FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
  - Captive Portal Security
  - WPA2 Security
    - Configuring WPA2-Personal security
    - Configuring WPA2-Enterprise SSID
  - WPA3 Security
  - Adding a MAC filter
  - Limiting the number of clients
  - Enabling multicast enhancement
  - Replacing WiFi certificate
  - Configuring WiFi with WSSO using Windows NPS and user groups
- Defining SSID groups
- Configuring dynamic user VLAN assignment
  - VLAN assignment by RADIUS
  - VLAN assignment by Name Tag
  - VLAN assignment by FortiAP group
  - VLAN assignment by VLAN pool
- Configuring wireless NAC support
- Configuring user authentication
  - Custom RADIUS NAS-ID
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
- Configuring UNII-4 5GHz radio bands
- Configuring Agile Multiband Operation
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
- Configure FortiAP MIMO values
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
WiFi network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
- How to implement multi-processing for large-scale FortiAP management
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling console port access
- Configuring 802.1X supplicant on LAN
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
- Enabling AP scan channel lists to optimize foreground scanning
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- Configuring a FortiWiFi unit as a wireless client
- Enabling EAP/TLS authentication on a FortiWiFi unit in client mode
WiFi maps
Bluetooth Low Energy scan
- Pole Star NAO Cloud service integration
- Eddystone BLE beacon profile integration
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.4.1 FortiWiFi and FortiAP Configuration Guide

7.4.1

FortiAP unit firmware upgrade

There are multiple ways you can upgrade the FortiAP unit firmware:

You can enable newly discovered FortiAPs to be automatically upgraded to the latest compatible firmware. This happens once after the FortiAP is authorized by the WiFi controller.
You can enable automatic firmware updates on your FortiGate which checks for patch upgrades for your FortiGates, FortiSwitches, and FortiAPs. If a compatible upgrade is available, FortiGate automatically downloads and installs them at a scheduled time.
You can manually view and upgrade the FortiAP firmware from the FortiGate unit.

Checking the FortiAP unit firmware version

To view the list of FortiAP units that the FortiGate unit manages, go to WiFi and Switch Controller > Managed FortiAPs. The OS Version column shows the current firmware version running on each AP.

Enabling automatic FortiAP upgrade after authorization

You can enable the automatic federated upgrade of a FortiAP unit upon discovery and authorization by the WiFi controller. When you enable this feature, newly discovered FortiAPs are automatically upgraded to the latest compatible firmware from FortiGuard Distribution Service (FDS).

To enable automatic FortiAP upgrade - GUI:

Go to WiFI & Switch Controller > WiFi Settings and enable FortiAP auto firmware provisioning.
Click Apply.
Connect and authorize a FortiAP.

The FortiAP will be upgraded to the latest compatible firmware from FDS.

To enable automatic FortiAP upgrade - CLI:

Enable firmware-provision-on-authorization via the CLI:

config wireless-controller setting
  set firmware-provision-on-authorization enable
  set darrp-optimize-schedules "default-darrp-optimize"
end

Connect and authorize a FortiAP.

The FortiAP will be upgraded to the latest compatible firmware from FDS.

When firmware-provision-on-authorization is enabled, any new FortiAPs that are authorized will automatically have firmware-provision-latest set to once.

Enabling automatic firmware updates

Automatic firmware updates will upgrade your FortiGates, FortiSwitches, and FortiAPs at a scheduled time.

When you enable automatic firmware updates, it upgrades the FortiAP directly to the target version and does not follow an upgrade path. Refer to the Supported Upgrade Path documentation to ensure you follow the proper upgrade path.

To enable automatic firmware updates - GUI:

Go to System > Firmware & Registration and click Automatic patch upgrades disabled.
Select Enable automatic patch upgrades for vX.X.
Select a date and time for when you want to schedule your upgrade.
Click OK.

To enable automatic firmware updates - CLI:

Enable automatic firmware upgrade and schedule a day and time to upgrade.

config system fortiguard
  set auto-firmware-upgrade enable
  set auto-firmware-upgrade-day sunday monday tuesday wednesday thursday friday saturday
  set auto-firmware-upgrade-delay 0
  set auto-firmware-upgrade-start-hour 17
  set auto-firmware-upgrade-end-hour 19
end

The auto-upgrade time is scheduled daily, between 5:00 p.m. and 7:00 p.m.

Upgrading FortiAP firmware from the FortiGate unit

You can manually upgrade the FortiAP firmware using either the GUI or the CLI. Only the CLI method can update all FortiAP units at once.

To upgrade FortiAP unit firmware - GUI:

Go to WiFi and Switch Controller > Managed FortiAPs.
Right-click the FortiAP unit in the list and select Upgrade.
or
Click the row of the FortiAP that you want to upgrade, and click Edit. In Firmware, click Upgrade.
You can upgrade using FortiGuard, or select Browse and locate the firmware upgrade file.
Click Upgrade.
When the upgrade process completes, select OK.
The FortiAP unit restarts.

To upgrade FortiAP unit firmware - CLI:

Upload the FortiAP image to the FortiGate unit.
For example, the Firmware file is FAP_22A_v4.3.0_b0212_fortinet.out and the server IP address is 192.168.0.100.
execute wireless-controller upload-wtp-image tftp FAP_22A_v4.3.0_b0212_fortinet.out 192.168.0.100
If your server is FTP, change tftp to ftp, and if necessary add your user name and password at the end of the command.
Verify that the image is uploaded:
execute wireless-controller list-wtp-image
Upgrade the FortiAP units:
exec wireless-controller reset-wtp all
If you want to upgrade only one FortiAP unit, enter its serial number instead of all.

Upgrading FortiAP firmware from the FortiAP unit

You can connect to a FortiAP unit's internal CLI to update its firmware from a TFTP server on the same network. This method does not require access to the wireless controller.

Place the FortiAP firmware image on a TFTP server on your computer.
Connect the FortiAP unit to a separate private switch or hub or directly connect to your computer via a cross-over cable.
Change your computer IP address to 192.168.1.3.
Using SSH, connect to IP address 192.168.1.2.
This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP unit is in a private network with no DHCP server.
Login with the username "admin" and no password.
Enter the following command.
For example, the FortiAP image file name is FAP_22A_v4.3.0_b0212_fortinet.out.
restore FAP_22A_v4.3.0_b0212_fortinet.out 192.168.1.3