DOCUMENT LIBRARY

FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
  - WPA2 Security
    - Configuring WPA2-Personal security
    - Configuring WPA2-Enterprise SSID
  - WPA3 Security
    - Generating SAE-PK private key and password
  - MPSK profiles
  - Captive Portal Security
  - Adding a MAC filter
  - Limiting the number of clients
  - Enabling multicast enhancement
  - Replacing WiFi certificate
  - Configuring WiFi with WSSO using Windows NPS and user groups
  - Enabling Beacon Protection
- Defining SSID groups
- Configuring dynamic user VLAN assignment
  - VLAN assignment by RADIUS
  - VLAN assignment by Name Tag
  - VLAN assignment by FortiAP group
  - VLAN assignment by VLAN pool
- Configuring wireless NAC support
- Configuring user authentication
  - Custom RADIUS NAS-ID
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
  - Operations Profiles Entry
  - Connectivity Profiles Entry
  - Protection Profiles Entry
  - Advanced SSID options
  - Advanced WiFi Settings options
- Configuring UNII-4 5GHz radio bands
- Configuring Agile Multiband Operation
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
  - Configure automatic AP reboot
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
- Configure FortiAP MIMO values
- Configure Fortinet external antenna parameters for specific FortiAPs
- Configure third-party antennas in select FortiAP models
- Configure FortiAP USB port status
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
Wireless network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
- How to implement multi-processing for large-scale FortiAP management
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling FortiAP port access
- Configuring 802.1X supplicant on LAN
- Configure NAS-Filter-Rule attribute to set up dACL
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
- Enabling AP scan channel lists to optimize foreground scanning
- Optimizing memory storage by limiting monitoring data
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- Configuring a FortiWiFi unit as a wireless client
- Enabling EAP/TLS authentication on a FortiWiFi unit in client mode
- Configuring WPA3 security modes on FortiWiFi units operating in client mode
WiFi maps
Bluetooth Low Energy scan
- Pole Star NAO Cloud service integration
- Eddystone BLE beacon profile integration
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.4.4 FortiWiFi and FortiAP Configuration Guide

7.4.4

Monitoring FortiAP with SNMP

You can enable SNMP directly on FortiAP by implementing a SNMPD daemon/subagent on the FortiAP side.

To configure SNMP operation settings per VDOM:

config wireless-controller snmp
    set engine-id "fap-fortinet"
    set contact-info "user@example.com"
    set trap-high-cpu-threshold 80
    set trap-high-mem-threshold 80
    config community
        edit 1
            set name "fap-comm-1"
            set status enable
            set query-v1-status enable
            set query-v2c-status enable
            set trap-v1-status enable
            set trap-v2c-status enable
            config hosts
                edit 1
                    set ip 192.168.1.168 255.255.255.0
                next
            end
        next
    end
    config user
        edit "fap"
            set status enable
            set queries enable
            set trap-status enable
            set security-level no-auth-no-priv
            set notify-hosts 192.168.1.168
        next
    end
end

To allow SNMP access in FortiAP profiles or per FortiAP device:

config wireless-controller wtp-profile
    edit FAP423E-default
        append allowaccess snmp
    next
end

To disallow SNMP access in FortiAP profiles or per FortiAP device:

config wireless-controller wtp-profile
    edit FAP423E-default
        unselect allowaccess snmp
    next
end

FortiAP SNMP implementation

Simple Network Management Protocol (SNMP) queries and trap messages based on wireless-controller SNMP settings configured on FortiGate is supported on the following:

FortiAP-S and FortiAP-W2 version 6.2.0 and later.
FortiAP 6.4.3 and later.
FortiAP-U 6.0.4 and later.

All SNMP versions (v1, v2, and v3) are supported.

The local standalone mode does not support FortiAP direct SNMP.

The SNMP manager requires the following management information base (MIB) files:

FortiAP MIB
Fortinet Core MIB

Downloading the FortiAP MIB and Fortinet Core MIB files

To download the FortiAP SNMP MIB and Fortinet Core MIB files, perform the following steps:

Go to the Fortinet Support website.
Log in to your account. If you do not have an account, create one and then log in.
From the top banner, select Support > Firmware Download.
From Select Product drop-down, select FortiAP-S or FortiAP-W2, as applicable.
Click the Download tab.
Locate the v6.00 folder (or later) and then the 6.2 (or later) folder to match the firmware release running on your FortiAP-S or FortiAP-W2 device.
Navigate through the folders to find and then download the FORTINET-FORTIAP-MIB-buildxxxx.mib file.
From the Select Product drop-down, select FortiGate.
Click the Download tab.
Locate the v6.00 folder (or later) and then 6.2 (or later) folder to match the firmware release running on your FortiGate device.
Navigate through the folders to find and then download the FORTINET-CORE-MIB-buildxxxx.mib file.
Load the MIB files into your SNMP manager.

FortiAP SNMP trap messages

FortiAP-S and FortiAP-W2 can send the following trap messages to an SNMP manager or trap receiver:

Trap message	Description
fapDevUp	The specified FortiAP device is up.
fapCpuOverload	The CPU usage of the specified FortiAP has exceeded the configured threshold.
fapMemOverload	The memory usage of the specified FortiAP has exceeded the configured threshold.
fapDevDown	The specified FortiAP device is down.
fapAcConnected	FortiAP has connected to the specified AP controller (AC).

The following screenshot shows an SNMP trap receiver (SnmpB) that has received one fapDevUp trap message from a FortiAP unit (serial number: FP222E3X17000000).

FortiAP SNMP queries

From your SNMP manager, you can use the SNMP GET and SNMP WALK commands to query FortiAP for status information, variables values, SSID configuration, radio configuration, and so on. You can also use the SNMP SET command to configure local FortiAP variables.

Here is an example of polling FortiAP data using the snmpwalk command from a Linux OS computer:

$ snmpwalk -v2c -c public 10.0.28.2 .1

SNMPv2-MIB::sysDescr.0 = STRING: FortiAP-S223E

SNMPv2-MIB::sysObjectID.0 = OID: FORTINET-FORTIAP-MIB::fapHostName

DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (27486) 0:04:34.86

SNMPv2-MIB::sysContact.0 = STRING: user@example.com

SNMPv2-MIB::sysName.0 = STRING: FortiAP-S223E

SNMPv2-MIB::sysLocation.0 = STRING: N/A

IF-MIB::ifNumber.0 = INTEGER: 25

...

FORTINET-FORTIAP-MIB::fapVersion.0 = STRING: PS223E-v6.2-build0229

FORTINET-FORTIAP-MIB::fapSerialNum.0 = STRING: PS223E3X170000001

FORTINET-FORTIAP-MIB::fapHostName.0 = STRING: FortiAP-S223E

FORTINET-FORTIAP-MIB::fapRegionCode.0 = STRING: E

FORTINET-FORTIAP-MIB::fapBaseMacAddr.0 = STRING: 70:4c:a5:43:7b:8

FORTINET-FORTIAP-MIB::fapBiosVer.0 = STRING: 04000002

FORTINET-FORTIAP-MIB::fapBiosDataVer.0 = INTEGER: 3

FORTINET-FORTIAP-MIB::fapSysPartNum.0 = STRING: 20155-03

FORTINET-FORTIAP-MIB::fapWtpWanMode.0 = INTEGER: wanOnly(0)

FORTINET-FORTIAP-MIB::fapWtpApAddrMode.0 = INTEGER: dhcp(0)

FORTINET-FORTIAP-MIB::fapWtpApIpAddr.0 = STRING: "192.168.1.2"

FORTINET-FORTIAP-MIB::fapWtpApIpNetmask.0 = STRING: "255.255.255.0"

FORTINET-FORTIAP-MIB::fapWtpApIpGateway.0 = STRING: "192.168.1.1"

FORTINET-FORTIAP-MIB::fapWtpApMode.0 = INTEGER: thinAp(0)

...