Provides a layer of security for wireless management frames by ensuring that traffic comes from legitimate sources. Network attackers and malicious entities are unable to disrupt legitimate wireless connections by sending spoofed clear text wireless management frames.

• Disable - Disables the usage of 802.11w management protection frames.

• Optional - Allows wireless clients that do not support 802.11w along with those that support 802.11w to associate with the SSID.

• Required - Allows only those wireless clients to associate with the SSID that support 802.11w and prevents clients that do not support 802.11w from associating.

• PMF Association Comeback Timeout (seconds) - Specifies the time which an associated client must wait before the association can be tried again when first denied. The valid range is 1 -20 seconds with a default value of 1 second.

• PMF SA Query Retry Timeout (milliseconds) - Specifies the amount of time the controller waits for a response from the wireless client for the query process. If there is no response from the client, it is dis-associated. The supported values are 100, 200, 300, 400, and 500 milliseconds with a default value of 200 milliseconds

Note: Any change in the PMF configuration requires the controller to delete and then add the SSID. This disrupts existing connections.

This feature allows faster roaming for Wi-Fi clients by enabling swift BSS transitions between APs. This minimizes delay caused due to a client transitioning from one BSS to another in a multi-AP deployment.

• Mobility Domain ID – This parameter acts as a network identifier. The clients attempt 802.11r enabled roaming only when the same mobility domain ID is configured for both the networks. The valid range is 1 to 65535 and the default is 1000.
• R0 Key Lifetime – This parameter indicates the duration after which the R0 key in the FortiAP expires. For WPA/WPA2 PSK authentication methods, the R0 key is derived from the PSK and for enterprise, it is derived after the EAP handshake with the RADIUS server is complete. The valid range is 1 to 65535 minutes and the default is 480 minutes.

Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
Airtime Fairness is configured per SSID, each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.

• Applicable only on downlink traffic.

• Applicable only on data, management and control functions are excluded.

• Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.

• Applicable on all authentication modes.

Airtime Fairness is supported with FOS 6.2.0 and on all FortiAP-S and FortiAP-W2 models.
Note: Enable ATF processing on desired radios in AP Platform Profile.

Suppresses the transmission of specific broadcast traffic to secure the wireless network and optimize airtime usage. When the received broadcast traffic exceeds the threshold, the interface discards it until the broadcast traffic drops below a specific threshold.
Since broadcast packets sent to wireless clients connected to a FortiAP occupy valuable airtime, unnecessary and potentially detrimental packets can impact network throughput.
By default, ARP Replies, ARPs For Known Clients, DHCP Uplink, DHCP Downlink, and DHCP Unicast broadcast suppression is enabled. The following methods are supported.

• ARP Poison - Suppress ARP poison attacks from malicious Wi-Fi clients. Prevent malicious WiFi clients from spoofing ARP packets.
• ARP Proxy - Suppress ARP request packets broadcast by the Ethernet downlink to known Wi-Fi clients. Instead, send ARP reply packets to the Ethernet uplink, as a proxy for Wi-Fi clients.
• ARP Replies - Suppress ARP reply packets broadcast by Wi-Fi clients. Instead, forward the ARP packets as unicast packets to the clients with target MAC addresses.
• ARPs For Known Clients - Suppress ARP request packets broadcast to known Wi-Fi clients. Instead, forward ARP packets as unicast packets to the known clients.
• ARPs For Unknown Clients - Suppress ARP request packets broadcast to unknown Wi-Fi clients.
• DHCP Uplink - Suppress DHCP discovery and request packets broadcast by Wi-Fi clients. Forward DHCP packets to the Ethernet uplink only. Prevent malicious Wi-Fi clients from acting as DHCP servers.
• DHCP Downlink - Suppress DHCP packets broadcast by the Ethernet downlink to Wi-Fi clients. Prevent malicious Wi-Fi clients from acting as DHCP servers.
• DHCP Unicast - Convert downlink broadcast DHCP messages to unicast messages.
• DHCP Starvation - Suppress DHCP starvation attacks from malicious Wi-Fi clients. Prevent malicious Wi-Fi clients from depleting the DHCP address pool.
• IPv6 - Suppress IPv6 broadcast packets. This is useful when the network is configured to support only IPv4.
• NetBIOS Name Services - Suppress NetBIOS name services packets with UDP port 137.
• NetBIOS Datagram - Suppress NetBIOS datagram services packets with UDP port 138.
• All Other Broadcast - Suppress broadcast packets not covered by any of the specific options.
• All Other Multicast - Suppress multicast packets not covered by any of the specific options.

To block intra-SSID network traffic.

Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
FortiLAN Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.

• Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.

• Tunnel Fallback Interval: The time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 0 to 65535 seconds; default is 7200 seconds.

DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
Note: This feature is supported with FOS 6.2.0 and above.

• Circuit ID: The AP information is inserted in the following formats:
  • Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
  • Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".

  Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".

• Remote ID: The MAC address of the client device is inserted in the following format:
  Style-1 - ASCII string composed of the client MAC address. For example,"00:12:F2:00:00:59".