
New Features

Allow users to select individual security profiles in bridged SSID 7.0.2

Allow users to select individual security profiles in bridged SSID 7.0.2

When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself.

Note

Each security profile type must be enabled in System > Feature Visibility for its option to be visible in the GUI.

In the following example, individual antivirus, web filter, application control, and intrusion prevention profiles are applied to a bridge mode SSID. The CLI example also sets botnet connection scanning to block.

To apply security profiles to an SSID in the GUI:
  1. Go to WiFi & Switch Controller > SSIDs, and click Create New > SSID or edit an existing SSID.

  2. In the WiFi Settings section, enable Security Profiles.

  3. Enable the desired security profile types and select a profile from the corresponding dropdown.

  4. Edit the other settings as needed.

  5. Click OK. The list of applied security profiles is visible in the SSID table.

To apply security profiles to an SSID in the CLI:
  1. Configure the VAP:

    config wireless-controller vap
        edit "utm_br1"
            set ssid "FOS_utm_bridge"
            set local-bridging enable
            set utm-status enable
            set ips-sensor "wifi-default"
            set application-list "wifi-default"
            set antivirus-profile "wifi-default"
            set webfilter-profile "wifi-default"
            set scan-botnet-connections block
        next
    end
  2. Assign the VAP to a managed FAP-U device.

    1. Configure the FortiAP profile:

      config wireless-controller wtp-profile
          edit "FAPU431F-default"
              config radio-1
                  set band 802.11ax-5G
                  set vap-all manual
                  set vaps "utm_br1"
              end
              config radio-2
                  set band 802.11ax,n,g-only
                  set vap-all manual
                  set vaps "utm_br1"
              end
          next
      end
    2. Configure the managed FortiAP settings:

      config wireless-controller wtp
          edit "PU431F5E19000000"
              set admin enable
              set wtp-profile "FAPU431F-default"
              config radio-1
              end
              config radio-2
              end
          next
      end
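  3. On the FortiAP, verify that the UTM profiles have been pushed from the FortiGate. Each profile set on the VAP in step 1 should be listed as enabled under the SSID, with the expected profile name: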

    # utm_diag cfg show -v
    LogServer: :0
    UploadInterval: 60
    -----------------------------------------------------------
    SSID: FOS_utm_bridge
        IPS: enabled
            Name: wifi-default
            Sensor: 1
                RuleID: 
                LocaFilter: all 
                SeveFilter: medium high critical 
                ProtFilter: all 
                OSFilter: all 
                AppFilter: all 
                LogOption: enabled
                Action: default
        ApplicationControl: enabled
            Name: wifi-default
            AppBlkPageOption: enabled
            OtherAppActionOption: pass
            UnknownAppActionOption: pass
            DeepAppCtrlOption: disabled
            UnknownAppLogOption: disabled
            OtherAppLogOption: disabled
            SpecialOptions: 
                AllowDNS: enabled
                AllowICMP: disabled
                AllowHTTP: disabled
                AllowSSL: disabled
            Sensor: 1
                RuleID: 
                CatNum: 
                SubCatNum: 
                Popularity: 1 2 3 4 5 
                ProtocolFilter: all 
                VendorFilter: all 
                TechFilter: all 
                BehaviorFilter: all 
                RuleParams: 
                SessionTTL: 0
                LogOption: disabled
                Action: pass
        AntiVirus: enabled
            Name: wifi-default
            HTTP: scan
            SMTP: scan
            POP3: scan
            IMAP: scan
            FTP: scan
            LogOption: enabled
        WebFilter: enabled
            Name: wifi-default
            FtgdOption: enabled
            InvalidURLOption: enabled
            PostAction: disabled
            CategoryFilters:
                 0 - Unrated: monitor
                 2 - Alternative Beliefs: block
                 7 - Abortion: block
                 8 - Other Adult Materials: block
                 9 - Advocacy Organizations: block
                11 - Gambling: block
                12 - Extremist Groups: block
                13 - Nudity and Risque: block
                14 - Pornography: block
                15 - Dating: block
                16 - Weapons (Sales): block
                26 - Malicious Websites: block
                57 - Marijuana: block
                61 - Phishing: block
                63 - Sex Education: block
                64 - Alcohol: block
                65 - Tobacco: block
                66 - Lingerie and Swimsuit: block
                67 - Sports Hunting and War Games: block
                86 - Spam URLs: block
                88 - Dynamic DNS: block
                90 - Unknown: block
                91 - Unknown: block
        Botnet: enabled
            Name: utm_br1
            Mode: block
        ScanProtOptions: enabled
            Name: FOS_utm_bridge
            MaxAVScanFileSize: 10
            CheckHttpsCert: enabled
        GraywareOption: enabled
        LogOption: enabled

Allow users to select individual security profiles in bridged SSID 7.0.2

When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself.

Note

Each security profile type must be enabled in System > Feature Visibility for its option to be visible in the GUI.

In the following example, individual antivirus, web filter, application control, and intrusion prevention profiles are applied to a bridge mode SSID. The CLI example also sets botnet connection scanning to block.

To apply security profiles to an SSID in the GUI:
  1. Go to WiFi & Switch Controller > SSIDs, and click Create New > SSID or edit an existing SSID.

  2. In the WiFi Settings section, enable Security Profiles.

  3. Enable the desired security profile types and select a profile from the corresponding dropdown.

  4. Edit the other settings as needed.

  5. Click OK. The list of applied security profiles is visible in the SSID table.

To apply security profiles to an SSID in the CLI:
  1. Configure the VAP:

    config wireless-controller vap
        edit "utm_br1"
            set ssid "FOS_utm_bridge"
            set local-bridging enable
            set utm-status enable
            set ips-sensor "wifi-default"
            set application-list "wifi-default"
            set antivirus-profile "wifi-default"
            set webfilter-profile "wifi-default"
            set scan-botnet-connections block
        next
    end
  2. Assign the VAP to a managed FAP-U device.

    1. Configure the FortiAP profile:

      config wireless-controller wtp-profile
          edit "FAPU431F-default"
              config radio-1
                  set band 802.11ax-5G
                  set vap-all manual
                  set vaps "utm_br1"
              end
              config radio-2
                  set band 802.11ax,n,g-only
                  set vap-all manual
                  set vaps "utm_br1"
              end
          next
      end
    2. Configure the managed FortiAP settings:

      config wireless-controller wtp
          edit "PU431F5E19000000"
              set admin enable
              set wtp-profile "FAPU431F-default"
              config radio-1
              end
              config radio-2
              end
          next
      end
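  3. On the FortiAP, verify that the UTM profiles have been pushed from the FortiGate. Each profile set on the VAP in step 1 should be listed as enabled under the SSID, with the expected profile name: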

    # utm_diag cfg show -v
    LogServer: :0
    UploadInterval: 60
    -----------------------------------------------------------
    SSID: FOS_utm_bridge
        IPS: enabled
            Name: wifi-default
            Sensor: 1
                RuleID: 
                LocaFilter: all 
                SeveFilter: medium high critical 
                ProtFilter: all 
                OSFilter: all 
                AppFilter: all 
                LogOption: enabled
                Action: default
        ApplicationControl: enabled
            Name: wifi-default
            AppBlkPageOption: enabled
            OtherAppActionOption: pass
            UnknownAppActionOption: pass
            DeepAppCtrlOption: disabled
            UnknownAppLogOption: disabled
            OtherAppLogOption: disabled
            SpecialOptions: 
                AllowDNS: enabled
                AllowICMP: disabled
                AllowHTTP: disabled
                AllowSSL: disabled
            Sensor: 1
                RuleID: 
                CatNum: 
                SubCatNum: 
                Popularity: 1 2 3 4 5 
                ProtocolFilter: all 
                VendorFilter: all 
                TechFilter: all 
                BehaviorFilter: all 
                RuleParams: 
                SessionTTL: 0
                LogOption: disabled
                Action: pass
        AntiVirus: enabled
            Name: wifi-default
            HTTP: scan
            SMTP: scan
            POP3: scan
            IMAP: scan
            FTP: scan
            LogOption: enabled
        WebFilter: enabled
            Name: wifi-default
            FtgdOption: enabled
            InvalidURLOption: enabled
            PostAction: disabled
            CategoryFilters:
                 0 - Unrated: monitor
                 2 - Alternative Beliefs: block
                 7 - Abortion: block
                 8 - Other Adult Materials: block
                 9 - Advocacy Organizations: block
                11 - Gambling: block
                12 - Extremist Groups: block
                13 - Nudity and Risque: block
                14 - Pornography: block
                15 - Dating: block
                16 - Weapons (Sales): block
                26 - Malicious Websites: block
                57 - Marijuana: block
                61 - Phishing: block
                63 - Sex Education: block
                64 - Alcohol: block
                65 - Tobacco: block
                66 - Lingerie and Swimsuit: block
                67 - Sports Hunting and War Games: block
                86 - Spam URLs: block
                88 - Dynamic DNS: block
                90 - Unknown: block
                91 - Unknown: block
        Botnet: enabled
            Name: utm_br1
            Mode: block
        ScanProtOptions: enabled
            Name: FOS_utm_bridge
            MaxAVScanFileSize: 10
            CheckHttpsCert: enabled
        GraywareOption: enabled
        LogOption: enabled