Chapter 8 – Deploying Wireless Networks

Option to disable automatic registration of unknown FortiAPs (272368)

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator’s authorization. Optionally, you can disable this automatic registration function. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface. Disable automatic registration in the CLI like this:


config system interface edit port15

set ap-discover disable end


Automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually. This feature is available only on network interfaces designated as Dedicated to Extension Device.


To enable automatic authorization on all dedicated interfaces

config system global

set auto-auth-extension-device enable end


To enable automatic authorization per-interface

config system interface edit port15

set auto-auth-extension-device enable end


In the GUI, the Automatically authorize devices option is available when Addressing Mode is set to

Dedicated to Extension Device.


Control WIDS client deauthentication rate for DoS attack (285674 278771)

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A new WIDS Profile option in the CLI limits the deauthentication rate.


config wireless-controller wids-profile edit default

set deauth-unknown-src-thresh 10 end

The range is 1 to 65,535 deathorizations per second. 0 means no limit. The default is 10.


Prevent DHCP starvation (285521)

The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from depleting the DHCP address pool by making multiple requests. Add this option as follows:


config wireless-controller vap edit “wifi”

append broadcast-suppression dhcp-starvation end



Prevent ARP Poisoning (285674)

The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from spoofing ARP messages. Add this option as follows:


config wireless-controller vap edit “wifi”

append broadcast-suppression arp-poison end


Suppress all other multicast/broadcast packets (282404)

The SSID broadcast-suppression field in the CLI contains several options for specific multicast and broadcast packet types. Two new options suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options.


config wireless-controller vap edit “wifi”

append broadcast-suppression all-other-mc all-other-bc end


A new configurable timer flushes the wireless station presence cache (283218)

The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.

The timer is one of the wireless controller timers and it can be set in the CLI. For example:


config wireless-controller timers set sta-locate-timer 1800


The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 seconds) because that could cause duplicate logs to be generated.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU