Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Allow users to select individual security profiles in bridged SSID 7.0.2

When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself.

Note

The security profile type must enabled in System > Feature Visibility to make the option visible in the GUI.

In the following example, individual antivirus, web filter, application control, and intrusion prevention profiles are applied to a bridge mode SSID.

To apply security profiles to an SSID in the GUI:
  1. Go to WiFi & Switch Controller > SSIDs, and click Create New > SSID or edit an existing SSID.

  2. In the WiFi Settings section, enable Security Profiles.

  3. Enable the desired security profile types and select a profile from the corresponding dropdown.

  4. Edit the other settings as needed.

  5. Click OK. The list of applied security profiles is visible in the SSID table.

To apply security profiles to an SSID in the CLI:
  1. Configure the VAP:

    config wireless-controller vap
        edit "utm_br1"
            set ssid "FOS_utm_bridge"
            set local-bridging enable
            set utm-status enable
            set ips-sensor "wifi-default"
            set application-list "wifi-default"
            set antivirus-profile "wifi-default"
            set webfilter-profile "wifi-default"
            set scan-botnet-connections block
        next
    end
  2. Assign the VAP to a managed FAP-U device.

    1. Configure the FortiAP profile:

      config wireless-controller wtp-profile
          edit "FAPU431F-default"
              config radio-1
                  set band 802.11ax-5G
                  set vap-all manual
                  set vaps "utm_br1"
              end
              config radio-2
                  set band 802.11ax,n,g-only
                  set vap-all manual
                  set vaps "utm_br1"
              end
          next
      end
    2. Configure the managed FortiAP settings:

      config wireless-controller wtp
          edit "PU431F5E19000000"
              set admin enable
              set wtp-profile "FAPU431F-default"
              config radio-1
              end
              config radio-2
              end
          next
      end
  3. On the FortiAP, verify that the UTM profiles have been pushed from the FortiGate:

    # utm_diag cfg show -v
    LogServer: :0
    UploadInterval: 60
    -----------------------------------------------------------
    SSID: FOS_utm_bridge
        IPS: enabled
            Name: wifi-default
            Sensor: 1
                RuleID: 
                LocaFilter: all 
                SeveFilter: medium high critical 
                ProtFilter: all 
                OSFilter: all 
                AppFilter: all 
                LogOption: enabled
                Action: default
        ApplicationControl: enabled
            Name: wifi-default
            AppBlkPageOption: enabled
            OtherAppActionOption: pass
            UnknownAppActionOption: pass
            DeepAppCtrlOption: disabled
            UnknownAppLogOption: disabled
            OtherAppLogOption: disabled
            SpecialOptions: 
                AllowDNS: enabled
                AllowICMP: disabled
                AllowHTTP: disabled
                AllowSSL: disabled
            Sensor: 1
                RuleID: 
                CatNum: 
                SubCatNum: 
                Popularity: 1 2 3 4 5 
                ProtocolFilter: all 
                VendorFilter: all 
                TechFilter: all 
                BehaviorFilter: all 
                RuleParams: 
                SessionTTL: 0
                LogOption: disabled
                Action: pass
        AntiVirus: enabled
            Name: wifi-default
            HTTP: scan
            SMTP: scan
            POP3: scan
            IMAP: scan
            FTP: scan
            LogOption: enabled
        WebFilter: enabled
            Name: wifi-default
            FtgdOption: enabled
            InvalidURLOption: enabled
            PostAction: disabled
            CategoryFilters:
                 0 - Unrated: monitor
                 2 - Alternative Beliefs: block
                 7 - Abortion: block
                 8 - Other Adult Materials: block
                 9 - Advocacy Organizations: block
                11 - Gambling: block
                12 - Extremist Groups: block
                13 - Nudity and Risque: block
                14 - Pornography: block
                15 - Dating: block
                16 - Weapons (Sales): block
                26 - Malicious Websites: block
                57 - Marijuana: block
                61 - Phishing: block
                63 - Sex Education: block
                64 - Alcohol: block
                65 - Tobacco: block
                66 - Lingerie and Swimsuit: block
                67 - Sports Hunting and War Games: block
                86 - Spam URLs: block
                88 - Dynamic DNS: block
                90 - Unknown: block
                91 - Unknown: block
        Botnet: enabled
            Name: utm_br1
            Mode: block
        ScanProtOptions: enabled
            Name: FOS_utm_bridge
            MaxAVScanFileSize: 10
            CheckHttpsCert: enabled
        GraywareOption: enabled
        LogOption: enabled

Allow users to select individual security profiles in bridged SSID 7.0.2

When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself.

Note

The security profile type must enabled in System > Feature Visibility to make the option visible in the GUI.

In the following example, individual antivirus, web filter, application control, and intrusion prevention profiles are applied to a bridge mode SSID.

To apply security profiles to an SSID in the GUI:
  1. Go to WiFi & Switch Controller > SSIDs, and click Create New > SSID or edit an existing SSID.

  2. In the WiFi Settings section, enable Security Profiles.

  3. Enable the desired security profile types and select a profile from the corresponding dropdown.

  4. Edit the other settings as needed.

  5. Click OK. The list of applied security profiles is visible in the SSID table.

To apply security profiles to an SSID in the CLI:
  1. Configure the VAP:

    config wireless-controller vap
        edit "utm_br1"
            set ssid "FOS_utm_bridge"
            set local-bridging enable
            set utm-status enable
            set ips-sensor "wifi-default"
            set application-list "wifi-default"
            set antivirus-profile "wifi-default"
            set webfilter-profile "wifi-default"
            set scan-botnet-connections block
        next
    end
  2. Assign the VAP to a managed FAP-U device.

    1. Configure the FortiAP profile:

      config wireless-controller wtp-profile
          edit "FAPU431F-default"
              config radio-1
                  set band 802.11ax-5G
                  set vap-all manual
                  set vaps "utm_br1"
              end
              config radio-2
                  set band 802.11ax,n,g-only
                  set vap-all manual
                  set vaps "utm_br1"
              end
          next
      end
    2. Configure the managed FortiAP settings:

      config wireless-controller wtp
          edit "PU431F5E19000000"
              set admin enable
              set wtp-profile "FAPU431F-default"
              config radio-1
              end
              config radio-2
              end
          next
      end
  3. On the FortiAP, verify that the UTM profiles have been pushed from the FortiGate:

    # utm_diag cfg show -v
    LogServer: :0
    UploadInterval: 60
    -----------------------------------------------------------
    SSID: FOS_utm_bridge
        IPS: enabled
            Name: wifi-default
            Sensor: 1
                RuleID: 
                LocaFilter: all 
                SeveFilter: medium high critical 
                ProtFilter: all 
                OSFilter: all 
                AppFilter: all 
                LogOption: enabled
                Action: default
        ApplicationControl: enabled
            Name: wifi-default
            AppBlkPageOption: enabled
            OtherAppActionOption: pass
            UnknownAppActionOption: pass
            DeepAppCtrlOption: disabled
            UnknownAppLogOption: disabled
            OtherAppLogOption: disabled
            SpecialOptions: 
                AllowDNS: enabled
                AllowICMP: disabled
                AllowHTTP: disabled
                AllowSSL: disabled
            Sensor: 1
                RuleID: 
                CatNum: 
                SubCatNum: 
                Popularity: 1 2 3 4 5 
                ProtocolFilter: all 
                VendorFilter: all 
                TechFilter: all 
                BehaviorFilter: all 
                RuleParams: 
                SessionTTL: 0
                LogOption: disabled
                Action: pass
        AntiVirus: enabled
            Name: wifi-default
            HTTP: scan
            SMTP: scan
            POP3: scan
            IMAP: scan
            FTP: scan
            LogOption: enabled
        WebFilter: enabled
            Name: wifi-default
            FtgdOption: enabled
            InvalidURLOption: enabled
            PostAction: disabled
            CategoryFilters:
                 0 - Unrated: monitor
                 2 - Alternative Beliefs: block
                 7 - Abortion: block
                 8 - Other Adult Materials: block
                 9 - Advocacy Organizations: block
                11 - Gambling: block
                12 - Extremist Groups: block
                13 - Nudity and Risque: block
                14 - Pornography: block
                15 - Dating: block
                16 - Weapons (Sales): block
                26 - Malicious Websites: block
                57 - Marijuana: block
                61 - Phishing: block
                63 - Sex Education: block
                64 - Alcohol: block
                65 - Tobacco: block
                66 - Lingerie and Swimsuit: block
                67 - Sports Hunting and War Games: block
                86 - Spam URLs: block
                88 - Dynamic DNS: block
                90 - Unknown: block
                91 - Unknown: block
        Botnet: enabled
            Name: utm_br1
            Mode: block
        ScanProtOptions: enabled
            Name: FOS_utm_bridge
            MaxAVScanFileSize: 10
            CheckHttpsCert: enabled
        GraywareOption: enabled
        LogOption: enabled