Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

Creating a FortiAP profile

Creating a FortiAP profile

A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. FortiAP units contain two or more radio transceivers, making it possible to provide 2.4 GHz 802.11b/g/n, 5 GHz 802.11a/n, or 6 GHz 802.11ax service from the same access point. The radios can also be used for monitoring accepted or rogue APs through the Rogue AP detection feature.

You can modify existing FortiAP profiles or create new ones of your own.

To configure a FortiAP profile - GUI:
  1. Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
  2. Enter a Name for the FortiAP Profile.
  3. Configure the following options:

    Platform

    Select the FortiWiFi or FortiAP model to which this profile applies.

    If you selected a WiFi 6E capable model, select a Platform mode:

    • Single 5G - Only one radio operates on the 5GHz 802.11ax/ac/n/a band.
    • Dual 5G - Two radios operate on the 5GHz 802.11ax/ac/n/a band and dedicated scanning is always disabled.
    Indoor/Outdoor Select where the FortiAP is being installed. You can override the default designation of the FortiAP to change the available channels based on your region.
    Country/Region

    Select the country or region to apply the Country Code for where the FortiAP will be used.

    Split Tunneling Subnets

    If split tunneling is used, enter a comma-separated list all of the destination IP address ranges that should not be routed through the FortiGate WiFi controller.

    AP login password

    Select if you want set a new AP login password or leave the password unchanged.

    Administrative access

    Select which types of administrative access you want to allow for the FortiAP:

    • HTTPS
    • SSH
    • SNMP
    Client load balancing

    Select a handoff type as needed (see Wireless client load balancing for high-density deployments).

    802.1X authentication

    Enable if you want to configure the FortiAP to act as a 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP (see Configuring 802.1X supplicant on LAN).

    UNII-4 5GHz band channels

    Only available on G-series models.

    Enable if you want to use UNII-4 5GHz band channels (see Configuring UNII-4 5GHz radio bands).

  4. For each radio, enter:

    Mode

    Select the type of mode:

    • Disabled – The radio is disabled.
    • Access Point – The platform is an access point.
    • Dedicated Monitor – The platform is a dedicated monitor. See Wireless network monitoring.

    WIDS profile

    Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Wireless Intrusion Detection System.

    Radio resource
    provision

    Select to enable the distributed radio resource provisioning (DARRP) feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions. See Understanding Distributed Radio Resource Provisioning.

    Band

    Select the wireless protocols that you want to support. The available choices depend on the radio's capabilities. Where multiple protocols are supported, the letter suffixes are combined: "802.11g/b" means 802.11g and 802.11b.

    Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band.

    Channel width

    Select channel width for 802.11ac or 802.11n on 5 GHz.

    Channel plan

    Select if you want to automatically configure a Channel plan or if want to select custom channels.

    • Three Channels – Automatically selects channel 1, 6, and 11.

    • Four Channels – Automatically selects channels 1, 4, 8, and 11.

    • Custom – Select custom channels.

    Channels

    Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled.

    For 5GHz radios, clicking Set Channels loads a channel selector panel where you can select individual channels.

    • Toggle DFS Channels – Select DFS channels.
    • Toggle Weather Radar Channels – Select Weather Radar channels.

    The channel chart also shows channel availability for 40MHz or 80MHz channel-bonding.

    Short guard
    interval

    Select to enable the short guard interval for 802.11ac or 802.11n on 5 GHz.

    Transmit power mode

    Select how you want to determine transmit power:

    • Percent – Transmit power is determined by multiplying set percentage with maximum available power determined by region and FortiAP device.
    • dBm – Transmit power is set using a dBm value.
    • Auto – Specify a range of dBm values and the power is set automatically.

    Transmit power

    Specify either the minimum and maximum Transmit power levels in dBm or as a percentage.

    SSIDs

    Select a traffic mode for SSIDs.

    • Tunnel – Available tunnel-mode SSIDs are automatically assigned to this radio.
    • Bridge – Available bridge-mode SSIDs are automatically assigned to this radio. This option is not available for FortiWiFi local radio platforms.
    • Manual – Manually select which available SSIDs and SSID groups to assign to this radio.

    Monitor channel utilization

    Select to enable monitoring channel utilization.

  5. Radio 2 and 3 settings are available for FortiAP models with multiple radios.

  6. In Syslog profile, enable if you want your FortiAPs to send logs to a syslog server (see Configuring a Syslog profile).
  7. Click OK.
To configure a FortiAP profile - CLI:

This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.

config wireless-controller wtp-profile

edit "guest_prof"

config platform

set type 220B

end

config radio-1

set mode ap

set band 802.11g

set vap-all enable

end

config radio-2

set mode ap

set band 802.11g

set vaps example_wlan

end

end

Creating a FortiAP profile

Creating a FortiAP profile

A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. FortiAP units contain two or more radio transceivers, making it possible to provide 2.4 GHz 802.11b/g/n, 5 GHz 802.11a/n, or 6 GHz 802.11ax service from the same access point. The radios can also be used for monitoring accepted or rogue APs through the Rogue AP detection feature.

You can modify existing FortiAP profiles or create new ones of your own.

To configure a FortiAP profile - GUI:
  1. Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
  2. Enter a Name for the FortiAP Profile.
  3. Configure the following options:

    Platform

    Select the FortiWiFi or FortiAP model to which this profile applies.

    If you selected a WiFi 6E capable model, select a Platform mode:

    • Single 5G - Only one radio operates on the 5GHz 802.11ax/ac/n/a band.
    • Dual 5G - Two radios operate on the 5GHz 802.11ax/ac/n/a band and dedicated scanning is always disabled.
    Indoor/Outdoor Select where the FortiAP is being installed. You can override the default designation of the FortiAP to change the available channels based on your region.
    Country/Region

    Select the country or region to apply the Country Code for where the FortiAP will be used.

    Split Tunneling Subnets

    If split tunneling is used, enter a comma-separated list all of the destination IP address ranges that should not be routed through the FortiGate WiFi controller.

    AP login password

    Select if you want set a new AP login password or leave the password unchanged.

    Administrative access

    Select which types of administrative access you want to allow for the FortiAP:

    • HTTPS
    • SSH
    • SNMP
    Client load balancing

    Select a handoff type as needed (see Wireless client load balancing for high-density deployments).

    802.1X authentication

    Enable if you want to configure the FortiAP to act as a 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP (see Configuring 802.1X supplicant on LAN).

    UNII-4 5GHz band channels

    Only available on G-series models.

    Enable if you want to use UNII-4 5GHz band channels (see Configuring UNII-4 5GHz radio bands).

  4. For each radio, enter:

    Mode

    Select the type of mode:

    • Disabled – The radio is disabled.
    • Access Point – The platform is an access point.
    • Dedicated Monitor – The platform is a dedicated monitor. See Wireless network monitoring.

    WIDS profile

    Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Wireless Intrusion Detection System.

    Radio resource
    provision

    Select to enable the distributed radio resource provisioning (DARRP) feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions. See Understanding Distributed Radio Resource Provisioning.

    Band

    Select the wireless protocols that you want to support. The available choices depend on the radio's capabilities. Where multiple protocols are supported, the letter suffixes are combined: "802.11g/b" means 802.11g and 802.11b.

    Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band.

    Channel width

    Select channel width for 802.11ac or 802.11n on 5 GHz.

    Channel plan

    Select if you want to automatically configure a Channel plan or if want to select custom channels.

    • Three Channels – Automatically selects channel 1, 6, and 11.

    • Four Channels – Automatically selects channels 1, 4, 8, and 11.

    • Custom – Select custom channels.

    Channels

    Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled.

    For 5GHz radios, clicking Set Channels loads a channel selector panel where you can select individual channels.

    • Toggle DFS Channels – Select DFS channels.
    • Toggle Weather Radar Channels – Select Weather Radar channels.

    The channel chart also shows channel availability for 40MHz or 80MHz channel-bonding.

    Short guard
    interval

    Select to enable the short guard interval for 802.11ac or 802.11n on 5 GHz.

    Transmit power mode

    Select how you want to determine transmit power:

    • Percent – Transmit power is determined by multiplying set percentage with maximum available power determined by region and FortiAP device.
    • dBm – Transmit power is set using a dBm value.
    • Auto – Specify a range of dBm values and the power is set automatically.

    Transmit power

    Specify either the minimum and maximum Transmit power levels in dBm or as a percentage.

    SSIDs

    Select a traffic mode for SSIDs.

    • Tunnel – Available tunnel-mode SSIDs are automatically assigned to this radio.
    • Bridge – Available bridge-mode SSIDs are automatically assigned to this radio. This option is not available for FortiWiFi local radio platforms.
    • Manual – Manually select which available SSIDs and SSID groups to assign to this radio.

    Monitor channel utilization

    Select to enable monitoring channel utilization.

  5. Radio 2 and 3 settings are available for FortiAP models with multiple radios.

  6. In Syslog profile, enable if you want your FortiAPs to send logs to a syslog server (see Configuring a Syslog profile).
  7. Click OK.
To configure a FortiAP profile - CLI:

This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.

config wireless-controller wtp-profile

edit "guest_prof"

config platform

set type 220B

end

config radio-1

set mode ap

set band 802.11g

set vap-all enable

end

config radio-2

set mode ap

set band 802.11g

set vaps example_wlan

end

end