FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
  - WPA2 Security
    - Configuring WPA2-Personal security
    - Configuring WPA2-Enterprise SSID
  - WPA3 Security
    - Generating SAE-PK private key and password
  - MPSK profiles
  - Captive Portal Security
  - Adding a MAC filter
  - Limiting the number of clients
  - Enabling multicast enhancement
  - Replacing WiFi certificate
  - Configuring WiFi with WSSO using Windows NPS and user groups
  - Enabling Beacon Protection
- Defining SSID groups
- Configuring dynamic user VLAN assignment
  - VLAN assignment by RADIUS
  - VLAN assignment by Name Tag
  - VLAN assignment by FortiAP group
  - VLAN assignment by VLAN pool
- Configuring wireless NAC support
- Configuring user authentication
  - Custom RADIUS NAS-ID
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
  - Operations Profiles Entry
  - Connectivity Profiles Entry
  - Protection Profiles Entry
  - Advanced SSID options
  - Advanced WiFi Settings options
- Configuring UNII-4 5GHz radio bands
- Configuring Agile Multiband Operation
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
  - Configure automatic AP reboot
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
- Configure FortiAP MIMO values
- Configure Fortinet external antenna parameters for specific FortiAPs
- Configure third-party antennas in select FortiAP models
- Configure FortiAP USB port status
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
Wireless network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
- How to implement multi-processing for large-scale FortiAP management
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling FortiAP port access
- Configuring 802.1X supplicant on LAN
- Configure NAS-Filter-Rule attribute to set up dACL
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
- Enabling AP scan channel lists to optimize foreground scanning
- Optimizing memory storage by limiting monitoring data
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- Configuring a FortiWiFi unit as a wireless client
- Enabling EAP/TLS authentication on a FortiWiFi unit in client mode
- Configuring WPA3 security modes on FortiWiFi units operating in client mode
WiFi maps
Bluetooth Low Energy scan
- BLE Real-Time-Location Services
- Eddystone BLE beacon profile integration
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.4.5 FortiWiFi and FortiAP Configuration Guide

7.4.5

Optimizing memory storage by limiting monitoring data

You can optimize memory storage in the FortiGate wireless controller and improve CAPWAP stability by limiting the data stored from rogue APs, station capabilities, rogue stations and Bluetooth devices.

CLI commands

The following CLI commands limit the amount of information stored in the FortiGate.

config wireless-controller global
  set max-sta-cap <integer>
  set max-sta-cap-wtp <integer>
  set max-rogue-ap <integer>
  set max-rogue-ap-wtp <integer>
  set max-rogue-sta <integer>
  set max-ble-device <integer>
end

max-sta-cap	Maximum number of station cap stored on the controller (default = 0).
max-sta-cap-wtp	Maximum number of station cap's wtp info stored on the controller (1 - 8, default = 8).
max-rogue-ap	Maximum number of rogue APs stored on the controller (default = 0).
max-rogue-ap-wtp	Maximum number of rogue AP's wtp info stored on the controller (1 - 16, default = 16).
max-rogue-sta	Maximum number of rogue stations stored on the controller (default = 0).
max-ble-device	Maximum number of BLE devices stored on the controller (default = 0).

The following CLI commands have been added to clean up data and reduce the amount of information stored in the FortiGate.

config wireless-controller timer
  set sta-cap-cleanup <integer>
  set rogue-ap-cleanup <integer>
  set rogue-sta-cleanup <integer>
  set ble-device-cleanup <integer>
end

sta-cap-cleanup	Time period in minutes to keep station capability data after it is gone (default = 0).
rogue-ap-cleanup	Time period in minutes to keep rogue AP after it is gone (default = 0).
rogue-sta-cleanup	Time period in minutes to keep rogue station after it is gone (default = 0).
ble-device-cleanup	Time period in minutes to keep BLE device after it is gone (default = 60).

If 0 is set, it means there is no limit placed.

Example memory optimization configuration:

Using the FortiGate CLI, enter diagnose wireless-controller wlac -c stats to check the number of rogue APs.

diagnose wireless-controller wlac -c stats
cw_rbtts_sta_cap_tree                   : cnt=524416     mem=(     248B,     130MB) tmo=0      max_cnt=524416,524416
cw_sta_cap_wtp_tree                     : cnt=668740     mem=(     296B,     197MB)
cw_rbtts_ap_rogue_tree                  : cnt=8511       mem=(     560B,       4MB) tmo=0      max_cnt=65664,65664
cw_ap_rogue_wtp_tree                    : cnt=133761     mem=(     408B,      54MB)
cw_rbtts_sta_rogue_tree                 : cnt=6177       mem=(     232B,       1MB) tmo=0      max_cnt=528384,528384
cw_ble_dev_tree                         : cnt=1920       mem=(     232B,       0MB) tmo=60     max_cnt=131200,131200

The number of rogue APs is 8511.

Check the current amount of memory used in the FortiGate:

get system performance status 
......
Memory: 49539060k total, 26111804k used (52.7%), 22613800k free (45.6%), 813456k freeable (1.7%)
......

The amount of memory used is 52.7%.

Configure the FortiGate CLI to set maximum limits and timers on stored data:

config wireless-controller global
  set max-sta-cap 10
  set max-sta-cap-wtp 1
  set max-rogue-ap 10
  set max-rogue-ap-wtp 1
  set max-rogue-sta 10
  set max-ble-device 10
end
config wireless-controller timer
  set sta-cap-cleanup 2
  set rogue-ap-cleanup 2
  set rogue-sta-cleanup 2
  set ble-device-cleanup 2
end

Verify that rogue AP limits are successful configured by using diagnose wireless-controller wlac -c stats.

diagnose wireless-controller wlac -c stats
cw_rbtts_sta_cap_tree                   : cnt=10         mem=(     248B,       0MB) tmo=2      max_cnt=10,524416
cw_sta_cap_wtp_tree                     : cnt=10         mem=(     296B,       0MB)
cw_rbtts_ap_rogue_tree                  : cnt=10         mem=(     560B,       0MB) tmo=2      max_cnt=10,65664
cw_ap_rogue_wtp_tree                    : cnt=10         mem=(     408B,       0MB)
cw_rbtts_sta_rogue_tree                 : cnt=3          mem=(     232B,       0MB) tmo=2      max_cnt=10,528384
cw_ble_dev_tree                         : cnt=10         mem=(     232B,       0MB) tmo=2      max_cnt=10,131200

The number of rogue APs decreased to 10, the same as the maximum number set.

Check the current memory used:

get system performance status
......
Memory: 49539060k total, 25568512k used (51.6%), 23156900k free (46.7%), 813648k freeable (1.7%)
......

The amount of memory used decreased to 51.6%.

To verify cleanup timers:

This example verifies the cleanup timer configured for rogue-ap-cleanup. In this example, the rogue AP's data should be cleaned up after 2 minutes.

Verify that the cleanup timers are successfully configured with diagnose wireless-controller wlac -c ap-rogue.

diagnose wireless-controller wlac -c ap-rogue
CMWP AP: vf                bssid ssid       ch rate  sec            signal noise  age   sta mac              wtp cnt   ici   b
w sgi band                  freq(MHz)
UNNN AP: 1     e0:23:ff:4a:83:c0 FOS_Device 6  286   WPA2 Enterprise   -31 -95    2     00:00:00:00:00:00    1   /1   none   2
0 0  11AXGHE20               -
 N              FP234FTF21003786 FOS_Device 6  286   WPA2 Enterprise   -31 -95    2     10.131.0.120:5246 -2  11

In this example, the FortiAP was turned off after 2 seconds when the age was at 2.

Enter diagnose wireless-controller wlac -c ap-rogue again to check the rogue AP data.

diag wir wlac -c ap-rogue
CMWP AP: vf               bssid ssid        ch  rate  sec            signal noise  age   sta mac              wtp cnt   ici   b
w sgi band                 freq(MHz)
UNNN AP: 1    e0:23:ff:4a:83:c0 FOS_Device  6   286   WPA2 Enterprise   -31 -95    122   00:00:00:00:00:00    1   /1   none   2
0 0  11AXGHE20               -
 N             FP234FTF21003786 FOS_Device  6   286   WPA2 Enterprise   -31 -95    122   10.131.0.120:5246 -2  11

The rogue AP age is now 122 (or 122 seconds). The rogue AP data was held for 2 minutes, matching the value set under rogue-ap-cleanup. After 2 minutes have elapsed, the data will no longer be stored.

Optimizing memory storage by limiting monitoring data

CLI commands

The following CLI commands limit the amount of information stored in the FortiGate.

config wireless-controller global
  set max-sta-cap <integer>
  set max-sta-cap-wtp <integer>
  set max-rogue-ap <integer>
  set max-rogue-ap-wtp <integer>
  set max-rogue-sta <integer>
  set max-ble-device <integer>
end

max-sta-cap	Maximum number of station cap stored on the controller (default = 0).
max-sta-cap-wtp	Maximum number of station cap's wtp info stored on the controller (1 - 8, default = 8).
max-rogue-ap	Maximum number of rogue APs stored on the controller (default = 0).
max-rogue-ap-wtp	Maximum number of rogue AP's wtp info stored on the controller (1 - 16, default = 16).
max-rogue-sta	Maximum number of rogue stations stored on the controller (default = 0).
max-ble-device	Maximum number of BLE devices stored on the controller (default = 0).

The following CLI commands have been added to clean up data and reduce the amount of information stored in the FortiGate.

config wireless-controller timer
  set sta-cap-cleanup <integer>
  set rogue-ap-cleanup <integer>
  set rogue-sta-cleanup <integer>
  set ble-device-cleanup <integer>
end

sta-cap-cleanup	Time period in minutes to keep station capability data after it is gone (default = 0).
rogue-ap-cleanup	Time period in minutes to keep rogue AP after it is gone (default = 0).
rogue-sta-cleanup	Time period in minutes to keep rogue station after it is gone (default = 0).
ble-device-cleanup	Time period in minutes to keep BLE device after it is gone (default = 60).

If 0 is set, it means there is no limit placed.

Example memory optimization configuration:

Using the FortiGate CLI, enter diagnose wireless-controller wlac -c stats to check the number of rogue APs.

diagnose wireless-controller wlac -c stats
cw_rbtts_sta_cap_tree                   : cnt=524416     mem=(     248B,     130MB) tmo=0      max_cnt=524416,524416
cw_sta_cap_wtp_tree                     : cnt=668740     mem=(     296B,     197MB)
cw_rbtts_ap_rogue_tree                  : cnt=8511       mem=(     560B,       4MB) tmo=0      max_cnt=65664,65664
cw_ap_rogue_wtp_tree                    : cnt=133761     mem=(     408B,      54MB)
cw_rbtts_sta_rogue_tree                 : cnt=6177       mem=(     232B,       1MB) tmo=0      max_cnt=528384,528384
cw_ble_dev_tree                         : cnt=1920       mem=(     232B,       0MB) tmo=60     max_cnt=131200,131200

The number of rogue APs is 8511.

Check the current amount of memory used in the FortiGate:

get system performance status 
......
Memory: 49539060k total, 26111804k used (52.7%), 22613800k free (45.6%), 813456k freeable (1.7%)
......

The amount of memory used is 52.7%.

Configure the FortiGate CLI to set maximum limits and timers on stored data:

config wireless-controller global
  set max-sta-cap 10
  set max-sta-cap-wtp 1
  set max-rogue-ap 10
  set max-rogue-ap-wtp 1
  set max-rogue-sta 10
  set max-ble-device 10
end
config wireless-controller timer
  set sta-cap-cleanup 2
  set rogue-ap-cleanup 2
  set rogue-sta-cleanup 2
  set ble-device-cleanup 2
end

Verify that rogue AP limits are successful configured by using diagnose wireless-controller wlac -c stats.

diagnose wireless-controller wlac -c stats
cw_rbtts_sta_cap_tree                   : cnt=10         mem=(     248B,       0MB) tmo=2      max_cnt=10,524416
cw_sta_cap_wtp_tree                     : cnt=10         mem=(     296B,       0MB)
cw_rbtts_ap_rogue_tree                  : cnt=10         mem=(     560B,       0MB) tmo=2      max_cnt=10,65664
cw_ap_rogue_wtp_tree                    : cnt=10         mem=(     408B,       0MB)
cw_rbtts_sta_rogue_tree                 : cnt=3          mem=(     232B,       0MB) tmo=2      max_cnt=10,528384
cw_ble_dev_tree                         : cnt=10         mem=(     232B,       0MB) tmo=2      max_cnt=10,131200

The number of rogue APs decreased to 10, the same as the maximum number set.

Check the current memory used:

get system performance status
......
Memory: 49539060k total, 25568512k used (51.6%), 23156900k free (46.7%), 813648k freeable (1.7%)
......

The amount of memory used decreased to 51.6%.

To verify cleanup timers:

This example verifies the cleanup timer configured for rogue-ap-cleanup. In this example, the rogue AP's data should be cleaned up after 2 minutes.

Verify that the cleanup timers are successfully configured with diagnose wireless-controller wlac -c ap-rogue.

diagnose wireless-controller wlac -c ap-rogue
CMWP AP: vf                bssid ssid       ch rate  sec            signal noise  age   sta mac              wtp cnt   ici   b
w sgi band                  freq(MHz)
UNNN AP: 1     e0:23:ff:4a:83:c0 FOS_Device 6  286   WPA2 Enterprise   -31 -95    2     00:00:00:00:00:00    1   /1   none   2
0 0  11AXGHE20               -
 N              FP234FTF21003786 FOS_Device 6  286   WPA2 Enterprise   -31 -95    2     10.131.0.120:5246 -2  11

In this example, the FortiAP was turned off after 2 seconds when the age was at 2.

Enter diagnose wireless-controller wlac -c ap-rogue again to check the rogue AP data.

diag wir wlac -c ap-rogue
CMWP AP: vf               bssid ssid        ch  rate  sec            signal noise  age   sta mac              wtp cnt   ici   b
w sgi band                 freq(MHz)
UNNN AP: 1    e0:23:ff:4a:83:c0 FOS_Device  6   286   WPA2 Enterprise   -31 -95    122   00:00:00:00:00:00    1   /1   none   2
0 0  11AXGHE20               -
 N             FP234FTF21003786 FOS_Device  6   286   WPA2 Enterprise   -31 -95    122   10.131.0.120:5246 -2  11

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

FortiWiFi and FortiAP Configuration Guide

Optimizing memory storage by limiting monitoring data

Optimizing memory storage by limiting monitoring data

CLI commands

Example memory optimization configuration:

To verify cleanup timers:

Optimizing memory storage by limiting monitoring data

Optimizing memory storage by limiting monitoring data

CLI commands

Example memory optimization configuration:

To verify cleanup timers: