Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Configure Agile Multiband Operation

    Configure Agile Multiband Operation

    The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi network resources in roaming decisions and improves overall performance. This enhancement allows the FortiGate to push the MBO configuration to managed APs, which adds the MBO information element to the beacon and probe response for 802.11ax. 

    config wireless-controller vap
    edit <name>
        set mbo {enable | disable}
        set gas-comeback-delay <integer>
        set gas-fragmentation-limit <integer>
        set mbo-cell-data-conn-pref {excluded | prefer-not | prefer-use}
    next
end

    mbo {enable | disable}

    Enable/disable Multiband Operation (default = disable).

    gas-comeback-delay <integer>

    GAS comeback delay in milliseconds (100 - 10000, default = 500, 0 = special).

    gas-fragmentation-limit <integer>

    GAS fragmentation limit (512 - 4096, default = 1024).

    mbo-cell-data-conn-pref {excluded | prefer-not | prefer-use}

    MBO cell data connection preference:

    • excluded: Wi-Fi Agile Multiband AP does not want the Wi-Fi Agile Multiband STA to use the cellular data connection.
    • prefer-not: Wi-Fi Agile Multiband AP prefers that the Wi-Fi Agile Multiband STA should not use cellular data connection.
    • prefer-use: Wi-Fi Agile Multiband AP prefers that the Wi-Fi Agile Multiband STA should use cellular data connection.
    To configure MBO for an 802.11ax FortiAP:
    1. Configure MBO on the VAP:
      config wireless-controller vap
    edit "FOS-QA"
        set max-clients 15
        set ssid "FOS-QAehta-01"
        set pmf enable
        set pmf-assoc-comeback-timeout 8
        set mbo enable
        set gas-comeback-delay 0
        set gas-fragmentation-limit 2048
        set mbo-cell-data-conn-pref prefer-use
        set passphrase <somepassword>
        set schedule "always"
        set target-wake-time disable
        set igmp-snooping enable
        unset broadcast-suppression
        set mu-mimo disable
        set quarantine disable
        set dhcp-option82-insertion enable
        set qos-profile "test"
    next
end
    2. Enable the VAP on a WTP profile:
      config wireless-controller wtp-profile
    edit "FAP234F-default"
        config platform
            set type 234F
            set ddscan enable
        end
        set ble-profile "new"
        set wan-port-mode wan-lan
        config lan
            set port-mode bridge-to-ssid
            set port-ssid "16sep"
        end
        set handoff-sta-thresh 55
        set ip-fragment-preventing tcp-mss-adjust icmp-unreachable
        set allowaccess https ssh snmp
        set poe-mode high
        set frequency-handoff enable
        set ap-handoff enable
        config radio-1
            set band 802.11ax
            set short-guard-interval enable
            set auto-power-level enable
            set auto-power-high 21
            set auto-power-low 1
            set darrp enable
            set vap-all manual
            set vaps "FOS-QA"
            set channel "1" "6" "11"
        end
        config radio-2
            set band 802.11ax-5G
            set short-guard-interval enable
            set auto-power-level enable
            set auto-power-low 1
            set darrp enable
            set vap-all manual
            set vaps "FOS-QA"
            set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
        end
        config radio-3
            set mode monitor
            set wids-profile "default"
        end
        config lbs
            set station-locate enable
        end
    next
end
    3. Verify the MBO settings are pushed to the FortiAP:
      # diagnose debug application wpad 255
21176.239 Received data - hexdump(len=153):
    13 02 00 00 00 00 00 00 00 00 00 00 B0 01 A5 C0   ................
    7E 14 01 00 04 D5 90 E9 F4 E0 46 50 34 33 31 46   ~.........FP431F
    54 46 32 30 30 30 30 30 31 35 00 00 00 00 00 00   TF20000015......
    80 18 39 91 FF 7F 00 00 00 E2 C2 90 07 E0 32 AC   ..9...........2.
    FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00   ................
    00 00 00 00 00 00 00 00 78 BF E1 15 00 00 00 00   ........x.......
    00 00 01 00 31 00 00 00 D0 00 3C 00 04 D5 90 E9   ....1.....<.....
    F4 E0 A0 51 0B 4A 84 F4 FF FF FF FF FF FF A0 03   ...Q.J..........
    04 0A 00 6C 02 00 00 10 00 00 01 02 00 10 01 DD   ...l............
    DD 06 00 50 6F 9A 12 01 02                        ...Po....
21176.239 HOSTAPD: <0>192.165.1.176:5246<1-0>  entering state RUN
mgmt::action
: GAS: GAS Initial Request from a0:51:0b:4a:84:f4 (dialog token 0)
ANQP: 1 Info IDs requested in Query list
ANQP: Unsupported WFA vendor type 18
ANQP: Locally generated ANQP responses - hexdump(len=0):
ANQP: Initial response (no comeback)
21176.239 Sending data - hexdump(len=141):
    0C 03 00 00 00 00 00 00 00 00 00 00 B0 01 A5 C0   ................
    7E 14 01 00 04 D5 90 E9 F4 D0 00 00 00 00 00 00   ~...............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    4. On the FortiAP, verify the MBO settings are pushed from the FortiGate:
      # vcfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  0 WLAN Id  0 FOS-QAehta-01 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan00, vap=0x12b8018, bssid=e0:23:ff:b2:18:70
           11ax high-efficiency=enabled target-wake-time=disabled bss-color=0 partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=disabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=enabled
           mac_auth=disabled fail_through_mode=disabled sta_info=0/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=disabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=enabled, dhcp_option82_circuit_id=disable, dhcp_option82_remote_id=disable
           access_control_list=disabled
           bc_suppression=
           auth=WPA2, PSK, AES WPA keyIdx=4, keyLen=16, keyStatus=1, gTsc=000000000000
           key=dee8be7d 3675eda2 7123f695 1d740319
           pmf=required
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=enabled
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00,
           ratelimit(Kbps): ul=100 dl=0 ul_user=0 dl_user=0 burst=disabled

-------------------------------VAP Configuration    2----------------------------
Radio Id  1 WLAN Id  0 FOS-QAehta-01 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan10, vap=0x12b8860, bssid=e0:23:ff:b2:18:78
           11ax high-efficiency=enabled target-wake-time=disabled bss-color=0 partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=disabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=enabled
           mac_auth=disabled fail_through_mode=disabled sta_info=0/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=disabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=enabled, dhcp_option82_circuit_id=disable, dhcp_option82_remote_id=disable
           access_control_list=disabled
           bc_suppression=
           auth=WPA2, PSK, AES WPA keyIdx=4, keyLen=16, keyStatus=1, gTsc=000000000000
           key=6042ccb8 66c18743 18cdb5d0 12f9c0fc
           pmf=required
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=enabled
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00,
           ratelimit(Kbps): ul=100 dl=0 ul_user=0 dl_user=0 burst=disabled

-------------------------------Total    2 VAP Configurations----------------------------
    5. Verify the beacon frames in the packet captures:

    Previous
    Next

    Configure Agile Multiband Operation

    Configure Agile Multiband Operation

    The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi network resources in roaming decisions and improves overall performance. This enhancement allows the FortiGate to push the MBO configuration to managed APs, which adds the MBO information element to the beacon and probe response for 802.11ax. 

    config wireless-controller vap
    edit <name>
        set mbo {enable | disable}
        set gas-comeback-delay <integer>
        set gas-fragmentation-limit <integer>
        set mbo-cell-data-conn-pref {excluded | prefer-not | prefer-use}
    next
end

    mbo {enable | disable}

    Enable/disable Multiband Operation (default = disable).

    gas-comeback-delay <integer>

    GAS comeback delay in milliseconds (100 - 10000, default = 500, 0 = special).

    gas-fragmentation-limit <integer>

    GAS fragmentation limit (512 - 4096, default = 1024).

    mbo-cell-data-conn-pref {excluded | prefer-not | prefer-use}

    MBO cell data connection preference:

    • excluded: Wi-Fi Agile Multiband AP does not want the Wi-Fi Agile Multiband STA to use the cellular data connection.
    • prefer-not: Wi-Fi Agile Multiband AP prefers that the Wi-Fi Agile Multiband STA should not use cellular data connection.
    • prefer-use: Wi-Fi Agile Multiband AP prefers that the Wi-Fi Agile Multiband STA should use cellular data connection.
    To configure MBO for an 802.11ax FortiAP:
    1. Configure MBO on the VAP:
      config wireless-controller vap
    edit "FOS-QA"
        set max-clients 15
        set ssid "FOS-QAehta-01"
        set pmf enable
        set pmf-assoc-comeback-timeout 8
        set mbo enable
        set gas-comeback-delay 0
        set gas-fragmentation-limit 2048
        set mbo-cell-data-conn-pref prefer-use
        set passphrase <somepassword>
        set schedule "always"
        set target-wake-time disable
        set igmp-snooping enable
        unset broadcast-suppression
        set mu-mimo disable
        set quarantine disable
        set dhcp-option82-insertion enable
        set qos-profile "test"
    next
end
    2. Enable the VAP on a WTP profile:
      config wireless-controller wtp-profile
    edit "FAP234F-default"
        config platform
            set type 234F
            set ddscan enable
        end
        set ble-profile "new"
        set wan-port-mode wan-lan
        config lan
            set port-mode bridge-to-ssid
            set port-ssid "16sep"
        end
        set handoff-sta-thresh 55
        set ip-fragment-preventing tcp-mss-adjust icmp-unreachable
        set allowaccess https ssh snmp
        set poe-mode high
        set frequency-handoff enable
        set ap-handoff enable
        config radio-1
            set band 802.11ax
            set short-guard-interval enable
            set auto-power-level enable
            set auto-power-high 21
            set auto-power-low 1
            set darrp enable
            set vap-all manual
            set vaps "FOS-QA"
            set channel "1" "6" "11"
        end
        config radio-2
            set band 802.11ax-5G
            set short-guard-interval enable
            set auto-power-level enable
            set auto-power-low 1
            set darrp enable
            set vap-all manual
            set vaps "FOS-QA"
            set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
        end
        config radio-3
            set mode monitor
            set wids-profile "default"
        end
        config lbs
            set station-locate enable
        end
    next
end
    3. Verify the MBO settings are pushed to the FortiAP:
      # diagnose debug application wpad 255
21176.239 Received data - hexdump(len=153):
    13 02 00 00 00 00 00 00 00 00 00 00 B0 01 A5 C0   ................
    7E 14 01 00 04 D5 90 E9 F4 E0 46 50 34 33 31 46   ~.........FP431F
    54 46 32 30 30 30 30 30 31 35 00 00 00 00 00 00   TF20000015......
    80 18 39 91 FF 7F 00 00 00 E2 C2 90 07 E0 32 AC   ..9...........2.
    FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00   ................
    00 00 00 00 00 00 00 00 78 BF E1 15 00 00 00 00   ........x.......
    00 00 01 00 31 00 00 00 D0 00 3C 00 04 D5 90 E9   ....1.....<.....
    F4 E0 A0 51 0B 4A 84 F4 FF FF FF FF FF FF A0 03   ...Q.J..........
    04 0A 00 6C 02 00 00 10 00 00 01 02 00 10 01 DD   ...l............
    DD 06 00 50 6F 9A 12 01 02                        ...Po....
21176.239 HOSTAPD: <0>192.165.1.176:5246<1-0>  entering state RUN
mgmt::action
: GAS: GAS Initial Request from a0:51:0b:4a:84:f4 (dialog token 0)
ANQP: 1 Info IDs requested in Query list
ANQP: Unsupported WFA vendor type 18
ANQP: Locally generated ANQP responses - hexdump(len=0):
ANQP: Initial response (no comeback)
21176.239 Sending data - hexdump(len=141):
    0C 03 00 00 00 00 00 00 00 00 00 00 B0 01 A5 C0   ................
    7E 14 01 00 04 D5 90 E9 F4 D0 00 00 00 00 00 00   ~...............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    4. On the FortiAP, verify the MBO settings are pushed from the FortiGate:
      # vcfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  0 WLAN Id  0 FOS-QAehta-01 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan00, vap=0x12b8018, bssid=e0:23:ff:b2:18:70
           11ax high-efficiency=enabled target-wake-time=disabled bss-color=0 partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=disabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=enabled
           mac_auth=disabled fail_through_mode=disabled sta_info=0/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=disabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=enabled, dhcp_option82_circuit_id=disable, dhcp_option82_remote_id=disable
           access_control_list=disabled
           bc_suppression=
           auth=WPA2, PSK, AES WPA keyIdx=4, keyLen=16, keyStatus=1, gTsc=000000000000
           key=dee8be7d 3675eda2 7123f695 1d740319
           pmf=required
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=enabled
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00,
           ratelimit(Kbps): ul=100 dl=0 ul_user=0 dl_user=0 burst=disabled

-------------------------------VAP Configuration    2----------------------------
Radio Id  1 WLAN Id  0 FOS-QAehta-01 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan10, vap=0x12b8860, bssid=e0:23:ff:b2:18:78
           11ax high-efficiency=enabled target-wake-time=disabled bss-color=0 partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=disabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=enabled
           mac_auth=disabled fail_through_mode=disabled sta_info=0/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=disabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=enabled, dhcp_option82_circuit_id=disable, dhcp_option82_remote_id=disable
           access_control_list=disabled
           bc_suppression=
           auth=WPA2, PSK, AES WPA keyIdx=4, keyLen=16, keyStatus=1, gTsc=000000000000
           key=6042ccb8 66c18743 18cdb5d0 12f9c0fc
           pmf=required
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=enabled
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00,
           ratelimit(Kbps): ul=100 dl=0 ul_user=0 dl_user=0 burst=disabled

-------------------------------Total    2 VAP Configurations----------------------------
    5. Verify the beacon frames in the packet captures:

    Previous
    Next