UTM security profile groups on FortiAP-S

UTM security profile groups on FortiAP-S

This guide provides instructions for simple configuration of security profile groups for FortiAP, including creating security profile groups and selecting profile groups for the SSID.

To configure UTM security profile groups on the FortiOS GUI:

  1. Create a security profile group:
    1. Go to WiFi & Switch Controller> Security Profile Groups, then click Create New.
    2. Enter the desired interface name. Configure logging as desired.
    3. Enable Antivirus, Web Filter, Application, IPS, or Botnet, then select the desired profile.
  2. Create a local bridge mode SSID and enable security profile groups:
    1. Go to WiFi & Switch Controller> SSID. Select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Bridge.
    3. In the SSID field, enter the desired SSID name. Configure security as desired.
    4. Enable Security Profile Group, then select the group created in step 1.
    5. Click OK.
  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C: Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
    1. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    2. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
    3. Click OK.

To configure UTM security profile groups using the FortiOS CLI:

  1. Create a security profile group:

config wireless-controller utm-profile edit “wifi-UTM” set ips-sensor “default” set application-list “default” set antivirus-profile “default” set webfilter-profile “default” set scan-botnet-connections block

next

end

  1. Create a local bridge mode SSID and enable security profile groups:

config wireless-controller vap edit “wifi-vap” set ssid “SSID-UTM” set passphrase 12345678 set local-bridging enable set schedule “always” set utm-profile “wifi-UTM”

next

end

  1. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

This entry was posted in Administration Guides, FortiAP, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.