WiFi

Assignment by FortiAP Group

In this example, VLAN 101, 102, or 103 is assigned depending on the AP’s FortiAP Group.

    config wireless-controller vap
        edit wlan
            set vlan-pooling wtp-group
            config vlan-pool
                edit 101
                    set wtp-group wtpgrp1
                next
                edit 102
                    set wtp-group wtpgrp2
                next
                edit 103
                    set wtp-group wtpgrp3
                end
        end
    end

Load Balancing

The vlan-pooling type can be either of these:

  • round-robin – from the VLAN pool, choose the VLAN with the smallest number of clients
  • hash – choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used. In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

    config wireless-controller vap
        edit wlan
            set vlan-pooling round-robin
            config vlan-pool
                edit 101
                next
                edit 102
                next
                edit 103
                end
        end
    end
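The following Python model is an added example, not FortiOS code, covering both the FortiAP Group and the load-balancing pooling modes above. It applies the selection rules exactly as the page words them (group match, least-loaded VLAN, and the fallback to the SSID's static VLAN when the pool holds no valid ID). FortiOS does not document its hash function here, so the ``hash`` branch uses a placeholder (client count modulo pool size); the VLAN IDs, group names and client counts are constructed sample values.

```python
"""Model of the three VLAN-pooling modes described on the page.
Added example, not FortiOS code; the hash branch is a placeholder."""

from collections import Counter

STATIC_VLAN = 100  # assumed SSID static VLAN, used when the pool has no valid ID


def assign_vlan(mode, pool, clients, ap_group=None):
    """Return the VLAN ID given to a newly associating client.

    mode     -- "wtp-group", "round-robin" or "hash"
    pool     -- {vlan_id: ap_group_or_None}; IDs outside 1..4094 are treated
                as invalid and skipped
    clients  -- VLAN IDs already assigned to the SSID's current clients
    ap_group -- FortiAP Group of the client's AP (used by wtp-group mode)
    """
    valid = {v: g for v, g in pool.items() if 1 <= v <= 4094}
    if mode == "wtp-group":
        valid = {v: g for v, g in valid.items() if g == ap_group}
    if not valid:
        return STATIC_VLAN  # fallback the page describes
    ids = sorted(valid)
    if mode == "wtp-group":
        return ids[0]
    if mode == "round-robin":
        # the page defines round-robin as "the VLAN with the smallest number of clients"
        load = Counter(clients)
        return min(ids, key=lambda v: (load[v], v))
    if mode == "hash":
        # placeholder for the undocumented FortiOS hash of (client count, pool size)
        return ids[len(clients) % len(ids)]
    raise ValueError(f"unknown vlan-pooling mode {mode!r}")


def simulate(mode, pool, n_clients, ap_group=None):
    """Associate n_clients one after another; return {vlan_id: client count}."""
    clients = []
    for _ in range(n_clients):
        clients.append(assign_vlan(mode, pool, clients, ap_group))
    return dict(Counter(clients))


if __name__ == "__main__":
    grouped = {101: "wtpgrp1", 102: "wtpgrp2", 103: "wtpgrp3"}  # constructed
    flat = {101: None, 102: None, 103: None}
    print("wtp-group, AP in wtpgrp2:", simulate("wtp-group", grouped, 5, "wtpgrp2"))
    print("round-robin:", simulate("round-robin", flat, 7))
    print("hash (placeholder):", simulate("hash", flat, 7))
    print("no valid ID in pool:", simulate("round-robin", {5000: None}, 2))
```

Running it shows why the round-robin mode spreads clients evenly (7 clients land as 3/2/2 across the three VLANs) and that an AP whose group matches no pool entry, or a pool containing only invalid IDs, falls back to the static VLAN.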

Option to disable automatic registration of unknown FortiAPs (272368)

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator’s authorization. Optionally, you can disable this automatic registration function. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface. Disable automatic registration in the CLI like this:

    config system interface
        edit port15
            set ap-discover disable
        end

Automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually. This feature is available only on network interfaces designated as Dedicated to Extension Device.

 

To enable automatic authorization on all dedicated interfaces

    config system global
        set auto-auth-extension-device enable
    end

To enable automatic authorization per-interface

    config system interface
        edit port15
            set auto-auth-extension-device enable
        end

In the GUI, the Automatically authorize devices option is available when Addressing Mode is set to Dedicated to Extension Device.

Control WIDS client deauthentication rate for DoS attack (285674 278771)

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A new WIDS Profile option in the CLI limits the deauthentication rate.

    config wireless-controller wids-profile
        edit default
            set deauth-unknown-src-thresh 10
        end

The range is 1 to 65,535 deauthentications per second. 0 means no limit. The default is 10.
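As an added example (not FortiOS code), the per-second cap below models what deauth-unknown-src-thresh does: deauthentication frames to unknown sources are counted per wall-clock second and anything over the threshold is suppressed, while frames from known clients are never touched. The burst of unknown MACs and the legitimate client address are constructed sample data; the class and method names are this example's own.

```python
"""Per-second cap on WIDS deauthentication frames, modelling the
deauth-unknown-src-thresh setting.  Added example, not FortiOS code."""

import math


class DeauthLimiter:
    def __init__(self, thresh=10):
        # same value range as the CLI option: 0 = no limit, otherwise 1..65535
        if not 0 <= thresh <= 65535:
            raise ValueError("threshold must be 0 (no limit) or 1..65535")
        self.thresh = thresh
        self._window = None   # current one-second window
        self._sent = 0        # deauths already sent in that window

    def handle(self, timestamp, src, known_clients):
        """Decide what happens to one frame from src.

        Returns "pass" for a known client, "deauth" when a deauthentication
        is sent, or "suppressed" when this second's cap is already reached.
        """
        if src in known_clients:
            return "pass"
        window = math.floor(timestamp)
        if window != self._window:
            self._window, self._sent = window, 0
        if self.thresh and self._sent >= self.thresh:
            return "suppressed"
        self._sent += 1
        return "deauth"


def run(frames, known_clients, thresh):
    """Feed (timestamp, src_mac) frames through a limiter; return outcome counts."""
    limiter = DeauthLimiter(thresh)
    counts = {"pass": 0, "deauth": 0, "suppressed": 0}
    for ts, src in frames:
        counts[limiter.handle(ts, src, known_clients)] += 1
    return counts


def sample_frames():
    """Constructed traffic: 50 unknown sources in second 0, 5 more in second 1,
    with 10 frames from one legitimate client mixed in."""
    frames = [(i * 0.01, f"02:00:00:00:00:{i:02x}") for i in range(50)]
    frames += [(1.0 + i * 0.1, f"02:00:00:00:01:{i:02x}") for i in range(5)]
    frames += [(0.5 + i * 0.05, "aa:bb:cc:dd:ee:ff") for i in range(10)]
    return sorted(frames)


KNOWN = {"aa:bb:cc:dd:ee:ff"}  # constructed: the one authorised client

if __name__ == "__main__":
    print("threshold 10:", run(sample_frames(), KNOWN, 10))
    print("threshold 0 (no limit):", run(sample_frames(), KNOWN, 0))
```

With the default of 10, the 55-frame flood produces only 15 deauthentications (10 in the first second, 5 in the next) and the other 40 are suppressed, so the controller's effort is bounded no matter how many spoofed sources appear; with 0 every unknown source is answered.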

Prevent DHCP starvation (285521)

The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from depleting the DHCP address pool by making multiple requests. Add this option as follows:

    config wireless-controller vap
        edit "wifi"
            append broadcast-suppression dhcp-starvation
        end

Prevent ARP Poisoning (285674)

The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from spoofing ARP messages. Add this option as follows:

    config wireless-controller vap
        edit "wifi"
            append broadcast-suppression arp-poison
        end
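The two suppression options above guard against DHCP starvation and ARP spoofing. The checks below are an added example, not FortiOS's implementation of either option: they show what such a guard has to look at on the wireless side, a client that floods DISCOVERs or rotates its DHCP client hardware address, and an ARP sender that claims an IP bound to another MAC or whose ARP sender MAC differs from the frame's source. All MACs, IPs, frames and the thresholds are constructed for this example.

```python
"""Detection checks for DHCP starvation and ARP spoofing over sample
frames.  Added example; not FortiOS's implementation of the options."""

from collections import defaultdict

DISCOVER_LIMIT = 5   # assumed cap on DHCP DISCOVERs per source MAC per window
WINDOW_SECONDS = 10


def dhcp_starvation_check(frames):
    """frames: (timestamp, frame_src_mac, chaddr, dhcp_msg_type).

    A starving client floods DISCOVERs or changes the DHCP chaddr on each
    request so every one draws a fresh lease.  Returns {src_mac: reason}.
    """
    per_src = defaultdict(list)
    for ts, src, chaddr, mtype in frames:
        if mtype == "DISCOVER":
            per_src[src].append((ts, chaddr))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        times = [ts for ts, _ in events]
        for i, ts in enumerate(times):
            # DISCOVERs in the window that ends at this frame
            start = ts - WINDOW_SECONDS
            if sum(1 for t in times[: i + 1] if t > start) > DISCOVER_LIMIT:
                flagged[src] = "discover rate"
                break
        if src not in flagged and any(chaddr != src for _, chaddr in events):
            flagged[src] = "chaddr differs from frame source"
    return flagged


def arp_poison_check(bindings, arp_frames):
    """bindings: {ip: mac} learned from DHCP ACKs plus static entries.
    arp_frames: (frame_src_mac, sender_ip, sender_mac).
    Returns (src, ip, reason) for frames that claim an IP bound to another
    MAC or whose ARP sender MAC does not match the frame source."""
    bad = []
    for src, ip, sender_mac in arp_frames:
        if sender_mac != src:
            bad.append((src, ip, "sender MAC differs from frame source"))
        elif ip in bindings and bindings[ip] != sender_mac:
            bad.append((src, ip, f"IP is bound to {bindings[ip]}"))
    return bad


# constructed sample traffic
LEGIT = "aa:bb:cc:00:00:01"
FLOODER = "aa:bb:cc:00:00:99"
ROTATOR = "aa:bb:cc:00:00:77"
DHCP_FRAMES = [(0.0, LEGIT, LEGIT, "DISCOVER"), (0.5, LEGIT, LEGIT, "REQUEST")]
DHCP_FRAMES += [(1.0 + i * 0.2, FLOODER, FLOODER, "DISCOVER") for i in range(8)]
DHCP_FRAMES += [(2.0 + i, ROTATOR, f"de:ad:be:ef:00:{i:02x}", "DISCOVER") for i in range(2)]

BINDINGS = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.20": LEGIT}
ARP_FRAMES = [
    (LEGIT, "10.0.0.20", LEGIT),                      # genuine announcement
    (FLOODER, "10.0.0.1", FLOODER),                   # claims the gateway's IP
    (FLOODER, "10.0.0.50", "00:00:00:00:00:55"),      # forged ARP sender MAC
]

if __name__ == "__main__":
    print(dhcp_starvation_check(DHCP_FRAMES))
    for entry in arp_poison_check(BINDINGS, ARP_FRAMES):
        print(entry)
```

The binding table is the important design choice: ARP claims can only be judged against something the network already trusts, which is why the DHCP lease state (the same state the starvation option protects) is the natural source for it.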
