Chapter 20 – Managing a FortiSwitch with a FortiGate

Configuration Steps

Configuration consists of the following major steps:

1. Configure “auto-discovery-fortilink enable” on the FortiSwitch ports that you will connect to FGT2. This step is not required if the port is auto-fortilink by default.

2. Add cable connections from FGT2 to the directly-connected FortiSwitches (exact duplicate of FGT1 to the FortiSwitches)

3. Connect HA cables between FGT1 and FGT2

4. At FGT1: configure FortiGate High Availability using the GUI. For additional information, refer to the High Availability chapter in the FortiOS Handbook.

5. At FGT2: Configure FortiGate High Availability using the CLI from the console port. The following parameters must be identical to FGT1:

  • HA-mode
  • Priority
  • Group Name and Password

6. At this point, the FGT1 synchronizes with FGT2. This takes several minutes.

7. Verify the configuration at FGT2 using the following commands:

get ha status

get system ha status

 

Adding a Switch to Existing HA FortiGates (single FortiLinks)

Connect one FortiSwitch port to each of the FortiGate units. On FGT1, follow the same FortiLink configuration steps as for the non-HA configuration. FGT1 synchronizes the configuration with FGT2.

 

Configuration Steps

1. Configure two FortiSwitch ports as “auto-discovery-fortilink enable”. This step is not required for any port is auto- fortilink by default.

2. Connect one port to FGT1 and the other port to FGT2.

– The FGT1 and FGT2 port numbers must be identical For example:

– FortiSwitch port21 and port22 connect to FGT1 port4 and FGT2 port4

3. At FGT1, perform the steps to configure FortiLink (as described in FortiLink Configuration):

a. Change an internal port to be the FortiLink port

b. Authorize the FortiSwitch

4. At FGT2, run the command “get switch-controller managed-switch” to verify that the FGT1 configuration was synchronized successfully

 

Adding a Switch to Existing FGT HA setup (Fortilink LAGs)

In this configuration, connect two FortiSwitch ports to each FortiGate unit. Enter the configuration commands on FGT1 (same commands as for the non-HA configuration). The HA feature synchronizes the configuration to FGT2.

 

Configuration Steps

1. Configure four FortiSwitch ports as “auto-discovery-fortilink enable”. This step is not required for any port is auto- fortilink by default.

2. Connect two ports to FGT1 and the other ports to FGT2

– the FGT1 and FGT2 port numbers must be the same. For example:

– FortiSwitch port21 and port22 connect to FGT1 port4 and port5 and FortiSwitch port23 and port24 connect to

FGT2 port4 and port5

3. At FGT1, configure the Fortilink LAG (as described in FortiLink Configuration):

a. Create the FortiLink LAG interface and add the physical ports as members

b. Authorize the FortiSwitch

4. At FGT2, run command “get switch-controller managed-switch” to verify that the FGT1 configuration was synchronized successfully

 

(Optional) Test the HA Capability

Warning: the following is a destructive test that simulates a FortiGate failure. You should conduct this test only in a lab or test network, not in a production network:

1. Disconnect power from FGT1 to simulate failure

2. From the FGT2 UI:

Check Wifi and Switch Controller > Managed FortiSwitch

3. FortiSwitch is now visible from the management interface on FGT2

 

Optional Setup Tasks

This section describes the following tasks:

  • Configuring FortiSwitch Management Port
  • Converting to FortiSwitch Standalone Mode

 

Configuring FortiSwitch Management Port

If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

 

Using the FortiSwitch Web-based Manager

1. Go to Routing

2. Under Static Routes, click Create New

3. Enter the following fields in the New Static Route form:

a. Destination: enter a subnetwork and mask b. Device: select the management interface c.  Gateway: enter the gateway IP address

 

Using the FortiSwitch CLI

Enter the following commands:

config router static edit 1

set device mgmt

set gateway <router IP address>

set dst <router subnet> <subnet mask>

end end

In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:

config router static edit 1

set device mgmt

set gateway 192.168.0.10

set dst 192.168.0.0 255.255.0.0 end

end

 

Converting to FortiSwitch Standalone Mode

If a FortiSwitch is operating in managed mode, follow these instructions to convert it to standalone mode.

1. From the switch CLI:

config system global

set mgmt-mode local end

NOTE: FortiSwitch will reboot when you issue the above command.

2. From the FortiGate, use the web-based manager or CLI to perform the following commands before the switch reboot has completed:

 

Using the Web-based manager

a. Navigate to WiFi & Switch Controller > Managed FortiSwitch.

b. Right-click on the switch and select Deauthorize.

 

Using the CLI

config switch-controller managed-switch edit <switch-id>

set fsw-wan1-admin disable end

end

 

VLAN Configuration

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic (traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs).

From the FortiGate, you can centrally configure and manage VLANs for the managed FortiSwitches.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in Fortilink mode. The switch supports up to 1023 user-defined VLANs. The user can assign a VLAN number (in the range 1-4095) to each of the VLANs.

You can configure the default VLAN for each port. You can also configure a set of allowed VLANs for each port.

 

FortiSwitch VLANs Display

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

The following figure shows the VLAN page:

Each entry in the VLAN list displays the following information:

  • Name – name of the VLAN
  • VLAN ID – the VLAN number.
  • IP/Netmask – Address and mask of the subnetwork that corresponds to this VLAN
  • Access
  • Ref – how many interfaces reference this VLAN.

 

Creating VLANs

Setting up a VLAN requires:

  • Creating the VLAN.
  • Assigning FortiSwitch ports to the VLAN.

 

Using the web-based manager

Creating the VLAN

1. Go to WiFi & Switch Controller > FortiSwitch VLANs and select Create New. Change the following settings:

Interface Name             VLAN name

VLAN ID                        Enter a number (1-4094)

Color                             Choose a unique color for each VLAN, for ease of visual display.

IP/Network Mask         IP address and network mask for this VLAN.

1. Enable DHCP Server. Set the IP range.

2. Select OK.

 

Assigning FortiSwitch Ports to the VLAN

1. Go to WiFi & Switch Controller > FortiSwitch Ports

2. Click the rows for ports to select them.

3. Right-click and select Assign VLANS > Native VLAN. Select a VLAN from the list.

The selected ports on the FortiSwitch have now been assigned to the selected VLAN.

4. Right-click and select Assign VLANS > Allowed VLANs .

5. In the dialog box, select an allowed VLAN. Click the + icon to add another allowed VLAN.

The allowed VLANs have now been assigned to the selected ports.

 

Using the CLI

1. Create the marketing VLAN.

config switch-controller vlan edit <vlan name>

set vlanid <1-4094>

set color <1-32>

end

2. Set the VLAN’s IP address.

config system interface edit <vlan name>

set ip <IP address> <Network mask>

end

3. Enable a DHCP Server.

config system dhcp server edit 1

set default-gateway <IP address>

set dns-service default set interface <vlan name>

config ip-range

set start-ip <IP address>

set end-ip <IP address>

end

set netmask <Network mask>

end

4. Assign ports to the VLAN.

config switch-controller managed-switch edit <Switch ID>

config ports

edit <port name>

end

set vlan <vlan name>

set allowed-vlans <vlan name>

next end

 

 

FortiSwitch POE Configuration

You can configure the FortiSwitch POE settings from the FortiGate using the FortiGate web-based manager or CLI commands.

 

FortiSwitch Ports Display

The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 108D-POE:

The switch faceplate displays:

  • the active ports (green)
  • the POE-enabled ports (blue rectangle)
  • the FortiLink port (link icon)

The POE Status displays the total power budget, and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports). See the following figures:

Each entry in the port list displays the following information:

  • Port status (red for down, green for up)
  • Port name
  • Native VLAN
  • Allowed VLANs
  • POE status

 

Configuring Ports Using the Web Manager

You can use the web manager to enable or disable POE on a port.

 

Enable or Disable POE on a port

Follow these instructions to configure POE on a port:

1. Navigate to WiFi & Switch Controller > FortiSwitch Ports

2. Click on a row to select the port.

3. Right-click the row, select POE and select Enable POE or Disable POE

Note: when you select a row in the port table, you can also use the Assign VLANs and PoE menus (located just below the page banner), instead of the right-click menu, to configure the values.

 

Configuring Ports Using the CLI

The following port CLI commands are available:

  • Set port speed.
  • Set port admin status
  • Configure vlan on the port
  • Enable or Disable the POE power on a per-port basis (available starting in FortiSwitchOS 3.3.0)

 

Port commands

config switch-controller managed-switch edit <switch>

config ports edit <port>

speed <speed> status {down | up} vlan <vlan_id>

poe-status {enable | disable}

 

POE commands

The following POE CLI commands are available starting in FortiSwitchOS 3.3.0:

  • lReset any POE port (by toggling the power OFF and then ON)
  • Display general POE status

 

Reset any POE port (by toggling the power OFF and then ON)

execute switch-controller poe-reset <fortiswitch-id> <port>

 

 

Display general POE status

get switch-controller <fortiswitch-id> <port>

The following example displays the POE status for port 6 on the specified switch:

 

# get switch-controller poe FS108D3W14000967 port6

Port(6) Power:3.90W, Power-Status: Delivering Power

Power-Up Mode: Normal Mode

Remote Power Device Type: IEEE802.3AT PD Power Class: 4

Defined Max Power: 30.0W, Priority:3

Voltage: 54.00V Current: 78mA

 

Troubleshooting

If the FortiGate does not establish the Fortilink connection with the switch, perform the following troubleshooting checks.

 

Troubleshooting FortiLink Issues

 

Check the FortiGate configuration

Using the FortiGate GUI, check the FortiLink interface configuration:

1. In Network > Interfaces, double-click the interface used for FortiLink.

2. Ensure that Dedicated to Extension Device is set for this interface.

Using the FortiGate CLI, Verify that you have configured the DHCP and NTP settings correctly. Enter the following commands:

1. Verify that the NTP server is enabled, and the Fortilink interface has been added to the list:

show system ntp

2. Ensure that the DHCP server on the Fortilink interface is configured correctly:

show system dhcp

 

Check the FortiSwitch configuration

Use the following FortiSwitch CLI commands to check the FortiSwitch configuration:

1. Verify that the switch system time matches the time on the FortiGate:

get system status

2. Verify that FortiGate has sent an IP address to the FortiSwitch.

Typically, the IP address will be in the range of 169.254.x.x:

get system interfaces

3. Verify that you can ping the FortiGate IP address:

exec ping x.x.x.x

 

Scenarios

This chapter contains practical examples of how to use the FortiSwitch unit to manage a network. The scenarios are as follows:

  • Scenario 1: Creating the marketing VLAN
  • Scenario 2: Allowing access to specific users on the marketing VLAN
  • Scenario 3: Adding a specific device to the marketing VLAN

The Example Network

All the scenarios are interrelated and are used to manage an example network with the following attributes:

  • The FortiSwitch unit used is a FortiSwitch-224D-POE, serial number FS224D3W14000370.
  • The FortiSwitch unit’s port 24 connects to port1 on the FortiGate unit.
  • The LAN is divided into four distinct VLANs, configured as follows:

 

VLAN IP Device(s) Port(s) Policy ID(s)   GUI Color
 

marketing

 

172.20.120.10/255.255.255.0

 

marketing PCs, marketing laptop

 

3-6

 

2, 3

 

accounting

 

172.20.130.10/255.255.255.0

 

accounting PCs

 

21

 

4

 

voip

 

172.20.140.10/255.255.255.0

 

VoIP phone

 

10

 

5

 

access_

point

 

172.20.150.10/255.255.255.0

 

FortiAP

 

1

 

6

 

  • There are six devices that connect directly to the FortiSwitch unit’s ports using Ethernet cables: the 3 marketing PCs, the marketing laptop, the VoIP phone, and the FortiAP unit.
  • The accounting VLAN connects to the FortiSwitch using an SFP port.
  • There are three marketing employees (Jane Smith, Tom Brown, Bob Lee) who will use the marketing VLAN using the marketing PCs.
  • The MAC address of the marketing laptop is 01:23:45:67:89:ab.
  • The IP range for the VoIP phone is 10.10.10.10-10.10.10.50.
  • The FortiAP unit is a FortiAP-11C, serial number FAP11C3X12000412.

 

Scenario 1: Creating the Marketing VLAN

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic (traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs).

For example, if a company has one LAN which is to be used for both the marketing and the accounting department, this LAN can be segmented into two VLANs. This allows the traffic from each department to be isolated, so information packets sent to the marketing department are only sent on the marketing VLAN. It also allowed different policies to be created, so that security can be increased for the accounting department without also increasing it for the marketing department.

The following instructions will create a VLAN to be used by the marketing team for network and Internet access. The marketing team PCs will connect to ports 3-6 on the FortiSwitch.

 

Using the web-based manager

 

Creating the VLAN

1. Go to WiFi & Switch Controller > FortiSwitch VLANs and select Create New. Change the following settings:

Interface Name             marketing

VLAN ID                        Enter a number (1-4094)

Color                             Choose a unique color for each VLAN, for ease of visual display.

IP/Network Mask         172.20.120.10/255.255.255.0

1. Enable DHCP Server. Set the IP range to 172.20.120.11-172.20.120.254.

2. Select OK.

The entry marketing is now shown on the list of VLANs. A marketing interface has also been added, which can be seen by going to Network > Interfaces.

 

Assigning FortiSwitch Ports to the VLAN

1. Go to WiFi & Switch Controller > FortiSwitch Ports

2. Click the rows for ports 3-6 to select them.

3. Right-click and select Assign VLANS > Native VLAN. Select a VLAN from the list.

Ports 3-6 on the FortiSwitch have now been assigned to the selected VLAN and will appear in red

 

Using the CLI

1. Create the marketing VLAN.

config switch-controller vlan edit marketing

set vlanid 4 set color 32

end

2. Set the VLAN’s IP address.

config system interface edit marketing

set ip 172.20.120.14 255.255.255.0

end

3. Enable a DHCP Server.

config system dhcp server edit 1

set default-gateway 172.20.120.10 set dns-service default

set interface marketing config ip-range

set start-ip 172.20.120.11 set end-ip 172.20.120.254

end

set netmask 255.255.255.0

end

4. Assign ports 3-6 to the VLAN.

config switch-controller managed-switch edit FS224D3W14000370

config ports edit port3

set vlan marketing next

edit port4

set vlan marketing next

edit port5

set vlan marketing next

edit port6

end

set vlan marketing next

end

 

Setting up a security policy for the VLAN

The following instructions configure a basic security policy for the marketing VLAN that will allow all traffic from the marketing VLAN to have access to the Internet.

 

Using the web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New. Change the following settings:

Incoming Interface                 marketing

Source                                     all

Outgoing Interface                 wan1

Destination Address              all

Schedule                                 always

Service                                     ALL

Action                                      ACCEPT

Enable NAT                             Enable

Fixed Port

IP Pool Configuration

Security Profiles

Logging Options                   Log all Sessions

2. Select OK.

With this security policy in place, all computers connected to the marketing VLAN can now access the Internet.

 

Using the CLI

Create a security policy for the marketing VLAN.

config security policy edit 2

set srcintf marketing set dstintf wan1

set srcaddr all set dstaddr all set action accept

set schedule always set service ALL

end

set logtraffic all set nat enable

 

Scenario 2: Allowing access to specific users on the marketing VLAN

In Scenario 1, the policy for the marketing VLAN will be altered so that different users have different access. The firewall policy will be created so that all three marketing employees (Jane Smith, Tom Brown, Bob Lee) have user accounts. These accounts will be put into one of two groups: full-time and part-time. Full-time employees will always have network access, while part-time employees will only have access on Mondays, Wednesdays and Fridays. This policy will apply to each user when they use any of the PCs that connect to the marketing VLAN through ports 3, 4, 5 or 6 on the FortiSwitch.

Creating a policy to match scenario 1 requires:

  • Creating users.
  • Creating groups.
  • Creating a schedule.
  • Configuring the firewall policies.

 

Using the web-based manager

Creating a User Group

1. Go to User & Device > User Groups and select Create New.

2. Name the user group parttime.

3. Set Type as Firewall.

4. Select OK.

The entry parttime will now appear on the user group list. Repeat these steps to create another user group, named full-time.

 

Creating a User

1. Go to User & Device > User Definition. Select Create New.

2. Use the User Creation Wizard to create a user. In part 1, select Local User.

3. In part 2, change the following settings:

User Name                    blee

Password                      password

4. In part 3, enter the email address blee@example.com

5. In part 4, select Enable and User Group. Set parttime as the group.

6. Select Done.

The entry blee will now appear in the user list. Repeat these steps to create user accounts tbrown and jsmitand add both of these accounts to the full-time group.

Creating a Schedule

1. Go to Policy & Objects > Schedules. Select Create New and then select Recurring.

2. Change the following settings:

Name                             part-time_schedule

Day of the Week          Monday, Wednesday, Friday

3. Select OK.

The entry parttime schedule will now appear on the schedules list.

 

Configuring the Firewall Policy

1. Go to Policy & Objects > IPv4 Policy and select the policy for the marketing VLAN. Select Edit.

2. Set the policy to use the following the following settings, allowing access for part-time employees:

Incoming Interface         marketing

Source Address              all

Source User(s)                 part-time

Outgoing Interface         wan1

Destination Address       all

Schedule                          part-time_schedule

Service                             ALL

Action                               ACCEPT

Enable NAT                      Enable

Logging Options            Log all Sessions

3. Select OK.

4. Go to Policy & Objects > IPv4 Policy and create a new policy.

5. Change the following settings to set access for full-time employees:

 

  Incoming Interface marketing
Source Address all
Source User(s) full-time
Outgoing Interface wan1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
Enable NAT Enable
Logging Options Log all Sessions
 

6.

 

Select OK.

 

You have now finished creating the policies that matches scenario 1. These policies will apply to all three users

when they use any of the PCs that connect to the marketing VLAN.

 

Using the CLI

1. Create the 3 users.

config user local edit blee

set type password set passwd password

next

edit tbrown

set type password set passwd password

next

edit jsmith

set type password set passwd password

end

2. Create the 2 user groups and add the users to them.

config user group edit part-time

set group-type firewall set member blee

next

edit full-time

set group-type firewall set member tbrown jsmith

end

3. Create the schedule for part-time employees.

config firewall schedule recurring edit part-time_schedule

set day monday wednesday friday

end

4. Add user authentication to the firewall policy for the marketing VLAN.

config firewall policy edit 2

set identity-based enable config identity-based-policy

edit 1

set schedule part-time_schedule set logtraffic all

set groups part-time set dstaddr all

set service ALL

next edit 2

set schedule always set logtraffic all set groups full-time set dstaddr all

set service ALL

end

end

 

 

Scenario 3: Adding a specific device to the marketing VLAN

In Scenario 2, a new policy will be created for the marketing VLAN that will be used by the marketing laptop. This policy will affect the marketing laptop that is used periodically for tasks such as boardroom presentations or for guests, tasks for which the laptop requires Internet access. The laptop will access the Internet by connecting to the marketing VLAN through ports 3, 4, 5 or 6 on the FortiSwitch. Adding a new policy for the laptop will allow it to connect without requiring user authentication and will also limit the scope of the device’s access.

Creating a policy to match scenario 2 requires:

  • Assigning a reserve IP to the laptop.
  • Creating a firewall address for the reserve IP.
  • Creating a firewall policy that uses the reserve IP.

 

Using the web-based manager

Assigning a Reserve IP to the Laptop

1. Go to Network > Interfaces and select marketing.

2. Under DHCP Server, expand the Advanced options.

3. In the MAC Address Access Control List and select Create New.

4. Change the following settings:

MAC                              01:23:45:67:89:ab

IP                                   172.20.120.254

Action                           Reserve IP

 

Creating a Firewall Address for the Reserve IP

1. Go to Policy & Objects > Addresses and select Create New.

2. Change the following settings:

Category                       Address

Name                             marketing_laptop

Type                              IP/Netmask

Subnet/IP Range         172.20.120.254

Interface                       marketing

 

Configuring a Firewall Policy

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Change the following settings:

Incoming Interface           marketing

Source Address                marketing_laptop

Outgoing Interface           wan1

Destination Address         all

Schedule                            always

Service                               HTTP HTTPS DNS

Action                                 ACCEPT

Enable NAT                        Enabled

Logging Options              Log all Sessions

3. Select OK.

4. In the policy list, select the column on the far left for the new policy (usually Seq #) and drag the policy above the previous policy for the marketing VLAN. This will ensure that the laptop will be identified through this policy.

You have now finished creating a policy that matches scenario 2. This policy will apply to anyone who uses the laptop to connect to the marketing VLAN using an Ethernet cable.

 

Using the CLI

1. Assign a reserve IP to the laptop.

config system dhcp server edit 2

config reserved-address edit 1

set action reserved set ip 172.20.120.254

set mac 01:23:45:67:89:ab

end

end

2. Create a firewall address for the reserve IP.

config firewall address edit marketing_laptop

set subnet 172.20.120.254

end

3. Create a firewall policy for the marketing VLAN that uses the reserve IP.

config firewall policy edit 3

set srcintf marketing set dstintf wan1

set srcaddr marketing_laptop set dstaddr all

set action accept set schedule always

set service HTTP HTTPS DNS

set logtraffic all set nat enable

end

4. Place the new firewall policy at the top of the policy list.

config firewall policy move 2 after 3

end

 

Address Name             marketing VLAN

Type                              Subnet

Subnet/IP Range         172.20.120.14/255.255.255.0

Interface                       marketing

Name                                   marketing-remote

Enable Tunnel Mode        Enable

Enable Split Tunneling    Disable

IP Pools                              SSLVPN_TUNNEL_ADDR1

Enable Web Mode             Enable

Incoming Interface           ssl.root (sslvpn tunnel interface)

Source Address               marketing_laptop

Outgoing Interface           marketing

Destination Address        all

Schedule                           always

Service                               ALL

Action                                ACCEPT

Enable NAT                       Enabled

Logging Options             Log all Sessions

Incoming Interface          ssl.root (sslvpn tunnel interface)

Source Address               marketing_laptop

Outgoing Interface          wan1

Destination Address       all

Schedule                           always

Service                              HTTP HTTPS DNS

Action                                ACCEPT

Enable NAT                       Enabled

Logging Options             Log all Sessions

 

The FortiClient SSL VPN tunnel client will also need to be configured, in order for the Tom Brown to connect to the SSL VPN tunnel.

The SFP ports should only be used to connect UL-listed optical transceiver products, rated Laser Class 1.33V DC.

SFP ports are only available on certain FortiSwitch models. SFP ports are also shared with Ethernet ports and so when an SFP port is used, the Ethernet port with the same number cannot be.

 

Name                             accounting

Color

IP/Network Mask         172.20.130.15/255.255.255.0

Incoming Interface           accounting

Source Address                all

Outgoing Interface           wan1

Destination Address         all

Schedule                            always

Service                               ALL

Action                                 ACCEPT

Enable NAT                        Enabled

Logging Options              Log all Sessions

Name                             voip

Color

IP/Network Mask         172.20.140.16/255.255.255.0

Category                       Address

Name                             voip

Color

Type                              IP Range

Subnet/IP Range         10.10.10.10-10.10.10.50

Interface                       voip

Incoming Interface             voip

Source Address                  voip_phone

Outgoing Interface             wan1

Destination Address           all

Schedule                              always

Service                                 SIP

Action                                   ACCEPT

Enable NAT                          Enabled

Logging Options                Log all Sessions

Name                             access_point

Color

IP/Network Mask         172.20.150.17/255.255.255.0

DHCP Server                Enable

Name                             WLAN

Type                              WiFi SSID

Traffic Mode                 Tunnel to Wireless Controller

IP/Network Mask         172.20.150.17/255.255.255.0

DHCP Server                Enabled

SSID                              wireless

Preshared Key            password

Incoming Interface      access_point

Outgoing Interface      wan1

DestinatioAddresall

Schedule                      always

Service                          HTTP HTTPS DNS

Action                           ACCEPT

Enable NAT                  Enabled

Logging Options         Log all Sessions


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.