Channel: Fortinet GURU

Wireless network examples


This chapter provides an example wireless network configuration.

  • Basic wireless network
  • A more complex example

Basic wireless network

This example uses automatic configuration to set up a basic wireless network.

To configure this wireless network, you must:

  • Configure authentication for wireless users
  • Configure the SSID (WiFi network interface)
  • Add the SSID to the FortiAP Profile
  • Configure the firewall policy
  • Configure and connect FortiAP units

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click
  5. Make sure that Enable is selected and then click Create.

To configure the WiFi user group – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name wlan_users
Type Firewall
Members Add users.

To configure a WiFi user and the WiFi user group – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
end

config user group
    edit "wlan_users"
        set member "user01"
end

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

To configure the SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                                  example_wifi_if
Traffic Mode                                      Tunnel to Wireless Controller
IP/Network Mask                                10.10.110.1/24
Administrative Access                      Ping (to assist with testing)
DHCP Server                                     Enable
Address Range 10.10.110.2 – 10.10.110.199
Netmask 255.255.255.0
Default Gateway Same As Interface IP
DNS Server Same as System DNS
SSID                                                 example_wifi
Security Mode                                   WPA2 Enterprise
Authentication                                  Local, select wlan_users user group.
Leave other settings at their default values.

To configure the SSID – CLI

config wireless-controller vap
    edit example_wifi_if
        set ssid "example_wifi"
        set broadcast-ssid enable
        set security wpa-enterprise
        set auth usergroup
        set usergroup wlan_users
        set schedule always
end

config system interface
    edit example_wifi_if
        set ip 10.10.110.1 255.255.255.0
end

config system dhcp server
    edit 0
        set default-gateway 10.10.110.1
        set dns-service default
        set interface "example_wifi_if"
        config ip-range
            edit 1
                set end-ip 10.10.110.199
                set start-ip 10.10.110.2
        end
        set netmask 255.255.255.0
end

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

To add the SSID to the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your model of FortiAP unit.
  2. In Radio 1 and Radio 2, add example_wifi in SSID.
  3. Select OK.

Configuring security policies

A security policy is needed to enable WiFi users to access the Internet on port1. First you create a firewall address for the WiFi network, then you create the example_wifi_if to port1 policy.

To create a firewall address for WiFi users – web-based manager

  1. Go to Policy & Objects > Addresses.
  2. Select Create New > Address, enter the following information and select OK.
Name wlan_user_net
Type IP/Netmask
Subnet / IP Range 10.10.110.0/24
Interface example_wifi_if
Show in Address List Enabled

To create a firewall address for WiFi users – CLI

config firewall address
    edit "wlan_user_net"
        set associated-interface "example_wifi_if"
        set subnet 10.10.110.0 255.255.255.0
end

To create a security policy for WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface                  example_wifi_if
Source Address                      wlan_user_net
Outgoing Interface                  port1
Destination Address                All
Schedule                                always
Service                                   ALL
Action                                    ACCEPT
NAT                                       ON. Select Use Destination Interface Address (default).
Leave other settings at their default values.

To create a firewall policy for WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_wifi_if"
        set dstintf "port1"
        set srcaddr "wlan_user_net"
        set dstaddr "all"
        set schedule always
        set service ALL
        set action accept
        set nat enable
end

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.
  2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Network Mask to 192.168.8.1/255.255.255.0.
  3. Select OK.

This procedure automatically configures a DHCP server for the AP units.

To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
end

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config exclude-range
            edit 1
                set end-ip 192.168.8.1
                set start-ip 192.168.8.1
        end
        config ip-range
            edit 1
                set end-ip 192.168.8.254
                set start-ip 192.168.8.2
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
end

To connect a FortiAP unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.

  4. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  5. In State, select
  6. In FortiAP Profile, select the default profile for the FortiAP model.
  7. Select OK.
  8. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter config wireless-controller wtp
  3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22B3U10600118 ]
wtp-id: FAP22B3U10600118

  4. Edit the discovered FortiAP unit like this:

edit FAP22B3U10600118
    set admin enable
end

  5. Repeat Steps 2 through 4 for each FortiAP unit.

A more complex example

This example creates multiple networks and uses custom AP profiles.

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID; the employee network WAP does not.

The employee network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

Configuration

To configure these wireless networks, you must:

  • Configure authentication for wireless users
  • Configure the SSIDs (network interfaces)
  • Configure the AP profile
  • Configure the WiFi LAN interface and a DHCP server
  • Configure firewall policies

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click Next.
  5. Make sure that Enable is selected and then click Create.

To configure the user group for employee access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name employee-group
Type Firewall
Members Add users.

To configure a WiFi user and the user group for employee access – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
end

config user group
    edit "employee-group"
        set member "user01"
end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.

Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

To configure the FortiGate unit to access the guest RADIUS server – web-based manager

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:
Name                                     guestRADIUS
Primary Server IP/Name          10.11.102.100
Primary Server Secret             grikfwpfdfg
Secondary Server IP/Name      Optional
Secondary Server Secret         Optional
Authentication Scheme          Use default, unless server requires otherwise.
Leave other settings at their default values.

To configure the FortiGate unit to access the guest RADIUS server – CLI

config user radius
    edit guestRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret grikfwpfdfg
end

To configure the user group for guest access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name guest-group
Type Firewall
Members Leave empty.
  3. Select Create new.
  4. Enter:
Remote Server Select guestRADIUS.
Groups Select wireless
  5. Select OK.

To configure the user group for guest access – CLI

config user group
    edit "guest-group"
        set member "guestRADIUS"
        config match
            edit 0
                set server-name "guestRADIUS"
                set group-name "wireless"
        end
end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.

Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

To configure the employee SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                       example_inc
Traffic Mode                           Tunnel to Wireless Controller
IP/Netmask                             10.10.120.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.120.2 – 10.10.120.199
  Netmask                               255.255.255.0
  Default Gateway                   Same As Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_inc
Security Mode                        WPA/WPA2-Enterprise
Authentication                        Select Local, then select employee-group.
Leave other settings at their default values.

To configure the employee SSID – CLI

config wireless-controller vap
    edit example_inc
        set ssid "example_inc"
        set security wpa-enterprise
        set auth usergroup
        set usergroup employee-group
        set schedule always
end

config system interface
    edit example_inc
        set ip 10.10.120.1 255.255.255.0
end

config system dhcp server
    edit 0
        set default-gateway 10.10.120.1
        set dns-service default
        set interface example_inc
        config ip-range
            edit 1
                set end-ip 10.10.120.199
                set start-ip 10.10.120.2
        end
        set lease-time 7200
        set netmask 255.255.255.0
end

To configure the example_guest SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New.
  2. Enter the following information and select OK:
Name                                     example_guest
IP/Netmask                             10.10.115.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.115.2 – 10.10.115.50
  Netmask                               255.255.255.0
  Default Gateway                    Same as Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_guest
Security Mode                        Captive Portal
Portal Type                             Authentication
Authentication Portal              Local
User Groups                           Select guest-group
Leave other settings at their default values.

To configure the example_guest SSID – CLI

config wireless-controller vap
    edit example_guest
        set ssid "example_guest"
        set security captive-portal
        set selected-usergroups guest-group
        set schedule always
end

config system interface
    edit example_guest
        set ip 10.10.115.1 255.255.255.0
end

config system dhcp server
    edit 0
        set default-gateway 10.10.115.1
        set dns-service default
        set interface "example_guest"
        config ip-range
            edit 1
                set end-ip 10.10.115.50
                set start-ip 10.10.115.2
        end
        set lease-time 7200
        set netmask 255.255.255.0
end

Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

To configure the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.
  2. Enter the following information and select OK:
Name example_AP
Platform FAP220B
Radio 1
  Mode Access Point
  Band 802.11n
  Channel Select 1, 6, and 11.
  Tx Power 100%
  SSID Select SSIDs and select example_inc and example_guest.
Radio 2
  Mode Access Point
  Band 802.11n_5G
  Channel Select all.
  Tx Power 100%
  SSID Select SSIDs and select example_inc.

To configure the AP Profile – CLI

config wireless-controller wtp-profile
    edit "example_AP"
        config platform
            set type 220B
        end
        config radio-1
            set ap-bgscan enable
            set band 802.11n
            set channel "1" "6" "11"
            set vaps "example_inc" "example_guest"
        end
        config radio-2
            set ap-bgscan enable
            set band 802.11n-5G
            set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
            set vaps "example_inc"
        end
end

Configuring firewall policies

Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.

To create firewall addresses for employee and guest WiFi users

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information and select OK.
Address Name employee-wifi-net
Type Subnet / IP Range
Subnet / IP Range 10.10.120.0/24
Interface example_inc
  3. Select Create New, enter the following information and select OK.
Address Name guest-wifi-net
Type Subnet / IP Range
Subnet / IP Range 10.10.115.0/24
Interface example_guest

To create firewall policies for employee WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface example_inc
Source Address employee-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  3. Optionally, select a security profile for wireless users.
  4. Select OK.
  5. Repeat steps 1 through 4 but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.

To create firewall policies for employee WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_inc"
        set dstintf "port1"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "example_inc"
        set dstintf "internal"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
end

To create a firewall policy for guest WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface example_guest
Source Address guest-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  3. Optionally, select UTM and set up UTM features for wireless users.
  4. Select OK.

To create a firewall policy for guest WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_guest"
        set dstintf "port1"
        set srcaddr "guest-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
end
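
One way to check a configuration against the scenario's rule that guests reach only the Internet, as an added example that is not part of the original chapter: the script parses FortiOS CLI text and reports policies that name an undefined interface, accept policies from a guest SSID to anything other than the Internet-facing port, and DHCP ranges that fall outside their interface subnet. The sample configuration is constructed (it reuses this chapter's interface names with deliberate mistakes), and the function names are hypothetical.

```python
import ipaddress
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text into {table: {entry: {key: [values]}}}.

    Nested tables are keyed "parent/child" with entries "parent id/child id".
    An entry may end with `next`, or with an `end` that also closes its table.
    """
    tables, stack = {}, []  # stack holds ("config", name) and ("edit", name)

    def current():
        table = "/".join(n for kind, n in stack if kind == "config")
        entry = "/".join(n for kind, n in stack if kind == "edit")
        return tables.setdefault(table, {}).setdefault(entry, {})

    for raw in text.splitlines():
        words = shlex.split(raw.replace("\u201c", '"').replace("\u201d", '"'))
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(("config", " ".join(args)))
        elif cmd == "edit" and args:
            stack.append(("edit", args[0]))
            current()  # register the entry even if it has no settings
        elif cmd == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif cmd == "set" and args and stack and stack[-1][0] == "edit":
            current()[args[0]] = args[1:]
    return tables

def audit(tables, internet_if, guest_ifs):
    """Return (entry id, finding, detail) tuples for three misconfigurations."""
    findings = []
    interfaces = tables.get("system interface", {})
    known = set(interfaces) | set(tables.get("wireless-controller vap", {}))
    for pid, pol in tables.get("firewall policy", {}).items():
        src, dst = pol.get("srcintf", []), pol.get("dstintf", [])
        findings += [(pid, "undefined-interface", n) for n in src + dst if n not in known]
        if pol.get("action") == ["accept"] and set(src) & set(guest_ifs):
            findings += [(pid, "guest-reaches-non-internet", n)
                         for n in dst if n != internet_if]
    for rid, rng in tables.get("system dhcp server/ip-range", {}).items():
        sid = rid.split("/")[0]
        server = tables.get("system dhcp server", {}).get(sid, {})
        ip = interfaces.get((server.get("interface") or [""])[0], {}).get("ip")
        if not ip or len(ip) < 2:
            continue
        net = ipaddress.ip_network(f"{ip[0]}/{ip[1]}", strict=False)
        for value in rng.get("start-ip", []) + rng.get("end-ip", []):
            if ipaddress.ip_address(value) not in net:
                findings.append((sid, "dhcp-range-outside-subnet", value))
    return findings

# Constructed sample, not taken from a real device: three deliberate mistakes.
SAMPLE = """
config system interface
    edit "port1"
    next
    edit "internal"
    next
    edit "example_guest"
        set ip 10.10.115.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "example_guest"
        config ip-range
            edit 1
                set start-ip 10.10.115.2
                set end-ip 10.10.116.50
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "employee_inc"
        set dstintf "port1"
        set action accept
    next
    edit 2
        set srcintf "example_guest"
        set dstintf "internal"
        set action accept
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE), "port1", ["example_guest"]):
        print(finding)
```

The parser accepts both the `next`-terminated form that the `show` command prints and the short form used in this chapter, where a single `end` closes the entry and its table.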

Connecting the FortiAP units

You need to connect each FortiAP-220A unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.
  2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Netmask to 192.168.8.1/255.255.255.0.

This step automatically configures a DHCP server for the AP units.

  3. Select OK.

To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
end

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config ip-range
            edit 1
                set end-ip 192.168.8.9
                set start-ip 192.168.8.2
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
end

To connect a FortiAP-220A unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.

  4. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  5. In State, select
  6. In the AP Profile, select [Change] and then select the example_AP
  7. Select OK.
  8. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP-220A unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter:

config wireless-controller wtp

  3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22A3U10600118 ]
wtp-id: FAP22A3U10600118

  4. Edit the discovered FortiAP unit like this:

edit FAP22A3U10600118
    set admin enable
    set wtp-profile example_AP
end

  5. Repeat Steps 2 through 4 for each FortiAP unit.

 


Managing a FortiAP with FortiCloud


This chapter provides a few FortiCloud-managed FortiAP configuration examples.

FortiCloud-managed FortiAP WiFi

FortiCloud-managed FortiAP WiFi without a key

You can register for a free FortiCloud account at www.forticloud.com.

For a video tutorial of how to configure and manage a FortiAP-S device from FortiCloud, follow the link below:

  • How to configure and Manage FortiAP-S from FortiCloud

FortiCloud-managed FortiAP WiFi

In this example, you use FortiCloud to configure a single FortiAP-221C, creating a working WiFi network without a FortiGate unit.

FortiCloud remote management is supported on FortiAP models 221C and 320C.

For this configuration, the FortiAP-221C unit is running version 5.2 firmware. You will create a simple network that uses WPA-Personal authentication.

You can register for a free FortiCloud account at www.forticloud.com.

To create the WiFi network without a FortiGate unit, you must:

  • Add your FortiAP to FortiCloud
  • Configure the SSID
  • Configure the AP platform profile
  • Deploy the AP with the profile

Adding your FortiAP to FortiCloud

You need to add the FortiAP unit to your FortiCloud account. This is done through a unique key that can be found under the FortiAP unit.

To add a FortiAP to FortiCloud

  1. Connect the FortiAP Ethernet interface to a network that provides access to the Internet.
  2. Open a web browser and navigate to the FortiCloud main page and select + AP Network.
  3. Enter an AP Network Name and AP Password. This password is used to locally log in to the AP as the administrator. It will be set to all APs in this AP network.
  4. Set the correct Time Zone and select Submit.

Configuring the SSID

You must establish the SSID (network interface) for the WiFi network.

To configure the SSID

  1. Select the FortiAP you just created from the home page. You will then be prompted to add an SSID for the AP Network.

In the interface, this is under Configure > SSIDs.

  2. In Access Control, enter the name of your SSID, set Authentication to WPA2-Personal, enter the Preshared Key, and select Next.
  3. In Security, enable security features as required (select from AntiVirus, Intrusion Prevention, Block Botnet, Web Access, and Application Control) and select Next.
  4. In Availability, make sure to leave 5 GHz enabled, configure a schedule as required, and select Next.
  5. Review your SSID in Preview, then select Apply.

Configuring the AP platform profile

The radio portion of the FortiAP configuration is contained in the FortiAP platform profile. By default, there is a profile for each platform (FortiAP model). The SSID needs to be specified in the profile.

To configure the AP profile

  1. Go to Configure > AP Profile and edit the AP Profile for your FortiAP model (mouse-over the AP Profile to reveal the Edit button).
  2. Enable the SSID configured earlier for both Radio 1 and Radio 2, for 5GHz coverage.

Deploying the AP with the platform profile

With the SSID and platform profile configured, you must deploy the AP by entering the FortiCloud key for the FortiAP.

To deploy the AP

  1. Go to Configure > Deploy APs. Here you will be prompted to enter the FortiCloud key, which can be found on the same label as the FortiAP unit’s serial number, and select Submit.

If you have a FortiAP model that does not include a FortiCloud key, you can still add the device to the network. To learn how, see the FortiCloud-managed FortiAP WiFi without a key configuration.

  2. In Set Platform Profiles, select the platform profile you created earlier and select Next.
  3. Follow the rest of the deployment wizard. Select Submit when completed.

You will now be able to connect to the wireless network and browse the Internet. On the FortiCloud website, go to Monitor > Report where you can view monitoring information such as Traffic by Period, Client Count by Period, and more.

FortiCloud-managed FortiAP WiFi without a key

You can manage your FortiAP-based wireless network with FortiCloud even if your FortiAP has no FortiCloud key.

For this example, you will need to have already pre-configured your FortiAP unit with your FortiCloud account credentials. For more information on how to do this, or if your FortiAP has a FortiCloud key (on the serial number label), see the FortiCloud-managed FortiAP WiFi configuration.

You can register for a free FortiCloud account at www.forticloud.com.

To create the WiFi network without a FortiCloud key, you must:

  • Configure the FortiAP unit
  • Add the FortiAP unit to your FortiCloud account
  • Configure the FortiAP

Configuring the FortiAP unit

You need to connect and configure the FortiAP unit through the web-based manager of the FortiGate.

To configure the FortiAP unit – web-based manager

  1. Connect your computer to the FortiAP Ethernet port. The FortiAP’s default IP address is 192.168.1.2. The computer should have an address on the same subnet, 192.168.1.3 for example.
  2. Using a browser, log in to the FortiAP as admin. Leave the password field empty.
  3. In WTP-Configuration, select FortiCloud and enter your FortiCloud credentials. Select Apply.

The FortiAP is now ready to connect to FortiCloud via the Internet.

Adding the FortiAP unit to your FortiCloud account

The FortiAP must be added to the FortiCloud account that has a WiFi network already configured for it.

For an example of creating a WiFi network on FortiCloud, see FortiCloud-managed FortiAP WiFi.

To add the FortiAP to FortiCloud

  1. Connect the FortiAP Ethernet cable to a network that connects to the Internet.

Restore your computer to its normal network configuration and log on to FortiCloud.

  2. From the Home screen, go to Inventory > AP Inventory. Your FortiAP should be listed.
  3. Then go back to the Home screen, select your AP network, and go to Deploy APs.
  4. Select your listed FortiAP and select Next.
  5. Make sure your platform profile is selected from the dropdown menu, and select Next.
  6. In Preview, select Deploy.

The device will now appear listed under Access Points.

You will now be able to connect to the wireless network and browse the Internet. On the FortiCloud website, go to Monitor > Report where you can view monitoring information such as Traffic by Period, Client Count by Period, and more.

Using a FortiWiFi unit as a client


A FortiWiFi unit by default operates as a wireless access point. But a FortiWiFi unit can also operate as a wireless client, connecting the FortiGate unit to another wireless network.

  • Use of client mode
  • Configuring client mode

Use of client mode

In client mode, the FortiWiFi unit connects to a remote WiFi access point to access other networks or the Internet. This is most useful when the FortiWiFi unit is in a location that does not have a wired infrastructure.

For example, in a warehouse where shipping and receiving are on opposite sides of the building, running cables might not be an option due to the warehouse environment. The FortiWiFi unit can support wired users using its Ethernet ports and can connect to another access point wirelessly as a client. This connects the wired users to the network using the 802.11 WiFi standard as a backbone.

Note that in client mode the FortiWiFi unit cannot operate as an AP. WiFi clients cannot see or connect to the FortiWiFi unit in Client mode.

FortiWiFi unit in Client mode

Configuring client mode

To set up the FortiAP unit as a WiFi client, you must use the CLI. Before you do this, be sure to remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and so on.

To configure wireless client mode

  1. Change the WiFi mode to client.

In the CLI, enter the following commands:

config system global
    set wireless-mode client
end

Respond “y” when asked if you want to continue. The FortiWiFi unit will reboot.

  2. Configure the WiFi interface settings.

For example, to configure the client for WPA-Personal authentication on the our_wifi SSID with passphrase justforus, enter the following in the CLI:

config system interface
    edit wifi
        set mode dhcp
        config wifi-networks
            edit 0
                set wifi-ssid our_wifi
                set wifi-security wpa-personal
                set wifi-passphrase "justforus"
        end
end

The WiFi interface client_wifi will receive an IP address using DHCP.

  3. Configure a wifi to port1 policy.

You can use either CLI or web-based manager to do this. The important settings are:

Incoming Interface (srcintf) wifi
Source Address (srcaddr) all
Outgoing Interface (dstintf) port1
Destination Address (dstaddr) all
Schedule always
Service ALL
Action ACCEPT
Enable NAT Selected

Support for location-based services


FortiOS supports location-based services by collecting information about WiFi devices near FortiGate-managed access points, even if the devices don’t associate with the network.

Overview

Configuring location tracking

Viewing device location data on the FortiGate unit

Overview

WiFi devices broadcast packets as they search for available networks. The FortiGate WiFi controller can collect information about the interval, duration, and signal strength of these packets. The Euclid Analytics service uses this information to track the movements of the device owner. A typical application of this technology is to analyze shopper behavior in a shopping center. Which stores do people walk past? Which window displays do they stop to look at? Which stores do they enter and how long do they spend there? The shoppers are not personally identified; each is known only by the MAC address of their WiFi device.

After enabling location tracking on the FortiGate unit, you can confirm that the feature is working by using a specialized diagnostic command to view the raw tracking data. The Euclid Analytics service obtains the same data in its proprietary format using a JSON inquiry through the FortiGate unit’s web-based manager interface.

Configuring location tracking

You can enable location tracking in any FortiAP profile, using the CLI. Location tracking is part of location-based services. Set the station-locate field to enable. For example:

config wireless-controller wtp-profile
  edit "FAP220B-locate"
    set ap-country US
    config platform
      set type 220B
    end
    config lbs
      set station-locate enable
    end
end

Automatic deletion of outdated presence data

The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.

The timer is one of the wireless controller timers and it can be set in the CLI. For example:


config wireless-controller timers
  set sta-locate-timer 1800
end

The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 seconds) because that could cause duplicate logs to be generated.

FortiPresence push REST API

When the FortiGate is located on a private IP network, the FortiPresence server cannot poll the FortiGate for information. Instead, the FortiGate must be configured to push the information to the FortiPresence server.

Enter the following command:

config wireless-controller wtp-profile
  edit "FP223B-GuestWiFi"
    config lbs
      set fortipresence {enable | disable}
      set fortipresence-server <ip-address>
      set fortipresence-port <port>                   Default is 3000.
      set fortipresence-secret <password>
      set fortipresence-project <name>
      set fortipresence-frequency <5-65535>           Default is 30.
      set fortipresence-rogue {enable | disable}      Enable/disable reporting of Rogue APs.
      set fortipresence-unassoc {enable | disable}    Enable/disable reporting of unassociated devices.
    end
end

Viewing device location data on the FortiGate unit

You can use the FortiGate CLI to list located devices. This is mainly useful to confirm that the location data feature is working. You can also reset device location data.

To list located devices

diag wireless-controller wlac -c sta-locate

To reset device location data

diag wireless-controller wlac -c sta-locate-reset

Example output

The following output shows data for three WiFi devices.

FWF60C3G11004319 # diagnose wireless-controller wlac -c sta-locate
sta_mac vfid rid base_mac freq_lst frm_cnt frm_fst frm_last intv_sum intv2_sum intv3_sum intv_min intv_max signal_sum signal2_sum signal3_sum sig_min sig_max sig_fst sig_last ap

00:0b:6b:22:82:61 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 257 708 56 651 1836 6441 0 12 -21832 1855438 -157758796 -88 -81 -84 -88 0

00:db:df:24:1a:67 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 42 1666 41 1625 97210 5831613 0 60 -3608 310072 -26658680 -90 -83 -85 -89 0

10:68:3f:50:22:29 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 102 1623 58 1565 94136 5664566 0 60 -8025 631703 -49751433 -84 -75 -78 -79 0

The output for each device appears on two lines. The first line contains only the device MAC address and the VLAN ID. The second line begins with the ID (serial number) of the FortiWiFi or FortiAP unit that detected the device, the AP’s MAC address, and then the fields that the Euclid service uses. Because of its length, this line wraps around and displays as multiple lines.
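The two-line records described above can be read programmatically to confirm that the feature is collecting plausible data. The following Python parser is an added example, not part of the original page or a Fortinet tool; it assumes that signal_sum and signal2_sum are the sum and the sum of squares of per-frame signal readings over frm_cnt frames, which the field names and the sample's sig_min/sig_max values are consistent with but the page does not define.

```python
import math
import re

MAC = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# Column names from the header line, from freq_lst onward. They line up with
# the values that follow the AP's MAC address on the second line of a record.
STAT_FIELDS = ("freq_lst frm_cnt frm_fst frm_last intv_sum intv2_sum intv3_sum "
               "intv_min intv_max signal_sum signal2_sum signal3_sum "
               "sig_min sig_max sig_fst sig_last ap").split()

# Tokens per record: station MAC, VLAN ID, detecting unit's serial number,
# two integers, AP MAC, then the statistics columns.
RECORD_LEN = 6 + len(STAT_FIELDS)


def parse_sta_locate(output):
    """Parse 'sta-locate' output into one dict per detected station."""
    tokens = output.split()          # whitespace split undoes console wrapping
    # The prompt, command and header contain no MAC address, so the first
    # MAC-shaped token marks the start of the data.
    start = next((i for i, t in enumerate(tokens) if MAC.match(t)), len(tokens))
    records = []
    for i in range(start, len(tokens), RECORD_LEN):
        chunk = tokens[i:i + RECORD_LEN]
        if len(chunk) < RECORD_LEN or not MAC.match(chunk[0]) or not MAC.match(chunk[5]):
            raise ValueError(f"unexpected record layout at token {i}: {chunk[:6]}")
        rec = {"sta_mac": chunk[0], "vlan_id": int(chunk[1]),
               "detected_by": chunk[2], "ap_mac": chunk[5]}
        rec.update(zip(STAT_FIELDS, map(int, chunk[6:])))
        n = rec["frm_cnt"]
        if n:
            # Assumption (see lead-in): sums are over the n observed frames.
            rec["mean_dbm"] = rec["signal_sum"] / n
            variance = rec["signal2_sum"] / n - rec["mean_dbm"] ** 2
            rec["stddev_db"] = math.sqrt(max(variance, 0.0))
        records.append(rec)
    return records


# Sample output from this page, wrapped the way a console would show it.
SAMPLE = """\
FWF60C3G11004319 # diagnose wireless-controller wlac -c sta-locate
sta_mac vfid rid base_mac freq_lst frm_cnt frm_fst frm_last intv_sum intv2_sum
intv3_sum intv_min intv_max signal_sum signal2_sum signal3_sum sig_min sig_max
sig_fst sig_last ap
00:0b:6b:22:82:61 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 257 708 56 651 1836 6441 0 12 -21832
1855438 -157758796 -88 -81 -84 -88 0
00:db:df:24:1a:67 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 42 1666 41 1625 97210 5831613 0 60
-3608 310072 -26658680 -90 -83 -85 -89 0
10:68:3f:50:22:29 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 102 1623 58 1565 94136 5664566 0 60
-8025 631703 -49751433 -84 -75 -78 -79 0
"""

if __name__ == "__main__":
    for r in parse_sta_locate(SAMPLE):
        print(f"{r['sta_mac']} via {r['detected_by']}: {r['frm_cnt']} frames, "
              f"mean {r['mean_dbm']:.1f} dBm (sd {r['stddev_db']:.1f}), "
              f"range {r['sig_min']}..{r['sig_max']}")
```

A mean that falls outside the sig_min..sig_max range would indicate that the assumed meaning of the sum columns does not hold for the firmware in use.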

Troubleshooting FortiAP shell command through CAPWAP control tunnel


Very often, the FortiAP in the field is behind a NAT device, and access to the FortiAP through Telnet or SSH is not available. As a troubleshooting enhancement, this feature allows an AP shell command of up to 127 bytes to be sent to the FAP; the FAP runs the command and returns the results to the controller using the CAPWAP tunnel.

The maximum output from a command is limited to 4M, and the default output size is set to 32K.

The FortiAP will only report running results to the controller after the command is finished. If a new command is sent to the AP before the previous command is finished, the previous command will be canceled.

Enter the following:

diag w-c wlac wtpcmd wtp_ip wtp_port cmd [cmd-to-ap]
cmd: run,show,showhex,clr,r&h,r&sh

  • cmd-to-ap: any shell commands, but AP will not report results until the command is finished on the AP
  • run: controller sends the ap-cmd to the FAP to run
  • show: show current results reported by the AP in text
  • showhex: show current results reported by the AP in hex
  • clr: clear reported results
  • r&s: run/show
  • r&sh: run/showhex

Troubleshooting Signal strength issues


Poor signal strength is possibly the most common customer complaint. Below you will learn where to begin identifying and troubleshooting poor signal strength, and learn what information you can obtain from the customer to help resolve signal strength issues.

Asymmetric power issue

Asymmetric power issues are a typical problem. Wireless is two-way communication; high power access points (APs) can usually transmit a long distance, however, the client’s ability to transmit is usually not equal to that of the AP and, as such, cannot return transmission if the distance is too far.

Measuring signal strength in both directions

To solve an asymmetric power issue, measure the signal strength in both directions. APs usually have enough power to transmit long distances, but sometimes battery-powered clients have a reply signal that has less power, and therefore the AP cannot detect their signal.

It is recommended that you match the transmission power of the AP to the least powerful wireless client: around 10 decibel-milliwatts (dBm) for iPhones and 14dBm for most laptops.

Even if the signal is strong enough, other devices may be emitting radiation as well, causing interference. To identify the difference, read the client Rx strength from the FortiGate GUI (under Monitor > WiFi Client Monitor) or CLI.

The Signal Strength/Noise value provides the received signal strength indicator (RSSI) of the wireless client.

For example, a value of -85dBm to -95dBm is equal to about 10dB levels; this is not a desirable signal strength.

In the following screenshot, one of the clients is at 18dB, which is getting close to the perimeter of its range.


You can also confirm the transmission (Tx) power of the controller on the AP profile (wtp-profile) and the FortiAP (iwconfig), and check the power management (auto-Tx) options.

Controller configured transmitting power – CLI:

config wireless-controller wtp-profile
  config <radio>
    show

(the following output is limited to power levels)

auto-power-level : enable
auto-power-high : 17
auto-power-low : 10

Actual FortiAP transmitting power – CLI:

iwconfig wlan00

Result:

wlan00 IEEE 802.11ng ESSID:"signal-check"
Mode:Master Frequency:2.412 GHz Access Point:<MAC add>
Bit Rate:130 Mb/s Tx-Power=28 dBm

Using FortiPlanner PRO with a site survey

The most thorough method to solve signal strength issues is to perform a site survey. To this end, Fortinet offers the FortiPlanner, downloadable at http://www.fortinet.com/resource_center/product_downloads.html.


Sample depiction of a site survey using FortiPlanner

The site survey provides you with optimal placement for your APs based on the variables in your environment. You must provide the site survey detailed information including a floor plan (to scale), structural materials, and more. It will allow you to place the APs on the map and adjust the radio bands and power levels while providing you with visual wireless coverage.

Below is a list of mechanisms for gathering further information on the client for Rx strength. The goal is to see how well the client is receiving the signal from the AP. You can also verify FortiAP signal strength on the client using WiFi client utilities, or third party utilities such as InSSIDer or MetaGeek Chanalyzer. You can get similar tools from the app stores on Android and iOS devices.

  • Professional Site Survey software (Ekahau, Airmagnet survey Pro, FortiPlanner)
  • InSSIDer
  • On Windows: "netsh wlan show networks mode=bssid" (look for the BSSID, it’s in % not in dBm!)
  • On MacOS: Use the "airport" command: "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport" airport -s | grep <the_bssid> (live scan each time)
  • On Droid: WiFiFoFum

Frequency interference

If the wireless signal seems to be strong but then periodically drops, this may be a symptom of frequency interference. Frequency interference is when another device also emits radio frequency using the same channel, co-channel, or adjacent channel, thereby overpowering or corrupting your signal. This is a common problem on a 2.4GHz network.

There are two types of interference: coherent and non-coherent.

 


  • Coherent interference: a result of another device using the same channel as your AP, or poor planning of a wireless infrastructure (perhaps the other nearby APs are using the same channel or the signal strength is too high).
  • Non-coherent interference: a result of other radio signals such as bluetooth, microwave, cordless phone, or (as in medical environments) x-ray machines.

The most common and simple solution for frequency interference is to change your operating channel. Typically, the channel can be set from 1 to 11 for the broadcast frequency, although you should always use channels 1, 6, and 11 on the 2.4GHz band.

Another solution, if it’s appropriate for your location, is to use the 5GHz band instead.

MetaGeek Chanalyzer

You can perform a site survey using spectrum analysis at various points in your environment looking for signal versus interference/noise. MetaGeek Chanalyzer is an example of a third party utility which shows a noise threshold.

Note that a signal of -95dBm or less will be ignored by Fortinet wireless adapters.

Troubleshooting Throughput issues


Sometimes communication issues can be caused by low performance.

Testing the link

You can identify delays or lost packets by sending ping packets from your wireless client. If there is more than 10ms of delay, there may be a problem with your wireless deployment, such as:

  • a weak transmit signal from the client (the host does not reach the AP)
  • the AP utilization is too high (your AP could be saturated with connected clients)
  • interference (third party signal could degrade your AP or client’s ability to detect signals between them)
  • weak transmit power from the AP (the AP does not reach the host); not common in a properly deployed network, unless the client is too far away


Keep in mind that water will also cause a reduction in radio signal strength for those making use of outdoor APs or wireless on a boat.

Performance testing

If the FortiAP gives bad throughput to the client, the link may drop. The throughput or performance can be measured on your smartphone with third-party tools such as iPerf and jPerf.

Measuring file transfer speed

Another way to get a sense of your throughput issues is to measure the speed of a file transfer on your network. Create a test file at a specific size and measure the speed at which Windows measures the transfer. The command below will create a 50MB file.

fsutil file createnew test.txt 52428800

The following image shows a network transfer speed of just over 24Mbps. The theoretical speed of 802.11g is 54Mbps, which is what this client is using. A wireless client is never likely to see the theoretical speed.

TKIP limitation

If you find that throughput is a problem, avoid WPA security encrypted with Temporal Key Integrity Protocol (TKIP) as it supports communications only at 54Mbps. Use WPA-2 AES instead.

Speeds are very much based on what the client computer can handle as well. The maximum client connection rate of 130Mbps is for 2.4GHz on a 2×2, or 300Mbps for 5GHz on a 2×2 (using shortguard and channel bonding enabled).

If you want to get more than 54Mbps with 802.11n, do not use legacy TKIP, use CCMP instead. This is standard for legacy compatibility.

Preventing IP fragmentation in CAPWAP

TKIP is not the only possible source of decreased throughput. When a wireless client sends jumbo frames using a CAPWAP tunnel, it can result in data loss, jitter, and decreased throughput.

Using the following commands you can customize the uplink rates and downlink rates in the CAPWAP tunnel to prevent fragmentation and avoid data loss.

config wireless-controller wtp
  edit new-wtp
    (in 5.4, you must enable override-ip-fragment: set override-ip-fragment enable)
    set ip-fragment-preventing [tcp-mss-adjust | icmp-unreachable]
    set tun-mtu-uplink [0 | 576 | 1500]
    set tun-mtu-downlink [0 | 576 | 1500]
  end
end

The default value is 0, however the recommended value will depend on the type of traffic. For example, IPsec in tunnel mode has 52 bytes of overhead, so you might use 1400 or less for uplink and downlink.

Slowness in the DTLS response

It’s important to know all the elements involved in the CAPWAP association:

  • Request
  • Response
  • DTLS
  • Join
  • Configuration

All of these are bidirectional. So if the DTLS response is slow, this might be the result of a configuration error. This issue can also be caused by a certificate during discovery response. You can read more about this in RFC 5416.

Troubleshooting Connection issues


If the client has a connectivity issue that is not due to signal strength, the solution varies by the symptom.

Client connection issues

  1. If the client is unable to connect to FortiAP:
    • Make sure the client’s security and authentication settings match with FortiAP and check the certificates as well.
    • Try upgrading the Wi-Fi adapter driver and FortiGate/FortiAP firmware.
    • If other clients can connect, it could be interoperability; run debug commands and sniffer packets.
    • Look for rogue suppression by sniffing the wireless traffic and looking for the disconnect in the output (using the AP or wireless packet sniffer).
    • Try changing the IEEE protocol from 802.11n to 802.11bg or 802.11a only.
  2. If the client drops and reconnects:
    • The client might be de-authenticating periodically. Check the sleep mode on the client.
    • The issue could be related to power-saver settings. The client may need to update drivers.
    • The issue could also be caused by flapping between APs. Check the roaming sensitivity settings on the client or the preferred wireless network settings on the client. If another WiFi network is available, the client may connect to it if it is a preferred network. Also, check the DHCP configuration as it may be an IP conflict.
  3. If the client drops and never connects:
    • It could have roamed to another SSID, so check the standby and sleep modes.
    • You may need to bring the interface up and down.
  4. If the client connects, but no IP address is acquired by the client:
    • Check the DHCP configuration and the network.
    • It could be a broadcast issue, so check the WEP encryption key and set a static IP address and VLANs.

Debug

You should also enable client debug on the controller for problematic clients to see the stage at which the client fails to connect. Try to connect from the problematic client and run the following debug command, which allows you to see the four-way handshake of the client association:

diagnose wireless-controller wlac sta_filter <client MAC address> 2

Example of a successful client connection:

The following is a sample debug output for the above command, with successful association/DHCP phases and PSK key exchange (identified in color):

FG600B3909600253 #

91155.197 <ih> IEEE 802.11 mgmt::assoc_req <== 30:46:9a:f9:fa:34 vap signal-check rId 0 wId 0 00:09:0f:f3:20:45

91155.197 <ih> IEEE 802.11 mgmt::assoc_resp ==> 30:46:9a:f9:fa:34 vap signal-check rId 0 wId 0 00:09:0f:f3:20:45 resp 0

91155.197 <cc> STA_CFG_REQ(15) sta 30:46:9a:f9:fa:34 add ==> ws (0-192.168.35.1:5246) rId 0 wId 0

91155.197 <dc> STA add 30:46:9a:f9:fa:34 vap signal-check ws (0-192.168.35.1:5246) rId 0 wId 0 bssid 00:09:0f:f3:20:45 NON-AUTH

91155.197 <cc> STA add 30:46:9a:f9:fa:34 vap signal-check ws (0-192.168.35.1:5246) rId 0 wId 0 00:09:0f:f3:20:45 sec WPA2 AUTO auth 0

91155.199 <cc> STA_CFG_RESP(15) 30:46:9a:f9:fa:34 <== ws (0-192.168.35.1:5246) rc 0 (Success)

91155.199 <eh> send 1/4 msg of 4-Way Handshake

91155.199 <eh> send IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=95 replay cnt 1

91155.199 <eh> IEEE 802.1X (EAPOL 99B) ==> 30:46:9a:f9:fa:34 ws (0-192.168.35.1:5246) rId 0 wId 0 00:09:0f:f3:20:45

91155.217 <eh> IEEE 802.1X (EAPOL 121B) <== 30:46:9a:f9:fa:34 ws (0-192.168.35.1:5246) rId 0 wId 0 00:09:0f:f3:20:45

91155.217 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=117

91155.217 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1

91155.218 <eh> send 3/4 msg of 4-Way Handshake

91155.218 <eh> send IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=175 replay cnt 2

91155.218 <eh> IEEE 802.1X (EAPOL 179B) ==> 30:46:9a:f9:fa:34 ws (0-192.168.35.1:5246) rId 0 wId 0 00:09:0f:f3:20:45

91155.223 <eh> IEEE 802.1X (EAPOL 99B) <== 30:46:9a:f9:fa:34 ws (0-192.168.35.1:5246) rId 0 wId 0 00:09:0f:f3:20:45

91155.223 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=95

91155.223 <eh> recv EAPOL-Key 4/4 Pairwise replay cnt 2

91155.223 <dc> STA chg 30:46:9a:f9:fa:34 vap signal-check ws (0-192.168.35.1:5246) rId 0 wId 0 bssid 00:09:0f:f3:20:45 AUTH

91155.224 <cc> STA chg 30:46:9a:f9:fa:34 vap signal-check ws (0-192.168.35.1:5246) rId 0 wId 0 00:09:0f:f3:20:45 sec WPA2 AUTO auth 1

91155.224 <cc> STA_CFG_REQ(16) sta 30:46:9a:f9:fa:34 add key (len=16) ==> ws (0-192.168.35.1:5246) rId 0 wId 0

91155.226 <cc> STA_CFG_RESP(16) 30:46:9a:f9:fa:34 <== ws (0-192.168.35.1:5246) rc 0 (Success)

91155.226 <eh> ***pairwise key handshake completed*** (RSN)

91155.257 <dc> DHCP Request server 0.0.0.0 <== host ADMINFO-FD4I2HK mac 30:46:9a:f9:fa:34 ip 172.16.1.16

91155.258 <dc> DHCP Ack server 172.16.1.1 ==> host mac 30:46:9a:f9:fa:34 ip 172.16.1.16 mask 255.255.255.0 gw 172.16.1.1

where:

  • orange represents the association phase,
  • blue represents the PSK exchange,
  • and green represents the DHCP phase.

It is important to note the messages for a correct association phase, four-way handshake, and DHCP phase.
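To find the stage at which a problematic client stops, the sta_filter output can be checked against the sequence in the successful sample above. The following Python script is an added example, not Fortinet code; the stage names and the follow-up hints are this example's own reading of the checklist and of general WPA2-PSK behaviour, and the second trace is constructed.

```python
import re

# One debug entry is "<seconds.millis> <tag> message". Entries are matched with
# finditer() rather than split on newlines, so output that a terminal wrapped
# or joined onto one line still parses.
ENTRY = re.compile(r"(\d+\.\d+)\s+<(\w+)>\s+(.*?)(?=\s+\d+\.\d+\s+<\w+>|\s*\Z)", re.S)

# Milestones of a WPA2-PSK connection in the order the debug output reports
# them, each with what to look at when that milestone never appears.
STAGES = [
    ("assoc_req", r"mgmt::assoc_req\b",
     "no association request: confirm the MAC in sta_filter and the client's signal"),
    ("assoc_resp", r"mgmt::assoc_resp\b",
     "controller did not answer the association: check SSID and radio settings"),
    ("eapol_1of4", r"send 1/4 msg of 4-Way Handshake",
     "handshake never started: check the security mode configured on the SSID"),
    ("eapol_2of4", r"recv EAPOL-Key 2/4",
     "client did not answer message 1: check client driver, power save and signal"),
    ("eapol_3of4", r"send 3/4 msg of 4-Way Handshake",
     "message 2 was not accepted: compare the client's passphrase and security "
     "settings with the SSID"),
    ("eapol_4of4", r"recv EAPOL-Key 4/4",
     "client did not confirm message 3: check client driver and signal"),
    ("key_installed", r"pairwise key handshake completed",
     "keys were not installed: check the STA_CFG_RESP return code"),
    ("dhcp_request", r"DHCP Request",
     "client sent no DHCP request: check the client's IP settings"),
    ("dhcp_ack", r"DHCP Ack",
     "no DHCP answer: check the DHCP configuration and the network"),
]


def trace_client(debug_text):
    """Return the stages reached, the first missing stage and handshake time."""
    first_seen = {}
    for entry in ENTRY.finditer(debug_text):
        ts, message = float(entry.group(1)), entry.group(3)
        for name, pattern, _hint in STAGES:
            if name not in first_seen and re.search(pattern, message):
                first_seen[name] = ts
    reached = []
    for name, _pattern, _hint in STAGES:
        if name not in first_seen:
            break
        reached.append(name)
    stalled = STAGES[len(reached)] if len(reached) < len(STAGES) else None
    handshake_ms = None
    if "eapol_1of4" in reached and "eapol_4of4" in reached:
        handshake_ms = round((first_seen["eapol_4of4"] - first_seen["eapol_1of4"]) * 1000)
    return {
        "reached": reached,
        "stalled_before": stalled[0] if stalled else None,
        "next_check": stalled[2] if stalled else None,
        "handshake_ms": handshake_ms,
    }


# Lines taken from the successful sample on this page (abridged).
SAMPLE_OK = """\
91155.197 <ih> IEEE 802.11 mgmt::assoc_req <== 30:46:9a:f9:fa:34 vap signal-check rId 0 wId 0 00:09:0f:f3:20:45
91155.197 <ih> IEEE 802.11 mgmt::assoc_resp ==> 30:46:9a:f9:fa:34 vap signal-check rId 0 wId 0 00:09:0f:f3:20:45 resp 0
91155.199 <eh> send 1/4 msg of 4-Way Handshake
91155.217 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1
91155.218 <eh> send 3/4 msg of 4-Way Handshake
91155.223 <eh> recv EAPOL-Key 4/4 Pairwise replay cnt 2
91155.226 <eh> ***pairwise key handshake completed*** (RSN)
91155.257 <dc> DHCP Request server 0.0.0.0 <== host ADMINFO-FD4I2HK mac 30:46:9a:f9:fa:34 ip 172.16.1.16
91155.258 <dc> DHCP Ack server 172.16.1.1 ==> host mac 30:46:9a:f9:fa:34 ip 172.16.1.16 mask 255.255.255.0 gw 172.16.1.1
"""

# Constructed trace in the same format: the controller keeps restarting the
# handshake and never sends message 3.
SAMPLE_STALLED = """\
100.000 <ih> IEEE 802.11 mgmt::assoc_req <== 02:00:00:00:00:01 vap signal-check
100.001 <ih> IEEE 802.11 mgmt::assoc_resp ==> 02:00:00:00:00:01 vap signal-check resp 0
100.003 <eh> send 1/4 msg of 4-Way Handshake
100.020 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1
101.003 <eh> send 1/4 msg of 4-Way Handshake
101.021 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 2
"""

if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_OK), ("constructed stall", SAMPLE_STALLED)):
        print(label, trace_client(text))
```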

FortiAP connection issues

Clients are not the only device that can fail to connect, of course. A communication problem could arise from the FortiAP.

Some examples include:

  • The FortiAP is not connecting to the wireless controller.
  • One FortiAP intermittently disconnects and re-connects.
  • All FortiAPs intermittently disconnect and re-connect.
  • Unable to Telnet to FortiAP from controller/administrator workstation.

In the above cases:

  • Check networking on the distribution system for all related FortiAPs.
  • Check the authorization status of managed APs from the wireless controller.
  • Restart the cw_acd process (Note: All APs will drop if you do this, and you may be troubleshooting just one AP).
  • Check the controller crash log for any wireless controller daemon crash using the following command:

diagnose debug crashlog read

Debug

For a quick assessment of the association communication between the controller and the FortiAP, run the following sniffer command to see if you can verify that the AP is communicating to the controller by identifying the CAPWAP communication:

diagnose sniff packet <interface_name> "port 5246" 4

If you do not see this communication, then you can investigate the network or the settings on the AP to see why it is not reaching the controller.

The following command allows you to collect verbose output from the sniff that can be converted to a PCAP and viewed in Wireshark.

diagnose sniff packet <interface_name> "port 5246" 6 0 l

The image below shows the beginning of the AP’s association to the controller. You can see the discovery Request and Response at the top.

Throughout debugging it is recommended to:

  • Enable Telnet login to the FortiAP device so that you can log in and issue local debugging commands:

config wireless-controller wtp
  edit "<FortiAP_serial_number>"
    set override-allowaccess {disable|enable}
    set allowaccess {telnet | http | https | ssh}
end

  • Try to connect to the wireless controller from the problematic FortiAP to verify routes exist.
  • Enable wtp (FortiAP) debugging on the wireless controller for problematic FortiAPs to determine the point at which the FortiAP fails to connect:

diag wireless-controller wlac wtp_filter FP112B3X13000193 0-192.168.6.8:5246 2
(replace the serial number and IP address of the FortiAP)
di de console timestamp en
di de application cw_acd 0x7ff
di de en

Example of a successful AP and controller association:

The previous debug command provides similar output to the sample debug message below for a successful association between the FortiAP and the wireless controller. This includes the elements of the CAPWAP protocol; the Request, Response, DTLS, Join, and Configuration (identified in color). All of these are bi-directional, so if the DTLS response is slow, it may be an example of a configuration error.

56704.575 <msg> DISCOVERY_REQ (12) <== ws (0-192.168.35.1:5246)

56704.575 <msg> DISCOVERY_RESP (12) ==> ws (0-192.168.35.1:5246)

56707.575 <msg> DISCOVERY_REQ (13) <== ws (0-192.168.35.1:5246)

56707.575 <msg> DISCOVERY_RESP (13) ==> ws (0-192.168.35.1:5246)

56709.577 <aev> – CWAE_INIT_COMPLETE ws (0-192.168.35.1:5246)

56709.577 <aev> – CWAE_LISTENER_THREAD_READY ws (0-192.168.35.1:5246)

56709.577 <fsm> old CWAS_START(0) ev CWAE_INIT_COMPLETE(0) new CWAS_IDLE(1)

56709.577 <fsm> old CWAS_IDLE(1) ev CWAE_LISTENER_THREAD_READY(1) new CWAS_DTLS_SETUP(4)

56709.623 <aev> – CWAE_DTLS_PEER_ID_RECV ws (0-192.168.35.1:5246)

56709.623 <aev> – CWAE_DTLS_AUTH_PASS ws (0-192.168.35.1:5246)

56709.623 <aev> – CWAE_DTLS_ESTABLISHED ws (0-192.168.35.1:5246)

56709.623 <fsm> old CWAS_DTLS_SETUP(4) ev CWAE_DTLS_PEER_ID_RECV(7) new CWAS_DTLS_AUTHORIZE(2)

56709.623 <fsm> old CWAS_DTLS_AUTHORIZE(2) ev CWAE_DTLS_AUTH_PASS(3) new CWAS_DTLS_CONN(5)

56709.623 <fsm> old CWAS_DTLS_CONN(5) ev CWAE_DTLS_ESTABLISHED(8) new CWAS_JOIN(7)

56709.625 <msg> JOIN_REQ (14) <== ws (0-192.168.35.1:5246)

56709.625 <aev> – CWAE_JOIN_REQ_RECV ws (0-192.168.35.1:5246)

56709.626 <fsm> old CWAS_JOIN(7) ev CWAE_JOIN_REQ_RECV(12) new CWAS_JOIN(7)

56709.629 <msg> CFG_STATUS (15) <== ws (0-192.168.35.1:5246)

56709.629 <aev> – CWAE_CFG_STATUS_REQ ws (0-192.168.35.1:5246)

56709.629 <fsm> old CWAS_JOIN(7) ev CWAE_CFG_STATUS_REQ(13) new CWAS_CONFIG(8)

56710.178 <msg> CHG_STATE_EVENT_REQ (16) <== ws (0-192.168.35.1:5246)

56710.178 <aev> – CWAE_CHG_STATE_EVENT_REQ_RECV ws (0-192.168.35.1:5246)

56710.178 <fsm> old CWAS_CONFIG(8) ev CWAE_CHG_STATE_EVENT_REQ_RECV(23) new CWAS_DATA_CHAN_SETUP(10)

56710.220 <aev> – CWAE_DATA_CHAN_CONNECTED ws (0-192.168.35.1:5246)

56710.220 <msg> DATA_CHAN_KEEP_ALIVE <== ws (0-192.168.35.1:5246)

56710.220 <aev> – CWAE_DATA_CHAN_KEEP_ALIVE_RECV ws (0-192.168.35.1:5246)

56710.220 <msg> DATA_CHAN_KEEP_ALIVE ==> ws (0-192.168.35.1:5246)

56710.220 <fsm> old CWAS_DATA_CHAN_SETUP(10) ev CWAE_DATA_CHAN_CONNECTED(32) new CWAS_DATA_CHECK(11)

56710.220 <aev> – CWAE_DATA_CHAN_VERIFIED ws (0-192.168.35.1:5246)

56710.220 <fsm> old CWAS_DATA_CHECK(11) ev CWAE_DATA_CHAN_KEEP_ALIVE_RECV(35) new CWAS_DATA_CHECK(11)

56710.220 <fsm> old CWAS_DATA_CHECK(11) ev CWAE_DATA_CHAN_VERIFIED(36) new CWAS_RUN(12)

56710.228 <msg> WTP_EVENT_REQ (17) <== ws (0-192.168.35.1:5246)

56710.228 <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.35.1:5246)

56710.228 <fsm> old CWAS_RUN(12) ev CWAE_WTP_EVENT_REQ_RECV(42) new CWAS_RUN(12)

56710.230 <msg> CFG_UPDATE_RESP (1) <== ws (0-192.168.35.1:5246) rc 0 (Success)

56710.230 <aev> – CWAE_CFG_UPDATE_RESP_RECV ws (0-192.168.35.1:5246)

56710.230 <msg> WTP_EVENT_REQ (18) <== ws (0-192.168.35.1:5246)

56710.230 <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.35.1:5246)

56710.230 <fsm> old CWAS_RUN(12) ev CWAE_CFG_UPDATE_RESP_RECV(37) new CWAS_RUN(12)

56710.230 <fsm> old CWAS_RUN(12) ev CWAE_WTP_EVENT_REQ_RECV(42) new CWAS_RUN(12)

56710.231 <msg> WTP_EVENT_REQ (19) <== ws (0-192.168.35.1:5246)

56710.231 <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.35.1:5246)

56710.231 <fsm> old CWAS_RUN(12) ev CWAE_WTP_EVENT_REQ_RECV(42) new CWAS_RUN(12)

56710.232 <msg> CFG_UPDATE_RESP (2) <== ws (0-192.168.35.1:5246) rc 0 (Success)

56710.232 <aev> – CWAE_CFG_UPDATE_RESP_RECV ws (0-192.168.35.1:5246)

56710.232 <fsm> old CWAS_RUN(12) ev CWAE_CFG_UPDATE_RESP_RECV(37) new CWAS_RUN(12)

56710.233 <msg> WTP_EVENT_REQ (20) <== ws (0-192.168.35.1:5246)

56710.233 <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.35.1:5246)

56710.233 <fsm> old CWAS_RUN(12) ev CWAE_WTP_EVENT_REQ_RECV(42) new CWAS_RUN(12)

56712.253 < . > AC (2) -> WTP (0-192.168.35.1:5246) State: CWAS_RUN (12) accept 3 live 3 dbg 00000000 pkts 12493 0

56715.253 < . > AC (2) -> WTP (0-192.168.35.1:5246) State: CWAS_RUN (12) accept 3 live 6 dbg 00000000 pkts 12493 0

56718.253 < . > AC (2) -> WTP (0-192.168.35.1:5246) State: CWAS_RUN (12) accept 3 live 9 dbg 00000000 pkts 12493 0

56719.253 <aev> – CWAE_AC_ECHO_INTV_TMR_EXPIRE ws (0-192.168.35.1:5246)

56719.253 <fsm> old CWAS_RUN(12) ev CWAE_AC_ECHO_INTV_TMR_EXPIRE(39) new CWAS_RUN(12)

 


56719.576 <msg> ECHO_REQ (21) <== ws (0-192.168.35.1:5246)

56719.576 <aev> – CWAE_ECHO_REQ_RECV ws (0-192.168.35.1:5246)

56719.577 <fsm> old CWAS_RUN(12) ev CWAE_ECHO_REQ_RECV(27) new CWAS_RUN(12)

where:

  • orange represents the Discovery phase,
  • blue indicates that the control channels have been established using DTLS,
  • green represents the access point Discovery and Join phase,
  • purple represents the Clear Text channel,
  • and pink indicates that the FortiAP successfully connected to the wireless controller.
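The `<fsm>` lines of the cw_acd debug give the controller's state machine for one FortiAP, so they show both where an association stops and which phase is slow. The following Python script is an added example, not Fortinet code; it follows the `old ... ev ... new ...` transitions, reports the time spent in each state, and uses a constructed second trace for an AP that never leaves DTLS setup.

```python
import re

# "<ts> <fsm> old STATE(n) ev EVENT(m) new STATE(k)" as printed in the sample
# output above. Other tags (<msg>, <aev>, < . >) are ignored.
FSM = re.compile(
    r"(\d+\.\d+)\s+<fsm>\s+old\s+(\w+)\(\d+\)\s+ev\s+(\w+)\(\d+\)\s+new\s+(\w+)\(\d+\)")


def capwap_fsm(debug_text):
    """Follow the FSM transitions and time each state, in milliseconds."""
    # Rejoin identifiers that console wrapping split after an underscore,
    # for example "CWAS_DATA_ CHAN_SETUP".
    text = re.sub(r"_\s+(?=[A-Z])", "_", debug_text)
    path, dwell_ms, gaps = [], {}, []
    entered = None
    last_event = None
    for m in FSM.finditer(text):
        ts, old, event, new = float(m.group(1)), m.group(2), m.group(3), m.group(4)
        last_event = event
        if not path:
            path.append(old)
            entered = ts
        elif old != path[-1]:
            # The capture skipped at least one transition (lines lost or filtered).
            gaps.append((path[-1], old))
            path.append(old)
            entered = ts
        if new != old:
            dwell_ms[old] = dwell_ms.get(old, 0) + round((ts - entered) * 1000)
            path.append(new)
            entered = ts
    return {
        "path": path,
        "reached_run": "CWAS_RUN" in path,
        "last_state": path[-1] if path else None,
        "last_event": last_event,
        "dwell_ms": dwell_ms,
        "slowest_state": max(dwell_ms, key=dwell_ms.get) if dwell_ms else None,
        "gaps": gaps,
    }


# <fsm> lines from the successful sample on this page, plus two other entries
# to show they are skipped. One identifier is deliberately left wrapped to
# exercise the rejoin step.
SAMPLE_OK = """\
56707.575 <msg> DISCOVERY_RESP (13) ==> ws (0-192.168.35.1:5246)
56709.577 <fsm> old CWAS_START(0) ev CWAE_INIT_COMPLETE(0) new CWAS_IDLE(1)
56709.577 <fsm> old CWAS_IDLE(1) ev CWAE_LISTENER_THREAD_READY(1) new CWAS_DTLS_SETUP(4)
56709.623 <fsm> old CWAS_DTLS_SETUP(4) ev CWAE_DTLS_PEER_ID_RECV(7) new CWAS_DTLS_ AUTHORIZE(2)
56709.623 <fsm> old CWAS_DTLS_AUTHORIZE(2) ev CWAE_DTLS_AUTH_PASS(3) new CWAS_DTLS_CONN(5)
56709.623 <fsm> old CWAS_DTLS_CONN(5) ev CWAE_DTLS_ESTABLISHED(8) new CWAS_JOIN(7)
56709.625 <msg> JOIN_REQ (14) <== ws (0-192.168.35.1:5246)
56709.626 <fsm> old CWAS_JOIN(7) ev CWAE_JOIN_REQ_RECV(12) new CWAS_JOIN(7)
56709.629 <fsm> old CWAS_JOIN(7) ev CWAE_CFG_STATUS_REQ(13) new CWAS_CONFIG(8)
56710.178 <fsm> old CWAS_CONFIG(8) ev CWAE_CHG_STATE_EVENT_REQ_RECV(23) new CWAS_DATA_CHAN_SETUP(10)
56710.220 <fsm> old CWAS_DATA_CHAN_SETUP(10) ev CWAE_DATA_CHAN_CONNECTED(32) new CWAS_DATA_CHECK(11)
56710.220 <fsm> old CWAS_DATA_CHECK(11) ev CWAE_DATA_CHAN_KEEP_ALIVE_RECV(35) new CWAS_DATA_CHECK(11)
56710.220 <fsm> old CWAS_DATA_CHECK(11) ev CWAE_DATA_CHAN_VERIFIED(36) new CWAS_RUN(12)
56710.228 <fsm> old CWAS_RUN(12) ev CWAE_WTP_EVENT_REQ_RECV(42) new CWAS_RUN(12)
"""

# Constructed trace: discovery is answered, but nothing follows DTLS setup.
SAMPLE_STUCK = """\
200.000 <msg> DISCOVERY_REQ (1) <== ws (0-192.0.2.10:5246)
200.000 <msg> DISCOVERY_RESP (1) ==> ws (0-192.0.2.10:5246)
202.001 <fsm> old CWAS_START(0) ev CWAE_INIT_COMPLETE(0) new CWAS_IDLE(1)
202.001 <fsm> old CWAS_IDLE(1) ev CWAE_LISTENER_THREAD_READY(1) new CWAS_DTLS_SETUP(4)
"""

if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_OK), ("constructed stuck AP", SAMPLE_STUCK)):
        result = capwap_fsm(text)
        print(label, "->", result["last_state"], result["dwell_ms"])
```

In the page's sample the DTLS setup takes 46 ms and the configuration state 549 ms; a trace whose last state is CWAS_DTLS_SETUP points at the DTLS and certificate checks mentioned above.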


Troubleshooting General problems


Not all WiFi problems are related to signal strength, interference, or misconfiguration. The following OSI model identifies some of the more common issues per layer.

Best practices for troubleshooting vary depending on the affected layer (see below).

Common sources of wireless issues

Best practices for Layer 1

Common physical layer issues include:

  • Weak received signal,
  • WiFi capability: 802.11b, 1×1, 2×2,
  • Co-channel WiFi interference,
  • Side band WiFi interference,
  • Non 802.11 noise (microwave ovens…).

To avoid physical layer issues:

  • Determine RST (Receiver Sensitivity Threshold) for your device, or use -70dBm as a rule of thumb.
  • Match AP TX output power to the client TX output power.
    • Note: iPhone TX power is only 10dBm.
  • Use DFS (Dynamic Frequency Selection) for high performance data 20/40 MHz.
  • Use 5GHz UNII-1 & 3 (Non-DFS) bands with static channel assignment for latency-sensitive applications.
  • Do not use 40MHz channels in 2.4 GHz band (channel bonding is not allowed in FortiOS).

Best practices for Layer 2

Common data link (MAC) layer issues include:

  • Too many clients on a single channel (CSMA/CA) backoff,
  • Too many high-priority traffic clients (WMM),
  • Incorrect password or encryption settings,
  • Too many beacons (in dense installs).

To avoid data link layer issues:

  • Only use CCMP/AES (WPA2) encryption (not TKIP).
  • In high density deployments, turn off SSID broadcast or turn down SSID rates. Review and possibly reduce the beacon interval.
  • Determine the best cell size for applications:
    • For few users and low bandwidth latency sensitive applications, use high transmit power to create larger cells.
    • For high performance/high capacity installations, use lower transmit power to create smaller cells (set FortiPlanner at 10dBm TX power), but bear in mind that this will require more roaming.

Cells and co-channel interference

In high density deployments, multiple APs are used, and each one services an area called a cell. However, these cells can cause interference with each other. This is a common problem. The radio signal from one AP interferes with, or cancels out, the radio signal from another AP.

In the following diagram, note the interference zone created by one radio, causing interference on its neighbouring APs.

The interference zone can be twice the radius of the signal, and the signal at its edge can be -67dBm.


Reducing co-channel interference

For best results, use a ‘honeycomb’ pattern as a deployment strategy. The idea is to stagger repeated channels furthest from each other to avoid interference.

Best practices for Layer 3 and above

For TCP/IP layers and above, a common source of latency, or slowness in the wireless traffic, is too many broadcasts or multicasts. These types of issues can result from non-business and/or unwanted traffic.

To resolve issues at the TCP/IP layer and above:

  • Identify business-critical applications.
  • Use Application Control, Web Filtering, Traffic Shaping, and QoS to prioritize applications.
  • Identify unwanted traffic, high-bandwidth web-related traffic, and use Security Profiles.
  • Use the traffic shaper on a policy to rate-limit this traffic.

These configurations are performed directly on the FortiGate.

Troubleshooting Packet sniffer


Capturing the traffic between the controller and the FortiAP can help you identify most FortiAP and client connection issues.

This section describes the following recommended packet sniffing techniques:

  • CAPWAP packet sniffer
  • Wireless traffic packet sniffer

CAPWAP packet sniffer

The first recommended technique consists of sniffing the CAPWAP traffic.

  • Enable plain control on the controller and on the FortiAP to capture clear control traffic on UDP port 5246.
    • On the controller: diagnose wireless-controller wlac plain-ctl <FortiAP_serial_number> 1

Result:

WTP 0-FortiAP2223X11000107 Plain Control: enabled

    • On the FortiAP: cw_diag plain-ctl 1

Result:

Current Plain Control: enabled

Note that some issues are related to the keep-alive for control and data channel.

  • Data traffic on UDP port 5247 is not encrypted. The data itself is encrypted by the wireless security mechanism.

Data traffic is helpful to troubleshoot most of the issues related to station association, EAP authentication, WPA key exchange, roaming, and FortiAP configuration.

You can also set up a host or server to which you can forward the CAPWAP traffic:

  1. Configure the host/server to which CAPWAP traffic is forwarded: diagnose wireless-controller wlac sniff-cfg <Host_IP_address> 88888

Result:

Current Sniff Server: 192.168.25.41, 23352

  2. Choose which traffic to capture, the interface to which the FortiAP is connected, and the FortiAP’s serial number: diagnose wireless-controller wlac sniff <interface_name> <FortiAP_serial_number> 2

Result:

WTP 0-FortiAP2223X11000107 Sniff: intf port2 enabled (control and data message)

In the above syntax, the ‘2’ captures the control and data message; ‘1’ would capture only the control message, and ‘0’ would disable it.

  3. Run Wireshark on the host/server to capture CAPWAP traffic from the controller.
    • Decode the traffic as IP to check inner CAPWAP traffic.

Example CAPWAP packet capture

The following image shows an example of a CAPWAP packet capture, where you can see: the Layer 2 header; the sniffed traffic encapsulated into Internet Protocol for transport; CAPWAP encapsulated into UDP for sniffer purpose and encapsulated into IP; CAPWAP control traffic on UDP port 5246; and CAPWAP payload.

Wireless traffic packet sniffer

The second recommended technique consists of sniffing the wireless traffic directly ‘on the air’ using your FortiAP.

Wireless traffic packet capture

Packet captures are useful for troubleshooting all wireless client related issues because you can verify data rate and 802.11 parameters, such as radio capabilities, and determine issues with wireless signal strength, interference, or congestion on the network.

A radio can only capture one frequency at a time; one of the radios is set to sniffer mode depending on the traffic or channel required. You must use two FortiAPs to capture both frequencies at the same time.

  • Set a radio on the FortiAP to monitor mode.

iwconfig wlan10

Result:

wlan10 IEEE 802.11na    ESSID:""
Mode:Monitor Frequency:5.18 GHz Access Point: Not-Associated

  • The capture file is stored under the temp directory as wl_sniff.pcap

/tmp/wl_sniff.cap

  • Remember that the capture file is only stored temporarily. If you want to save it, upload it to a TFTP server before rebooting or changing the radio settings.
  • The command cp wl_sniff.cap newname.pcap allows you to rename the file.
  • Rather than TFTP the file, you can also log in to the AP and retrieve the file via the web interface. Move the file using the command: mv name /usr/www

You can verify the file was moved using the command cd /usr/www and then browsing to: <fortiAP_IP>/filename

Syntax

The following syntax demonstrates how to set the radio to sniffer mode (configurable from the CLI only). Sniffer mode provides options to filter for specific traffic to capture. Notice that you can determine the buffer size, which channel to sniff, the AP’s MAC address, and select if you want to sniff the beacons, probes, controls, and data channels.

config wireless-controller wtp-profile
  edit <profile_name>
    config <radio>
      set mode sniffer
      set ap-sniffer-bufsize 32
      set ap-sniffer-chan 1
      set ap-sniffer-addr 00:00:00:00:00:00
      set ap-sniffer-mgmt-beacon enable
      set ap-sniffer-mgmt-probe enable
      set ap-sniffer-mgmt-other enable
      set ap-sniffer-ctl enable
      set ap-sniffer-data enable
    end
end

Once you’ve performed the previous CLI configuration, you’ll be able to see the packet sniffer mode selected in the GUI dashboard under WiFi & Switch Controller > FortiAP Profiles and WiFi & Switch Controller > Managed FortiAPs. Bear in mind that if you change the mode from the GUI, you’ll have to return to the CLI to re-enable the Sniffer mode.

To disable the sniffer profile in the CLI, use the following commands:

config wireless-controller wtp-profile
  edit <profile_name>
    config <radio>
      set ap-sniffer-mgmt-beacon disable
      set ap-sniffer-mgmt-probe disable
      set ap-sniffer-mgmt-other disable
      set ap-sniffer-ctl disable
      set ap-sniffer-data disable
    end
end

Example AP packet capture

The following image shows an example of the AP packet capture. Note the capture header showing channel 36; the beacon frame; the source, destination, and BSSID of the beacon frame; and the SSID of the beacon frame.

Useful debugging commands

For a comprehensive list of useful debug options you can use the following help commands on the controller:

diagnose wireless-controller wlac help

(this command lists the options available that pertain to the wireless controller)

diagnose wireless-controller wlwtp help

(this command lists the options available that pertain to the AP)

Sample outputs

Syntax

diagnose wireless-controller wlac -c vap

(this command lists the information about the virtual access point, including its MAC address, the BSSID, its SSID, the interface name, and the IP address of the APs that are broadcasting it)

Result:

bssid              ssid intf     vfid:ip-port rId wId

00:09:0f:d6:cb:12 Office Office ws (0-192.168.3.33:5246) 0 0

00:09:0f:e6:6b:12 Office Office ws (0-192.168.1.61:5246) 0 0

06:0e:8e:27:dc:48 Office Office  ws (0-192.168.3.36:5246) 0 0

0a:09:0f:d6:cb:12 public publicAP ws (0-192.168.3.33:5246) 0 1

Syntax

diagnose wireless-controller wlac -c darrp

(this command lists the information pertaining to the radio resource provisioning statistics, including the AP serial number, the number of channels set to choose from, and the operation channel. Note that the 5GHz band is not available on these APs listed)

Result:

wtp_id           rId base_mac          index nr_chan vfid 5G oper_chan age
FAP22A3U10600400 0 00:09:0f:d6:cb:12 0    3       0    No 1         87588
FW80CM3910601176 0 06:0e:8e:27:dc:48 1     3      0    No 6         822

 

Reference

This chapter provides some reference information pertaining to wireless networks.

FortiAP web-based manager

Wireless radio channels

WiFi event types

FortiAP CLI

FortiAP web-based manager

You can access the FortiAP unit’s built-in web-based manager. This is useful to adjust settings that are not available through the FortiGate unit’s WiFi Controller. Logging into the FortiAP web-based manager is similar to logging into the FortiGate web-based manager.

System Information

Status

The Status section provides information about the FortiAP unit.

You can:

  • Select Change to change the Host Name.
  • Select Update in Firmware Version to upload a new FortiAP firmware file from your computer.
  • Select Change Password to change the administrator password.
  • Select Backup to save the current FortiAP configuration as a file on your computer.
  • Select Restore to load a configuration into your FortiAP unit from a file on your computer.

Network Configuration

Select DHCP or select Static and specify the IP address, netmask, and gateway IP address. Administrative Access settings affect access after the FortiAP has been authorized. By default, HTTP access needed to access the FortiAP web-based manager is enabled, but Telnet access is not enabled.

Connectivity

These settings determine how the FortiAP unit connects to the FortiGate WiFi controller.

Uplink              Ethernet – wired connection to the FortiGate unit (default)
                    Mesh – WiFi mesh connection
                    Ethernet with mesh backup support
Mesh AP SSID        Enter the SSID of the mesh root. Default: fortinet.mesh.root
Mesh AP Password    Enter password for the mesh SSID.
Ethernet Bridge     Bridge the mesh SSID to the FortiAP Ethernet port.
                    This is available only when Uplink is Mesh.

WTP Configuration

AC Discovery Type settings affect how the FortiAP unit discovers a FortiGate WiFi controller. By default, this is set to Auto which causes the FortiAP unit to cycle through all of the discovery methods until successful. For more information see Controller discovery methods.

AC Discovery Type                    Static, DHCP, DNS, Broadcast, Multicast, Auto
AC Control Port                      Default port is 5246.
AC IP Address 1, 2, 3                You can enter up to three WiFi controller IP addresses for static discovery. Routing must be properly configured in both directions.
AC Host Name 1, 2, 3                 As an alternative to AC IP addresses, you can enter their fully qualified domain names (FQDNs).
AC Discovery Multicast Address       224.0.1.140
AC Discovery DHCP Option Code        When using DHCP discovery, you can configure the DHCP server to provide the controller address. By default the FortiAP unit expects this in option 138.

AC Data Channel Security by default accepts either DTLS-encrypted or clear text data communication with the WiFi controller. You can change this setting to require encryption or to use clear text only.

Wireless Information

The Wireless Information page provides current information about the operation of the radios and the type of Uplink in use.

Wireless radio channels

IEEE 802.11a/n channels

The following table lists the channels supported on FortiWiFi products that support the IEEE 802.11a and 802.11n wireless standards. 802.11a is available on FortiWiFi models 60B and higher. 802.11n is available on FortiWiFi models 80CM and higher.

All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.

IEEE 802.11a/n (5-GHz Band) channel numbers

Channel number   Frequency (MHz)   Regulatory Areas (Americas, Europe, Taiwan, Singapore, Japan)
34 5170
36 5180          •               •
38 5190
40 5200          •               •           •                •
42 5210
44 5220          •               •           •                •
46 5230
48 5240          •               •           •                •
149 5745
153 5765
157 5785
161 5805
165 5825

IEEE 802.11b/g/n channel numbers

The following table lists IEEE 802.11b/g/n channels. All FortiWiFi units support 802.11b and 802.11g. Newer models also support 802.11n.

Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

IEEE 802.11b/g/n (2.4-GHz Band) channel numbers
Channel number   Frequency (MHz)   Regulatory Areas (Americas, EMEA, Israel, Japan)
1 2412          •                   • indoor
2 2417          •                   • indoor
3 2422          •                   • indoor
4 2427          •                   • indoor
5 2432          •                   •
6 2437          •                   •
7 2442          •                   •
8 2447          •                   •
9 2452          •                   •
10 2457          •                   •
11 2462          •                   •
12 2467
13 2472
14 2484 b only

View all Country & Regcodes/Regulatory Domains

The following CLI command can be entered to view a list of the Country & Regcodes/Regulatory Domains supported by Fortinet:

cw_diag -c all-countries

Below is a table showing a sample of the list displayed by entering this command:

Country-code   Region-code   Domain           ISO-name   Name
0              A             FCC3 & FCCA      NA         NO_COUNTRY_SET
8              W             NULL1 & WORLD    AL         ALBANIA
12             W             NULL1 & WORLD    DZ         ALGERIA
16             A             FCC3 & FCCA      AS         AMERICAN SAMOA
…              …             …                …          …

WiFi event types

Event type Description
rogue-ap-detected A rogue AP has been detected (generic).
rogue-ap-off-air A rogue AP is no longer detected on the RF side.
rogue-ap-on-wire A rogue AP has been detected on wire side (connected to AP or controller L2 network).
rogue-ap-off-wire A rogue AP is no longer detected on wire.
rogue-ap-on-air A rogue AP has been detected on the RF side.
fake-ap-detected A rogue AP broadcasting on the same SSIDs that you have in your managed APs has been detected.
fake-ap-on-air The above fake AP was detected on the RF side.

FortiAP CLI

The FortiAP CLI controls radio and network operation through the use of variables manipulated with the cfg command. There are also diagnostic commands.

The cfg commands include the following:

cfg -s              List variables.
cfg -a var=value    Add or change a variable value.
cfg -c              Commit the change to flash.
cfg -x              Reset settings to factory defaults.
cfg -r var          Remove variable.
cfg -e              Export variables.
cfg -h              Display help for all commands.

The configuration variables are:

Var                                Description and Values
AC_CTL_PORT                        WiFi Controller control (CAPWAP) port. Default 5246.
AC_DATA_CHAN_SEC                   Data channel security.
                                   0 – Clear text
                                   1 – DTLS (encrypted)
                                   2 – Accept either DTLS or clear text (default)
AC_DISCOVERY_TYPE                  1 – Static. Specify WiFi Controllers
                                   2 – DHCP
                                   3 – DNS
                                   5 – Broadcast
                                   6 – Multicast
                                   0 – Cycle through all of the discovery types until successful.
AP_IPADDR, AP_NETMASK, IPGW        These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC.
                                   Default 192.168.1.2 255.255.255.0, gateway 192.168.1.1.
AC_HOSTNAME_1, AC_HOSTNAME_2, AC_HOSTNAME_3
                                   WiFi Controller host names for static discovery.
AC_IPADDR_1, AC_IPADDR_2, AC_IPADDR_3
                                   WiFi Controller IP addresses for static discovery.
AC_DISCOVERY_DHCP_OPTION_CODE      Option code for DHCP server. Default 138.
AC_DISCOVERY_MC_ADDR               Multicast address for controller discovery. Default 224.0.1.140.
ADDR_MODE                          How the FortiAP unit obtains its IP address and netmask.
                                   DHCP – FortiGate interface assigns address.
                                   STATIC – Specify in AP_IPADDR and AP_NETMASK.
                                   Default is DHCP.
ADMIN_TIMEOUT                      Administrative timeout in minutes. Applies to Telnet and web-based manager sessions. Default is 5 minutes.
AP_MGMT_VLAN_ID                    Non-zero value applies VLAN ID for unit management.
                                   Default: 0.
AP_MODE                            FortiAP operating mode.
                                   0 – Thin AP (default)
                                   2 – Unmanaged Site Survey mode. See SURVEY variables.
BAUD_RATE                          Console data rate: 9600, 19200, 38400, 57600, or 115200 baud.
DNS_SERVER                         DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned.
FIRMWARE_UPGRADE                   Default is 0.
HTTP_ALLOW                         Access to FortiAP web-based manager: 1 – Yes (default), 0 – No.
LED_STATE                          Enable/disable status LEDs.
                                   0 – LEDs enabled, 1 – LEDs disabled, 2 – follow AC setting.
LOGIN_PASSWD                       Administrator login password. By default this is empty.
STP_MODE                           Spanning Tree Protocol. 0 is off. 1 is on.
TELNET_ALLOW                       By default (value 0), Telnet access is closed when the FortiAP unit is authorized. Set value to 1 to keep Telnet always available.
WTP_LOCATION                       Optional string describing AP location.
Mesh variables

Var                                Description and Values
MESH_AP_BGSCAN                     Enable or disable background mesh root AP scan.
                                   0 – Disabled
                                   1 – Enabled
MESH_AP_BGSCAN_RSSI                If the root AP’s signal is weak, and lower than the received signal strength indicator (RSSI) threshold, the WiFi driver will immediately start a new round scan and ignore the configured MESH_AP_BGSCAN_PERIOD delays. Set the value between 0-127.
                                   After the new round scan is finished, a scan done event is passed to wtp daemon to trigger roaming.
MESH_AP_BGSCAN_PERIOD              Time in seconds that a delay period occurs between scans. Set the value between 1-3600.
MESH_AP_BGSCAN_IDLE                Time in milliseconds. Set the value between 0-1000.
MESH_AP_BGSCAN_INTV                Time in milliseconds between channel scans. Set the value between 200-16000.
MESH_AP_BGSCAN_DUR                 Time in milliseconds that the radio will continue scanning the channel. Set the value between 10-200.
MESH_AP_SCANCHANLIST               Specify those channels to be scanned.
MESH_AP_TYPE                       Type of communication for backhaul to controller:
                                   0 – Ethernet (default)
                                   1 – WiFi mesh
                                   2 – Ethernet with mesh backup support
MESH_AP_SSID                       SSID for mesh backhaul. Default: fortinet.mesh.root
MESH_AP_BSSID                      WiFi MAC address
MESH_AP_PASSWD                     Pre-shared key for mesh backhaul.
MESH_ETH_BRIDGE                    1 – Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE=1.
                                   0 – No WiFi-Ethernet bridge (default).
MESH_MAX_HOPS                      Maximum number of times packets can be passed from node to node on the mesh. Default is 4.

The following factors are summed and the FortiAP associates with the lowest scoring mesh AP.

MESH_SCORE_HOP_WEIGHT              Multiplier for number of mesh hops from root. Default 50.
MESH_SCORE_CHAN_WEIGHT             AP total RSSI multiplier. Default 1.
MESH_SCORE_RATE_WEIGHT             Beacon data rate multiplier. Default 1.
MESH_SCORE_BAND_WEIGHT             Band weight (0 for 2.4GHz, 1 for 5GHz) multiplier. Default 100.
MESH_SCORE_RSSI_WEIGHT             AP channel RSSI multiplier. Default 100.
Survey variables

SURVEY_SSID                        SSID to broadcast in site survey mode (AP_MODE=2).
SURVEY_TX_POWER                    Transmitter power in site survey mode (AP_MODE=2).
SURVEY_CH_24                       Site survey transmit channel for the 2.4Ghz band (default 6).
SURVEY_CH_50                       Site survey transmit channel for the 5Ghz band (default 36).
SURVEY_BEACON_INTV                 Site survey beacon interval. Default 100msec.
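
Several of the variables listed above (AC_DATA_CHAN_SEC, TELNET_ALLOW, HTTP_ALLOW, LOGIN_PASSWD) ship with permissive defaults, so an exported configuration can be checked against them. The following Python audit is an added example, not Fortinet code: it assumes the variables were saved as one VAR=value (or VAR:=value) pair per line, since the exact cfg -e layout is not shown on this page; the sample export is constructed and the severity labels are this example's own.

```python
"""Audit exported FortiAP cfg variables against the defaults documented on this page."""

# Documented defaults, applied when a variable is missing from the export.
DEFAULTS = {
    "AC_DATA_CHAN_SEC": "2",  # 2 = accept either DTLS or clear text
    "TELNET_ALLOW": "0",      # 0 = Telnet closed once the AP is authorized
    "HTTP_ALLOW": "1",        # 1 = web-based manager reachable over HTTP
    "LOGIN_PASSWD": "",       # empty administrator password
}

# Constructed sample input; the line layout is an assumption (see lead-in).
SAMPLE_EXPORT = """\
AP_IPADDR=192.168.1.2
ADDR_MODE=DHCP
AC_DATA_CHAN_SEC=2
TELNET_ALLOW=1
HTTP_ALLOW=1
LOGIN_PASSWD=
"""


def parse_cfg(text):
    """Return {variable: value} from VAR=value or VAR:=value lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.rstrip(":").strip()] = value.strip().strip('"')
    return values


def audit(values):
    """Return a list of (severity, variable, reason, fix_command) findings."""
    cfg = {**DEFAULTS, **values}
    findings = []

    sec = cfg["AC_DATA_CHAN_SEC"]
    fix_sec = "cfg -a AC_DATA_CHAN_SEC=1"
    if sec == "0":
        findings.append(("high", "AC_DATA_CHAN_SEC",
                         "CAPWAP data channel is clear text only", fix_sec))
    elif sec == "2":
        findings.append(("medium", "AC_DATA_CHAN_SEC",
                         "DTLS is optional; clear-text data channel is accepted", fix_sec))
    elif sec != "1":
        findings.append(("medium", "AC_DATA_CHAN_SEC",
                         "unrecognised value %r" % sec, fix_sec))

    if cfg["TELNET_ALLOW"] == "1":
        findings.append(("high", "TELNET_ALLOW",
                         "Telnet stays available after the AP is authorized",
                         "cfg -a TELNET_ALLOW=0"))
    if cfg["HTTP_ALLOW"] == "1":
        findings.append(("low", "HTTP_ALLOW",
                         "web-based manager is reachable over HTTP",
                         "cfg -a HTTP_ALLOW=0"))
    # Only meaningful if the export includes the password variable at all.
    if cfg["LOGIN_PASSWD"] == "":
        findings.append(("high", "LOGIN_PASSWD",
                         "administrator login password is empty",
                         "cfg -a LOGIN_PASSWD=<new_password>"))
    return findings


def remediation(findings):
    """List the cfg commands for the findings, ending with the commit to flash."""
    commands = [fix for _, _, _, fix in findings]
    if commands:
        commands.append("cfg -c")
    return commands


if __name__ == "__main__":
    found = audit(parse_cfg(SAMPLE_EXPORT))
    for severity, var, reason, _ in found:
        print("%-6s %-18s %s" % (severity, var, reason))
    print("\n".join(remediation(found)))
```

Setting HTTP_ALLOW=0 removes access to the FortiAP web-based manager, so confirm another management path exists before committing that change.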
Previously, FortiAP accepted Telnet and HTTP connections on any virtual interface that has an IP address. For security reasons, Telnet and HTTP access are now limited to br0 or br.vlan for AP_MGMT_VLAN_ID.

Diagnose commands include:

cw_diag help Display help for all diagnose commands.
cw_diag uptime Show daemon uptime.
cw_diag --tlog <on|off> Turn on/off telnet log message.
cw_diag --clog <on|off> Turn on/off console log message.
cw_diag baudrate [9600 | 19200 | 38400 | 57600 | 115200] Set the console baud rate.
cw_diag plain-ctl [0|1] Show or change current plain control setting.
cw_diag sniff-cfg ip port Set sniff server ip and port.
cw_diag sniff [0|1|2] Enable/disable sniff packet.
cw_diag stats wl_intf Show wl_intf status.
cw_diag admin-timeout [30] Set shell idle timeout in minutes.
cw_diag -c wtp-cfg Show current wtp config parameters in control plane.
cw_diag -c radio-cfg Show current radio config parameters in control plane.
cw_diag -c vap-cfg Show current vaps in control plane.
cw_diag -c ap-rogue Show rogue APs pushed by AC for on-wire scan.
cw_diag -c sta-rogue Show rogue STAs pushed by AC for on-wire scan.
cw_diag -c arp-req Show scanned arp requests.
cw_diag -c ap-scan Show scanned APs.
cw_diag -c sta-scan Show scanned STAs.
cw_diag -c sta-cap Show scanned STA capabilities.
cw_diag -c wids Show scanned WIDS detections.
cw_diag -c darrp Show darrp radio channel.
cw_diag -c mesh Show mesh status.
cw_diag -c mesh-veth-acinfo Show mesh veth ac info, and mesh ether type.
cw_diag -c mesh-veth-vap Show mesh veth vap.
cw_diag -c mesh-veth-host Show mesh veth host.
cw_diag -c mesh-ap Show mesh ap candidates.
cw_diag -c scan-clr-all Flush all scanned AP/STA/ARPs.
cw_diag -c ap-suppress Show suppressed APs.
cw_diag -c sta-deauth De-authenticate an STA.

Link aggregation can also be set in the CLI. Link aggregation is used to combine multiple network connections in parallel in order to increase throughput beyond what a single connection could sustain.

  • FortiAP 320B and 320C models are supported.
  • FortiAP 112B and 112D models cannot support link aggregation.
  • NPI FAP-S3xxCR and “wave2” FAP/FAP-S models will have link aggregation feature via synchronization with regular FortiAP trunk build.

What’s New In FortiOS 5.6.1

Executive Summary

This chapter briefly highlights some of the higher profile new FortiOS 5.6 features, some of which have been enhanced for FortiOS 5.6.1.

Security Fabric enhancements

Security Fabric features and functionality continue to evolve. New features include improved performance and integration, a security audit function that finds possible problems with your network and recommends solutions, security fabric dashboard widgets, improved device detection, and remote login to other FortiGates on the fabric. See New Security Fabric features.

Security Fabric Audit

The Security Fabric Audit allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance. See Security Fabric Audit and Fabric Score.

Re-designed Dashboard

The Dashboard has been enhanced to show more information with greater flexibility and more functionality. See New Dashboard Features for details.

NGFW Policy Mode

You can operate your FortiGate in NGFW policy mode to simplify applying Application control and Web Filtering to firewall traffic. See NGFW Policy Mode (371602).

Flow-based inspection with profile-based NGFW mode is the default inspection mode in FortiOS 5.6.

Transparent web proxy

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

 

New Security Fabric features

In FortiOS 5.6, the Security Fabric (previously known as the Cooperative Security Fabric) has been expanded in several ways to add more functionality and visibility.

One of the most important functional changes is that FortiAnalyzer is now a required part of the Security Fabric configuration. Also, two important new features, Security Fabric Audit and Fabric Score, have been added to provide a method to continually monitor and improve the Security Fabric configuration.

Many changes have been made through FortiView to improve the visibility of the Security Fabric. More information is now displayed and you can access downstream FortiGates directly from the root FortiGate’s FortiView display.

Other smaller improvements have been made throughout the Security Fabric, with a focus on improving communication between devices.

In FortiOS 5.6.1, the new updated GUI design consolidates the Security Fabric features together under a new menu and has many new topological changes to provide greater visibility into the connectivity of your networked devices. This includes adding more Fortinet products to the topology and widgets. Other topology improvements include enhanced IPsec VPN detection (which now includes detection of downstream FortiGates) and support for SD-WAN. Smaller changes have also been made to add more information to device tooltip alerts in the Physical and Logical Topology views.

Setting up the Security Fabric in FortiOS 5.6

See the following FortiGate Cookbook recipes to get started in setting up the Security Fabric in FortiOS 5.6:

  • Installing a FortiGate in NAT/Route mode
  • Security Fabric installation

Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN interfaces

You can now enable FortiTelemetry for IPsec VPN interfaces. The Security Fabric can now detect the downstream FortiGate through the IPsec VPN interface. This allows you to send FortiTelemetry communication over a Gateway-to-Gateway IPsec VPN tunnel between two remote networks. One of the networks would contain the root FortiGate and the network at the other end of the IPsec VPN tunnel can connect to the root FortiGate’s Security Fabric.

To enable FortiTelemetry in the GUI:

  1. Go to Network > Interfaces and edit your IPsec VPN interface.
  2. Under Administrative Access enable FortiTelemetry.

 

Your IPsec VPN interface will automatically be added to the FortiTelemetry enabled interface list under Security Fabric > Settings.

In the CLI, enter the following commands:

config system interface
  edit <vpn_name>
    set fortiheartbeat enable
end

Re-designed Security Fabric setup

A new updated GUI menu consolidates the Security Fabric features in one location. This includes Physical Topology, Logical Topology, Audit, and Settings. For more details, see the illustration below:

Improved Security Fabric Settings page

The Security Fabric Settings page has been updated to act as a centralized location for you to enable connectivity to other Fortinet products. Navigate to Security Fabric > Settings.

Changes to the Settings page include the following:

  • The previous Enable Security Fabric option has been replaced with an option to enable FortiGate Telemetry.
  • The previous Downstream FortiGates option has been replaced with Topology to show multiple devices.

See the screen shot below:

Security Fabric dashboard widgets

New dashboard widgets for the Security Fabric put information about the status of the Security Fabric at your fingertips when you first log into your FortiGate.

The FortiGate dashboard widget has been updated to include the following Fortinet products: FortiGate (core), FortiAnalyzer (core), FortiSwitch, FortiClient, FortiSandbox, and FortiManager. See the screen shot below:

You can hover over the icons along the top of the Security Fabric widget to get a quick view of the status of the Security Fabric. Available information includes the FortiTelemetry status and the status of various components in the Security Fabric.

The Security Fabric Score widget shows the Security Fabric Audit score for the Security Fabric and allows you to apply recommended changes right from the dashboard.

 

Physical and Logical FortiView improvements

The FortiView Physical and Logical Topology pages now display the following improvements:

  • Shows both FortiGates in an HA configuration
  • Shows FortiAPs
  • Lists FortiAnalyzer and FortiSandbox as components of the Security Fabric
  • Highlights the current FortiGate
  • Displays Link Usage in different colors
  • Ranks Endpoints by FortiClient Vulnerability Score and by Threat Score (see below for more information)
  • Displays user avatars
  • Recognizes servers as a device type
  • Introduces a search bar to help locate specific devices in the Security Fabric

Updated Physical and Logical Topology legend

On the Physical Topology and Logical Topology pages, the Security Fabric legend has been updated. See the screenshot below:

New option to minimize the Topology

This new feature allows you to minimize portions of the Physical and Logical Topology. This makes it easy to view your entire topology, or minimize portions to focus in on a specific area. See the screenshot below:

Security Fabric Topology shows new resource information alerts

The enhanced Security Fabric topology now shows CPU Usage and Memory Usage alerts in the device information tooltip. It also displays a warning if the FortiGate is in conserve mode. Note that the CPU usage, memory usage and conserve mode data are drawn from the data that was last loaded from the FortiGate, not real-time data.

You can see the new CPU Usage and Memory Usage fields shown in the tooltip below:

The Conserve mode warning is shown below:

SD-WAN information added to Security Fabric topology

The Security Fabric topology now includes SD-WAN. Enhancements include greater visibility into where the data comes from and goes to, link saturation indicators, and detailed tooltip explanations. The following SD-WAN information has been integrated into the Security Fabric topology:

  • The tooltip for the SD-WAN interface now includes load balancing settings.
  • In the Security Fabric Logical Topology, SD-WAN and its interface members will appear above all interfaces.
  • If connected to an upstream FortiGate, one link between the exact SD-WAN member and the upstream FortiGate will appear.
  • If connected to a destination bubble, links between each enabled member and the destination bubble appear.
  • Interface bandwidth and link utilization for other interfaces (WAN role interface) have been temporarily removed and will be added back in later.
  • Fixes have been made to show vulnerabilities for multiple MAC addresses (402495) and to show the FortiSwitch serial and port (389158).

For more details see the screenshot below:

 

SD-WAN Monitor Support added to Security Fabric (417210)

The Security Fabric now retrieves monitor information from all members of the Security Fabric and displays it in the GUI of the root FortiGate. Support was added for the Routing Monitor, DHCP Monitor and User Quarantine Monitor.

You can use the new drop down menu shown below to select the Security Fabric members:

FortiCache support for the Security Fabric (435830)

FortiGates in the Security Fabric can now use FortiCache as a remote cache service. Previously, FortiCache was supported via WCCP re-direct only, but now FortiGates can use it as a local cache rather than redirecting via WCCP.

In the GUI, follow the steps below:

  1. Go to Security Fabric > Settings and enable HTTP Service.
  2. Set Device Type to FortiCache and add the IP addresses of the FortiCache devices.
  3. You can also select Authentication and add a password if required. See the screenshot below:

In the CLI, enter the following commands:

config wanopt forticache-service
  set status enable
  set local-cache-id <local-cache-id>
  set remote-forticache-id <remote-forticache-id>
  set remote-forticache-ip <remote-forticache-ip>
end

  • status – Enable/disable using FortiCache as web-cache storage
      • disable – Use local disks as web-cache storage
      • enable – Use a remote FortiCache as web-cache storage
  • local-cache-id – The cache ID that this device uses to connect to the remote FortiCache
  • remote-forticache-id – The ID of the FortiCache that the device connects to
  • remote-forticache-ip – The IP address of the FortiCache the device connects to

Enhanced Security Fabric audit tests for FortiGuard licenses (409156)

The Security Fabric audit now has separate audit tests for FortiGuard licenses based on whether the FortiGuard license is valid, expired, never been activated, or temporarily unavailable. Previously, the audit test performed one batch test on all FortiGuard licenses, regardless of the status of the licenses. Recommendations for individual licenses are also provided in the GUI tooltips.

You can see the new breakdown of pass or fail actions shown below:

  • License valid = pass
  • License expired = fail
  • License never activated = fail
  • License is unavailable (connection issue with FortiGuard) = pass

If a required Feature Visibility is disabled, the audit test for it will not show vulnerabilities. The audit will show a score of zero (or a pass). Go to System > Feature Visibility (previously the Feature Select menu) to make any changes.

In the GUI, follow the steps below to check the status of your FortiGuard licenses:

  1. Go to Security Fabric > Audit to check the status of your FortiGuard licenses.
  2. Follow the steps in the Security Fabric Audit wizard.
  3. Expand Firmware & Subscriptions, and look at the FortiGuard License Subscriptions section to verify whether any recommended action is required. See the example below:

FortiClient Vulnerability Score

Endpoints in the Security Fabric topology are now ranked by their FortiClient Vulnerability Score. This score is calculated by the severity of vulnerabilities found on the endpoint:

  • critical vulnerability = 100 points
  • high vulnerability = 50 points
  • medium vulnerability = 5 points
  • low vulnerability = 2 points
  • info vulnerability = 1 point

FortiView Consolidation

Information about the Security Fabric can now be seen throughout the FortiView dashboards on the upstream FortiGate, when the real-time view is used.

  • You can right-click on an entry and select View Aggregated Details to see more information.
  • The upstream FortiGate filters information to avoid counting traffic from the same hosts multiple times on each hop.

The upstream FortiGate also now has the option to end downstream FortiGate sessions or quarantine endpoints that connect to downstream FortiGates.

Remote login to downstream FortiGates

You can now log into downstream FortiGates from the upstream FortiGate, by right-clicking on the downstream FortiGate when viewing the Security Fabric’s topology using FortiView.

Logging Consolidation and Improvements

Several changes have been made to improve logging for a Security Fabric.

Sending all logs to a single FortiAnalyzer

By default, all FortiGates in the Security Fabric now send logs to a single FortiAnalyzer. The connection to the FortiAnalyzer is configured on the upstream FortiGate, then the settings are pushed to all other FortiGates.

In FortiOS 5.6, a FortiAnalyzer is required for the root FortiGate in the Security Fabric; however, downstream devices can be configured to use other logging methods through the CLI:

config system csf
    set logging-mode local
end

Data Exchange with FortiAnalyzer

The following information about the Security Fabric configuration is now sent to the FortiAnalyzer:

  • Topology info
  • Interface roles
  • LAT / LNG info
  • Device asset tags

Retrieving Monitor Information

Monitors on the upstream FortiGate, such as the VPN Monitor, Route Monitor, and User Quarantine, can now view the information from downstream devices. You can use the button in the top right corner of the screen to change the FortiGate information that is displayed.

Log Settings

Log statistics for each FortiGate in the Security Fabric are now shown when you go to Log & Report > Log Settings.

Device Tree

The entire Security Fabric tree is now updated upward, and each node has an updated state of the whole subtree. The content is saved in a local file and can be retrieved on request from the GUI or with a diagnose command (dia sys csf downstream).

 

Security Fabric Audit and Fabric Score

This chapter contains information about the Security Fabric Audit and Fabric Score, which together provide a method to continually monitor and improve your Security Fabric’s configuration.

What is the Security Fabric Audit?

The Security Fabric Audit is a feature on your FortiGate that allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Why should you run a Security Fabric Audit?

Using the Security Fabric Audit helps you to tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Fabric Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.

Running a Security Fabric Audit

The Security Fabric Audit can be found by going to Security Fabric > Audit. In the first step, all detected FortiGates are shown.

In the second step, the audit is performed and a list of recommendations is shown. Two views are available: Failed or All Results. These views can be further segmented so that you view results from all FortiGates or just a specific unit.

In each view, a chart appears showing the results of individual checks. The following information is shown: the name and a description of the check, which FortiGate the check occurred on, the check’s result on your overall security score, and any necessary recommendations.

If you hover the mouse over the Result for a check, you can get a breakdown on how this score was determined.

For more information about this, see “Security Fabric Score” below.

In Step Three of the Audit, Easy Apply recommendations are displayed and can be applied. By using Easy Apply, you can change the configuration of any FortiGate in the fabric.

For other recommendations, further action is required if you wish to follow the recommendation.

You can also view Audit recommendations for specific devices using the FortiView Topology consoles. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available, while the color of the circle shows the severity of the highest check that failed (red is critical, orange is high, yellow is medium, and blue is low).

Logging for the Security Fabric Audit

An event filter subtype is available for the Security Audit. Every time an audit is run, event logs are created on the root FortiGate that summarize the results of the audit and give details of the individual tests.

Syntax

config log eventfilter
    set security-audit {enable | disable}
end

The security-audit filter is enabled by default.

Security Fabric Audit Checks

The Security Fabric Audit performs a variety of checks when analyzing your network. All checks are based on your current network configuration, using realtime monitoring. The Audit runs these checks across all FortiGates in the Security Fabric.

Firmware & Subscriptions

| Goal | Severity | Check | Recommendation | Easy Apply? |
|---|---|---|---|---|
| Compatible Firmware | Critical | All FortiGates in the Security Fabric should run the same firmware version. | Run same version as root. | No |
| FortiCare Support | Critical | FortiGate should be registered with FortiCare. | Register with FortiCare. | No |
| FortiGuard License Subscriptions | High | All registered FortiGuard license subscriptions should be valid. | Renew subscriptions. | No |
| FortiAP Firmware Versions | Low | All FortiAPs should be running the latest firmware. | Upgrade FortiAP to recommended version. | No |
| FortiSwitch Firmware Versions | Low | All FortiSwitches should be running the latest firmware. | Update all FortiSwitches to use the latest firmware. | No |

Internal Segmentation Firewall (ISFW)

| Goal | Severity | Check | Recommendation | Easy Apply? |
|---|---|---|---|---|
| Interface Classification | High | All interfaces should be classified as either “LAN”, “WAN”, or “DMZ”. | Configure the interface role. | Yes |
| Device Discovery | High | Interfaces which are classified as “LAN” or “DMZ” should have device detection enabled. | Enable device detection. | Yes |
| Third Party Router & NAT Devices | Medium | No third party router or NAT devices should be detected in the network. | Replace the device with a FortiGate. | No |
| VLAN Management | Medium | Non-FortiLink interfaces should not have multiple VLANs configured on them. | Use FortiSwitch and FortiLink. | No |
| Centralized Logging & Reporting | High | Logging and reporting should be done in a centralized place throughout the Security Fabric. | Install FortiAnalyzer for logging & reporting. | No |
| LAN Segment | Medium | Servers should be placed behind interfaces classified as “DMZ”. | All servers should be moved to interfaces with role “DMZ”. | No |
| Unused Policies | Medium | All IPv4 policies should be used. | Review all IPv4 policies that haven’t been used in the last 90 days. | No |
| Advanced Threat Protection | High | Suspicious files should be submitted to FortiSandbox or FortiSandbox Cloud for inspection. | Configure AntiVirus profiles to send files to FortiSandbox or FortiSandbox Cloud for inspection. | No |
| Unauthorized FortiAPs | Medium | All discovered FortiAPs should be authorized or disabled. | Authorize or disable unauthorized FortiAPs. | Yes |
| Unauthorized FortiSwitches | Medium | All discovered FortiSwitches should be authorized or disabled. | Authorize or disable unauthorized FortiSwitches. | Yes |

Endpoint Compliance

| Goal | Severity | Check | Recommendation | Easy Apply? |
|---|---|---|---|---|
| Endpoint Registration | High | Interfaces which are classified as “LAN” should have FortiTelemetry enabled. | Enable FortiTelemetry on “LAN” interfaces. | No |
| FortiClient Protected | Medium | All supported devices should be registered via FortiClient. | Register all devices via FortiClient. | Yes |
| FortiClient Compliance | Medium | All registered FortiClient devices should be compliant with FortiClient profile. | Investigate non-compliant reason(s) for FortiClient endpoints. | No |
| FortiClient Vulnerabilities | Critical | All registered FortiClient devices should have no critical vulnerabilities. | Have FortiClient fix the detected critical vulnerabilities. | No |

Security Best Practices

| Goal | Severity | Check | Recommendation | Easy Apply? |
|---|---|---|---|---|
| Unsecure Protocol – HTTP | High | Interfaces which are classified as “WAN” should not allow HTTP administrative access. | Enable HTTPS redirection globally. | Yes |
| Unsecure Protocol – Telnet | High | Interfaces which are classified as “WAN” should not allow Telnet administrative access. | Disable Telnet. | Yes |
| Valid HTTPS Certificate – Administrative GUI | Medium | The administrative GUI should not be using a default built-in certificate. | Acquire a certificate for your domain, upload it, and configure the administrative GUI to use it. | No |
| Valid HTTPS Certificate – SSL VPN | Medium | SSL VPN should not be using a default built-in certificate. | Acquire a certificate for your domain, upload it, and configure SSL VPN to use it. | No |
| Explicit Interface Policies | Low | Policies that allow traffic should not be using the “any” interface. | Change the policy to use a specific interface. | No |
| Admin Password Policy | Medium | A password policy should be set up for system administrators. | Enable a simple password policy for system administrators. | Yes |

Security Fabric Score

The Security Fabric Score widget has been added to the FortiGate Dashboard to give visibility into auditing trends. This widget uses information from the Security Fabric Audit to determine your score. Score can be positive or negative, with a higher score representing a more secure network.

Score is based on the number of checks failed and the severity of these checks. The weight for each severity level is as follows:

  • Critical: 50 points
  • High: 25 points
  • Medium: 10 points
  • Low: 5 points

You get points for passing a test only when it passes for all FortiGates in your fabric. If this occurs, the score is calculated using this formula:

+Severity Weight x Secure FortiGate Multiplier

The Severity Weight is calculated as Severity divided by the number of FortiGates in the Fabric. The Secure FortiGate Multiplier is determined using logarithms and the number of FortiGates in the fabric. For example, if you have four FortiGates in your fabric that all pass the Compatible Firmware check, your score for each individual FortiGate is:

(50/4) x 1.292 = 16.2 points

If a test fails on any FortiGate in your Fabric, all other FortiGates that passed the check award 0 points. For the FortiGate the test failed on, the score is calculated using this formula:

-Severity Weight x Count

Count is the number of times the check failed during the audit. For example, if two critical FortiClient vulnerabilities are discovered during the Audit, your score for that check is:

-50 x 2 = -100 points

 

For checks that do not apply, your score does not change. For example, if you have no FortiAPs in the fabric, you will receive no points for the FortiAP Firmware Versions check.
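The scoring rules above, worked through in Python as an added example (not Fortinet's code). The multiplier is passed in because the page gives only its value for four FortiGates (1.292); applying the Severity Weight definition to the failure formula (so the -50 x 2 example corresponds to a one-FortiGate fabric) and summing a device's points across checks are assumptions, and the FortiGate names are constructed.

```python
"""Per-FortiGate points for Security Fabric Audit checks (added example)."""

SEVERITY_POINTS = {"Critical": 50, "High": 25, "Medium": 10, "Low": 5}


def score_check(severity, results, multiplier=None):
    """Return {fortigate: points} for one check.

    results maps each FortiGate in the fabric to None (check does not
    apply), 0 (passed) or a positive count of failures.
    multiplier is the Secure FortiGate Multiplier. The page gives no
    formula for it, only 1.292 for four FortiGates, so the caller supplies it.
    """
    weight = SEVERITY_POINTS[severity] / len(results)  # Severity Weight
    any_failed = any(r for r in results.values())      # None and 0 are falsy
    points = {}
    for fgt, result in results.items():
        if result is None:
            points[fgt] = 0.0                  # not applicable: no change
        elif any_failed:
            # One failure anywhere zeroes the passing devices' points.
            points[fgt] = -weight * result if result else 0.0
        else:
            if multiplier is None:
                raise ValueError("multiplier required when a check passes")
            points[fgt] = weight * multiplier
    return points


def score_audit(checks, multiplier=None):
    """Sum each FortiGate's points over (severity, results) pairs.

    Adding the per-check points into one total per device is an assumption.
    """
    totals = {}
    for severity, results in checks:
        for fgt, pts in score_check(severity, results, multiplier).items():
            totals[fgt] = totals.get(fgt, 0.0) + pts
    return totals


# Constructed sample audit of a four-FortiGate fabric (hypothetical names).
FABRIC = ["FGT-root", "FGT-dc", "FGT-branch1", "FGT-branch2"]
SAMPLE_AUDIT = [
    ("Critical", {f: 0 for f in FABRIC}),     # Compatible Firmware: all pass
    ("Low", {f: None for f in FABRIC}),       # FortiAP Firmware: no FortiAPs
    ("High", {**{f: 0 for f in FABRIC}, "FGT-branch2": 1}),  # Telnet on WAN
]

if __name__ == "__main__":
    for fgt, total in score_audit(SAMPLE_AUDIT, multiplier=1.292).items():
        print(f"{fgt:12} {total:+.2f}")
```

The third sample check shows the all-or-nothing rule: one FortiGate failing the Telnet check earns the other three 0 points for it, even though they passed.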


New Dashboard Features


The FortiOS 5.6 Dashboard has a new layout with a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive; by clicking or hovering over most widgets, the user can get additional information or follow links to other pages.

Enhancements to the GUI dashboard and its widgets are:

  • Multiple dashboard support.
  • VDOM and global dashboards.
  • Updated resize control for widgets.
  • Notifications moved to the top header bar (moved existing dashboard notifications to the header and added additional ones).
  • Reorganization of Add Widget.
  • New Host Scan Summary widget.
  • New Vulnerabilities Summary widget that displays endpoint vulnerability information much like the FortiClient Enterprise Management Server (EMS) summary.
  • Multiple bug fixes.

Features that were only visible through old dashboard widgets have been placed elsewhere in the GUI:

  • Restore configuration.
  • Configuration revisions.
  • Firmware management.
  • Enabling / disabling VDOMs.
  • Changing inspection mode.
  • Changing operation mode.
  • Shutdown / restart device.
  • Changing hostname.
  • Changing system time.

The following widgets are displayed by default:

  • System Information
  • Licenses
  • FortiCloud
  • Security Fabric
  • Administrators
  • CPU
  • Memory
  • Sessions
  • Bandwidth
  • Virtual Machine (on VMs and new to FortiOS 5.6.1)

The following optional widgets are available:

  • Interface Bandwidth
  • Disk Usage
  • Security Fabric Risk
  • Advanced Threat Protection Statistics
  • Log Rate
  • Session Rate
  • Sensor Information
  • HA Status
  • Host Scan Summary
  • Vulnerabilities Summary
  • FortiView (new to FortiOS 5.6.1)

The following widgets have been removed:

  • CLI Console
  • Unit Operation
  • Alert Message Console

System Information

Licenses

Hovering over the Licenses widget will cause status information (and, where applicable, database information) on the licenses to be displayed for FortiCare Support, IPS & Application Control, AntiVirus, Web Filtering, Mobile Malware, and FortiClient. The image below shows FortiCare Support information along with the registrant’s company name and industry.

Clicking in the Licenses widget will provide you with links to other pages, such as System > FortiGuard or contract renewal pages.

FortiCloud

This widget displays FortiCloud status and provides a link to activate FortiCloud.

Security Fabric

The Security Fabric widget is documented in the Security Fabric section of the What’s New document.

Administrators

This widget allows you to view which administrators are logged in and how many sessions are active. The link directs you to a page displaying active administrator sessions.

CPU

The real-time CPU usage is displayed for different time frames.

Memory

Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays percentage of memory used along with a timestamp.

Sessions

Bandwidth

Virtual Machine

FortiOS 5.6.1 introduces a VM widget.

  • License status and type.
  • CPU allocation usage.
  • License RAM usage.
  • VMX license information (if the VM supports VMX).
  • If the VM license specifies ‘unlimited’ the progress bar is blank.
  • If the VM is in evaluation mode, it is yellow (warning style) and the dashboard shows evaluation days used.
  • Widget is shown by default in the dashboard of a FortiOS VM device.
  • Removed VM information from License widget at Global > Dashboard.
  • License info and Upload License button provided on page Global > System > FortiGuard.
  • Updated ‘Upload VM License’ page:
      • Added license RAM usage and VMX instance usage.
      • Replaced file input component.

 

FortiExplorer for iOS

A new iOS FortiExplorer app is available as of April 8, 2017.

FortiExplorer for iOS is compatible with iPhone, iPad, and iPod Touch and supports configuration via REST API and display of FortiView and other security fabric components.

You can use FortiExplorer for iOS to perform most FortiOS configuration management tasks.

Advanced features will be available with the purchase of an add-on through the App Store. These paid features include adding more than two devices and downloading firmware images from FortiCare.

With the release of FortiOS 5.6.1, FortiOS icons and colors are now exportable in the GUI shared project and FortiExplorer now uses these icons and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing a web GUI page from within the FortiExplorer iOS app).

The images below offer a preview of a few of the new FortiExplorer iOS app’s screens.

[Screenshots: FortiExplorer iOS v1.0 Device Status, Sources, Device Interfaces, and Firmware screens]

Transparent web proxy (386474)

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. While it does not have as many features as Explicit Web Proxy, the transparent proxy has the advantage that nothing needs to be done on the user’s system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy. In previous versions of FortiOS, web authentication required using the explicit proxy.

Normal FortiOS authentication is IP address based. Users are authenticated according to their IP address and access is allowed or denied based on this IP address. On networks where authentication based on IP address will not work you can use the Transparent Web proxy to apply web authentication that is based on the user’s browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiGate from the same IP address.

Using the Transparent proxy

To implement the Transparent proxy, go to System > Settings and scroll down to Operations Settings and set the inspection mode to Proxy.

Then go to System > Feature Visibility and enable Explicit Proxy.

Then go to Security Profiles > Proxy Options, edit a proxy options profile and under Web Options enable HTTP Policy Redirect.

Then go to Policy & Objects > IPv4 Policy and create or edit a policy that accepts traffic that you want to apply web authentication to. This can be a general policy that accepts many different types of traffic as long as it also accepts the web traffic that you want to apply web authentication to.

Select a Security Profile and select the Proxy Options profile that you enabled HTTP Policy Redirect for.

 

Then go to Policy & Objects > Proxy Policy and create a Transparent Proxy policy to accept the traffic that you want to apply web authentication to. Set the Proxy Type to Transparent Web. The incoming interface, outgoing interface, destination address, and schedule should either match or be a subset of the same options defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the source field.

Select other transparent policy options as required.

More about the transparent proxy

The following changes are incorporated into Transparent proxy, some of which affect Explicit Web Proxy as well.

Flat policies

The split policy feature has been removed. This will make the explicit policy more like the firewall policy.

Authentication

The new authentication design is intended to separate authentication from authorization. Authentication has been moved into a new table in the FortiOS. This leaves the authorization as the domain of the explicit proxy policy.

Previously, if authentication was to be used:

  1. The policy would be classified as an identity based policy
  2. The policy would be split to add the authentication parameters
  3. The authentication method would be selected
  4. The user/group would be configured

Now:

  1. The user/group is configured in the proxy policy
  2. A new authentication rule is added
  3. This option refers to the authentication scheme
  4. The authentication scheme has the details of the authentication method

The new authentication work flow for Transparent Proxy:

Toggle the transparent-http-policy match:

config firewall profile-protocol-options
    edit <profile ID>
        config http
            set http-policy <enable|disable>
        end
    next
end

If disabled, everything works like before. If enabled, the authentication is triggered differently.

http-policy work flow:

  • For transparent traffic, if there is a regular firewall policy match, when the Layer 7 check option is enabled, traffic will be redirected to WAD for further processing.
  • For redirected traffic, layer 7 policy (HTTP policy) will be used to determine how to do security checks.
  • If the last matching factor is down to user ID, then it will trigger a new module to handle the L7 policy user authentication.
  • Then propagate learned user information back to the system so that it can be used to match traffic for L4 policy.

New Proxy Type

There is a new subcategory of proxy in the proxy policy called Transparent Web. The old Web Proxy is now referred to as Explicit Web Proxy.

  • This is set in the firewall policy
  • It is available when the HTTP policy is enabled in the profile-protocol options for the firewall policy
  • This proxy type supports OSI layer 7 address matching.
  • This proxy type should include a source address as a parameter
  • Limitations:
      • It can be used for HTTPS traffic, if deep scanning is not used
      • It only supports SNI address matching, i.e. domain names
      • It does not support header types of address matching
      • It only supports SSO authentication methods, no active authentication methods.

IP pools support

Proxies are now supported on outgoing IP pools.

SOCKSv5

SOCKSv5 authentication is now supported for explicit proxies.

To configure:

config authentication rule
    edit <name of rule>
        set protocol socks
end

Forwarding

Proxies support URL redirect/forwarding. This allows a non-proxy forwarding server to be assigned a rule that will redirect web traffic from one URL to another, such as redirecting traffic destined for youtube.com to restrict.youtube.com.

  • A new option called “Redirect URL” has been added to the policy
  • Traffic forwarding by VIP is supported

Support for explicit proxy address objects & groups into IPv4 firewall policies

This would allow the selection of web filter policy, SSL inspection policy, and proxy policy based on source IP + destination (address|explicit proxy object|category|group of any of those). This enables things like “do full SSL interception on www.google.com, but not the rest of the Search Engines category”.

Support application service in the proxy based on HTTP requests.

The application service can be configured using the following CLI commands:

config firewall service custom
    edit <name of service>
        set explicit-proxy enable
        set app-service-type <disable|app-id|app-category>
        set app-category <application category ID, integer>
        set application <application ID, integer>
end

CLI Changes:

| Previous | New |
|---|---|
| config firewall explicit-proxy-policy | config firewall proxy-policy |
| config firewall explicit-proxy-address | config firewall proxy-address |
| config firewall explicit-proxy-addrgrp | config firewall proxy-addrgrp |

Previous:

config firewall explicit-proxy-policy
    edit <policy ID>
        set proxy web
end

New:

config firewall proxy-policy
    edit <policy ID>
        set proxy explicit-web
end

Removals:

  • “split-policy” from firewall explicit-proxy-policy.

The previous method to set up a split policy was:

config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set utm-status enable
                set users "guest"
                set profile-protocol-options "default"
            next
        end
    next
end

  • “auth relative” from firewall explicit-proxy-policy

The following attributes have been removed from firewall explicit-proxy-policy:

  • identity-based
  • ip-based
  • active-auth-method
  • sso-auth-method
  • require-tfa

Moves:

users and groups from firewall explicit-proxy-policy identity-based-policy to

config firewall proxy-policy
    edit 1
        set groups <Group name>
        set users <User name>
end

Additions:

authentication scheme

config authentication scheme
    edit <name>
        set method [ntlm|basic|digest|form|negotiate|fsso|rsso|none]
end

  • ntlm – NTLM authentication.
  • basic – Basic HTTP authentication.
  • digest – Digest HTTP authentication.
  • form – Form-based HTTP authentication.
  • negotiate – Negotiate authentication.
  • fsso – FSSO authentication.
  • rsso – RADIUS Single Sign-On authentication.
  • none – No authentication.

authentication setting

config authentication setting
    set active-auth-scheme <string>
    set sso-auth-scheme <string>
    set captive-portal <string>
    set captive-portal-port <integer value from 1 to 65535>
end

  • active-auth-scheme – Active authentication method.
  • sso-auth-scheme – SSO authentication method.
  • captive-portal – Captive portal host name.
  • captive-portal-port – Captive portal port number.

authentication rule

config authentication rule
    edit <name of rule>
        set status [enable|disable]
        set protocol [http|ftp|socks]
        set srcaddr <name of address object>
        set srcaddr6 <name of address object>
        set ip-based [enable|disable]
        set active-auth-method <string>
        set sso-auth-method <string>
        set web-auth-cookie [enable|disable]
        set transaction-based [enable|disable]
        set comments
end

  • status – Enable/disable auth rule status.
  • protocol – Set protocols to be matched.
  • srcaddr / srcaddr6 – Source address name. [srcaddr or srcaddr6 (web proxy only) must be set].
  • ip-based – Enable/disable IP-based authentication.
  • active-auth-method – Active authentication method.
  • sso-auth-method – SSO authentication method (requires ip-based enabled).
  • web-auth-cookie – Enable/disable Web authentication cookie.
  • transaction-based – Enable/disable transaction based authentication.
  • comments – Comment.
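A check for the CLI changes listed above, written as an added Python example (not FortiOS or Fortinet code): it walks a configuration backup and reports statements that still use the pre-5.6 explicit proxy syntax. The function and constant names are hypothetical, and the sample input is the split-policy block shown above.

```python
"""Flag pre-5.6 explicit proxy syntax in a FortiOS configuration backup."""

# Renames, removals and moves as listed in the CLI changes above.
RENAMED_TABLES = {
    "firewall explicit-proxy-policy": "firewall proxy-policy",
    "firewall explicit-proxy-address": "firewall proxy-address",
    "firewall explicit-proxy-addrgrp": "firewall proxy-addrgrp",
}
OLD_POLICY = "firewall explicit-proxy-policy"
SPLIT_TABLE = "identity-based-policy"
REMOVED_ATTRS = {"identity-based", "ip-based", "active-auth-method",
                 "sso-auth-method", "require-tfa"}
# Of the removed attributes, these appear in "config authentication rule".
NOW_IN_AUTH_RULE = {"ip-based", "active-auth-method", "sso-auth-method"}
MOVED_ATTRS = {"users", "groups"}


def audit_proxy_config(text):
    """Return a list of (line_number, message) findings."""
    findings = []
    stack = []  # open ("config", table) and ("edit", entry) blocks
    for line_no, raw in enumerate(text.splitlines(), 1):
        keyword, _, rest = raw.strip().partition(" ")
        rest = rest.strip()
        tables = [name for kind, name in stack if kind == "config"]
        in_old_policy = OLD_POLICY in tables
        in_split = in_old_policy and SPLIT_TABLE in tables
        if keyword == "config":
            if rest in RENAMED_TABLES:
                findings.append(
                    (line_no, f"renamed: use 'config {RENAMED_TABLES[rest]}'"))
            elif rest == SPLIT_TABLE and in_old_policy:
                findings.append(
                    (line_no, "split policy removed: flatten into the proxy policy"))
            stack.append(("config", rest))
        elif keyword == "edit":
            stack.append(("edit", rest))
        elif keyword == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif keyword == "end":
            # "end" may close an entry that was never closed with "next".
            while stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif keyword == "set" and in_old_policy:
            attr, _, value = rest.partition(" ")
            if attr == "proxy" and value.strip() == "web" and not in_split:
                findings.append((line_no, "use 'set proxy explicit-web'"))
            elif attr in NOW_IN_AUTH_RULE:
                findings.append(
                    (line_no, f"'{attr}' removed from the policy: "
                              "set it in 'config authentication rule'"))
            elif attr in REMOVED_ATTRS:
                findings.append((line_no, f"'{attr}' removed from the policy"))
            elif in_split and attr in MOVED_ATTRS:
                findings.append(
                    (line_no, f"move 'set {attr}' into 'config firewall proxy-policy'"))
    return findings


# The split-policy block from the page, used as sample input.
SAMPLE_54_CONFIG = """\
config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set utm-status enable
                set users "guest"
                set profile-protocol-options "default"
            next
        end
    next
end
"""

if __name__ == "__main__":
    for line_no, message in audit_proxy_config(SAMPLE_54_CONFIG):
        print(f"line {line_no}: {message}")
```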

NGFW Policy Mode (371602)

You can operate your FortiGate or individual VDOMs in Next Generation Firewall (NGFW) Policy Mode.

You can enable NGFW policy mode by going to System > Settings, setting the Inspection mode to Flow-based and setting the NGFW mode to Policy-based. When selecting NGFW policy-based mode you also select the SSL/SSH Inspection mode that is applied to all policies.

Flow-based inspection with profile-based NGFW mode is the default in FortiOS 5.6.

Or use the following CLI command:

config system settings
    set inspection-mode flow
    set policy-mode {standard | ngfw}
end

NGFW policy mode and NAT

If your FortiGate is operating in NAT mode, rather than enabling source NAT in individual NGFW policies you go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases you may only need one SNAT policy for each interface pair. For example, if you allow users on the internal network (connected to port1) to browse the Internet (connected to port2) you can add a port1 to port2 Central SNAT policy similar to the following:

Application control in NGFW policy mode

You configure Application Control simply by adding individual applications to security policies. You can set the action to accept or deny to allow or block the applications.

Web Filtering in NGFW mode

You configure Web Filtering by adding URL categories to security policies. You can set the action to accept or deny to allow or block the applications.

Other NGFW policy mode options

You can also combine both application control and web filtering in the same NGFW policy mode policy. If the policy accepts applications or URL categories, you can also apply Antivirus, DNS Filtering, and IPS profiles in NGFW mode policies, as well as logging and policy learning mode.

 

New FortiView Endpoint Vulnerability Scanner chart (378647)

FortiOS 5.6.0 adds a new chart to illustrate Endpoint Control events: Endpoint Vulnerability.

This is a list/bubble chart that tracks vulnerability events detected by the FortiClients running on all devices registered with the FortiGate. FortiView displays information about the vulnerability and the device on which it was detected.

Notes about the Endpoint Vulnerability Chart:

  • You can sort the list by Device or Vulnerability.
  • You can drill down into any device to see the Vulnerabilities detected. From there, you can drill down to see the exact Vulnerability Scan events that triggered the detection.
  • Select any Vulnerability Scan event to see the associated Log data.
