Integrated Wireless

6.4.0
Topology

On the SD-Branch, the FortiGate acts as the wireless controller to manage the FortiAP(s) on that site. Depending on the size of the store, this may mean the deployment of more than one FortiAP. As such, consider the different topologies outlined in the links below.

  • Wired Network topology: A FortiAP unit can be connected to the FortiGate unit using a Direct, Switched, or Connection-over-WAN deployment.

  • Wireless mesh topology: A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

Getting Started

Once you have chosen the topology, you can configure the basic settings. Continuing with our earlier example, each branch may require a guest network for visitors, and a private network for employee devices. The following guide describes how to launch a wireless network for employees and guests.

SSID Authentication

While the above outlines a basic deployment scenario, in practice it is important to apply strong security to each wireless network that is being accessed. To apply WPA2-Enterprise authentication with RADIUS authentication to an employee SSID, refer to the following topics.

To apply WPA2-Personal with a Pre-shared key or to deploy captive portal for the Guest SSID, refer to the following topics.

Another method is to apply a Multiple Pre-shared Key (MPSK) for your wireless access. In this method, batch PSKs can be generated and applied to groups. These groups can also have dynamic VLAN assignment to segment the users. The keys can be exported to CSV for administration. To learn more, refer to the following topic.
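
The following sketch is an added example, not Fortinet code: it generates a batch of per-group PSKs with a CSPRNG and audits a key list for problems that undermine MPSK segmentation. The group names, VLAN IDs, CSV column layout, and the 16-character minimum are assumptions made for illustration and do not reflect the FortiOS export format.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample: group -> (VLAN ID, number of keys). All names are hypothetical.
GROUPS = {"employees": (10, 3), "pos-terminals": (20, 2), "iot": (30, 2)}
# Drop look-alike characters so keys survive being retyped by hand.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")

def generate_batch(groups, length=20):
    """Return (group, vlan_id, key_name, psk) rows with unique CSPRNG keys."""
    if not 8 <= length <= 63:  # WPA2 passphrase length limits
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    seen, rows = set(), []
    for group, (vlan, count) in groups.items():
        for i in range(1, count + 1):
            psk = None
            while psk is None or psk in seen:  # regenerate on a collision
                psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
            seen.add(psk)
            rows.append((group, vlan, f"{group}-{i}", psk))
    return rows

def to_csv(rows):
    """Serialize rows using an assumed column layout (not the FortiOS export format)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["group", "vlan_id", "key_name", "psk"])
    writer.writerows(rows)
    return buf.getvalue()

def audit(csv_text, min_length=16):
    """Flag keys that weaken per-group segmentation; min_length is an assumed policy."""
    findings, by_psk, vlans = [], defaultdict(list), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        psk = row["psk"]
        if not 8 <= len(psk) <= 63:
            findings.append(("invalid-length", row["key_name"]))
        elif len(psk) < min_length:
            findings.append(("short", row["key_name"]))
        by_psk[psk].append(row["key_name"])
        vlans[row["group"]].add(row["vlan_id"])
    # A PSK listed under two entries is ambiguous: the key is what selects the group.
    findings += [("duplicate-psk", ",".join(n)) for n in by_psk.values() if len(n) > 1]
    findings += [("group-multiple-vlans", g) for g, v in vlans.items() if len(v) > 1]
    return findings
```

Because an exported key list contains every PSK in clear text, treat the CSV itself as a credential store and restrict who can read it.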

To configure a walled garden that allows users to access certain websites such as the company and store webpage without authentication, refer to the following topic.

Optimization

Once authentication is configured and clients are able to connect to your wireless networks, you may want to perform some optimization to provide the best experience to your users. One optimization to consider is enabling DARRP (Distributed Automatic Radio Resource Provisioning). Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications based on various parameters including total RSSI, Noise Floor, Channel Load, Spectral RSSI and more. Refer to the following topic for more information.

Furthermore, these additional optimizations help control the more granular settings such as ignoring weak signals, disabling low data rates, enabling frequency band load-balancing and more.

Fortinet Security Fabric

The key advantage of a single vendor solution is the tight integration between products offered by Fortinet's Security Fabric. The fabric allows users to easily manage and log in to each device. It also enables a single pane view of the wireless network, users, and devices connected to each SSID.

To monitor the health of your wireless network, navigate to your FortiGate's Dashboard > WiFi page. This default dashboard displays a quick overview of various widgets such as FortiAP Status, Channel Utilization, Clients By FortiAP, Signal Strength and more.

To view detailed drill-down information about the connected devices, expand a widget such as Signal Strength.

You can also view WiFi clients from the WiFi & Switch Controller > WiFi Clients page.

To view the health of the FortiAP and perform diagnostics, right-click a device in the FortiAP Status monitor or on the Managed FortiAPs page to access the Diagnostics and Tools page.

To review the capabilities of different monitors on the FortiGate, and new features introduced in FortiOS 6.4, visit the following pages:

Wireless Orchestration and monitoring

From an orchestration perspective, the FortiManager AP Manager allows the APs controlled by your FortiGates to be managed from the FortiManager. The AP Manager also allows you to authorize and install APs, monitor connected clients and perform spectrum analysis on the managed APs.

The Wireless Manager (FortiWLM) management extension further enhances the monitoring capabilities by allowing you to group together wireless controllers, access points and stations in order to view cumulative statistics for the group. This includes Network Summary, AP Group Summary, Station Group, Application monitoring and more.

To learn about these features, visit the links below.
