB-IPv6"
        set passphrase ********
        set local-bridging enable
        set schedule "always"
    next
end

Create an IPv6 DHCP server for the local NATed switch (FortiWiFi 60E is used in this example):

config system interface
    edit "internal6"
        set vdom "vdom1"
        set ip 2.2.3.1 255.255.255.0
        set allowaccess ping https http fabric
        set type physical
        set snmp-index 18
        config ipv6
            set ip6-address 2001:100:122:130::1/64
            set ip6-allowaccess ping https http fabric
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
        end
    next
end

config system dhcp6 server
    edit 1
        set subnet 2001:100:122:130::/64
        set interface "internal6"
        config ip-range
            edit 1
                set start-ip 2001:100:122:130::200
                set end-ip 2001:100:122:130::300
            next
        end
    next
end

Create an IPv6 policy for the local NATed switch:

config firewall policy6
    edit 2
        set name "ipv6"
        set uuid 56368fc6-3268-51ea-a791-91a6ab82a109
        set srcintf "internal6"
        set dstintf "internal7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Verify the IPv6 address in the station list:

In the FortiGate CLI:

# diagnose wireless-controller wlac -d sta online   
    vf=4 wtp=3 rId=2 wlan=test1 vlan_id=0 ip=2.2.3.3 ip6=2001:100:122:130::200 mac=f0:98:9d:76:64:c4 vci= host=iPhoneX user= group= signal=-41 noise=-105 idle=18 bw=0 use=5 chan=36 radio_type=11AC security=wpa2_only_personal mpsk=default encrypt=aes cp_authed=no online=yes mimo=2
                ip6=fe80::82a:9eba:69c5:5454,13, *2001:100:122:130::200,2,

In the FortiAP CLI:

FortiAP-S221E # sta
wlan10 (FOS_QA-100D-LB-IPv6) client count 1
    MAC:f0:98:9d:76:64:c4 ip:2.2.3.3 ip_proto:dhcp ip_age:8 host:iPhoneX vci:
                          ip6:fe80::82a:9eba:69c5:5454 ip6_proto:arp ip6_age:1 ip6_rx:12
                          ip6:2001:100:122:130::200 ip6_proto:dhcp ip6_age:8 ip6_rx:2
        vlanid:0 Auth:Yes channel:36 rate:173Mbps rssi:64dB idle:0s
        Rx bytes:26654 Tx bytes:27949 Rx rate:78Mbps Tx rate:173Mbps Rx last:0s Tx last:0s
        AssocID:1 Mode:  Normal Flags:1000000b PauseCnt:0
        KEY type=aes_ccm pad=0 keyix=65535 keylen=16 flags=3(xmit recv) RSC=0 TSC=0
            83 25 7e 72   d2 b1 d2 ef   30 9f 6e 9f   50 e5 6f 5a
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
        KEY type=aes_ccm pad=0 keyix=1 keylen=16 flags=83(xmit recv dflt) RSC=0 TSC=0
            1f 25 64 3e   02 4d e2 f1   2c b0 5e 03   ed 99 a4 47
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
            00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
FortiAP-S221E #

FortiAP-S221E # usta

WTP daemon STA info:

 1/1   f0:98:9d:76:64:c4 00:00:00:00:00:00 vId=0    type=wl----sta,  vap=wlan10,FOS_QA-100D-LB-IPv6(0) mpsk=default  ip=2.2.3.3/1  host=iPhoneX vci= os=iOS
                          ip6=fe80::82a:9eba:69c5:5454/2 rx=12
                          ip6=2001:100:122:130::200/1 rx=2
                          replycount=0000000000000002

Total STAs: 1

In the FortiOS GUI, go to WiFi and Switch Controller > WiFi Clients. The address is displayed in the IPv6 Global Unicast Address and IPv6 Unique Local Address columns.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

FortiWiFi and FortiAP Configuration Guide

Local bridge mode SSID IPv6 traffic

Local bridge mode SSID IPv6 traffic

To configure a WiFi client accessing IPv6 local bridge mode traffic:

Local bridge mode SSID IPv6 traffic

Local bridge mode SSID IPv6 traffic

To configure a WiFi client accessing IPv6 local bridge mode traffic: