Configure Controller Parameters From the CLI
Reset System and System Passwords from the CLI
The passwords for the system users “admin” and “guest” can be reset to their default values during a system boot. When the controller displays the “accepting reset request” prompt, type pass to reset the passwords.
To reset the settings for the entire system to their default values, type reset at the reset system values prompt.
Limit Wireless Client Access to the Controller From the CLI
Administrators who want to block wireless clients from reaching the controller management utilities can do so with the no management wireless command. When wireless management access is blocked, all packets sent to the controller by wireless clients are dropped except those used for Captive Portal.
To remove wireless access to the controller, enter the command:
controller(config)# no management wireless
To check the management status, use the show controller command. The line near the bottom of the output, Management by wireless stations :, shows either on or off.
mc3200# show controller
Global Controller Parameters
Controller ID : 1
Description : controller
Host Name : MC3200
Uptime : 05d:17h:10m:59s
Location :
Contact :
Operational State : Enabled
Availability Status : Online
Alarm State : Major
Automatic AP Upgrade : on
Virtual IP Address : 172.29.0.137
Virtual Netmask : 255.255.192.0
Default Gateway : 172.29.0.1
DHCP Server : 10.0.0.240
Statistics Polling Period (seconds)/0 disable Polling : 60
Audit Polling Period (seconds)/0 disable Polling : 60
Software Version : 6.0.SR1‐4
Network Device Id : 00:90:0b:23:2e:d3
System Id : 08659559054A
Default AP Init Script :
DHCP Relay Passthrough : on
Controller Model : MC3200
Region Setting : Unknown
Country Setting : United States Of America
Manufacturing Serial # : 4911MC32009025
Management by wireless stations : on
Controller Index : 0
FastPath Mode : on
Bonding Mode : single
Station Aging Out Period(minutes) : 2
Roaming Domain State : disable
Layer3 Routing Mode : off
To re-enable access to wireless clients, use the management wireless command:
controller(config)# management wireless
Limit Wired Client Access to the Controller With QoS Rules
To control access to the controller from wired network devices, you can configure rule-based IP ACL lists using the qosrules command. This section provides qosrule examples for several types of configurations.
The following is an example that blocks management access (on TCP and UDP) to the controller (at 192.168.1.2) for all devices except the host at 192.168.1.7. Notice that match tags are enabled when srcip, dstip, srcport, dstport, netprotocol, or packet min-length is configured for a rule.
Allow the host 192.168.1.7 to access the controller with TCP/UDP:
controller(config)# qosrule 20 netprotocol 6 qosprotocol none
controller(config‐qosrule)# netprotocol‐match
controller(config‐qosrule)# srcip 192.168.1.7
controller(config‐qosrule)# srcip‐match
controller(config‐qosrule)# srcmask 255.255.255.255
controller(config‐qosrule)# dstip 192.168.1.2
controller(config‐qosrule)# dstip‐match
controller(config‐qosrule)# dstmask 255.255.255.255
controller(config‐qosrule)# action forward
controller(config‐qosrule)# end
controller(config)# qosrule 21 netprotocol 17 qosprotocol none
controller(config‐qosrule)# netprotocol‐match
controller(config‐qosrule)# srcip 192.168.1.7
controller(config‐qosrule)# srcip‐match
controller(config‐qosrule)# srcmask 255.255.255.255
controller(config‐qosrule)# dstip 192.168.1.2
controller(config‐qosrule)# dstip‐match
controller(config‐qosrule)# dstmask 255.255.255.255
controller(config‐qosrule)# action forward
controller(config‐qosrule)# end
The following qosrules allow wireless clients to access the controller on TCP ports 8080/8081 when the Captive Portal feature is used.
controller(config)# qosrule 22 netprotocol 6 qosprotocol none
controller(config‐qosrule)# netprotocol‐match
controller(config‐qosrule)# srcip <subnet of wireless clients>
controller(config‐qosrule)# srcip‐match
controller(config‐qosrule)# srcmask <netmask of wireless clients>
controller(config‐qosrule)# dstport‐match on
controller(config‐qosrule)# dstip 192.168.1.2
controller(config‐qosrule)# dstip‐match
controller(config‐qosrule)# dstmask 255.255.255.255
controller(config‐qosrule)# dstport 8080
controller(config‐qosrule)# action forward
controller(config‐qosrule)# end
controller(config)# qosrule 23 netprotocol 6 qosprotocol none
controller(config‐qosrule)# netprotocol‐match
controller(config‐qosrule)# srcip <subnet of wireless clients>
controller(config‐qosrule)# srcmask <netmask of wireless clients>
controller(config‐qosrule)# dstport‐match on
controller(config‐qosrule)# dstip 192.168.1.2
controller(config‐qosrule)# dstip‐match
controller(config‐qosrule)# dstmask 255.255.255.255
controller(config‐qosrule)# dstport 8081
controller(config‐qosrule)# action forward
controller(config‐qosrule)# end
The following qosrules block all hosts from accessing the controller using TCP/UDP.
controller(config)# qosrule 24 netprotocol 6 qosprotocol none
controller(config‐qosrule)# netprotocol‐match
controller(config‐qosrule)# dstip 192.168.1.2
controller(config‐qosrule)# dstip‐match
controller(config‐qosrule)# dstmask 255.255.255.255
controller(config‐qosrule)# action drop
controller(config‐qosrule)# end
controller(config)# qosrule 25 netprotocol 17 qosprotocol none
controller(config‐qosrule)# dstip 192.168.1.2
controller(config‐qosrule)# dstip‐match
controller(config‐qosrule)# dstmask 255.255.255.255
controller(config‐qosrule)# action drop
controller(config‐qosrule)# end
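To make the behaviour of the six qosrules above concrete, here is an added Python model of the rule set evaluated against constructed packets. It is illustration code written for this page, not the controller's own implementation or anything from Fortinet, and it rests on labelled assumptions: rules are evaluated in ascending rule number, the first matching rule decides, a packet matching no rule is forwarded, and 172.16.5.0/24 is a placeholder for the "<subnet of wireless clients>" the page leaves open. The 192.168.1.2 controller address and 192.168.1.7 management host are the page's own values.

```python
"""Constructed model of the qosrule ACL shown in this section (not Fortinet code).

Assumptions (not stated on the page): rules are tried in ascending rule number,
the first match wins, and a packet that matches no rule is forwarded.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

TCP, UDP = 6, 17                       # netprotocol values used on the page
CONTROLLER_IP = "192.168.1.2"          # controller address from the page
ADMIN_HOST = "192.168.1.7"             # permitted management host from the page
WIFI_SUBNET, WIFI_MASK = "172.16.5.0", "255.255.255.0"   # constructed placeholder


def _in_subnet(addr: str, net: Optional[str], mask: str) -> bool:
    """True when addr & mask == net & mask; an unset net is a wildcard."""
    if net is None:
        return True
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(net)) & m)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class QosRule:
    rule_id: int
    action: str                          # "forward" or "drop"
    netprotocol: Optional[int] = None    # 6 = TCP, 17 = UDP, None = any protocol
    srcip: Optional[str] = None
    srcmask: str = "255.255.255.255"
    dstip: Optional[str] = None
    dstmask: str = "255.255.255.255"
    dstport: Optional[int] = None        # None = any destination port

    def matches(self, p: Packet) -> bool:
        # Every configured field acts as a match tag; unset fields match anything.
        return ((self.netprotocol is None or self.netprotocol == p.proto)
                and _in_subnet(p.src, self.srcip, self.srcmask)
                and _in_subnet(p.dst, self.dstip, self.dstmask)
                and (self.dstport is None or self.dstport == p.dport))


def evaluate(rules: List[QosRule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id) of the first matching rule, or ("forward", None)."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.matches(p):
            return r.action, r.rule_id
    return "forward", None               # assumed default when nothing matches


# The page's rules 20-25, transcribed into the model above.
PAGE_RULES = [
    QosRule(20, "forward", TCP, srcip=ADMIN_HOST, dstip=CONTROLLER_IP),
    QosRule(21, "forward", UDP, srcip=ADMIN_HOST, dstip=CONTROLLER_IP),
    QosRule(22, "forward", TCP, srcip=WIFI_SUBNET, srcmask=WIFI_MASK,
            dstip=CONTROLLER_IP, dstport=8080),
    QosRule(23, "forward", TCP, srcip=WIFI_SUBNET, srcmask=WIFI_MASK,
            dstip=CONTROLLER_IP, dstport=8081),
    QosRule(24, "drop", TCP, dstip=CONTROLLER_IP),
    QosRule(25, "drop", UDP, dstip=CONTROLLER_IP),
]


def renumber(rules: List[QosRule], mapping: Dict[int, int]) -> List[QosRule]:
    """Copy of a rule set with some rule numbers changed (shows why order matters)."""
    return [replace(r, rule_id=mapping.get(r.rule_id, r.rule_id)) for r in rules]


if __name__ == "__main__":
    samples = [
        Packet(ADMIN_HOST, CONTROLLER_IP, TCP, 22),      # admin host, TCP
        Packet("192.168.1.50", CONTROLLER_IP, TCP, 22),  # other wired host, TCP
        Packet("172.16.5.20", CONTROLLER_IP, TCP, 8080), # wireless client, portal
        Packet("172.16.5.20", CONTROLLER_IP, TCP, 443),  # wireless client, HTTPS
        Packet("192.168.1.50", CONTROLLER_IP, 1, 0),     # ICMP: no rule covers it
    ]
    for p in samples:
        print(p, "->", evaluate(PAGE_RULES, p))
    # Placing the drop rules ahead of the allow rules locks out the admin host.
    print("drops first:", evaluate(renumber(PAGE_RULES, {24: 10, 25: 11}), samples[0]))
```

Two points the model makes visible: the allow rules only work because their numbers sort ahead of the drop rules (renumbering 24/25 below 20 silently drops the management host as well), and the page's rules 24/25 only cover TCP and UDP, so traffic of any other IP protocol to the controller address falls through to the default.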
Configuring UDP Broadcast From the CLI
You can enable all UDP ports at once with the CLI commands for upstream and downstream traffic. Fortinet does not recommend that you enable this feature on a production network because it could cause broadcast storms and resulting network outages. This feature is provided for testing purposes only.
You need to assign each ESS (see the chapter “Configuring an ESS.”) to a specific VLAN (see the chapter “Configuring VLANs.”) before enabling all UDP broadcast ports. Having multiple ESSs in the default VLAN and enabling all UDP broadcast ports does not work.
To configure UDP broadcast upstream/downstream for all ports, use these two CLI commands:
default# configure terminal
default(config)# ip udp‐broadcast upstream all‐ports selected
default(config)# ip udp‐broadcast downstream all‐ports on
default(config)# end
To display configured UDP broadcast upstream/downstream for all ports, use these two CLI commands:
default# show ip udp‐broadcast upstream all‐ports
Upstream UDP Broadcast All Ports
UDP All Ports : on
default#
default# show ip udp‐broadcast downstream all‐ports
Downstream UDP Broadcast All Ports
UDP All Ports : selected
default#
To view the currently configured broadcast ports for either upstream or downstream, use show ip udp-broadcast [downstream/downstream-bridged/upstream/upstream-bridged].
Configure Time Services From the CLI
We recommend that you configure controllers to synchronize their system clock with a Network Time Protocol (NTP) server. This ensures the system time is accurate and standardized with other systems. Accurate and standardized system time is important for alarms, traces, syslog, and applications such as cryptography that use timestamps as a parameter for key management and lifetime control. An accurate clock is also necessary for intrusion detection, isolation and logging, as well as network monitoring, measurement, and control.
During the initial system configuration, the setup script prompts for an IP address of an NTP server. If you do not supply an IP address of an NTP server at that time, or if you wish to change an assigned server at a later time, you can use the ntp server followed by the ntp sync commands.
- To set up automatic periodic synchronizing with the configured NTP server, use the command start-ntp.
There are several NTP servers that can be designated as the time server. The site www.ntp.org provides a list of servers that can be used.
To set a server as an NTP server, use the command:
ntp server ip-address
where ip-address is the IP address of the NTP server providing clock synchronization.
Configure a Controller Index with the CLI
To configure a controller index from the CLI, use the following commands:
ramecntrl(0)# configure terminal
ramecntrl(0)(config)# controller‐index 22
ramecntrl(0)(config)# exit
Note that changing the index causes a controller to reboot.