Statistics
WiFi client monitor
The following shows a simple network topology when using FortiAPs with FortiGate:
To view connected WiFi clients on the FortiGate unit, go to Monitor > WiFi Client Monitor. The following columns display:
Column | Description
--- | ---
SSID | SSID that the client connected to, such as the tunnel, bridge, or mesh.
FortiAP | Serial number of the FortiAP unit that the client connected to.
User | Username if using WPA enterprise authentication.
IP | IP address assigned to the wireless client.
Device | Wireless client device type.
Channel | FortiAP operation channel.
Auth | Authentication type used.
Channel | WiFi radio channel in use.
Bandwidth Tx/Rx | Client received and transmitted bandwidth in Kbps.
Signal Strength/Noise | Signal-to-noise ratio in decibels calculated from signal strength and noise level.
Association Time | How long the client has been connected to this AP.
Device OS | Wireless device OS.
Manufacturer | Wireless device manufacturer.
MIMO | Wireless device MIMO information.
WiFi health monitor
The following shows a simple network topology when using FortiAPs with FortiGate:
The Monitor > WiFi Health Monitor page displays the following charts:
- Active Clients: Currently active clients on each FortiAP
- AP Status: APs by status, sorted by those that have been up for over 24 hours, rebooted in the past 24 hours, and down/missing
- Channel Utilization: Lets users view the 10-20 most and least utilized channels for each AP radio and a third histogram view showing utilization counts
- Client Count: Shows client count over time. Can be viewed for the past hour, day, or 30 days.
- Login Failures: Time, SSID, hostname, and username for failed login attempts. The widget also displays the AP name and group of FortiAP units with failed login attempts.
- Top Wireless Interference: Separate widgets for 2.4 GHz and 5 GHz bands. This requires spectrum analysis to be enabled on the radios.
WiFi maps
WiFi maps allow you to place FortiAP units on a map, such as an office floor plan. This allows you to know where the FortiAPs are and get their operating statuses at a glance.
To configure WiFi maps on the FortiOS GUI:
- Create a WiFi map:
  - In FortiOS, go to WiFi & Switch Controller > WiFi Maps.
  - Click the Add Map
  - Specify the desired map name.
  - Upload the image file.
  - If desired, enable the Image grayscale
  - Set the Image opacity.
- Place the FortiAP units on the map:
  - Unlock the map by clicking the lock icon in the top left corner.
  - Click Unplaced AP(s) beside the lock icon. This displays a list of candidate APs.
  - Drag and drop the candidate FortiAPs from the list to the map as desired.
  - Once all desired FortiAPs have been placed on the map, lock the map.
- Hover the cursor over a FortiAP icon to view the operating data per FortiAP unit.
- To configure AP settings, click the FortiAP icon for that unit.
- You can show numerical operating data on the FortiAP icons such as the client count, channel, operating TX power, and channel utilization using the options in the dropdown list above the map.
To configure WiFi maps using the FortiOS CLI:
You can only upload the WiFi map image file using the FortiOS CLI.
    config wireless-controller region
        edit <MAP_NAME>
            set grayscale enable|disable
            set opacity 100 <0-100>
        next
    end

    config wireless-controller wtp
        edit <FAP_SN>
            set region <MAP_NAME>
            set region-x "0.419911" <0-1>
            set region-y "0.349466" <0-1>
        next
    end
Fortinet Security Fabric
The following shows a simple network topology when using FortiAP as part of the Security Fabric:
The Security Fabric > Settings page on the root FortiGate lists all FortiAP devices on the CSF root and leaf.
The Security Fabric > Physical Topology view on the root FortiGate shows the devices in the Security Fabric and the devices they are connected to.
Wireless security
Enabling rogue AP scan
The guide provides simple configuration instructions for enabling ap-scan on FortiAP. The steps include creating a WIDS profile and selecting the WIDS profile on the managed FortiAP.
To enable rogue AP scan on the FortiOS GUI:
- Create a WIDS profile:
  - In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
  - Enable Enable Rogue AP Detection.
  - Complete the configuration, then click OK.
- Select the WIDS profile for the managed FortiAP:
  - Go to WiFi & Switch Controller > FortiAP Profiles.
  - Select the FortiAP profile applied to the managed FortiAP, then click Edit.
  - Enable WIDS Profile. Select the profile created in step 1. Click OK.
To enable rogue AP scan using the FortiOS CLI:
- Create a WIDS profile:

    config wireless-controller wids-profile
        edit "example-wids-profile"
            set ap-scan enable
        next
    end

- Select the WIDS profile for the managed FortiAP:

    config wireless-controller wtp-profile
        edit "example-FAP-profile"
            config platform
                set type <FAP-model-number>
            end
            set handoff-sta-thresh 55
            set ap-country US
            config radio-1
                set band 802.11n
                set wids-profile "example-wids-profile"
                set vap-all disable
            end
            config radio-2
                set band 802.11ac
                set vap-all disable
            end
        next
    end
Enabling rogue AP suppression
The guide provides simple configuration instructions for suppressing rogue APs on FortiAP. The steps include creating a WIDS profile and suppressing rogue APs.
To enable rogue AP suppression on the FortiOS GUI:
- Create a WIDS profile:
  - In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
  - For Sensor Mode, select Foreign and Home Channels.
  - Enable Enable Rogue AP Detection.
  - Complete the configuration, then click OK.
- Select the WIDS profile for the managed FortiAP. The monitoring radio must be in Dedicated Monitor mode:
  - Go to WiFi & Switch Controller > FortiAP Profiles.
  - Select the FortiAP profile applied to the managed FortiAP, then click Edit.
  - Select Dedicated Monitor on Radio 1 or Radio 2.
  - Enable WIDS Profile. Select the profile created in step 1. Click OK.
- Suppress FortiAP:
  - Go to Monitor > Rogue AP Monitor.
  - Right-click the desired SSID, then select Mark as Rogue.
  - Right-click the SSID again, then select Suppress AP.
To enable rogue AP suppression using the FortiOS CLI:
- Create a WIDS profile:

    config wireless-controller wids-profile
        edit "example-wids-profile"
            set sensor-mode both
            set ap-scan enable
        next
    end

- Select the WIDS profile for the managed FortiAP:

    config wireless-controller wtp-profile
        edit "example-FAP-profile"
            config platform
                set type <FAP-model-number>
            end
            config radio-1
                set mode monitor
                set wids-profile "example-wids-profile"
            end
        next
    end

- Suppress FortiAP:

    config wireless-controller ap-status
        edit 1
            set bssid 90:6c:ac:da:a7:f1
            set ssid "example-SSID"
            set status suppressed
        next
    end
Wireless Intrusion Detection System
The guide provides simple configuration instructions for enabling a Wireless Intrusion Detection System (WIDS) profile on FortiAP.
To enable a WIDS profile on the FortiOS GUI:
- Create a WIDS profile:
  - In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
  - In the Name field, enter the desired name.
  - Under Intrusion Detection Settings, enable all intrusion types as desired.
  - Complete the configuration, then click OK.
- Select the WIDS profile for the managed FortiAP:
  - Go to WiFi & Switch Controller > FortiAP Profiles.
  - Select the FortiAP profile applied to the managed FortiAP, then click Edit.
  - Enable WIDS Profile. Select the profile created in step 1. Click OK.
To enable a WIDS profile using the FortiOS CLI:
    config wireless-controller wtp-profile
        edit "example-FAP-profile"
            config platform
                set type <FAP-model-number>
            end
            set handoff-sta-thresh 55
            set ap-country US
            config radio-1
                set band 802.11n
                set wids-profile "example-wids-profile"
                set vap-all disable
            end
            config radio-2
                set band 802.11ac
                set wids-profile "example-wids-profile"
                set vap-all disable
            end
        next
    end