Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Support displaying details about wired clients connected to the FortiAP LAN port 7.2.4

    Support displaying details about wired clients connected to the FortiAP LAN port 7.2.4

    Note

    This information is also available in the FortiWiFi and FortiAP 7.2.4 Configuration Guide:

    This enhancement enables the FortiGate to display details about wired clients when they are connected to a FortiAP LAN port and both the FortiGate and FortiAP have WAN-LAN operation and LAN Port Mode options configured. The wired clients must be connected to FortiAP via the following:

    • Connected to the LAN port on FortiAP models with LAN and WAN ports.

    • Connected to the LAN2 port on FortiAP models with dual LAN1 and LAN2 ports.

      By default, LAN1 and LAN2 are direct pass-through ports and must be re-configured for WAN-LAN operation. See Configuring a port to WAN-LAN operation mode for more information.

    Important information such as the client's mode of connection, Tx/Rx rate, authentication status, OS details are pushed from the FortiAP to the FortiGate. The information is displayed in the FortiGate CLI using diagnose wireless-controller wlac -c lan-sta and in the FortiAP CLI using cw_diag -c k-lan-host.

    To see client application usage over bridge mode SSIDs, see Report wireless client app usage for clients connected to bridge mode SSIDs.

    To configure FortiAP models with dual LAN ports for WAN-LAN operation:

    1. Create a FortiAP profile on the FortiGate.

       config wireless-controller wtp-profile
  edit "231F-lann"
    config platform
      set type 231F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    config radio-1
      set band 802.11ax,n,g-only
    end
    config radio-2
      set band 802.11ax-5G
    end
    config radio-3
      set mode monitor
    end
  next
end

    2. Create an SSID for the FortiAP profile. You can create either a tunnel or bridge SSID.

      config wireless-controller vap
  edit "Example_SSID"
    set ssid "Example_SSID"
    set passphrase ENC *
    set schedule "always"
    set quarantine disable
  next
end

    3. In the FortiAP profile you created, configure WAN-LAN mode and then select a port mode option.

      Note: This example uses bridge-to-ssid as the port mode, but you can use other port modes such as nat-to-wan or bridge-to-wan for collecting wired client details.

      config wireless-controller wtp-profile
  edit "231F-lann"
    set wan-port-mode wan-lan
    config lan
      set port-mode bridge-to-ssid
      set port-ssid "Example_SSID"
    end
  next
end

    4. Apply the FortiAP profile to the FortiAP unit.

       config wireless-controller wtp
  edit "FP231FTF20007509"
    set admin enable
    set wtp-profile "231F-lann"
  next
end

    5. From the FortiAP CLI, execute the following commands to enable LAN-WAN mode.

      FortiAP-231F # cfg -a WANLAN_MODE=WAN-LAN
FortiAP-231F # cfg -c
    To display details about connected wired clients:

    Once the FortiGate and FortiAP have WAN-LAN operation and LAN Port Mode options configured, you can collect data about the connected wired clients.

    1. Connect a wired client to the FortiAP and connect the FortiAP to the FortiGate.

      Note

      The FortiAP LAN1 port must be connected to the FortiGate.

      The FortiAP LAN2 port must be connected to the wired clients, either directly to the LAN2 port or through a switch connected to LAN2.

    2. On the FortiAP CLI, run command cw_diag -c k-lan-host (or) lsta to verify collected wired client information.

      FortiAP-231F # lsta   
WTP Kernel LAN Hosts:
Idle timeout: 300
index= 0/ 1 pId= 0 mac=00:24:9b:79:df:48 vlanid=0 auth=No
       host_info=VAN-301127-PC1 vci=MSFT 5.0 os_info=Windows
       ip=95.1.1.2 ip_proto=arp ip_age=36
       ip6=fe80::ddaa:41b0:4633:30dd ip6_proto=arp ip6_age=4846 ip6_rx_pkts=666
       rx_bytes=7218797 rx_rate=64.00bps rx_pkts=33620 last_rx_age=21
       tx_bytes=15441777 tx_rate=48.00bps tx_pkts=29080 last_tx_age=11

Total LAN Hosts: 1

    3. Confirm that FortiGate has received the wired client details from the AP by running the diagnostic command diagnose wireless-controller wlac -c lan-sta.

      FortiGate-81E-POE (root) # diagnose wireless-controller wlac -c lan-sta
-------------------------------LAN STA    1----------------------------
LAN STA mac     : 00:24:9b:79:df:48 (0-1.1.1.2:5246)
    pId         : 0  BR-TO-TUN-SSID Example_SSID
    vlan        : 0
    macauth     : No
    ip          : 95.1.1.2  ARP  48 seconds
    ip6         : fe80::ddaa:41b0:4633:30dd  ARP  4945 seconds  666 pkts
    host info   : VAN-301127-PC1
    vci info    : MSFT 5.0
    os info     : Windows
    uplink      : 226.00bps 33637 pkts 7221244 bytes 9 seconds
    downlink    : 31.00bps 29085 pkts 15442358 bytes 9 seconds
-------------------------------Total    1 LAN STAs----------------------------
    Previous
    Next

    Support displaying details about wired clients connected to the FortiAP LAN port 7.2.4

    Support displaying details about wired clients connected to the FortiAP LAN port 7.2.4

    Note

    This information is also available in the FortiWiFi and FortiAP 7.2.4 Configuration Guide:

    This enhancement enables the FortiGate to display details about wired clients when they are connected to a FortiAP LAN port and both the FortiGate and FortiAP have WAN-LAN operation and LAN Port Mode options configured. The wired clients must be connected to FortiAP via the following:

    • Connected to the LAN port on FortiAP models with LAN and WAN ports.

    • Connected to the LAN2 port on FortiAP models with dual LAN1 and LAN2 ports.

      By default, LAN1 and LAN2 are direct pass-through ports and must be re-configured for WAN-LAN operation. See Configuring a port to WAN-LAN operation mode for more information.

    Important information such as the client's mode of connection, Tx/Rx rate, authentication status, OS details are pushed from the FortiAP to the FortiGate. The information is displayed in the FortiGate CLI using diagnose wireless-controller wlac -c lan-sta and in the FortiAP CLI using cw_diag -c k-lan-host.

    To see client application usage over bridge mode SSIDs, see Report wireless client app usage for clients connected to bridge mode SSIDs.

    To configure FortiAP models with dual LAN ports for WAN-LAN operation:

    1. Create a FortiAP profile on the FortiGate.

       config wireless-controller wtp-profile
  edit "231F-lann"
    config platform
      set type 231F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    config radio-1
      set band 802.11ax,n,g-only
    end
    config radio-2
      set band 802.11ax-5G
    end
    config radio-3
      set mode monitor
    end
  next
end

    2. Create an SSID for the FortiAP profile. You can create either a tunnel or bridge SSID.

      config wireless-controller vap
  edit "Example_SSID"
    set ssid "Example_SSID"
    set passphrase ENC *
    set schedule "always"
    set quarantine disable
  next
end

    3. In the FortiAP profile you created, configure WAN-LAN mode and then select a port mode option.

      Note: This example uses bridge-to-ssid as the port mode, but you can use other port modes such as nat-to-wan or bridge-to-wan for collecting wired client details.

      config wireless-controller wtp-profile
  edit "231F-lann"
    set wan-port-mode wan-lan
    config lan
      set port-mode bridge-to-ssid
      set port-ssid "Example_SSID"
    end
  next
end

    4. Apply the FortiAP profile to the FortiAP unit.

       config wireless-controller wtp
  edit "FP231FTF20007509"
    set admin enable
    set wtp-profile "231F-lann"
  next
end

    5. From the FortiAP CLI, execute the following commands to enable LAN-WAN mode.

      FortiAP-231F # cfg -a WANLAN_MODE=WAN-LAN
FortiAP-231F # cfg -c
    To display details about connected wired clients:

    Once the FortiGate and FortiAP have WAN-LAN operation and LAN Port Mode options configured, you can collect data about the connected wired clients.

    1. Connect a wired client to the FortiAP and connect the FortiAP to the FortiGate.

      Note

      The FortiAP LAN1 port must be connected to the FortiGate.

      The FortiAP LAN2 port must be connected to the wired clients, either directly to the LAN2 port or through a switch connected to LAN2.

    2. On the FortiAP CLI, run command cw_diag -c k-lan-host (or) lsta to verify collected wired client information.

      FortiAP-231F # lsta   
WTP Kernel LAN Hosts:
Idle timeout: 300
index= 0/ 1 pId= 0 mac=00:24:9b:79:df:48 vlanid=0 auth=No
       host_info=VAN-301127-PC1 vci=MSFT 5.0 os_info=Windows
       ip=95.1.1.2 ip_proto=arp ip_age=36
       ip6=fe80::ddaa:41b0:4633:30dd ip6_proto=arp ip6_age=4846 ip6_rx_pkts=666
       rx_bytes=7218797 rx_rate=64.00bps rx_pkts=33620 last_rx_age=21
       tx_bytes=15441777 tx_rate=48.00bps tx_pkts=29080 last_tx_age=11

Total LAN Hosts: 1

    3. Confirm that FortiGate has received the wired client details from the AP by running the diagnostic command diagnose wireless-controller wlac -c lan-sta.

      FortiGate-81E-POE (root) # diagnose wireless-controller wlac -c lan-sta
-------------------------------LAN STA    1----------------------------
LAN STA mac     : 00:24:9b:79:df:48 (0-1.1.1.2:5246)
    pId         : 0  BR-TO-TUN-SSID Example_SSID
    vlan        : 0
    macauth     : No
    ip          : 95.1.1.2  ARP  48 seconds
    ip6         : fe80::ddaa:41b0:4633:30dd  ARP  4945 seconds  666 pkts
    host info   : VAN-301127-PC1
    vci info    : MSFT 5.0
    os info     : Windows
    uplink      : 226.00bps 33637 pkts 7221244 bytes 9 seconds
    downlink    : 31.00bps 29085 pkts 15442358 bytes 9 seconds
-------------------------------Total    1 LAN STAs----------------------------
    Previous
    Next