Support for location-based services
FortiOS supports location-based services by collecting information about WiFi devices near FortiGate-managed access points, even if the devices don’t associate with the network.
Overview
Configuring location tracking
Viewing device location data on the FortiGate unit
Overview
WiFi devices broadcast packets as they search for available networks. The FortiGate WiFi controller can collect information about the interval, duration, and signal strength of these packets. The Euclid Analytics service uses this information to track the movements of the device owner. A typical application of this technology is to analyze shopper behavior in a shopping center. Which stores do people walk past? Which window displays do they stop to look at? Which stores do they enter and how long do they spend there? The shoppers are not personally identified, each is known only by the MAC address of their WiFi device.
After enabling location tracking on the FortiGate unit, you can confirm that the feature is working by using a specialized diagnostic command to view the raw tracking data. The Euclid Analytics service obtains the same data in its proprietary format using a JSON inquiry through the FortiGate unit’s web-based manager interface.
Configuring location tracking
You can enable location tracking in any FortiAP profile, using the CLI. Location tracking is part of location-based services. Set the station-locate field to enable. For example:
config wireless-controller wtp-profile edit “FAP220B-locate” set ap-country US config platform set type 220B
end config lbs set station-locate enable
end
end
Automatic deletion of outdated presence data
The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.
The timer is one of the wireless controller timers and it can be set in the CLI. For example:
config wireless-controller timers set sta-locate-timer 1800
end
The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 seconds) because that could cause duplicate logs to be generated.
FortiPresence push REST API
When the FortiGate is located on a private IP network, the FortiPresence server cannot poll the FortiGate for information. Instead, the FortiGate must be configured to push the information to the FortiPresence server.
Enter the following command:
config wireless-controller wtp-profile edit “FP223B-GuestWiFi” config lbs set fortipresence {enable | disable} set fortipresence-server <ip-address> Default is 3000. set fortipresence-port <port> set fortipresence-secret <password> set fortipresence-project <name> set fortipresence-frequency <5-65535> Default is 30. set fortipresence-rogue {enable | disable} Enable/disable reporting of Rogue APs. set fortipresence-unassoc {enable | disable} Enable/disable reporting of unassociated devices.
end
end
Viewing device location data on the FortiGate unit
You can use the FortiGate CLI to list located devices. This is mainly useful to confirm that the location data feature is working, You can also reset device location data.
To list located devices diag wireless-controller wlac -c sta-locate
To reset device location data diag wireless-controller wlac -c sta-locate-reset
Example output
The following output shows data for three WiFi devices.
FWF60C3G11004319 # diagnose wireless-controller wlac -c sta-locate sta_mac vfid rid base_mac freq_lst frm_cnt frm_fst frm_last intv_sum intv2_sum intv3_ sum intv_min intv_max signal_sum signal2_sum signal3_sum sig_min sig_max sig_fst sig_last ap
00:0b:6b:22:82:61 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 257 708 56 651 1836 6441 0 12 -21832
1855438 -157758796 -88 -81 -84 -88 0
00:db:df:24:1a:67 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 42 1666 41 1625 97210 5831613 0 60 -3608 310072 -26658680 -90 -83 -85 -89 0
10:68:3f:50:22:29 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 102 1623 58 1565 94136 5664566 0 60 -8025 631703 -49751433 -84 -75 -78 -79 0
The output for each device appears on two lines. The first line contains only the device MAC address and the VLAN ID. The second line begins with the ID (serial number) of the FortiWiFi or FortiAP unit that detected the device, the AP’s MAC address, and then the fields that the Euclid service uses. Because of its length, this line wraps around and displays as multiple lines.