Fortinet black logo

FortiLAN Cloud User Guide

Advanced Settings

Copy Link
Copy Doc ID 3ec13da5-0452-11ed-bb32-fa163e15d75b:744374

Advanced Settings

With a FortiAP advanced management license, you can enable the following advanced settings.

Field

Description

Radio Sensitivity (Rx-SOP) The Receiver Start of Packet (Rx-SOP) configures a threshold to allow FortiAPs to adjust the SSID cell size. The radio discards all received wireless frames with minimum WiFi signal lesser than the configured threshold value. Adjusted cell size ensures that wireless clients are connected to the nearest FortiAP at highest possible data rates and distant clients do not deprive other clients of airtime.
The valid range of signal strength is -95 to -20 dBm with a default value of -79 dBm for 2.4GHz and -76 dBm for 5GHz.
Probe Response Suppression Restricts distant wireless clients from connecting to the FortiAP if the received signal strength is less than the configured threshold. The FortiAP does not send any probe response to these distant wireless clients and responds to the probe requests sent from nearby clients only. The valid range of signal strength is -95 to -20 dBm with a default value of -80 dBm.
Sticky Clients Removal De-authenticates sticky wireless clients (distant clients that stick to the FortiAP) if the signal strength is less than the configured threshold. The valid range of signal strength is -95 to -20 dBm with a default value of -79 dBm for 2.4GHz and -76 dBm for 5GHz.
Protected Management Frames (802.11w)

Provides a layer of security for wireless management frames by ensuring that traffic comes from legitimate sources. Network attackers and malicious entities are unable to disrupt legitimate wireless connections by sending spoofed clear text wireless management frames.

  • Disable - Disables the usage of 802.11w management protection frames.

  • Optional - Allows wireless clients that do not support 802.11w along with those that support 802.11w to associate with the SSID.

  • Required - Allows only those wireless clients to associate with the SSID that support 802.11w and prevents clients that do not support 802.11w from associating.

  • PMF Association Comeback Timeout (seconds) - Specifies the time which an associated client must wait before the association can be tried again when first denied. The valid range is 1 -20 seconds with a default value of 1 second.

  • PMF SA Query Retry Timeout (milliseconds) - Specifies the amount of time the controller waits for a response from the wireless client for the query process. If there is no response from the client, it is dis-associated. The supported values are 100, 200, 300, 400, and 500 milliseconds with a default value of 200 milliseconds

Note: Any change in the PMF configuration requires the controller to delete and then add the SSID. This disrupts existing connections.

Fast BSS Transition (802.11r)

This feature allows faster roaming for Wi-Fi clients by enabling swift BSS transitions between APs. This minimizes delay caused due to a client transitioning from one BSS to another in a multi-AP deployment.

  • Mobility Domain ID – This parameter acts as a network identifier. The clients attempt 802.11r enabled roaming only when the same mobility domain ID is configured for both the networks. The valid range is 1 to 65535 and the default is 1000.
  • R0 Key Lifetime – This parameter indicates the duration after which the R0 key in the FortiAP expires. For WPA/WPA2 PSK authentication methods, the R0 key is derived from the PSK and for enterprise, it is derived after the EAP handshake with the RADIUS server is complete. The valid range is 1 to 65535 minutes and the default is 480 minutes.
Voice Enterprise (802.11kv)
  • This feature provides support for network assisted roaming based on 802.11k and 802.11v standards.

    802.11k network assisted roaming allows a potential roaming wireless client to collect from its current AP the list of compatible neighbour APs. This saves the wireless client from performing full scan on both bands. The wireless client selects and moves to the optimal neighbour AP from the list. The 802.11k also provides support for Radio Resource Management (RRM) such as APs querying the associated wireless clients for beacon reports and perceived RSSI used to prepare the compatible neighbour AP list for wireless clients.

    802.11v network assisted roaming allows the wireless network to send requests to associated clients, recommending better APs to associate with while roaming. This is beneficial for both load balancing and in guiding clients with poor connectivity.
    The BSS Transition feature allows the roaming client to initiate a BSS transition query to the associated AP for a candidate list of other APs it can re-associate with, the associated AP responds with a BSS transition request containing the requested AP list. The AP can also send an unsolicited BSS transition request to the client. The client can accept the request and re-associate with the suggested APs or it can reject the request and continue its association with the current AP.
  • Airtime Fairness Weight (%)

    Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
    Airtime Fairness is configured per SSID, each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
    Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.

    • Applicable only on downlink traffic.

    • Applicable only on data, management and control functions are excluded.

    • Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.

    • Applicable on all authentication modes.

    Airtime Fairness is supported with FOS 6.2.0 and on all FortiAP-S and FortiAP-W2 models.
    Note: Enable ATF processing on desired radios in AP Platform Profile.

    Broadcast Suppression

    Suppresses the transmission of specific broadcast traffic to secure the wireless network and optimize airtime usage. When the received broadcast traffic exceeds the threshold, the interface discards it until the broadcast traffic drops below a specific threshold.
    Since broadcast packets sent to wireless clients connected to a FortiAP occupy valuable airtime, unnecessary and potentially detrimental packets can impact network throughput.
    By default, ARP Replies, ARPs For Known Clients, DHCP Uplink, DHCP Downlink, and DHCP Unicast broadcast suppression is enabled. The following methods are supported.

    • ARP Poison - Suppress ARP poison attacks from malicious Wi-Fi clients. Prevent malicious WiFi clients from spoofing ARP packets.
    • ARP Proxy - Suppress ARP request packets broadcast by the Ethernet downlink to known Wi-Fi clients. Instead, send ARP reply packets to the Ethernet uplink, as a proxy for Wi-Fi clients.
    • ARP Replies - Suppress ARP reply packets broadcast by Wi-Fi clients. Instead, forward the ARP packets as unicast packets to the clients with target MAC addresses.
    • ARPs For Known Clients - Suppress ARP request packets broadcast to known Wi-Fi clients. Instead, forward ARP packets as unicast packets to the known clients.
    • ARPs For Unknown Clients - Suppress ARP request packets broadcast to unknown Wi-Fi clients.
    • DHCP Uplink - Suppress DHCP discovery and request packets broadcast by Wi-Fi clients. Forward DHCP packets to the Ethernet uplink only. Prevent malicious Wi-Fi clients from acting as DHCP servers.
    • DHCP Downlink - Suppress DHCP packets broadcast by the Ethernet downlink to Wi-Fi clients. Prevent malicious Wi-Fi clients from acting as DHCP servers.
    • DHCP Unicast - Convert downlink broadcast DHCP messages to unicast messages.
    • DHCP Starvation - Suppress DHCP starvation attacks from malicious Wi-Fi clients. Prevent malicious Wi-Fi clients from depleting the DHCP address pool.
    • IPv6 - Suppress IPv6 broadcast packets. This is useful when the network is configured to support only IPv4.
    • NetBIOS Name Services - Suppress NetBIOS name services packets with UDP port 137.
    • NetBIOS Datagram - Suppress NetBIOS datagram services packets with UDP port 138.
    • All Other Broadcast - Suppress broadcast packets not covered by any of the specific options.
    • All Other Multicast - Suppress multicast packets not covered by any of the specific options.
    L3 Firewall Profile Create L3 Firewall rules. For more information, see Adding an L3 Firewall Profile.

    Block intra-SSID traffic

    To block intra-SSID network traffic.

    Tunnel Settings

    Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
    FortiLAN Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.

    • Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.

    • Tunnel Fallback Interval: The time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 0 to 65535 seconds; default is 7200 seconds.

    DHCP Option 82

    DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
    The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
    Note: This feature is supported with FOS 6.2.0 and above.

      • Circuit ID: The AP information is inserted in the following formats:
      • Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
      • Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".
      • Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".

    • Remote ID: The MAC address of the client device is inserted in the following format:
      Style-1 - ASCII string composed of the client MAC address. For example,"00:12:F2:00:00:59".

    Radio and Rates Optional Settings

    Customize the 2.4 GHz and 5 GHz rate settings.

    Advanced Settings

    With a FortiAP advanced management license, you can enable the following advanced settings.

    Field

    Description

    Radio Sensitivity (Rx-SOP) The Receiver Start of Packet (Rx-SOP) configures a threshold to allow FortiAPs to adjust the SSID cell size. The radio discards all received wireless frames with minimum WiFi signal lesser than the configured threshold value. Adjusted cell size ensures that wireless clients are connected to the nearest FortiAP at highest possible data rates and distant clients do not deprive other clients of airtime.
    The valid range of signal strength is -95 to -20 dBm with a default value of -79 dBm for 2.4GHz and -76 dBm for 5GHz.
    Probe Response Suppression Restricts distant wireless clients from connecting to the FortiAP if the received signal strength is less than the configured threshold. The FortiAP does not send any probe response to these distant wireless clients and responds to the probe requests sent from nearby clients only. The valid range of signal strength is -95 to -20 dBm with a default value of -80 dBm.
    Sticky Clients Removal De-authenticates sticky wireless clients (distant clients that stick to the FortiAP) if the signal strength is less than the configured threshold. The valid range of signal strength is -95 to -20 dBm with a default value of -79 dBm for 2.4GHz and -76 dBm for 5GHz.
    Protected Management Frames (802.11w)

    Provides a layer of security for wireless management frames by ensuring that traffic comes from legitimate sources. Network attackers and malicious entities are unable to disrupt legitimate wireless connections by sending spoofed clear text wireless management frames.

    • Disable - Disables the usage of 802.11w management protection frames.

    • Optional - Allows wireless clients that do not support 802.11w along with those that support 802.11w to associate with the SSID.

    • Required - Allows only those wireless clients to associate with the SSID that support 802.11w and prevents clients that do not support 802.11w from associating.

    • PMF Association Comeback Timeout (seconds) - Specifies the time which an associated client must wait before the association can be tried again when first denied. The valid range is 1 -20 seconds with a default value of 1 second.

    • PMF SA Query Retry Timeout (milliseconds) - Specifies the amount of time the controller waits for a response from the wireless client for the query process. If there is no response from the client, it is dis-associated. The supported values are 100, 200, 300, 400, and 500 milliseconds with a default value of 200 milliseconds

    Note: Any change in the PMF configuration requires the controller to delete and then add the SSID. This disrupts existing connections.

    Fast BSS Transition (802.11r)

    This feature allows faster roaming for Wi-Fi clients by enabling swift BSS transitions between APs. This minimizes delay caused due to a client transitioning from one BSS to another in a multi-AP deployment.

    • Mobility Domain ID – This parameter acts as a network identifier. The clients attempt 802.11r enabled roaming only when the same mobility domain ID is configured for both the networks. The valid range is 1 to 65535 and the default is 1000.
    • R0 Key Lifetime – This parameter indicates the duration after which the R0 key in the FortiAP expires. For WPA/WPA2 PSK authentication methods, the R0 key is derived from the PSK and for enterprise, it is derived after the EAP handshake with the RADIUS server is complete. The valid range is 1 to 65535 minutes and the default is 480 minutes.
    Voice Enterprise (802.11kv)
  • This feature provides support for network assisted roaming based on 802.11k and 802.11v standards.

    802.11k network assisted roaming allows a potential roaming wireless client to collect from its current AP the list of compatible neighbour APs. This saves the wireless client from performing full scan on both bands. The wireless client selects and moves to the optimal neighbour AP from the list. The 802.11k also provides support for Radio Resource Management (RRM) such as APs querying the associated wireless clients for beacon reports and perceived RSSI used to prepare the compatible neighbour AP list for wireless clients.

    802.11v network assisted roaming allows the wireless network to send requests to associated clients, recommending better APs to associate with while roaming. This is beneficial for both load balancing and in guiding clients with poor connectivity.
    The BSS Transition feature allows the roaming client to initiate a BSS transition query to the associated AP for a candidate list of other APs it can re-associate with, the associated AP responds with a BSS transition request containing the requested AP list. The AP can also send an unsolicited BSS transition request to the client. The client can accept the request and re-associate with the suggested APs or it can reject the request and continue its association with the current AP.
  • Airtime Fairness Weight (%)

    Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
    Airtime Fairness is configured per SSID, each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
    Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.

    • Applicable only on downlink traffic.

    • Applicable only on data, management and control functions are excluded.

    • Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.

    • Applicable on all authentication modes.

    Airtime Fairness is supported with FOS 6.2.0 and on all FortiAP-S and FortiAP-W2 models.
    Note: Enable ATF processing on desired radios in AP Platform Profile.

    Broadcast Suppression

    Suppresses the transmission of specific broadcast traffic to secure the wireless network and optimize airtime usage. When the received broadcast traffic exceeds the threshold, the interface discards it until the broadcast traffic drops below a specific threshold.
    Since broadcast packets sent to wireless clients connected to a FortiAP occupy valuable airtime, unnecessary and potentially detrimental packets can impact network throughput.
    By default, ARP Replies, ARPs For Known Clients, DHCP Uplink, DHCP Downlink, and DHCP Unicast broadcast suppression is enabled. The following methods are supported.

    • ARP Poison - Suppress ARP poison attacks from malicious Wi-Fi clients. Prevent malicious WiFi clients from spoofing ARP packets.
    • ARP Proxy - Suppress ARP request packets broadcast by the Ethernet downlink to known Wi-Fi clients. Instead, send ARP reply packets to the Ethernet uplink, as a proxy for Wi-Fi clients.
    • ARP Replies - Suppress ARP reply packets broadcast by Wi-Fi clients. Instead, forward the ARP packets as unicast packets to the clients with target MAC addresses.
    • ARPs For Known Clients - Suppress ARP request packets broadcast to known Wi-Fi clients. Instead, forward ARP packets as unicast packets to the known clients.
    • ARPs For Unknown Clients - Suppress ARP request packets broadcast to unknown Wi-Fi clients.
    • DHCP Uplink - Suppress DHCP discovery and request packets broadcast by Wi-Fi clients. Forward DHCP packets to the Ethernet uplink only. Prevent malicious Wi-Fi clients from acting as DHCP servers.
    • DHCP Downlink - Suppress DHCP packets broadcast by the Ethernet downlink to Wi-Fi clients. Prevent malicious Wi-Fi clients from acting as DHCP servers.
    • DHCP Unicast - Convert downlink broadcast DHCP messages to unicast messages.
    • DHCP Starvation - Suppress DHCP starvation attacks from malicious Wi-Fi clients. Prevent malicious Wi-Fi clients from depleting the DHCP address pool.
    • IPv6 - Suppress IPv6 broadcast packets. This is useful when the network is configured to support only IPv4.
    • NetBIOS Name Services - Suppress NetBIOS name services packets with UDP port 137.
    • NetBIOS Datagram - Suppress NetBIOS datagram services packets with UDP port 138.
    • All Other Broadcast - Suppress broadcast packets not covered by any of the specific options.
    • All Other Multicast - Suppress multicast packets not covered by any of the specific options.
    L3 Firewall Profile Create L3 Firewall rules. For more information, see Adding an L3 Firewall Profile.

    Block intra-SSID traffic

    To block intra-SSID network traffic.

    Tunnel Settings

    Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
    FortiLAN Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.

    • Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.

    • Tunnel Fallback Interval: The time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 0 to 65535 seconds; default is 7200 seconds.

    DHCP Option 82

    DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
    The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
    Note: This feature is supported with FOS 6.2.0 and above.

      • Circuit ID: The AP information is inserted in the following formats:
      • Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
      • Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".
      • Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".

    • Remote ID: The MAC address of the client device is inserted in the following format:
      Style-1 - ASCII string composed of the client MAC address. For example,"00:12:F2:00:00:59".

    Radio and Rates Optional Settings

    Customize the 2.4 GHz and 5 GHz rate settings.