Channel: FortiAP – Fortinet Cookbook

Cooperative Security Fabric


This collection of related recipes shows how to configure a Cooperative Security Fabric (CSF) – also known as a Fortinet Security Fabric – throughout your network, using a range of Fortinet products. This security fabric will link different security sensors and tools together to collect, coordinate, and respond to malicious behavior anywhere it occurs on your network in real time.

Below, you will find links to a number of Cookbook recipes. By using these recipes in the listed order, you can create a network similar to the one shown above.

This collection is a work-in-progress. Check back to see what new recipes have been added.

Between most steps are screenshots showing the FortiView Topology dashboards, introduced in FortiOS 5.4.1. These dashboards display the devices that make up your cooperative security fabric. The Physical Topology dashboard shows all access layer devices, while the Logical Topology dashboard displays information about the interface (logical or physical) that each device is connected to.

CSF is supported by the following Fortinet firmware:


1. Installing a FortiGate in NAT/Route mode

In this recipe, you install the initial FortiGate, which will later be used as the Internet-facing, or upstream, FortiGate in the security fabric.

Because the CSF has not yet been enabled, the FortiView topology dashboards are not yet available.


2. Installing internal FortiGates and enabling a security fabric

In this recipe, two additional FortiGates are added to the network as Internal Segmentation Firewalls (ISFWs). Once the FortiGates are installed, a security fabric is set up between them and the external FortiGate that was installed in the network previously.

In the example network, the Internet-facing FortiGate is called External, and the two additional FortiGates, called Accounting and Marketing, are configured as ISFWs. All three FortiGates appear in the FortiView topology dashboards on the External FortiGate.

Physical topology:

Logical topology:


3. High Availability with two FortiGates

In this recipe, the External FortiGate is set up as part of a High Availability (HA) cluster. This provides redundancy for the network in case one of the FortiGates in the cluster fails.

The topology dashboards do not show both FortiGates in the HA cluster. However, the name of the upstream FortiGate has changed to the name of the primary unit in the cluster (External-Primary).

Physical topology:

Logical topology:


4. Setting up an internal network with a managed FortiSwitch

In this recipe, two FortiSwitches are installed behind the ISFWs. The FortiSwitches are managed by the FortiGates and will be used to connect two internal networks that will be protected by the FortiGates.

The FortiSwitches now appear in the Physical Topology dashboard, provided the Access Device view is selected. The switches do not appear in the Logical Topology dashboard.

Physical topology:

Logical topology:


5. Adding endpoint control to a security fabric

In this recipe, a FortiClient profile is used to enforce endpoint control for devices that are connected to the CSF.

In the screenshots below, endpoint control has been applied to a PC on the Marketing Network. Also, the Marketing FortiSwitch now appears in the Logical Topology dashboard because traffic is flowing through it.

Physical topology:

Logical topology:

The post Cooperative Security Fabric appeared first on Fortinet Cookbook.


WiFi with WSSO using Windows NPS and Attributes


This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. They belong to a Windows Active Directory (AD) group called WiFiAccess. The Network Policy Server (NPS) or RADIUS server performs user authentication and passes the WiFi group attribute to the FortiGate so that the appropriate security policy is applied.

There is an alternative way to set up WiFi with WSSO. To learn more about it, see WiFi with WSSO using Windows NPS and FortiGate Groups.

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right-click RADIUS Clients and create an entry for the FortiGate. Enter the FortiGate’s IP address and the Shared secret (password).

2. Creating a Connection Request Policy

Right-click Connection Request Policies under Policies and select New. Leave the default values in the Overview and Settings tabs. In the Conditions tab, enter the FortiGate’s IP address as the Client IPv4 Address.

3. Creating a Network Policy

Right-click Network Policies under Policies and select New to create a new policy. Leave the default values in the Overview tab. In the Conditions tab, click Add, select Windows Group, then select Add. Click Add Groups, enter WiFiAccess, and select OK.
In the Constraints tab, under Authentication Methods, click Add, select Microsoft: Protected EAP (PEAP), then click OK. Next select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), and finally select User can change password after it has expired and select OK.
In the Settings tab, go to RADIUS Attributes > Vendor Specific, click Add, select Custom under Vendor and Vendor-Specific under Attributes, then select Add. In the Attribute Information window, click Add, type 12356 next to Enter Vendor Code, then select Yes. It conforms. Click Configure Attribute; in the window that opens, enter 1 for Vendor-assigned attribute number, select String for Attribute format, enter WiFi for Attribute value, and select OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New and name the server DC-RADIUS. Enter the Domain Controller IP address and the Server Secret that you entered on NPS. Optionally, click Test Connectivity and enter a RADIUS user’s ID and password; the result should be “Successful”.

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group that matches the WiFi RADIUS attribute. Do not add any members or remote servers.

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with RADIUS Server authentication, and choose DC-RADIUS.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD group.
Go to Monitor > Firewall User Monitor. You can see the User Name and User Group, and verify that the Authentication Method shown is WSSO.
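As an added example (not part of the recipe), this shows how the attribute configured in step 3 is encoded on the wire and how a matching group name could be picked out of an Access-Accept: vendor code 12356 is Fortinet's IANA enterprise number, and vendor-assigned attribute 1 is the one Fortinet's RADIUS dictionary calls Fortinet-Group-Name. The attribute-list bytes are constructed, and the name-matching rule at the end is a simplification of the FortiGate's behaviour, not its documented logic.

```python
import struct

# RADIUS attribute type 26 = Vendor-Specific (RFC 2865, section 5.26)
VENDOR_SPECIFIC = 26
# Values from the recipe's NPS step: vendor code 12356 (Fortinet),
# vendor-assigned attribute number 1 (Fortinet-Group-Name), format String.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1


def build_group_vsa(group_name):
    """Encode one Vendor-Specific attribute carrying a Fortinet group name.

    Layout: [26][len][vendor-id (4 bytes)][vsa-type][vsa-len][string]
    """
    data = group_name.encode("ascii")
    # 255 max attribute length minus 2 (header), 4 (vendor id) and 2 (sub-header)
    if not 1 <= len(data) <= 247:
        raise ValueError("group name must be 1..247 bytes")
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(data)) + data
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(blob):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length %d" % attr_len)
        yield attr_type, blob[i + 2:i + attr_len]
        i += attr_len


def fortinet_group_names(blob):
    """Return every Fortinet group-name string found in the attribute list."""
    names = []
    for attr_type, value in iter_attributes(blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA; ignore it
        j = 4
        while j < len(value):
            if len(value) - j < 2:
                raise ValueError("truncated sub-attribute")
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                raise ValueError("bad sub-attribute length %d" % sub_len)
            if sub_type == FORTINET_GROUP_NAME:
                names.append(value[j + 2:j + sub_len].decode("ascii", "replace"))
            j += sub_len
    return names


def match_user_group(access_accept_attrs, fortigate_groups):
    """Pick the FortiGate user group whose name equals a returned attribute, else None.

    Mirrors the recipe's step 5: the local group has no members and is matched
    purely by name. Case-sensitive matching is an assumption of this example.
    """
    for name in fortinet_group_names(access_accept_attrs):
        if name in fortigate_groups:
            return name
    return None


# Constructed sample: a Reply-Message (type 18) followed by the Fortinet VSA,
# roughly what an Access-Accept attribute list from NPS could look like.
SAMPLE_ACCEPT = bytes([18, 4]) + b"ok" + build_group_vsa("WiFi")
```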


WiFi with WSSO using Windows NPS and FortiGate Groups


This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. These users belong to a Windows Active Directory (AD) group called WiFiAccess. When users enter their WiFi username and password, the FortiGate checks the local group WiFi. Since the group has been set up with remote RADIUS server, the FortiGate performs user authentication against the Network Policy Server (NPS) or RADIUS server. If the user is authenticated successfully, the FortiGate will check for a policy that allows the WiFi group access.

There is an alternative way to set up WiFi with WSSO. To learn more about it, see WiFi with WSSO using Windows NPS and Attributes.

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right-click RADIUS Clients and create an entry for the FortiGate. Enter the FortiGate’s IP address and the Shared secret (password).

2. Creating a Connection Request Policy

Right-click Connection Request Policies under Policies and select New. Leave the default values in the Overview and Settings tabs. In the Conditions tab, enter the FortiGate’s IP address as the Client IPv4 Address.

3. Creating a Network Policy

Right-click Network Policies under Policies and select New to create a new policy. Leave the default values in the Overview tab. In the Conditions tab, click Add, select Windows Group, then select Add. Click Add Groups, enter WiFiAccess, and select OK.
In the Constraints tab, under Authentication Methods, click Add, select Microsoft: Protected EAP (PEAP), then click OK. Next select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), and finally select User can change password after it has expired and select OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New and name the server DC-RADIUS. Enter the Domain Controller IP address and the Server Secret that you entered on NPS. Optionally, click Test Connectivity and enter a RADIUS user’s ID and password; the result should be “Successful”.

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group named WiFi. Click on Create New under Remote groups, then enter DC-RADIUS for Remote Server, and Any for Groups. Select OK, and OK again.

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with Local authentication, and choose the local group WiFi.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD group.
Go to Monitor > Firewall User Monitor. You can see the User Name and User Group, and verify that the Authentication Method shown is WSSO.


Supported Upgrade Paths – FortiAP


Upgrading to 5.4

This table shows the upgrade path from earlier versions of the supported firmware to the latest version of FortiAP 5.4.


Supported Upgrade Path to Latest FortiAP Version 5.4

Starting Version   Build #   Path
5.4.1              0339      Latest build
5.4.0              0327      >> 5.4.1
5.2.6              0262      >> 5.4.1
5.2.5              0254      >> 5.4.1
5.2.4              0245      >> 5.4.1
5.2.3              0234      >> 5.2.4 >> 5.4.1
5.2.2              0225      >> 5.2.4 >> 5.4.1
5.2.1              0216      >> 5.2.4 >> 5.4.1
5.2.0              0212      >> 5.2.4 >> 5.4.1
5.0.10             0098      >> 5.2.4 >> 5.4.1
5.0.9              0086      >> 5.2.3 >> 5.2.4 >> 5.4.1
5.0.8              0075      >> 5.2.2 >> 5.2.4 >> 5.4.1
5.0.7              0064      >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.6              0060      >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.5              0048      >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.4              0039      >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.3              0032      >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.2              0031      >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.1              0024      >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.0              0021      >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1

A comprehensive post of all supported FortiOS versions, build numbers, and their supported upgrade pathways can be found here:

Supported Upgrade Paths – FortiOS


Guest WiFi Accounts (Video)


In this video, you’ll learn how to set up accounts for guests to connect to your WiFi network for a limited amount of time. The accounts allow guests to connect to your FortiGate’s WiFi network after authenticating using a captive portal. To make management easier, you’ll also create a separate administrative account for creating and managing guest accounts. In this example, a FortiAP in Tunnel mode is used to provide WiFi access to guests.

The recipe for this video is available here.


Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.


1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test your connection.

Under Networked Devices, enable both Device Detection and Active Scanning.

 

Connect the FortiAP unit to the interface.

 

Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the icon in the State column.

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.

 

Right-click on the FortiAP, and select Authorize.

 

The device interface will be down initially, but after a few minutes, click the Refresh button; the State icon will then confirm that the device is authorized.

Make sure that your FortiAP is on the latest firmware. If the OS Version shows the message “A new firmware version is available,” then check the release notes for your product on the Fortinet Support Site.

 

You can download the firmware images from the Support Site to your Local Hard Disk, or you can select A new firmware version is available and download the latest version directly from FortiGuard.

 

2. Creating an SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection and Active Scanning.

Name the SSID (in the example, MyNewWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.

 

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C in this recipe).

Set the Country/Region and you have the option to set your AP Login Password.

Make sure the Radio 1 is set to Access Point, and leave the SSID set to Auto.

 

 

Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP you added earlier. Select Assign Profile and set the FortiAP to use the new FortiAP profile (in the example, MyProfile).

By default, the FortiGate assigns all SSIDs to this profile.

 

4. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.

 

5. Results

Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.

From the policy list page, right-click on your wireless policy and select Show in FortiView, or go directly to FortiView > All Sessions.
You can view more details by selecting the various tabs (Sources, Destinations, Applications, Countries, Sessions).

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.6 Handbook.

Note that some FortiGate models may not have the Active Scanning option, and it is not required for the recipe.
It may take a few minutes for the FortiAP to appear.
You can disable this in the CLI. See Deploying Wireless Networks.
Alternatively, select the FortiAP unit on the list and select Authorize from the top menu.
The SSID defaults to automatically assign Tunnel-mode SSIDs.
Located under Policy & Objects > IPv4 Policy.


Setting up a WiFi Bridge with a FortiAP


In this example, you will set up a WiFi network with a FortiGate managing a FortiAP in Bridge mode.

You can configure a FortiAP unit in either Tunnel or Bridge mode. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic.

For information about using a FortiAP in Tunnel mode, see Setting up WiFi with a FortiAP.


1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the lan interface.

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test your connection.

Enable the DHCP Server.

Under Networked Devices, enable both Device Detection and Active Scanning.


Connect the FortiAP to the lan interface.


Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the icon in the State column.

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.


Right-click on the FortiAP, and select Authorize.


The device interface will be down initially, but after a few minutes, click the Refresh button; the State icon will then confirm that the device is authorized.

Verify that your FortiAP is on the latest firmware. If the OS Version shows that a newer firmware version is available, check the release notes for your product.

 

You can download the firmware images from the Support Site to your Local Hard Disk, or you can select A new firmware version is available and download the latest version directly from FortiGuard.


2. Creating an SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to AP Bridge, creating a local bridge with the FortiAP’s interface.

Configure the WiFi Settings as you would for a regular wireless network and set a secure Pre-shared Key.

 

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C).

Select the Country/Region; you also have the option to change your AP Login Password.

Under Radio 1, set the Mode to Access Point.

Set SSID to use the new SSID profile (in the example, MyWiFi).

Set Radio 2 to Disabled. 

 


 

Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP. Select Assign Profile and set the FortiAP to use the new FortiAP profile (in the example, MyProfile).

4. Results

Connect to the SSID with a wireless device. After a connection is established, you can browse the Internet using the wireless network configured in this recipe. 


On the policy list page, right-click on your lan to wan Internet access policy and click Show in FortiView.


Make sure to view the session details, including more information under the various tabs (Sources, Destination, Applications, Countries, Sessions).


Go to Log & Report > WiFi Events to see the detected client IP and authentication logs.


You can also go to Monitor > WiFi Client Monitor for user details and Monitor > WiFi Health Monitor for the AP Status.


For further reading, check out Wireless Networks in the FortiOS 5.6 Handbook.

Some FortiGates may not have an Active Scanning option and it is not required.
It may take a few minutes for the FortiAP to appear.
You can disable this in the CLI. See Deploying Wireless Networks.
Alternatively, select the FortiAP unit on the list and select Authorize from the top menu.
Unless you wish to use a second radio.
Located under Policy & Objects > IPv4 Policy.


Episode 14: FortiManager 5.6


Send us your questions! We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com.


Learn all about the new features in FortiManager 5.6.

FortiManager 5.6 resources


Filtering WiFi clients by MAC address


In this recipe, you will configure a managed FortiAP to filter client devices based on MAC address. Only authorized devices will have access to the wireless network.

In the example, only a single device is authorized, but you can add devices as required.

PREP 15 mins      COOK 1 min      TOTAL 16 mins

1. Acquiring the MAC address

Acquire the MAC address of a particular device as follows:

  • Windows device:
    Open the command prompt and type ipconfig /all.
    The MAC address of your Windows device is the Physical Address, under information about the wireless adapter.
  • Mac OS X device:
    Open Terminal and type ifconfig en1 | grep ether.
    Take note of the displayed MAC address.
  • iOS device:
    Open Settings > General > About.
    The Wi-Fi Address is the MAC address of your iOS device.
  • Android device:
    Open Settings > About Device > Status.
    Take note of the Wi-Fi MAC address of your Android device.

2. Creating the FortiAP interface

Go to Network > Interfaces and create an internal FortiAP interface.

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP.

Enable DHCP Server and set the Starting IP and End IP.

Enable Device Detection and click OK.

3. Defining a device using its MAC address

Go to User & Device > Custom Devices & Groups and create a new device definition.

Set MAC Address to the device’s address obtained in Step 1 and set the other fields as required.

4. Creating the new SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection.

 

Under WiFi Settings, name the SSID (in the example, MySecureWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.

Under Filter clients by MAC Address, enable Local and select Add from device list.

Add the device you configured in Step 3 and set its Action to Accept. Set the Action for Unknown MAC Addresses to Deny.

If you haven’t already, connect the FortiAP unit to the interface created in Step 2.

5. Managing the FortiAP

Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP is not listed you may need to wait a few minutes. If the device still does not appear, select Create New > Managed AP.

Once you enter the Serial Number, the default FortiAP Profile for that model is selected. Click OK.

6. Authorizing the managed FortiAP

Right-click on the FortiAP, and select Authorize.
The device interface will be down initially, but after a few minutes, click Refresh; the State icon will then confirm that the device is authorized.

7. Editing the default FortiAP Profile

Go to WiFi & Switch Controller > FortiAP Profiles and Edit the default profile for your particular FortiAP model.

For all radios you wish to use, set the SSID to Manual and select the SSID created in Step 4.

8. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface.

Enable NAT.

9. Results

Using the authorized device, connect to the broadcast SSID (in the example, MySecureWifi).

Go to Log & Report > WiFi Events and verify the authorized connection.

Attempt to connect using an unauthorized device and verify that the connection was rejected.
Go to Monitor > WiFi Client Monitor to view the status of the connected WiFi clients.
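An added example, not from the recipe: it parses the `ipconfig /all` and `ifconfig en1 | grep ether` output from step 1 into one canonical MAC form, then applies the step 4 filter semantics (a listed device gets its own Accept or Deny action, an unknown address gets the Unknown MAC Addresses action, Deny here). The command outputs are constructed samples, and the FortiGate's own address normalisation is not documented on this page, so the lower-case colon form is an assumption of the example.

```python
import re

# Six hex octets separated by ':' (ifconfig) or '-' (ipconfig on Windows).
_MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def normalize_mac(raw):
    """Return the address in lower-case, colon-separated form; reject anything else."""
    m = _MAC_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError("not a MAC address: %r" % raw)
    return m.group(0).lower().replace("-", ":")


def mac_from_ipconfig(output):
    """Physical Address of the wireless adapter in `ipconfig /all` output (step 1, Windows)."""
    in_wireless = False
    for line in output.splitlines():
        if line and not line[0].isspace():        # adapter headers are unindented
            in_wireless = "wireless" in line.lower()
            continue
        if in_wireless and "physical address" in line.lower():
            m = _MAC_RE.search(line)
            if m:
                return normalize_mac(m.group(0))
    raise ValueError("no wireless adapter Physical Address found")


def mac_from_ifconfig(output):
    """MAC from the `ether` line of `ifconfig en1 | grep ether` (step 1, Mac OS X)."""
    m = re.search(r"\bether\s+(\S+)", output)
    if not m:
        raise ValueError("no 'ether' line found")
    return normalize_mac(m.group(1))


class MacFilter:
    """Local MAC filter as configured on the SSID in step 4."""

    def __init__(self, unknown_action="deny"):
        if unknown_action not in ("accept", "deny"):
            raise ValueError("unknown_action must be accept or deny")
        self.unknown_action = unknown_action      # Action for Unknown MAC Addresses
        self.entries = {}                         # normalized MAC -> accept/deny

    def add(self, mac, action):
        """Add a device from the device list with its Action."""
        if action not in ("accept", "deny"):
            raise ValueError("action must be accept or deny")
        self.entries[normalize_mac(mac)] = action

    def decide(self, mac):
        """Action applied to an associating client."""
        return self.entries.get(normalize_mac(mac), self.unknown_action)


# Constructed sample command outputs (not captured from real machines).
IPCONFIG_SAMPLE = """Windows IP Configuration

Ethernet adapter Ethernet:
   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-1A-2B-11-11-11

Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
"""
IFCONFIG_SAMPLE = "\tether a4:5e:60:11:22:33 \n"
```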

 

The FortiAP will be configured in Tunnel mode.
All times listed are approximations.
Note that some device types might be missing from this list. Furthermore, the instructions noted are relevant to the most recent operating systems at the time that this recipe was published. Older or newer operating systems may differ.
Optional: Enable PING for troubleshooting.
By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them, as indicated by the icon in the State column.


Monitoring and suppressing rogue APs


In this recipe, you will learn how to monitor and suppress rogue access points (APs). A rogue AP is an unauthorized AP connected to your wired network (“on-wire”).

Before suppressing any AP, confirm that Rogue Suppression is compliant with the applicable laws and regulations of your region.

Discovered access points are listed in Monitor > Rogue AP Monitor. You can mark them as either Accepted or Rogue APs. While these designations help you track APs, they do not stop anyone from using these APs.

Other APs that are available in the same area as your APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. In general, you would only Mark as rogue the unauthorized APs that are on-wire.

For more information, refer to the FortiWiFi and FortiAP Configuration Guide.

PREP 1 min      COOK 10 min      TOTAL 11 mins

1. Configuring rogue scanning

On the FortiGate, go to WiFi & Switch Controller > WIDS Profiles and edit the default profile.

Enable Rogue AP Detection as shown.

2. Monitoring rogue APs

Go to Monitor > Rogue AP Monitor and view the table of APs found during scanning.

You can identify interfering APs by the icon shown in the Signal Interference column.

3. Suppressing rogue APs

To suppress a rogue AP, you must first mark the AP as rogue.

Right-click the desired entry and select Mark as rogue.

Once the AP is marked, suppress it by highlighting the entry and selecting Suppress AP.

4. Reverting a suppressed AP 

To revert a suppressed AP, highlight its entry and select Unsuppress AP as shown.

The AP will remain identified as rogue.

To revert the rogue designation, right-click the entry and select Mark as unclassified.
An unclassified AP appears with the corresponding icon in the State column.

5. Exempting an AP from rogue scanning

Go to WiFi & Switch Controller > WIDS Profiles and create a new WIDS profile that does not Enable Rogue AP Detection.

Go to WiFi & Switch Controller > FortiAP Profiles and select the desired FortiAP Profile.

Enable WIDS Profile, select the profile you just created, and click OK.

Rogue AP Monitor icons

The icons in the Rogue AP Monitor table are defined below, by column (the icon images themselves are not reproduced here):

State
  • AP is detected but not yet classified.
  • AP is accepted.
  • AP is marked as rogue, but unsuppressed.
  • AP is marked as rogue and suppressed.

Status
  • AP is online and active.
  • AP is inactive.

Signal Interference
  • AP signal interferes with a managed AP.
  • AP signal interference ranges from low (green) to high (red), measured in dBm.

On Wire
  • AP is a suspected rogue.
  • AP is not a suspected rogue.

 

All times listed are approximations.
Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points through which they communicate. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.
Mouse-over the icon to see which managed AP the interfering AP impacts.
In the example, the interfering AP may not pose a security threat; it is suppressed purely for demonstration.
The FortiAP Profile assigned to the AP that you wish to exempt from rogue scanning.
Use this status for APs that are an authorized part of your network or are neighboring APs that are not a security threat.

To see accepted APs in the list, select Show Accepted.

Use this status for unauthorized APs that On Wire status indicates are attached to your wired network(s).
Mouse-over the icon to see which managed AP.
Based on the ‘on-wire’ detection technique.
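The on-wire correlation described in the note above, as an added example that is not Fortinet's code: it keeps the two tables the note describes (WiFi clients per detected AP, and MACs seen on the LAN), flags a detected AP as a suspected rogue when the two intersect, and enforces the order of operations from steps 3 and 4 (Mark as rogue before Suppress AP; Unsuppress AP leaves it rogue). The BSSIDs and client MACs are constructed, and requiring Unsuppress AP before reclassifying is an assumption of the example.

```python
from collections import defaultdict

# Classification states shown in the Rogue AP Monitor's State column
UNCLASSIFIED = "unclassified"
ACCEPTED = "accepted"
ROGUE = "rogue"
ROGUE_SUPPRESSED = "rogue-suppressed"


def _norm(mac):
    return mac.strip().lower().replace("-", ":")


class RogueApMonitor:
    """Simplified model of the on-wire correlation engine and the monitor's state changes."""

    def __init__(self, managed_bssids):
        self.managed = {_norm(b) for b in managed_bssids}
        self.wifi_clients = defaultdict(set)   # detected BSSID -> client MACs seen through it
        self.lan_macs = set()                  # MACs seen on the wired LAN
        self.state = {}                        # detected BSSID -> classification

    def observe_wifi(self, client_mac, bssid):
        """Record a client frame heard by the scanning radio."""
        b = _norm(bssid)
        if b in self.managed:
            return                             # our own APs are not rogue candidates
        self.wifi_clients[b].add(_norm(client_mac))
        self.state.setdefault(b, UNCLASSIFIED)

    def observe_lan(self, mac):
        """Record a source MAC the FortiGate saw on a LAN interface."""
        self.lan_macs.add(_norm(mac))

    def on_wire(self, bssid):
        """True when any client of this AP has also been seen on the LAN."""
        return bool(self.wifi_clients.get(_norm(bssid), set()) & self.lan_macs)

    def suspected_rogues(self):
        return sorted(b for b in self.wifi_clients if self.on_wire(b))

    # Operator actions from steps 3 and 4 of the recipe
    def mark_rogue(self, bssid):
        self._set(bssid, ROGUE)

    def mark_accepted(self, bssid):
        self._set(bssid, ACCEPTED)

    def mark_unclassified(self, bssid):
        self._set(bssid, UNCLASSIFIED)

    def suppress(self, bssid):
        b = _norm(bssid)
        if self.state.get(b) != ROGUE:
            raise ValueError("AP must be marked as rogue before it can be suppressed")
        self.state[b] = ROGUE_SUPPRESSED

    def unsuppress(self, bssid):
        b = _norm(bssid)
        if self.state.get(b) != ROGUE_SUPPRESSED:
            raise ValueError("AP is not suppressed")
        self.state[b] = ROGUE                  # remains identified as rogue

    def _set(self, bssid, new_state):
        b = _norm(bssid)
        if b not in self.state:
            raise KeyError("unknown AP %s" % b)
        if self.state[b] == ROGUE_SUPPRESSED:  # assumption: unsuppress first
            raise ValueError("unsuppress the AP before reclassifying it")
        self.state[b] = new_state


def demo_monitor():
    """Constructed scenario: one managed AP, one neighbour AP, one rogue AP on our wire."""
    m = RogueApMonitor(managed_bssids=["00:11:22:aa:bb:01"])
    m.observe_wifi("a0:b1:c2:d3:e4:f5", "00:11:22:cc:dd:02")  # neighbour's client
    m.observe_wifi("a0:b1:c2:00:00:01", "00:11:22:ee:ff:03")  # rogue AP's client
    m.observe_wifi("a0:b1:c2:00:00:09", "00:11:22:aa:bb:01")  # our own client, ignored
    for mac in ("a0:b1:c2:00:00:01", "00:11:22:aa:bb:01", "10:20:30:40:50:60"):
        m.observe_lan(mac)                     # the rogue's client also shows up on the LAN
    return m
```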


Dual-band SSID with optional client load balancing


In this recipe, you will configure your FortiAP to broadcast the same SSID on both WiFi bands: 2.4GHz and 5GHz. This recipe also contains information about using client load balancing, if required.

This recipe requires using a FortiAP model with two radios. It also assumes that you have already configured a FortiAP in your network. For more information, see Setting up WiFi with a FortiAP (tunnel mode) or Setting up a WiFi bridge with a FortiAP (bridge mode).

1. Configuring the dual-band SSID

In this example, a FortiAP 221C is used to broadcast the dual-band SSID. For this model, Radio 1 broadcasts using the 2.4GHz band while Radio 2 uses the 5GHz band.

Go to WiFi & Switch Controller > FortiAP Profiles and create a FortiAP profile. Set Platform to the model of your FortiAP and set your Country/Region.

Under Radio 1, set SSIDs to Manual and select your SSID.

 
Under Radio 2, set SSIDs to Manual and select your SSID.
Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP. Select Assign Profile and set the FortiAP to use your new profile.
The FortiAP is now listed with both Radio 1 and Radio 2 broadcasting the same SSID.

2. Results

Connect to the SSID from various devices.

Go to WiFi & Switch Controller > Managed FortiAPs. Clients are shown connecting to the same SSID on both WiFi bands.

 
On the devices, you can also see that the same SSID is used on both bands (in this example, an Android device and Mac OS X computer are used).

 

 

3. (Optional) Adding client load balancing

In a dual-band SSID configuration, it is best to have as many clients as possible using the 5GHz band, leaving the 2.4GHz band for clients that do not support 5GHz. Because modern WiFi clients automatically choose the 5GHz band, client load balancing may not be necessary.

However, if you notice that most clients are using the 2.4GHz band, you can use the frequency hand-off method of client load balancing (also known as band-steering), which encourages clients to use the 5GHz band if possible.

It is also recommended to use FortiOS 5.6.2, which supports 802.11k/v/r; modern clients also use these standards to select the appropriate AP and band.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP profile. Set Client Load Balancing to Frequency Handoff for both Radio 1 and Radio 2.

For further reading, check out Access point deployment in the FortiOS 5.6 Handbook.

When client load balancing is used, the AP sends a message to the client that can cause the client to enter search mode and look for other SSIDs. Because of this, it may take longer for clients to connect to the WiFi network.
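The FortiOS CLI equivalent of the dual-band profile and the optional frequency handoff described above, as an added example that is not part of the original recipe. The profile name, the SSID name Office-WiFi and the AP serial number are placeholders; the band settings match a FortiAP 221C (Radio 1 on 2.4GHz, Radio 2 on 5GHz). Lines beginning with # are comments.

```fortios
# Added example: dual-band FortiAP profile with frequency handoff (band steering).
# Assumes an SSID named "Office-WiFi" already exists under wireless-controller vap.
config wireless-controller wtp-profile
    edit "FAP221C-dualband"
        config platform
            set type 221C
        end
        set ap-country US
        # Change the default AP login password so the AP console is not open.
        set login-passwd-change yes
        set login-passwd "ChangeMe-AP-Login"
        config radio-1
            set mode ap
            # 2.4GHz band on a 221C
            set band 802.11n
            # Select SSIDs manually instead of broadcasting every tunnel SSID.
            # (On FortiOS 6.2 and later the value is "manual" instead of "disable".)
            set vap-all disable
            set vaps "Office-WiFi"
            # Optional step 3: steer dual-band clients away from 2.4GHz.
            set frequency-handoff enable
        end
        config radio-2
            set mode ap
            # 5GHz band on a 221C
            set band 802.11ac
            set vap-all disable
            set vaps "Office-WiFi"
            set frequency-handoff enable
        end
    next
end

# Assign the profile to the managed AP (placeholder serial number).
config wireless-controller wtp
    edit "FP221C3X15001234"
        set admin enable
        set wtp-profile "FAP221C-dualband"
    next
end
```

To confirm the result from the CLI, `diagnose wireless-controller wlac -c wtp` lists the managed APs and the SSIDs on each radio, and `diagnose wireless-controller wlac -c sta` lists connected clients with the radio they joined, which shows whether handoff is moving dual-band clients to 5GHz.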

The post Dual-band SSID with optional client load balancing appeared first on Fortinet Cookbook.


Managing a FortiAP with FortiCloud


In this example, you will use FortiCloud to configure and manage a single FortiAP-224D, creating a working WiFi network without a FortiGate unit. You can register for a free FortiCloud account at www.forticloud.com.

You will create a simple network that uses WPA2-Personal authentication.

The FortiAP will self-configure.

PREP 13 mins      COOK 2 min      TOTAL 15 mins

1. Adding your FortiAP to FortiCloud

Visit www.forticloud.com and log in or select Create New Account.

From the FortiCloud home page, go to Inventory and select Import AP Key.

Input the FortiCloud Key and click Submit, then click OK.

Go to AP Network and select Add AP Network.

Enter an AP Network Name and select the desired Time Zone. Click Submit.

The new AP network appears on-screen. Click its icon on the left.

You are prompted to enter an SSID for this AP Network.

2. Configuring an SSID

Go to Configure and enter the SSID name and ensure that Enabled and Broadcast SSID are selected.

Select WPA2-Personal Authentication and enter the Pre-shared Key.

Click Next.

Select and configure the desired Security profiles and click Next.

Configure radio Availability as required.

Otherwise, accept the default settings and click Next.

Preview the SSID configuration and click Apply.

The new SSID appears in the SSID list.

3. Deploying the FortiAP

Go to Deploy APs. Select the FortiAP you just added and click Next.

The correct Platform Profile should already be selected. Click Next.

No AP Folder has been configured. Click Next.

Allow Admin Access as required and enter the Admin password. Click Next.

Preview the deployment and then click Deploy.

Success! Click OK.

4. Connecting the FortiAP to the Internet

Connect the FortiAP ethernet interface to a network that provides Internet access. 

The FortiAP will self-configure.

5. Results

In FortiCloud, go to AP Network > [Your AP] > Monitor and verify that the AP Status is Up. You may need to click Refresh.

Using a wireless device and the pre-shared key, attempt to connect to the SSID you created in Step 2.

In FortiCloud, go to AP Network > [Your AP] > Monitor and highlight the Client tab.

Verify the wireless connection and details about the user’s connectivity.

For log information, go to AP Network > [Your AP] > Logs > Wireless logs.

View the event logs for wireless connections, including actions taken, time stamps, client MAC addresses, and more.

For report information, go to AP Network > [Your AP] > Reports and view the Traffic & Client Count by SSID and the Traffic & Client Count by AP (Top 10).


Note that not all FortiAP models support this method of self-configuration.
All times listed are approximations.
The FortiCloud Key is on the same label as the unit serial number.
This is the password users will have to enter to access the WiFi.


Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network by adding a FortiAP in Tunnel mode to your network.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

You can configure a FortiAP in either Tunnel mode (default) or Bridge mode. When a FortiAP is in Tunnel mode, a wireless-only subnet is used for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.


1. Connecting and authorizing the FortiAP

To edit the interface that will connect to the FortiAP (in the example, port 22), go to Network > Interfaces.

Set Role to LAN and Addressing Mode to Manual. Set IP/Network Mask to a private IP address (in the example 10.10.200.1/255.255.255.0).

Under Administrative Access, enable CAPWAP.

Enable DHCP Server.

Under Networked Devices, enable Device Detection.


Connect the FortiAP unit to the interface.

To view the list of managed FortiAPs, go to WiFi & Switch Controller > Managed FortiAPs. The new FortiAP appears in the list but it is greyed out because it is not authorized.

Select the FortiAP, and select Authorize.


After a few minutes, select Refresh. The FortiGate shows the FortiAP as authorized.

2. Creating an SSID

To create a new SSID to be broadcast for WiFi users, go to WiFi & Switch Controller > SSID.

Set Traffic Mode to Tunnel and set IP/Network Mask to a private IP address (in the example 10.10.201.1/255.255.255.0).

Enable DHCP Server and Device Detection.


Under WiFi Settings, name the SSID (in the example, Office-WiFi) and set a secure Pre-shared Key.

Enable Broadcast SSID.

3. Creating a custom FortiAP profile

To create a new FortiAP profile, go to WiFi & Switch Controller > FortiAP Profiles.

Set Platform to the FortiAP model you are using (in the example, FAP221C) and Country/Region to the appropriate location.

Set an AP Login Password to secure the FortiAP.

Under Radio 1, set Mode to Access Point and SSIDs to Manual. Add your new SSID.


To assign the new profile, go to WiFi & Switch Controller > Managed FortiAPs and right-click the FortiAP. Select Assign Profile and set the FortiAP to use the new profile.

4. Allowing wireless access to the Internet

To create a new policy for wireless Internet access, go to Policy & Objects > IPv4 Policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface.

Enable NAT.
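The FortiOS CLI equivalent of steps 1 to 4 above, as an added example that is not part of the original recipe. The interface name port22, the addresses 10.10.200.1/24 and 10.10.201.1/24, the SSID Office-WiFi and the FortiAP 221C follow the recipe; the profile name, the passphrase, the AP login password, the AP serial number and the Internet-facing interface wan1 are placeholders. The PMF (802.11w) setting is a hardening addition the recipe does not mention. Lines beginning with # are comments.

```fortios
# Added example: tunnel-mode WiFi on a FortiGate, end to end.

# Step 1: interface facing the FortiAP, with CAPWAP only (no HTTP/SSH) and DHCP.
config system interface
    edit "port22"
        set mode static
        set ip 10.10.200.1 255.255.255.0
        set role lan
        set allowaccess ping capwap
        set device-identification enable
    next
end
config system dhcp server
    edit 0
        set interface "port22"
        set default-gateway 10.10.200.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.200.2
                set end-ip 10.10.200.254
            next
        end
    next
end

# Step 2: tunnel-mode SSID with WPA2-Personal; wireless traffic gets its own subnet.
config wireless-controller vap
    edit "Office-WiFi"
        set ssid "Office-WiFi"
        set broadcast-ssid enable
        set security wpa2-only-personal
        set passphrase "Use-A-Long-Random-Passphrase-Here"
        # Protected Management Frames (hardening addition, not in the recipe)
        set pmf optional
        set schedule "always"
    next
end
config system interface
    edit "Office-WiFi"
        set ip 10.10.201.1 255.255.255.0
        set device-identification enable
    next
end
config system dhcp server
    edit 0
        set interface "Office-WiFi"
        set default-gateway 10.10.201.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.201.2
                set end-ip 10.10.201.254
            next
        end
    next
end

# Step 3: FortiAP profile with a non-default AP login password, Radio 1 in AP mode.
config wireless-controller wtp-profile
    edit "FAP221C-office"
        config platform
            set type 221C
        end
        set ap-country US
        set login-passwd-change yes
        set login-passwd "ChangeMe-AP-Login"
        config radio-1
            set mode ap
            set vap-all disable
            set vaps "Office-WiFi"
        end
    next
end

# Step 1 (authorize) and step 3 (assign profile) on the discovered AP; placeholder serial.
config wireless-controller wtp
    edit "FP221C3X15001234"
        set admin enable
        set wtp-profile "FAP221C-office"
    next
end

# Step 4: policy from the SSID to the Internet only, with NAT and logging.
config firewall policy
    edit 0
        set name "Office-WiFi-to-Internet"
        set srcintf "Office-WiFi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Because the destination interface is wan1 only, wireless clients have no path to wired LAN interfaces unless a separate policy allows it, which keeps the WiFi subnet isolated by default. `diagnose wireless-controller wlac -c wtp` shows whether the AP is authorized and which profile it runs.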

5. Results

Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.

To view the traffic using the wireless Internet access policy, go to FortiView > All Segments > Policies.

To view more information about this traffic, right-click the policy and select Drill Down to Details.

For further reading, check out Configuring a WiFi LAN in the FortiOS 6.0 Online Help.

If the FortiAP does not appear, wait a few minutes, then refresh the page.
If you are in the United States, you can use the default profile for your FortiAP model, which has Country/Region set to United States.


Basic FortiGate network collection


The basic FortiGate network collection is intended to help you go from having an unboxed FortiGate to a functional network that includes wired connections, WiFi, and remote access.

The list of recipes contains instructions on how to configure a FortiGate and set up a basic network. By using the recipes in order, you can create a network similar to the one shown above.

If any recipe in this collection does not fit your own network configuration, you can skip it and move on to the next recipe.

This collection is based on FortiOS 6.0.


1. Installing a FortiGate in NAT/Route mode

This recipe shows you how to install a single FortiGate in your network using NAT/Route mode, which is the most commonly used operation mode.


2. FortiGate registration and basic settings

This recipe shows you how to register your FortiGate and configure some of the basic FortiGate settings.


3. Logging FortiGate traffic and using FortiView

This recipe shows you how to configure the FortiGate’s log settings and also contains information about FortiView, the FortiOS log viewing tool.


4. Creating security policies

This recipe shows you how to create and order different security policies.


5. Setting up WiFi with FortiAP

This recipe shows you how to allow WiFi access by adding a FortiAP to your network.


6. SSL VPN using web and tunnel mode

This recipe shows you how to set-up an SSL VPN tunnel to allow remote users to access resources on the internal network.


Extending WiFi range with mesh topology


In this example, a second FortiAP is used to extend the range of a WiFi network. The second FortiAP is connected to the FortiGate WiFi controller through a dedicated WiFi backhaul network. In this example, both FortiAPs provide the example-staff network to clients that are in range. More mesh-connected FortiAPs could be added to further expand...


Supported Upgrade Paths – FortiAP, FortiAP-S, and FortiAP-W2


Upgrading to latest version

The tables below show the upgrade paths from earlier versions of the supported firmware to the latest version of FortiAP, FortiAP-S, and FortiAP-W2. To make it easier to find the correct row for your upgrade, enter the current firmware version running on your device in the Search field. Only rows with...
