Fortinet black logo

Administration Guide

Home FortiManager 6.0.0 Administration Guide
6.0.0
7.4.2
7.4.1
7.4.0
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.6
6.2.5
6.2.3
6.2.2
6.2.1
6.2.0
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.10
5.2.7
5.2.6
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
4.3.8
4.3.7
4.3.6
4.3.5
4.3.4
4.3.3
4.3.2
4.3.1
4.3.0
4.2.9
4.2.8
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2.0
4.1.0
4.0.3
4.0.2
4.0.1
4.0.0

SSIDs

SSIDs

To view SSIDs and SSID groups, go to AP Manager > WiFi Profiles, and select SSID in the tree menu.

The following options are available in the toolbar and right-click menu:

Create New

Create a new SSID or SSID group.

Edit

Edit the selected SSID or group.

Delete

Delete the selected SSID or group.

Clone

Clone the selected SSID or group.

Import

Import SSIDs from a connected FortiGate (toolbar only).

When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel to Wireless Controller, Local bridge with FortiAP's Interface, or Mesh Downlink.

To create a new SSID (Tunnel to Wireless Controller):
  1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New SSID Profile windows opens.

  2. Enter the following information, then click OK to create the new tunnel to wireless controller SSID:

    Name

    Type a name for the SSID.

    Traffic Mode

    Select Tunnel to Wireless Controller from the dropdown list.

    Common Interface Settings

    Select to apply common interface settings for this SSID on all FortiAPs to which this template is applied. Common settings include IP addresses, administrative access, and DHCP settings.

    IP/Netmask

    Type the IP address and netmask.

    IPv6 Address

    Type the IPv6 address.

    Administrative Access

    Select the allowed administrative service protocols from: HTTPS, HTTP, PING, FMG-Access, SSH, SNMP, TELNET, Auto IPsec Request, and FCT-Access.

    IPv6 Administrative Access

    Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, FMG-Access, SSH, SNMP, TELNET, and CAPWAP.

    Enable DHCP

    Select to enable and configure DHCP.

    This option is only available if Common Interface Settings is enabled.

    Note: If Mode is Relay, only the DHCP Server IP and Type settings are available.

    Address Range

    Enter the DHCP address range.

    This option is only available when Mode is set to Server.

    Netmask

    Enter the netmask.

    This option is only available when Mode is set to Server.

    Default Gateway

    Select Same As Interface IP if the default gateway is the same as the interface IP, or select Specify and type a new gateway IP address.

    This option is only available when Mode is set to Server.

    DNS Server

    Select Same As System DNS if the DNS server is the same as the system DNS, or select Specify and type a DNS server address.

    This option is only available when Mode is set to Server.

    Mode

    Select Server or Relay.

    DHCP Server IP

    Enter the DHCP server IP address.

    This option is only available if Mode is set to Relay.

    MAC Address Access Control List

    The MAC address control list allows you to view the MAC addresses and their actions. It includes a default entry for unknown MAC addresses.

    • Click Create New to create a new IP MAC binding.
    • Select an address then click Edit to edit the MAC address.
    • Select an address or addresses then click Delete to delete the selected items. The unknown MAC address cannot be deleted.

    This option is only available if Mode is set to Server.

    Type

    Select Regular or IPsec.

    Lease Time

    Enter the lease time, in seconds.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode. The options are:

    WPA/WPA2-PERSONAL WPA2-ONLY-PERSONAL
    WPA/WPA2-ENTERPRISE WPA2-ONLY-ENTERPRISE
    Captive Portal WPA/WPA2 Personal with Captive Portal
    OPEN WPA2 Personal with Captive Portal

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode includes WPA or WPA2 enterprise.

    Portal Type

    Select the portal type, one of: Authentication, Disclaimer + Authentication, Disclaimer Only, or Email Collection.

    This option is only available when the security mode includes captive portal.

    Authentication Portal

    Select Local or External. If External is selected, enter the URL of the portal.

    This option is only available when the portal type includes authentication.

    User Groups

    Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.

    This option is only available when the portal type includes authentication.

    Exempt Sources

    Select exempt sources to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Devices

    Select exempt devices to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Destinations

    Select exempt destinations to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Services

    Select exempt services to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Customize Portal Messages

    Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.

    This option is only available when the portal type includes disclaimer or email collection.

    Redirect after Captive Portal

    Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.

    This option is only available when the security mode includes captive portal.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Block Intra-SSID Traffic

    Select to block intra-SSID traffic.

    Split Tunneling

    Select to enable split tunneling.

    Maximum Clients

    Select to limit the concurrent WiFi clients that can connect to the SSID. If selected, type the desired maximum number of clients.

    Optional VLAN ID

    Select the VLAN ID in the text field using the arrow keys. Select 0 if VLANs are not used.

    VLAN Pool

    Select AP groups to add to the VLAN pool

    Device Detection

    Select to detect and identify devices connecting to the SSID.

    Add New Devices to Vulnerability Scan List

    Select to add new devices to the vulnerability scan list.

    Advanced Options

    broadcast-ssid

    Enable/disable SSID broadcast in the beacon.

    encrypt

    Select the data encryption protocol: TKIP, AES, or TKIP-AES.
To create a new SSID (Local bridge with FortiAP's Interface):
  1. On the SSID pane, click Create New > SSID in the toolbar.
  2. Enter the following information, then click OK to create the new local bridge SSID:

    Name

    Type a name for the SSID.

    Traffic Mode

    Select Local bridge with FortiAP’s Interface from the dropdown list.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode. The options are:

    WPA/WPA2-PERSONAL WPA-ONLY-ENTERPRISE
    WPA/WPA2-ENTERPRISE WPA2-ONLY-PERSONAL
    OPEN WPA2-ONLY-ENTERPRISE
    WPA-ONLY-PERSONAL

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode is includes WPA or WPA2 enterprise.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Maximum Clients

    Select to limit the concurrent WiFi clients that can connect to the SSID. If selected, type the desired maximum number of clients. Type 0 for no limit.

    Optional VLAN ID

    Select the VLAN ID in the text field using the arrow keys. Select 0 if VLANs are not used.

    VLAN Pool

    Select AP groups to add to the VLAN pool

    Device Detection

    Select to detect and identify devices connecting to the SSID.

    Add New Devices to Vulnerability Scan List

    Select to add new devices to the vulnerability scan list.

    Advanced Options

    broadcast-ssid

    Enable/disable SSID broadcast in the beacon.

    encrypt

    Select the data encryption protocol: TKIP, AES, or TKIP-AES.
To create a SSID (Mesh Downlink):
  1. On the SSID pane, click Create New > SSID in the toolbar.
  2. Enter the following information, then click OK to create the SSID:

    Name

    Type a name for the SSID.

    Traffic Mode

    Select Mesh Downlink from the dropdown list.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode. The options are:

    WPA/WPA2-PERSONAL WPA-ONLY-PERSONAL
    OPEN WPA2-ONLY-PERSONAL

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Maximum Clients

    Select to limit the concurrent WiFi clients that can connect to the SSID. If selected, type the desired maximum number of clients. Type 0 for no limit.

    Device Detection

    Select to detect and identify devices connecting to the SSID.

    Add New Devices to Vulnerability Scan List

    Select to add new devices to the vulnerability scan list.

    Advanced Options

    broadcast-ssid

    Enable/disable SSID broadcast in the beacon.

    encrypt

    Select the data encryption protocol: TKIP, AES, or TKIP-AES.
  3. Click OK to create the SSID.
To create a new SSID group:
  1. On the SSID pane, click Create New > SSID Group in the toolbar. The Create New SSID Group windows opens.
  2. Enter a name for the group in the Name field.
  3. Optionally, enter a brief description of the group in the Comment box.
  4. Optionally, add SSIDs to the group in the Members field.
  5. Click OK to create the SSID group.
To edit an SSID or groups:
  1. Either double-click on an SSID, select as SSID and then click Edit in the toolbar, or right-click then select Edit from the menu. The Edit SSIDor Edit SSID Group window opens.
  2. Edit the settings as required. The SSID name and traffic mode cannot be edited.
  3. Click OK to apply your changes.
To delete SSIDs or groups:
  1. Select the SSIDs and groups that you would like to delete.
  2. Either click Delete in the toolbar, or right-click and select Delete.
  3. Click OK in the confirmation dialog box to delete the selected SSIDs and groups.

    Deleting a group does not delete the SSIDs that are in the group.

To clone an SSID or group:
  1. Either select an SSID or group and click Clone in the toolbar, or right-click on the SSID or group name, and select Clone. The Clone SSID or Clone SSID Group dialog box opens.
  2. Edit the settings as required. An SSID's traffic mode cannot be edited.
  3. Click OK to clone the SSID.
To import an SSID:
  1. Click Import in the toolbar. The Import dialog box opens.
  2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
  3. Select the SSID or SSIDs to be imported from the Profile dropdown list.
  4. Click OK to import the SSID or SSIDs.
Previous
Next

SSIDs

To view SSIDs and SSID groups, go to AP Manager > WiFi Profiles, and select SSID in the tree menu.

The following options are available in the toolbar and right-click menu:

Create New

Create a new SSID or SSID group.

Edit

Edit the selected SSID or group.

Delete

Delete the selected SSID or group.

Clone

Clone the selected SSID or group.

Import

Import SSIDs from a connected FortiGate (toolbar only).

When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel to Wireless Controller, Local bridge with FortiAP's Interface, or Mesh Downlink.

To create a new SSID (Tunnel to Wireless Controller):
  1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New SSID Profile windows opens.

  2. Enter the following information, then click OK to create the new tunnel to wireless controller SSID:

    Name

    Type a name for the SSID.

    Traffic Mode

    Select Tunnel to Wireless Controller from the dropdown list.

    Common Interface Settings

    Select to apply common interface settings for this SSID on all FortiAPs to which this template is applied. Common settings include IP addresses, administrative access, and DHCP settings.

    IP/Netmask

    Type the IP address and netmask.

    IPv6 Address

    Type the IPv6 address.

    Administrative Access

    Select the allowed administrative service protocols from: HTTPS, HTTP, PING, FMG-Access, SSH, SNMP, TELNET, Auto IPsec Request, and FCT-Access.

    IPv6 Administrative Access

    Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, FMG-Access, SSH, SNMP, TELNET, and CAPWAP.

    Enable DHCP

    Select to enable and configure DHCP.

    This option is only available if Common Interface Settings is enabled.

    Note: If Mode is Relay, only the DHCP Server IP and Type settings are available.

    Address Range

    Enter the DHCP address range.

    This option is only available when Mode is set to Server.

    Netmask

    Enter the netmask.

    This option is only available when Mode is set to Server.

    Default Gateway

    Select Same As Interface IP if the default gateway is the same as the interface IP, or select Specify and type a new gateway IP address.

    This option is only available when Mode is set to Server.

    DNS Server

    Select Same As System DNS if the DNS server is the same as the system DNS, or select Specify and type a DNS server address.

    This option is only available when Mode is set to Server.

    Mode

    Select Server or Relay.

    DHCP Server IP

    Enter the DHCP server IP address.

    This option is only available if Mode is set to Relay.

    MAC Address Access Control List

    The MAC address control list allows you to view the MAC addresses and their actions. It includes a default entry for unknown MAC addresses.

    • Click Create New to create a new IP MAC binding.
    • Select an address then click Edit to edit the MAC address.
    • Select an address or addresses then click Delete to delete the selected items. The unknown MAC address cannot be deleted.

    This option is only available if Mode is set to Server.

    Type

    Select Regular or IPsec.

    Lease Time

    Enter the lease time, in seconds.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode. The options are:

    WPA/WPA2-PERSONAL WPA2-ONLY-PERSONAL
    WPA/WPA2-ENTERPRISE WPA2-ONLY-ENTERPRISE
    Captive Portal WPA/WPA2 Personal with Captive Portal
    OPEN WPA2 Personal with Captive Portal

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode includes WPA or WPA2 enterprise.

    Portal Type

    Select the portal type, one of: Authentication, Disclaimer + Authentication, Disclaimer Only, or Email Collection.

    This option is only available when the security mode includes captive portal.

    Authentication Portal

    Select Local or External. If External is selected, enter the URL of the portal.

    This option is only available when the portal type includes authentication.

    User Groups

    Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.

    This option is only available when the portal type includes authentication.

    Exempt Sources

    Select exempt sources to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Devices

    Select exempt devices to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Destinations

    Select exempt destinations to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Services

    Select exempt services to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Customize Portal Messages

    Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.

    This option is only available when the portal type includes disclaimer or email collection.

    Redirect after Captive Portal

    Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.

    This option is only available when the security mode includes captive portal.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Block Intra-SSID Traffic

    Select to block intra-SSID traffic.

    Split Tunneling

    Select to enable split tunneling.

    Maximum Clients

    Select to limit the concurrent WiFi clients that can connect to the SSID. If selected, type the desired maximum number of clients.

    Optional VLAN ID

    Select the VLAN ID in the text field using the arrow keys. Select 0 if VLANs are not used.

    VLAN Pool

    Select AP groups to add to the VLAN pool

    Device Detection

    Select to detect and identify devices connecting to the SSID.

    Add New Devices to Vulnerability Scan List

    Select to add new devices to the vulnerability scan list.

    Advanced Options

    broadcast-ssid

    Enable/disable SSID broadcast in the beacon.

    encrypt

    Select the data encryption protocol: TKIP, AES, or TKIP-AES.
To create a new SSID (Local bridge with FortiAP's Interface):
  1. On the SSID pane, click Create New > SSID in the toolbar.
  2. Enter the following information, then click OK to create the new local bridge SSID:

    Name

    Type a name for the SSID.

    Traffic Mode

    Select Local bridge with FortiAP’s Interface from the dropdown list.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode. The options are:

    WPA/WPA2-PERSONAL WPA-ONLY-ENTERPRISE
    WPA/WPA2-ENTERPRISE WPA2-ONLY-PERSONAL
    OPEN WPA2-ONLY-ENTERPRISE
    WPA-ONLY-PERSONAL

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode is includes WPA or WPA2 enterprise.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Maximum Clients

    Select to limit the concurrent WiFi clients that can connect to the SSID. If selected, type the desired maximum number of clients. Type 0 for no limit.

    Optional VLAN ID

    Select the VLAN ID in the text field using the arrow keys. Select 0 if VLANs are not used.

    VLAN Pool

    Select AP groups to add to the VLAN pool

    Device Detection

    Select to detect and identify devices connecting to the SSID.

    Add New Devices to Vulnerability Scan List

    Select to add new devices to the vulnerability scan list.

    Advanced Options

    broadcast-ssid

    Enable/disable SSID broadcast in the beacon.

    encrypt

    Select the data encryption protocol: TKIP, AES, or TKIP-AES.
To create a SSID (Mesh Downlink):
  1. On the SSID pane, click Create New > SSID in the toolbar.
  2. Enter the following information, then click OK to create the SSID:

    Name

    Type a name for the SSID.

    Traffic Mode

    Select Mesh Downlink from the dropdown list.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode. The options are:

    WPA/WPA2-PERSONAL WPA-ONLY-PERSONAL
    OPEN WPA2-ONLY-PERSONAL

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Maximum Clients

    Select to limit the concurrent WiFi clients that can connect to the SSID. If selected, type the desired maximum number of clients. Type 0 for no limit.

    Device Detection

    Select to detect and identify devices connecting to the SSID.

    Add New Devices to Vulnerability Scan List

    Select to add new devices to the vulnerability scan list.

    Advanced Options

    broadcast-ssid

    Enable/disable SSID broadcast in the beacon.

    encrypt

    Select the data encryption protocol: TKIP, AES, or TKIP-AES.
  3. Click OK to create the SSID.
To create a new SSID group:
  1. On the SSID pane, click Create New > SSID Group in the toolbar. The Create New SSID Group windows opens.
  2. Enter a name for the group in the Name field.
  3. Optionally, enter a brief description of the group in the Comment box.
  4. Optionally, add SSIDs to the group in the Members field.
  5. Click OK to create the SSID group.
To edit an SSID or groups:
  1. Either double-click on an SSID, select as SSID and then click Edit in the toolbar, or right-click then select Edit from the menu. The Edit SSIDor Edit SSID Group window opens.
  2. Edit the settings as required. The SSID name and traffic mode cannot be edited.
  3. Click OK to apply your changes.
To delete SSIDs or groups:
  1. Select the SSIDs and groups that you would like to delete.
  2. Either click Delete in the toolbar, or right-click and select Delete.
  3. Click OK in the confirmation dialog box to delete the selected SSIDs and groups.

    Deleting a group does not delete the SSIDs that are in the group.

To clone an SSID or group:
  1. Either select an SSID or group and click Clone in the toolbar, or right-click on the SSID or group name, and select Clone. The Clone SSID or Clone SSID Group dialog box opens.
  2. Edit the settings as required. An SSID's traffic mode cannot be edited.
  3. Click OK to clone the SSID.
To import an SSID:
  1. Click Import in the toolbar. The Import dialog box opens.
  2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
  3. Select the SSID or SSIDs to be imported from the Profile dropdown list.
  4. Click OK to import the SSID or SSIDs.
Previous
Next