Fortinet white logo
Fortinet white logo

Administration Guide

FortiAP profiles

FortiAP profiles

FortiAP profiles define radio settings for FortiAP models. The profile specifies details such as the operating mode of the device, SSIDs, and transmit power. Custom AP profiles can be created as needed for new devices.

You can assign AP profiles to FortiAP devices in the Managed FortiAPs menu. See Assigning profiles to FortiAP devices.

Click View All Profiles to display all FortiAP profiles configured in the ADOM in the FortiAP Profiles table, including custom AP profiles.

Note

FortiManager includes Fortinet recommended factory default FortiAP profiles that you can activate and use in your environment. See Using Fortinet recommended profiles.

To view FortiAP profiles:
  1. If using ADOMs, ensure that you are in the correct ADOM.

  2. Go to AP Manager > Operation Profiles > FortiAP Profiles.

    The following options are available in the toolbar and right-click menu:

    Create New

    Create a new AP profile.

    Edit

    Edit the selected AP profile.

    Delete

    Delete the selected AP profile.

    Clone

    Clone the selected AP profile.

    Where Used

    View where the selected AP profile is used.

    Import

    Import AP profiles from a connected FortiGate (toolbar only).

To create custom FortiAP profiles:
  1. If using ADOMs, ensure that you are in the correct ADOM.

  2. Go to AP Manager > Operation Profiles > FortiAP Profiles.

  3. In the toolbar, click Create New.

    The Create New AP Profile pane opens.

  4. Enter the following information, and click OK to create the AP profile:

    Name

    Type a name for the profile.

    Comment

    Optionally, enter comments.

    Platform

    Select the platform that the profile will apply to from the dropdown list.

    Indoor / Outdoor

    Select Default (Indoor), Indoor, or Outdoor. The selection can affect the available channels due to regulatory rules.

    Country / Region

    Select the country or region from the drop-down list.

    FortiAP Configuration Profile

    Optionally, enable the toggle to select a FortiAP configuration profile.

    AP Login Password

    Set, leave unchanged (default), or empty the AP login password.

    Administrative Access

    Allow management access to the managed AP via telnet, http, https, and/or ssh.

    Client Load Balancing

    Select the client load balancing methods to use: Frequency Handoff and/or AP Handoff.

    Bluetooth Profile

    If available for the platform, select a profile from the list or click the plus (+) to create a new Bluetooth profile.

    See Bluetooth profiles.

    Radio 1 & 2

    Configure the radio settings. The Radio 2 settings will only appear if the selected platform has two radios.

    Mode

    Select the radio operation mode:

    • Disabled: The radio is disabled. No further radio settings are available.
    • Access Point: The device is an access point. See options below.
    • Dedicated Monitor: The device is a dedicated monitor. See options below.
    • SAM: The device is a station that can connect to a neighboring AP for connectivity and health check. See options below.

    Mode = Access Point

    WIDS Profile

    Select a WIDS profile from the dropdown list. See WIDS profiles.

    Radio Resource Provision

    Select to enable radio resource provisioning.

    This feature measures utilization and interference on the available channels and selects the clearest channel at each access point.

    ARRP Profile

    Select an Automatic Radio Resource Provisioning (ARRP) profile. See ARRP profiles.

    This option is only available if Radio Resource Provision is enabled.

    Band

    Select the wireless protocol from the dropdown list. The available bands depend on the selected platform.

    In two radio devices, both radios cannot use the same band.

    Channel Width

    Select 20MHz or 40MHz channel width.

    This option is only available for 802.11n bands.

    Channel Plan

    Select Three Channels or Four Channels to select predefined channels. Select Custom to specify custom channels.

    Channels

    Available when Channel Plan is set to Custom. Select the channel or channels to include. The available channels depend on the selected platform and band.

    Short Guard Interval

    Select to enable the short guard interval.

    This option is only available for 802.11n bands.

    Transmit Power Mode

    Select Percent or dBm to specify the minimum and maximum power levels by percent or dBm.

    Select Auto to specify a range of dBm and allow the level to be automatically set within the range.

    Transmit Power

    If Transmit Power Mode is Percent or dBm, specify the percentage or dBm of the total available power.

    If Transmit Power Mode is Auto, enter the power low and high values in dBm.

    SSIDs

    Choose the SSID profiles that APs using this profile will broadcast. You can select Tunnel or Bridge to choose them automatically, or Manual to select the SSIDs manually.

    • Tunnel: Available tunnel-mode SSIDs are automatically assigned to this radio.

    • Bridge: Available bridge-mode SSIDs are automatically assigned to this radio.

    • Manual: Manually select which available SSIDs and SSID groups to assign to this radio.

    Note

    Tunnel and Bridge mode automatically assign corresponding SSID profiles that are on the FortiGate to the AP. SSID profiles on FortiManager are not pushed to the FortiGate when using these modes.

    Manual mode is the only mode that will distribute an SSID profile to the FortiGate.

    Monitor Channel Utilization

    Enable/disable monitoring channel utilization.

    Mode = Dedicated Monitor

    WIDS Profile

    Select a WIDS profile from the dropdown list. See WIDS profiles.

    Mode = SAM

    SSID

    Enter the SSID for the WiFi network.

    BSSID

    Enter the BSSID for the WiFi network.

    Security Type

    Select Open, WPA/WPA2 Personal, or WPA/WPA2 Enterprise for the WiFi network.

    WiFi Username

    Enter the WiFi username.

    This option is only available if Security Type = WPA/WPA2 Enterprise.

    WiFi Password

    Enter the WiFi password.

    This option is not available if Security Type = Open.

    Captive Portal Authentication

    Enable/disable captive portal authentication.

    This option is not available if Security Type = WPA/WPA2 Enterprise.

    Test Type

    Select ping or Iperf for the SAM test type.

    Test Server Type

    Select ip or fqdn for the SAM server type.

    Test Server

    Enter the SAM IP address or the FQDN according to the Test Server Type.

    Iperf Server Port

    Enter the Iperf service port number.

    Iperf Protocol

    Select UDP or TCP for the Iperf test protocol.

    Report Interval (seconds)

    Enter the SAM report interval in seconds (60-864000, default = 0). Enter 0 for a one-time report.

    LAN Configuration

    Port ESL Mode

    Select Offline, NAT to WAN, Bridge to WAN, or Bridge to SSID.

    Port ESL SSID

    Available when Port ESL Mode is set to Bridge to SSID. Select the SSID.

    Handoff STA Thresh

    Threshold value for AP handoff (default = 55).

    WAN Port Mode

    Enable/disable using a WAN port as a LAN port. Select wan-lan or wan-only (default = wan-only).

    ESL SES Dongle Configuration

    APC FQDN

    Enter the FQDN of the ESL SES-imagotag Access Point Controller (APC).

    Location Based Services

    FortiPresence

    Mode

    Select the FortiPresence mode:

    • Disable
    • Foreign channels only
    • Foreign and home channels

    Project name

    The FortiPresence project name.

    Password

    FortiPresence secret password.

    FortiPresence Server Type

    Select IP or FQDN.

    FortiPresence server IP/FQDN

    FortiPresence server IP address or FQDN.

    FortiPresence server port

    FortiPresence server UDP listening port (default = 3000).

    Report rogue APs

    Enable/disable FortiPresence reporting of Rogue APs.

    Report unassociated clients

    Enable/disable FortiPresence reporting of unassociated devices.

    Report transmit frequency (in seconds)

    FortiPresence report transmit frequency, in seconds (5 - 65535, default = 30).

    Ekahau blink

    Enable/disable Ekahau blink location based services.

    RTLS controller server IP

    Enter the realtime location services (RTLS) controller server IP address.

    RTLS controller server port

    The RTLS controller server port (default = 8569).

    Ekahau tag MAC address

    Enter the Ekahau tag MAC address.

    AeroScout

    Enable/disable AeroScout location based services.

    AeroScout server IP

    Enter the AeroScout server IP address.

    AeroScout server port

    Enter the AeroScout server port.

    MU mode dilution factor

    Enter the MU mode dilution factor (default = 20).

    MU mode dilution timeout

    Enter the MU mode dilution timeout (default = 5).

    Locate WiFi clients when not connected

    Enable/disable locating WiFi client when they are not connected.

    Advanced Options

    Expand to display and set the advanced options. Hover the mouse over the i icon to view a tooltip of each advanced option.

    For more information, refer to the FortiOS CLI Reference.

You can edit, delete, clone and import existing profiles, as well as see where the profile is being used.

To edit a profile:
  1. Select the profile to edit.
  2. In the toolbar, click Edit.

    Alternatively, you can right-click the profile and select Edit, or double-click a profile.

  3. Edit the settings as required.
  4. Click OK to apply your changes.
To delete profiles:
  1. Select the profile(s) to be deleted.
  2. In the toolbar, click Delete.

    Alternatively, right-click the profile and select Delete.

  3. Click OK.
To clone a profile:
  1. Select a profile in the list.
  2. In the toolbar, click Clone.

    Alternatively, right-click a profile and select Clone.

  3. Edit the name of the profile, then edit the remaining settings as required.
  4. Click OK to clone the profile.
To import a profile:
  1. In the toolbar, click Import.

    The Import dialog opens.

  2. From the FortiGate dropdown, select a device. The list will include all of the devices in the current ADOM.
  3. From the Profiles dropdown, select a profile.
  4. Click OK.
To view where a profile is used:
  1. Select the profile.
  2. In the toolbar, click More > Where Used.

    Alternatively, you can right-click the profile and select Where Used.

    The Where <profile name> is used pane opens.

  3. Click Close.
Note

AP profiles can also be imported through the Device Manager. See Importing AP profiles and FortiSwitch templates.

FortiAP profiles

FortiAP profiles

FortiAP profiles define radio settings for FortiAP models. The profile specifies details such as the operating mode of the device, SSIDs, and transmit power. Custom AP profiles can be created as needed for new devices.

You can assign AP profiles to FortiAP devices in the Managed FortiAPs menu. See Assigning profiles to FortiAP devices.

Click View All Profiles to display all FortiAP profiles configured in the ADOM in the FortiAP Profiles table, including custom AP profiles.

Note

FortiManager includes Fortinet recommended factory default FortiAP profiles that you can activate and use in your environment. See Using Fortinet recommended profiles.

To view FortiAP profiles:
  1. If using ADOMs, ensure that you are in the correct ADOM.

  2. Go to AP Manager > Operation Profiles > FortiAP Profiles.

    The following options are available in the toolbar and right-click menu:

    Create New

    Create a new AP profile.

    Edit

    Edit the selected AP profile.

    Delete

    Delete the selected AP profile.

    Clone

    Clone the selected AP profile.

    Where Used

    View where the selected AP profile is used.

    Import

    Import AP profiles from a connected FortiGate (toolbar only).

To create custom FortiAP profiles:
  1. If using ADOMs, ensure that you are in the correct ADOM.

  2. Go to AP Manager > Operation Profiles > FortiAP Profiles.

  3. In the toolbar, click Create New.

    The Create New AP Profile pane opens.

  4. Enter the following information, and click OK to create the AP profile:

    Name

    Type a name for the profile.

    Comment

    Optionally, enter comments.

    Platform

    Select the platform that the profile will apply to from the dropdown list.

    Indoor / Outdoor

    Select Default (Indoor), Indoor, or Outdoor. The selection can affect the available channels due to regulatory rules.

    Country / Region

    Select the country or region from the drop-down list.

    FortiAP Configuration Profile

    Optionally, enable the toggle to select a FortiAP configuration profile.

    AP Login Password

    Set, leave unchanged (default), or empty the AP login password.

    Administrative Access

    Allow management access to the managed AP via telnet, http, https, and/or ssh.

    Client Load Balancing

    Select the client load balancing methods to use: Frequency Handoff and/or AP Handoff.

    Bluetooth Profile

    If available for the platform, select a profile from the list or click the plus (+) to create a new Bluetooth profile.

    See Bluetooth profiles.

    Radio 1 & 2

    Configure the radio settings. The Radio 2 settings will only appear if the selected platform has two radios.

    Mode

    Select the radio operation mode:

    • Disabled: The radio is disabled. No further radio settings are available.
    • Access Point: The device is an access point. See options below.
    • Dedicated Monitor: The device is a dedicated monitor. See options below.
    • SAM: The device is a station that can connect to a neighboring AP for connectivity and health check. See options below.

    Mode = Access Point

    WIDS Profile

    Select a WIDS profile from the dropdown list. See WIDS profiles.

    Radio Resource Provision

    Select to enable radio resource provisioning.

    This feature measures utilization and interference on the available channels and selects the clearest channel at each access point.

    ARRP Profile

    Select an Automatic Radio Resource Provisioning (ARRP) profile. See ARRP profiles.

    This option is only available if Radio Resource Provision is enabled.

    Band

    Select the wireless protocol from the dropdown list. The available bands depend on the selected platform.

    In two radio devices, both radios cannot use the same band.

    Channel Width

    Select 20MHz or 40MHz channel width.

    This option is only available for 802.11n bands.

    Channel Plan

    Select Three Channels or Four Channels to select predefined channels. Select Custom to specify custom channels.

    Channels

    Available when Channel Plan is set to Custom. Select the channel or channels to include. The available channels depend on the selected platform and band.

    Short Guard Interval

    Select to enable the short guard interval.

    This option is only available for 802.11n bands.

    Transmit Power Mode

    Select Percent or dBm to specify the minimum and maximum power levels by percent or dBm.

    Select Auto to specify a range of dBm and allow the level to be automatically set within the range.

    Transmit Power

    If Transmit Power Mode is Percent or dBm, specify the percentage or dBm of the total available power.

    If Transmit Power Mode is Auto, enter the power low and high values in dBm.

    SSIDs

    Choose the SSID profiles that APs using this profile will broadcast. You can select Tunnel or Bridge to choose them automatically, or Manual to select the SSIDs manually.

    • Tunnel: Available tunnel-mode SSIDs are automatically assigned to this radio.

    • Bridge: Available bridge-mode SSIDs are automatically assigned to this radio.

    • Manual: Manually select which available SSIDs and SSID groups to assign to this radio.

    Note

    Tunnel and Bridge mode automatically assign corresponding SSID profiles that are on the FortiGate to the AP. SSID profiles on FortiManager are not pushed to the FortiGate when using these modes.

    Manual mode is the only mode that will distribute an SSID profile to the FortiGate.

    Monitor Channel Utilization

    Enable/disable monitoring channel utilization.

    Mode = Dedicated Monitor

    WIDS Profile

    Select a WIDS profile from the dropdown list. See WIDS profiles.

    Mode = SAM

    SSID

    Enter the SSID for the WiFi network.

    BSSID

    Enter the BSSID for the WiFi network.

    Security Type

    Select Open, WPA/WPA2 Personal, or WPA/WPA2 Enterprise for the WiFi network.

    WiFi Username

    Enter the WiFi username.

    This option is only available if Security Type = WPA/WPA2 Enterprise.

    WiFi Password

    Enter the WiFi password.

    This option is not available if Security Type = Open.

    Captive Portal Authentication

    Enable/disable captive portal authentication.

    This option is not available if Security Type = WPA/WPA2 Enterprise.

    Test Type

    Select ping or Iperf for the SAM test type.

    Test Server Type

    Select ip or fqdn for the SAM server type.

    Test Server

    Enter the SAM IP address or the FQDN according to the Test Server Type.

    Iperf Server Port

    Enter the Iperf service port number.

    Iperf Protocol

    Select UDP or TCP for the Iperf test protocol.

    Report Interval (seconds)

    Enter the SAM report interval in seconds (60-864000, default = 0). Enter 0 for a one-time report.

    LAN Configuration

    Port ESL Mode

    Select Offline, NAT to WAN, Bridge to WAN, or Bridge to SSID.

    Port ESL SSID

    Available when Port ESL Mode is set to Bridge to SSID. Select the SSID.

    Handoff STA Thresh

    Threshold value for AP handoff (default = 55).

    WAN Port Mode

    Enable/disable using a WAN port as a LAN port. Select wan-lan or wan-only (default = wan-only).

    ESL SES Dongle Configuration

    APC FQDN

    Enter the FQDN of the ESL SES-imagotag Access Point Controller (APC).

    Location Based Services

    FortiPresence

    Mode

    Select the FortiPresence mode:

    • Disable
    • Foreign channels only
    • Foreign and home channels

    Project name

    The FortiPresence project name.

    Password

    FortiPresence secret password.

    FortiPresence Server Type

    Select IP or FQDN.

    FortiPresence server IP/FQDN

    FortiPresence server IP address or FQDN.

    FortiPresence server port

    FortiPresence server UDP listening port (default = 3000).

    Report rogue APs

    Enable/disable FortiPresence reporting of Rogue APs.

    Report unassociated clients

    Enable/disable FortiPresence reporting of unassociated devices.

    Report transmit frequency (in seconds)

    FortiPresence report transmit frequency, in seconds (5 - 65535, default = 30).

    Ekahau blink

    Enable/disable Ekahau blink location based services.

    RTLS controller server IP

    Enter the realtime location services (RTLS) controller server IP address.

    RTLS controller server port

    The RTLS controller server port (default = 8569).

    Ekahau tag MAC address

    Enter the Ekahau tag MAC address.

    AeroScout

    Enable/disable AeroScout location based services.

    AeroScout server IP

    Enter the AeroScout server IP address.

    AeroScout server port

    Enter the AeroScout server port.

    MU mode dilution factor

    Enter the MU mode dilution factor (default = 20).

    MU mode dilution timeout

    Enter the MU mode dilution timeout (default = 5).

    Locate WiFi clients when not connected

    Enable/disable locating WiFi client when they are not connected.

    Advanced Options

    Expand to display and set the advanced options. Hover the mouse over the i icon to view a tooltip of each advanced option.

    For more information, refer to the FortiOS CLI Reference.

You can edit, delete, clone and import existing profiles, as well as see where the profile is being used.

To edit a profile:
  1. Select the profile to edit.
  2. In the toolbar, click Edit.

    Alternatively, you can right-click the profile and select Edit, or double-click a profile.

  3. Edit the settings as required.
  4. Click OK to apply your changes.
To delete profiles:
  1. Select the profile(s) to be deleted.
  2. In the toolbar, click Delete.

    Alternatively, right-click the profile and select Delete.

  3. Click OK.
To clone a profile:
  1. Select a profile in the list.
  2. In the toolbar, click Clone.

    Alternatively, right-click a profile and select Clone.

  3. Edit the name of the profile, then edit the remaining settings as required.
  4. Click OK to clone the profile.
To import a profile:
  1. In the toolbar, click Import.

    The Import dialog opens.

  2. From the FortiGate dropdown, select a device. The list will include all of the devices in the current ADOM.
  3. From the Profiles dropdown, select a profile.
  4. Click OK.
To view where a profile is used:
  1. Select the profile.
  2. In the toolbar, click More > Where Used.

    Alternatively, you can right-click the profile and select Where Used.

    The Where <profile name> is used pane opens.

  3. Click Close.
Note

AP profiles can also be imported through the Device Manager. See Importing AP profiles and FortiSwitch templates.