Fortinet black logo

Handbook

Configuring FortiGate before deploying remote APs

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:290341
Download PDF

Configuring FortiGate before deploying remote APs

Before you can deploy your remote FortiAPs, you must perform the following actions on your FortiGate:

  1. Configuring the FortiGate interface
  2. Creating a FortiAP profile for teleworkers
  3. Enabling split tunneling on SSIDs
  4. Encrypting CAPWAP communication

Configuring the FortiGate interface

  1. On the external facing interface that the FortiAP will connect over the internet to, enable CAPWAP:

Creating a FortiAP profile for teleworkers

We recommend creating a separate FortiAP profile for teleworkers so you can apply split tunneling and encryption to devices in that profile.

To enable split tunneling options

By default, split tunneling options are not visible in the FortiGate GUI and must be made visible from the CLI.

  1. From the FortiGate CLI, enter the following to display the options on the GUI:

    config system settings

    set gui-fortiap-split-tunneling enable

    end

  2. Once you enable the split tunneling option, return to the FortiGate GUI and create the FortiAP profile.
To create a FortiAP profile

Once you enable split tunneling options in the GUI, you can create a FortiAP profile for teleworkers and apply it. In the FortiAP profile, you can also specify the SSIDs that the FortiAP will broadcast.

  1. Go to WiFi & Switch Controller > FortiAP Profiles and create the FortiAP profile for your remote workers.
  2. Set an AP login password so users at remote sites cannot log in to the unit with default credentials.
  3. In the newly visible Split Tunneling section, enable Include Local Subnet as needed.

    The behavior for this option varies depending on which split tunnel method you configure. See Configuring split tunnel behavior for more details.

  4. Enable Split Tunneling Subnet(s) and enter IP subnets as needed.

    The behavior for this option varies depending on which split tunnel method you configure. See Configuring split tunnel behavior for more details.

  5. In SSIDs, you can select Manual to limit which SSIDs can be used at the remote teleworker's site instead of exposing all corporate SSIDs in a potentially unsecure location.
  6. When you are finished configuring the profile, click OK.

For more comprehensive instructions on how to create a FortiAP profile, refer to Creating a FortiAP profile in the FortiOS Configuration Guide.

Configuring split tunnel behavior

Once you enable split tunneling and create a FortiAP profile, you can further configure how split tunneling is handled in each profile.

There are two methods the FortiAP can use to tunnel networks from the remote AP:

  • Tunnel: Define the subnets in the profile that you want to tunnel to the FortiGate. These are usually the IP subnets that contain internal corporate applications such as file shares.

    Uncheck the Include Local Subet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site.

  • Local: Define the subnets that you do not want to be tunneled back to the FortiGate. Use this method if you want all traffic to be inspected by the FortiGate, including traffic destined for the internet. This method is more secure but can add latency to the user's internet browsing.

    Check the Include Local Subnet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site

To configure split tunnel behavior
  1. From the FortiGate CLI, enter the following commands to change the split tunneling behavior in a FortiAP profile:

    config wireless-controller wtp-profile

    edit <teleworker_profile_name>

    set split-tunneling-acl-path {tunnel | local}

    end

    end

Enabling split tunneling on SSIDs

Once you create your FortiAP profile, you need to enable split tunneling on the SSIDs you want to use on the remote APs.

To enable split tunneling on SSIDs
  1. Go to WiFi & Switch Controller > SSIDs and edit the SSIDs the remote AP will use.
  2. Enable Split tunneling.
  3. Click OK.

Encrypting CAPWAP communication

The default DTLS setting for CAPWAP communication over the internet is clear-text, meaning it's non-encrypted. You can enable IPSEC or DTLS for more security. IPSEC is preferred for most modern FortiGates because the NP6 and SOC3/4 SPUs can offload IPSEC data more efficiently than DTLS.

For more information about each encryption method, see WiFi data channel encryption.

To enable encryption
  1. From the FortiGate CLI, enter the following commands to edit the FortiAP profile:

    config wireless-controller wtp-profile

    edit <teleworker_profile_name>

    set dtls-policy {clear-text | dtls-enabled | ipsec-vpn}

    end

    end

Configuring FortiGate before deploying remote APs

Before you can deploy your remote FortiAPs, you must perform the following actions on your FortiGate:

  1. Configuring the FortiGate interface
  2. Creating a FortiAP profile for teleworkers
  3. Enabling split tunneling on SSIDs
  4. Encrypting CAPWAP communication

Configuring the FortiGate interface

  1. On the external facing interface that the FortiAP will connect over the internet to, enable CAPWAP:

Creating a FortiAP profile for teleworkers

We recommend creating a separate FortiAP profile for teleworkers so you can apply split tunneling and encryption to devices in that profile.

To enable split tunneling options

By default, split tunneling options are not visible in the FortiGate GUI and must be made visible from the CLI.

  1. From the FortiGate CLI, enter the following to display the options on the GUI:

    config system settings

    set gui-fortiap-split-tunneling enable

    end

  2. Once you enable the split tunneling option, return to the FortiGate GUI and create the FortiAP profile.
To create a FortiAP profile

Once you enable split tunneling options in the GUI, you can create a FortiAP profile for teleworkers and apply it. In the FortiAP profile, you can also specify the SSIDs that the FortiAP will broadcast.

  1. Go to WiFi & Switch Controller > FortiAP Profiles and create the FortiAP profile for your remote workers.
  2. Set an AP login password so users at remote sites cannot log in to the unit with default credentials.
  3. In the newly visible Split Tunneling section, enable Include Local Subnet as needed.

    The behavior for this option varies depending on which split tunnel method you configure. See Configuring split tunnel behavior for more details.

  4. Enable Split Tunneling Subnet(s) and enter IP subnets as needed.

    The behavior for this option varies depending on which split tunnel method you configure. See Configuring split tunnel behavior for more details.

  5. In SSIDs, you can select Manual to limit which SSIDs can be used at the remote teleworker's site instead of exposing all corporate SSIDs in a potentially unsecure location.
  6. When you are finished configuring the profile, click OK.

For more comprehensive instructions on how to create a FortiAP profile, refer to Creating a FortiAP profile in the FortiOS Configuration Guide.

Configuring split tunnel behavior

Once you enable split tunneling and create a FortiAP profile, you can further configure how split tunneling is handled in each profile.

There are two methods the FortiAP can use to tunnel networks from the remote AP:

  • Tunnel: Define the subnets in the profile that you want to tunnel to the FortiGate. These are usually the IP subnets that contain internal corporate applications such as file shares.

    Uncheck the Include Local Subet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site.

  • Local: Define the subnets that you do not want to be tunneled back to the FortiGate. Use this method if you want all traffic to be inspected by the FortiGate, including traffic destined for the internet. This method is more secure but can add latency to the user's internet browsing.

    Check the Include Local Subnet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site

To configure split tunnel behavior
  1. From the FortiGate CLI, enter the following commands to change the split tunneling behavior in a FortiAP profile:

    config wireless-controller wtp-profile

    edit <teleworker_profile_name>

    set split-tunneling-acl-path {tunnel | local}

    end

    end

Enabling split tunneling on SSIDs

Once you create your FortiAP profile, you need to enable split tunneling on the SSIDs you want to use on the remote APs.

To enable split tunneling on SSIDs
  1. Go to WiFi & Switch Controller > SSIDs and edit the SSIDs the remote AP will use.
  2. Enable Split tunneling.
  3. Click OK.

Encrypting CAPWAP communication

The default DTLS setting for CAPWAP communication over the internet is clear-text, meaning it's non-encrypted. You can enable IPSEC or DTLS for more security. IPSEC is preferred for most modern FortiGates because the NP6 and SOC3/4 SPUs can offload IPSEC data more efficiently than DTLS.

For more information about each encryption method, see WiFi data channel encryption.

To enable encryption
  1. From the FortiGate CLI, enter the following commands to edit the FortiAP profile:

    config wireless-controller wtp-profile

    edit <teleworker_profile_name>

    set dtls-policy {clear-text | dtls-enabled | ipsec-vpn}

    end

    end