FortiWiFi and FortiAP Cookbook

UTM security profile groups on FortiAP-S

6.4.0

This guide provides instructions for simple configuration of security profile groups for FortiAP, including creating security profile groups and selecting profile groups for the SSID.

Note

This feature only works for local bridge SSIDs.

To configure UTM security profile groups on the FortiWiFi and FortiAP GUI:
  1. Create a security profile group:
    1. Go to WiFi & Switch Controller > Security Profile Groups, then click Create New.
    2. Enter the desired interface name. Configure logging as desired.
    3. Enable Antivirus, Web Filter, Application, IPS, or Botnet, then select the desired profile.
  2. Create a local bridge mode SSID and enable security profile groups:
    1. Go to WiFi & Switch Controller > SSID. Select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Bridge.
    3. In the SSID field, enter the desired SSID name. Configure security as desired.
    4. Enable Security Profile Group, then select the group created in step 1.
    5. Click OK.
  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:
    1. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
    2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    3. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    4. Click OK.
To configure UTM security profile groups using the FortiWiFi and FortiAP CLI:
  1. Create a security profile group:

    config wireless-controller utm-profile
        edit "wifi-UTM"
            set ips-sensor "default"
            set application-list "default"
            set antivirus-profile "default"
            set webfilter-profile "default"
            set scan-botnet-connections block
        next
    end

  2. Create a local bridge mode SSID and enable security profile groups:

    config wireless-controller vap
        edit "wifi-vap"
            set ssid "SSID-UTM"
            set passphrase 12345678
            set local-bridging enable
            set schedule "always"
            set utm-profile "wifi-UTM"
        next
    end

  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

    config wireless-controller wtp
        edit "FP320C3X14000640"
            set admin enable
            set wtp-profile "FAP320C-default"
        next
    end

    config wireless-controller wtp-profile
        edit "FAP320C-default"
            config radio-1
                set vap-all disable
                set vaps "wifi-vap"
            end
            config radio-2
                set vap-all disable
                set vaps "wifi-vap"
            end
        next
    end
