Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Chapter 9 – Firewall

“Firewall concepts” explains the ideas behind the components, techniques and processes that are involved in setting up and running a firewall in general, and the FortiGate firewall in particular. The premise here is that, regardless of how experienced someone is with firewalls, as they go through the process of configuring a firewall that is new to them they are likely to come across a term or setting that they are not familiar with, even if only in the context of the setting they are working on at the moment. FortiGate firewalls are quite comprehensive and can be very granular in the functions they perform, so it makes sense to have a consistent frame of reference for the ideas we will be working with.

Some examples of the concepts that will be addressed here are:

  • “What is a Firewall?”
  • “NAT”
  • “IPv6”

 

“Firewall objects” describes the following firewall objects:

  • Addressing
  • Services
  • Firewall Policies

“Network defense” describes various methods of defending your Network using the abilities of the FortiGate Firewall.

“GUI & CLI – What You May Not Know” helps you navigate and find the components in the Web-based Manager that you will need to build the functions. This section does not include any in-depth explanations of what each object does, as that is covered in the concepts section. This section shows you where you need to input your information and lets you know what format the interface expects that information to be in.

“Building firewall objects and policies” is similar to a cookbook in that it refers to a number of common tasks that you will likely perform to get the full functionality out of your FortiGate firewall. Because of the way that firewalls are designed, performing many of these tasks requires that firewall components be set up in a number of different sections of the interface and be configured to work together to achieve the desired result. This section brings those components together as a straightforward series of instructions.

“Multicast forwarding” is a reference guide including the concepts and examples that are involved in the use of multicast addressing and policy forwarding as it is used in the FortiGate firewall.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Fortinet Wireless Reference

Reference

This chapter provides some reference information pertaining to wireless networks.

  • FortiAP web-based manager
  • Wireless radio channels
  • WiFi event types
  • FortiAP CLI

 

FortiAP web-based manager

You can access the FortiAP unit’s built-in web-based manager. This is useful to adjust settings that are not available through the FortiGate unit’s WiFi Controller. Logging into the FortiAP web-based manager is similar to logging into the FortiGate web-based manager.

 

System Information

Status

The Status section provides information about the FortiAP unit.

 

You can:

  • Select Change to change the Host Name.
  • Select Update in Firmware Version to upload a new FortiAP firmware file from your computer.
  • Select Change Password to change the administrator password.
  • Select Backup to save the current FortiAP configuration as a file on your computer.
  • Select Restore to load a configuration into your FortiAP unit from a file on your computer.

 

Network Configuration

Select DHCP or select Static and specify the IP address, netmask, and gateway IP address. Administrative Access settings affect access after the FortiAP has been authorized. By default, HTTP access needed to access the FortiAP web-based manager is enabled, but Telnet access is not enabled.

 

Connectivity

These settings determine how the FortiAP unit connects to the FortiGate WiFi controller.

 

Uplink                 Ethernet – wired connection to the FortiGate unit (default)
                       Mesh – WiFi mesh connection
                       Ethernet with mesh backup support

Mesh AP SSID           Enter the SSID of the mesh root. Default: fortinet.mesh.root

Mesh AP Password       Enter the password for the mesh SSID.

Ethernet Bridge        Bridge the mesh SSID to the FortiAP Ethernet port.
                       This is available only when Uplink is Mesh.



Wireless Packet sniffer

Packet sniffer

Capturing the traffic between the controller and the FortiAP can help you identify most FortiAP and client connection issues.

 

This section describes the following recommended packet sniffing techniques:

  • CAPWAP packet sniffer
  • Wireless traffic packet sniffer

 

CAPWAP packet sniffer

The first recommended technique consists of sniffing the CAPWAP traffic.

  • Enable plain control on the controller and on the FortiAP to capture clear control traffic on UDP port 5246.
  • On the controller:

    diagnose wireless-controller wlac plain-ctl <FortiAP_serial_number> 1

    Result:

    WTP 0-FortiAP2223X11000107 Plain Control: enabled

  • On the FortiAP:

    cw_diag plain-ctl 1

    Result:

    Current Plain Control: enabled

Note that some issues are related to the keep-alive for the control and data channels.

  • Data traffic on UDP port 5247 is not encrypted. The data itself is encrypted by the wireless security mechanism.

Data traffic is helpful to troubleshoot most of the issues related to station association, EAP authentication, WPA key exchange, roaming, and FortiAP configuration.

You can also set up a host or server to which you can forward the CAPWAP traffic:

1. Configure the host/server to which CAPWAP traffic is forwarded:

   diagnose wireless-controller wlac sniff-cfg <Host_IP_address> 88888

   Result:

   Current Sniff Server: 192.168.25.41, 23352

2. Choose which traffic to capture, the interface to which the FortiAP is connected, and the FortiAP’s serial number:

   diagnose wireless-controller wlac sniff <interface_name> <FortiAP_serial_number> 2

   Result:

   WTP 0-FortiAP2223X11000107 Sniff: intf port2 enabled (control and data message)

   In the above syntax, ‘2’ captures both control and data messages, ‘1’ captures only control messages, and ‘0’ disables the sniffer.

3. Run Wireshark on the host/server to capture CAPWAP traffic from the controller.

   Decode the traffic as IP to check the inner CAPWAP traffic.

 

Example CAPWAP packet capture

The following image shows an example of a CAPWAP packet capture, where you can see: the Layer 2 header; the sniffed traffic encapsulated into Internet Protocol for transport; CAPWAP encapsulated into UDP for sniffer purpose and encapsulated into IP; CAPWAP control traffic on UDP port 5246; and CAPWAP payload.
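The decoding step above (treat each forwarded datagram's payload as an IP packet, then read the UDP ports and the CAPWAP header) can be done outside Wireshark as well. The following script is an added example, not Fortinet code: it parses the IPv4, UDP and CAPWAP headers of a forwarded frame, tells control (UDP 5246) from data (UDP 5247), reports whether the control channel is still DTLS-wrapped (plain-ctl not enabled), and surfaces the two keep-alives the text refers to (Echo Request/Response on the control channel, the K flag on the data channel). The header layout follows RFC 5415; both sample packets are constructed, using the 192.168.8.0/24 AP addressing from this page's examples.

```python
"""Decode frames forwarded by the FortiGate CAPWAP sniffer.

Each datagram the sniff server receives carries one captured packet whose
payload starts at the IP header (hence "Decode As IP" in Wireshark).  This is
an added example, not Fortinet code: the CAPWAP header layout follows
RFC 5415 (sections 4.3 and 4.5.1), and both sample packets are constructed.
"""
import socket
import struct

CAPWAP_CONTROL_PORT = 5246  # clear-text once plain-ctl is enabled on both sides
CAPWAP_DATA_PORT = 5247     # never DTLS-encrypted; the 802.11 payload may be

# Subset of the RFC 5415 control message types.  Echo Request/Response are
# the control-channel keep-alive; the data-channel keep-alive is a data
# packet with the K flag set.
CONTROL_MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response",
                     3: "Join Request", 4: "Join Response",
                     13: "Echo Request", 14: "Echo Response"}

# Bit positions of the CAPWAP header flags inside the 24-bit field that
# follows the preamble byte (HLEN:5 RID:5 WBID:5 T F L W M K Flags:3).
FLAG_SHIFTS = {"T": 8, "F": 7, "L": 6, "W": 5, "M": 4, "K": 3}


def decode_sniffed(payload: bytes) -> dict:
    """Parse IPv4 + UDP + CAPWAP from a forwarded sniffer datagram."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload does not start with an IPv4 header")
    ihl = (payload[0] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(payload[12:16]),
            "dst": socket.inet_ntoa(payload[16:20]),
            "proto": payload[9]}
    if info["proto"] != 17:
        info["channel"] = "non-udp"
        return info
    sport, dport, ulen = struct.unpack_from("!HHH", payload, ihl)
    info.update(sport=sport, dport=dport)
    capwap = payload[ihl + 8: ihl + ulen]
    if CAPWAP_CONTROL_PORT in (sport, dport):
        info["channel"] = "control"
    elif CAPWAP_DATA_PORT in (sport, dport):
        info["channel"] = "data"
    else:
        info["channel"] = "other"
        return info
    if len(capwap) < 8:
        raise ValueError("truncated CAPWAP header")
    if (capwap[0] & 0x0F) == 1:
        # DTLS header: plain-ctl was not enabled on both ends, nothing to read.
        info["dtls"] = True
        return info
    bits = int.from_bytes(capwap[1:4], "big")
    flags = {name: bool((bits >> shift) & 1) for name, shift in FLAG_SHIFTS.items()}
    frag_id, frag_off_rsvd = struct.unpack_from("!HH", capwap, 4)
    hlen = ((bits >> 19) & 0x1F) * 4          # HLEN is counted in 4-byte words
    info.update(dtls=False, hlen=hlen, rid=(bits >> 14) & 0x1F,
                wbid=(bits >> 9) & 0x1F, flags=flags, frag_id=frag_id,
                frag_offset=frag_off_rsvd >> 3, keepalive=flags["K"])
    body = capwap[hlen:]
    if info["channel"] == "control" and len(body) >= 8:
        # Control header: message type (4), sequence (1), element length (2), flags (1)
        msg_type, seq, elem_len, _ = struct.unpack_from("!IBHB", body)
        info.update(msg_type=msg_type, seq=seq, elem_len=elem_len,
                    msg_name=CONTROL_MSG_TYPES.get(msg_type, f"type {msg_type}"))
    return info


def capwap_header(hlen_words: int = 2, rid: int = 1, wbid: int = 1, **flags) -> bytes:
    """Build a plain (non-DTLS) CAPWAP header; WBID 1 is IEEE 802.11."""
    bits = (hlen_words << 19) | (rid << 14) | (wbid << 9)
    for name, shift in FLAG_SHIFTS.items():
        if flags.get(name):
            bits |= 1 << shift
    return b"\x00" + bits.to_bytes(3, "big") + struct.pack("!HH", 0, 0)


def build_sniffed(src: str, dst: str, sport: int, dport: int, capwap: bytes) -> bytes:
    """Wrap a CAPWAP message in UDP and IPv4 the way the sniffer forwards it.
    Checksums are left at 0; the decoder does not validate them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(capwap), 0) + capwap
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


# Constructed samples (addresses from this page's example AP network):
# an Echo Request from the FortiAP and a data-channel keep-alive.
ECHO_REQUEST = build_sniffed("192.168.8.2", "192.168.8.1", 40001, CAPWAP_CONTROL_PORT,
                             capwap_header() + struct.pack("!IBHB", 13, 7, 0, 0))
DATA_KEEPALIVE = build_sniffed("192.168.8.2", "192.168.8.1", 40002, CAPWAP_DATA_PORT,
                               capwap_header(K=True) + struct.pack("!H", 0))

if __name__ == "__main__":
    for name, pkt in (("echo", ECHO_REQUEST), ("keepalive", DATA_KEEPALIVE)):
        print(name, decode_sniffed(pkt))
```

A capture in which every control datagram comes back with `dtls` set means plain-ctl was not enabled on one of the two sides; a long gap between Echo Requests and Echo Responses, or data keep-alives with no reply, points at the keep-alive problems mentioned above.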

 

Wireless traffic packet sniffer

The second recommended technique consists of sniffing the wireless traffic directly ‘on the air’ using your FortiAP.

 

Wireless traffic packet capture

Packet captures are useful for troubleshooting all wireless client related issues because you can verify data rate and 802.11 parameters, such as radio capabilities, and determine issues with wireless signal strength, interference, or congestion on the network.

A radio can only capture one frequency at a time; one of the radios is set to sniffer mode depending on the traffic or channel required. You must use two FortiAPs to capture both frequencies at the same time.

  • Set a radio on the FortiAP to monitor mode:

    iwconfig wlan10

    Result:

    wlan10    IEEE 802.11na  ESSID:""
              Mode:Monitor  Frequency:5.18 GHz  Access Point: Not-Associated

  • The capture file is stored under the temp directory as wl_sniff.cap:

    /tmp/wl_sniff.cap

  • Remember that the capture file is only stored temporarily. If you want to save it, upload it to a TFTP server before rebooting or changing the radio settings.
  • The command cp wl_sniff.cap newname.pcap allows you to rename the file.
  • Rather than TFTP the file, you can also log in to the AP and retrieve the file via the web interface. Move the file using the command mv <name> /usr/www, verify that it was moved using cd /usr/www, and then browse to <fortiAP_IP>/<filename>.

 

Syntax

The following syntax demonstrates how to set the radio to sniffer mode (configurable from the CLI only). Sniffer mode provides options to filter for specific traffic to capture. Notice that you can determine the buffer size, which channel to sniff, the AP’s MAC address, and select if you want to sniff the beacons, probes, controls, and data channels.

 

config wireless-controller wtp-profile
    edit <profile_name>
        config <radio>
            set mode sniffer
            set ap-sniffer-bufsize 32
            set ap-sniffer-chan 1
            set ap-sniffer-addr 00:00:00:00:00:00
            set ap-sniffer-mgmt-beacon enable
            set ap-sniffer-mgmt-probe enable
            set ap-sniffer-mgmt-other enable
            set ap-sniffer-ctl enable
            set ap-sniffer-data enable
        end
    end

 

Once you’ve performed the previous CLI configuration, you’ll be able to see the packet sniffer mode selected in the GUI dashboard under WiFi & Switch Controller > FortiAP Profiles and WiFi & Switch Controller > Managed FortiAPs. Bear in mind that if you change the mode from the GUI, you’ll have to return to the CLI to re-enable the Sniffer mode.

 

To disable the sniffer profile in the CLI, use the following commands:

 

config wireless-controller wtp-profile
    edit <profile_name>
        config <radio>
            set ap-sniffer-mgmt-beacon disable
            set ap-sniffer-mgmt-probe disable
            set ap-sniffer-mgmt-other disable
            set ap-sniffer-ctl disable
            set ap-sniffer-data disable
        end
    end

 

If you change the radio mode before sending the file wl_sniff.cap to an external TFTP server, the file will be deleted and you will lose your packet capture.



Troubleshooting Fortinet Wireless LAN

In the following section, you will learn basic troubleshooting techniques for a secure Fortinet wireless LAN, including:

  • strategies for troubleshooting Fortinet wireless devices
  • how to avoid common misconfigurations
  • solutions to connectivity issues
  • capturing and analyzing wireless traffic
  • wireless debug commands

 

The goal of this document is to provide you with practical knowledge that you can use to troubleshoot the FortiOS wireless controller and FortiAP devices. This includes how to use tools and apply CLI commands for maintenance and troubleshooting of your wireless network infrastructure, analyze problems per OSI layer, explore diagnostics for commissioning issues regarding at-client and access point connectivity problems, and understand the packet sniffer technique as a strong troubleshooting tool.

The content is divided as follows:

  • Signal strength issues
  • Throughput issues
  • Connection issues
  • General problems
  • Packet sniffer
  • Useful debugging commands

 

Signal strength issues

Poor signal strength is possibly the most common customer complaint. Below you will learn where to begin identifying and troubleshooting poor signal strength, and learn what information you can obtain from the customer to help resolve signal strength issues.

 

Asymmetric power issue

Asymmetric power issues are a typical problem. Wireless is two-way communication; high power access points (APs) can usually transmit a long distance, however, the client’s ability to transmit is usually not equal to that of the AP and, as such, cannot return transmission if the distance is too far.

 

Measuring signal strength in both directions

To solve an asymmetric power issue, measure the signal strength in both directions. APs usually have enough power to transmit long distances, but sometimes battery-powered clients have a reply signal that has less power, and therefore the AP cannot detect their signal.

It is recommended that you match the transmission power of the AP to the least powerful wireless client—around 10 decibels per milliwatt (dBm) for iPhones and 14dBm for most laptops.

Even if the signal is strong enough, other devices may be emitting radiation as well, causing interference. To identify the difference, read the client Rx strength from the FortiGate GUI (under Monitor > WiFi Client Monitor) or CLI.

The Signal Strength/Noise value provides the received signal strength indicator (RSSI) of the wireless client. For example, a value of -85dBm to -95dBm corresponds to a Signal Strength/Noise figure of only about 10dB, which is not a desirable signal strength. In the screenshot that accompanies this section, one of the clients is at 18dB, which is getting close to the edge of its range.

The Signal Strength/Noise value received from the FortiAP by clients, and vice versa, should be within the range of -20dBm to -65dBm.

You can also confirm the transmission (Tx) power of the controller on the AP profile (wtp-profile) and the FortiAP (iwconfig), and check the power management (auto-Tx) options.

 

Controller configured transmitting power – CLI:

config wireless-controller wtp-profile
    config <radio>
        show

(the following output is limited to power levels)

    auto-power-level : enable
    auto-power-high : 17
    auto-power-low : 10

 

Actual FortiAP transmitting power – CLI:

iwconfig wlan00

Result:

wlan00    IEEE 802.11ng  ESSID:"signal-check"
          Mode:Master  Frequency:2.412 GHz  Access Point: <MAC add>
          Bit Rate:130 Mb/s  Tx-Power=28 dBm

 

Using FortiPlanner PRO with a site survey

The most thorough method to solve signal strength issues is to perform a site survey. To this end, Fortinet offers the FortiPlanner, downloadable at http://www.fortinet.com/resource_center/product_downloads.html.

 

Sample depiction of a site survey using FortiPlanner

The site survey provides you with optimal placement for your APs based on the variables in your environment. You must provide the site survey detailed information including a floor plan (to scale), structural materials, and more. It will allow you to place the APs on the map and adjust the radio bands and power levels while providing you with visual wireless coverage.

Below is a list of mechanisms for gathering further information on the client's Rx strength. The goal is to see how well the client is receiving the signal from the AP. You can also verify FortiAP signal strength on the client using WiFi client utilities, or third-party utilities such as InSSIDer or MetaGeek Chanalyzer. You can get similar tools from the app stores on Android and iOS devices.

  • Professional site survey software (Ekahau, AirMagnet Survey Pro, FortiPlanner)
  • InSSIDer
  • On Windows: netsh wlan show networks mode=bssid (look for the BSSID; note that the signal is reported in %, not in dBm!)
  • On macOS: use the airport command (it performs a live scan each time):

    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s | grep <the_bssid>

  • On Android: WiFiFoFum

 

Frequency interference

If the wireless signal seems to be strong but then periodically drops, this may be a symptom of frequency interference. Frequency interference occurs when another device also emits radio frequency on the same channel, a co-channel, or an adjacent channel, thereby overpowering or corrupting your signal. This is a common problem on a 2.4GHz network.

There are two types of interference: coherent and non-coherent.

  • Coherent interference: a result of another device using the same channel as your AP, or poor planning of a wireless infrastructure (perhaps the other nearby APs are using the same channel or the signal strength is too high).
  • Non-coherent interference: a result of other radio signals such as bluetooth, microwave, cordless phone, or (as in medical environments) x-ray machines.

The most common and simplest solution for frequency interference is to change your operating channel. Typically, the channel can be set from 1 to 11 for the broadcast frequency, although you should always use channels 1, 6, and 11 on the 2.4GHz band.

Another solution, if it’s appropriate for your location, is to use the 5GHz band instead.
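The channel advice above (stay on 1, 6 or 11, and watch for co-channel and adjacent-channel neighbours) can be turned into a small ranking routine. The script below is an added example, not Fortinet code: given a neighbour scan in the shape of the netsh output mentioned earlier (BSSID, channel, signal), it classifies each neighbour as co-channel or adjacent-channel relative to your operating channel, sums the overlapping signal power per candidate channel, and recommends the quietest of 1, 6 and 11. The scan list is constructed; the percent-to-dBm conversion (0% = -100 dBm, 100% = -50 dBm, linear) is the approximation the Windows WLAN API uses and is an assumption, as is judging overlap with a 20 MHz channel width.

```python
"""Rank 2.4 GHz channels by co-channel and adjacent-channel interference.

Added example, not Fortinet code.  The neighbour list below is constructed in
the shape of a `netsh wlan show networks mode=bssid` scan; the percent-to-dBm
conversion is the linear approximation used by the Windows WLAN API
(0% = -100 dBm, 100% = -50 dBm) and is an assumption, not something the page
states.  Channel overlap is judged with a 20 MHz channel width.
"""
import math

CHANNEL_WIDTH_MHZ = 20
NON_OVERLAPPING = (1, 6, 11)
IGNORE_BELOW_DBM = -95  # the page: signals at or below -95 dBm are ignored


def center_freq_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (channel 14 is the odd one out)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def netsh_percent_to_dbm(percent: int) -> float:
    """Approximate dBm from the % figure netsh prints (assumption, see above)."""
    return -100 + percent / 2


def interference_kind(our_channel: int, other_channel: int):
    """'co-channel', 'adjacent-channel' (partial overlap) or None."""
    if our_channel == other_channel:
        return "co-channel"
    gap = abs(center_freq_mhz(our_channel) - center_freq_mhz(other_channel))
    return "adjacent-channel" if gap < CHANNEL_WIDTH_MHZ else None


def classify_interferers(scan, our_channel: int) -> dict:
    """Group neighbours by how they interfere with our_channel."""
    groups = {"co-channel": [], "adjacent-channel": []}
    for bssid, channel, rssi_dbm in scan:
        if rssi_dbm <= IGNORE_BELOW_DBM:
            continue
        kind = interference_kind(our_channel, channel)
        if kind:
            groups[kind].append((bssid, channel, rssi_dbm))
    return groups


def interference_dbm(scan, candidate: int) -> float:
    """Sum the power of every overlapping neighbour (in mW) and return dBm."""
    mw = 0.0
    for _, channel, rssi_dbm in scan:
        if rssi_dbm > IGNORE_BELOW_DBM and interference_kind(candidate, channel):
            mw += 10 ** (rssi_dbm / 10)
    return 10 * math.log10(mw) if mw else -math.inf


def recommend_channel(scan) -> int:
    """Pick the quietest of channels 1, 6 and 11, as the page advises."""
    return min(NON_OVERLAPPING, key=lambda ch: interference_dbm(scan, ch))


# Constructed scan: (BSSID, channel, RSSI dBm).  The percent values mimic
# what netsh would show before conversion.
SCAN = [
    ("00:11:22:aa:bb:01", 1, netsh_percent_to_dbm(90)),   # -55 dBm
    ("00:11:22:aa:bb:02", 1, netsh_percent_to_dbm(60)),   # -70 dBm
    ("00:11:22:aa:bb:03", 3, netsh_percent_to_dbm(50)),   # -75 dBm, overlaps 1 and 6
    ("00:11:22:aa:bb:04", 6, netsh_percent_to_dbm(20)),   # -90 dBm
    ("00:11:22:aa:bb:05", 11, netsh_percent_to_dbm(80)),  # -60 dBm
    ("00:11:22:aa:bb:06", 11, netsh_percent_to_dbm(4)),   # -98 dBm, ignored
]

if __name__ == "__main__":
    for ch in NON_OVERLAPPING:
        print(f"channel {ch:2d}: {interference_dbm(SCAN, ch):6.1f} dBm of overlapping signal")
    print("recommended:", recommend_channel(SCAN))
```

Summing in milliwatts rather than averaging dBm values matters: one strong co-channel AP at -55 dBm outweighs a dozen weak ones, which is also why the constructed scan ends up recommending channel 6 even though it is not empty.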

 

MetaGeek Chanalyzer

You can perform a site survey using spectrum analysis at various points in your environment looking for signal versus interference/noise. MetaGeek Chanalyzer is an example of a third party utility which shows a noise threshold.

Note that a signal of -95dBm or less will be ignored by Fortinet wireless adapters.

 

Throughput issues

Sometimes communication issues can be caused by low performance.

 

Testing the link

You can identify delays or lost packets by sending ping packets from your wireless client. If there is more than 10ms of delay, there may be a problem with your wireless deployment, such as:

  • a weak transmit signal from the client (the host does not reach the AP)
  • the AP utilization is too high (your AP could be saturated with connected clients)
  • interference (third party signal could degrade your AP or client’s ability to detect signals between them)
  • weak transmit power from the AP (the AP does not reach the host) — not common in a properly deployed network, unless the client is too far away

Keep in mind that water will also reduce radio signal strength for those using outdoor APs or wireless on a boat.



Support For Location Based Services

FortiOS supports location-based services by collecting information about WiFi devices near FortiGate-managed access points, even if the devices don’t associate with the network.

Overview

  • Configuring location tracking
  • Viewing device location data on the FortiGate unit

 

Overview

WiFi devices broadcast packets as they search for available networks. The FortiGate WiFi controller can collect information about the interval, duration, and signal strength of these packets. The Euclid Analytics service uses this information to track the movements of the device owner. A typical application of this technology is to analyze shopper behavior in a shopping center. Which stores do people walk past? Which window displays do they stop to look at? Which stores do they enter and how long do they spend there? The shoppers are not personally identified; each is known only by the MAC address of their WiFi device.

After enabling location tracking on the FortiGate unit, you can confirm that the feature is working by using a specialized diagnostic command to view the raw tracking data. The Euclid Analytics service obtains the same data in its proprietary format using a JSON inquiry through the FortiGate unit’s web-based manager interface.

 

Configuring location tracking

You can enable location tracking in any FortiAP profile, using the CLI. Location tracking is part of location-based services. Set the station-locate field to enable. For example:

config wireless-controller wtp-profile
    edit "FAP220B-locate"
        set ap-country US
        config platform
            set type 220B
        end
        config lbs
            set station-locate enable
        end
    end

 

Automatic deletion of outdated presence data

The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.

The timer is one of the wireless controller timers and it can be set in the CLI. For example:

config wireless-controller timers
    set sta-locate-timer 1800
end

 

The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 seconds) because that could cause duplicate logs to be generated.

 

Viewing device location data on the FortiGate unit

You can use the FortiGate CLI to list located devices. This is mainly useful to confirm that the location data feature is working. You can also reset device location data.

 

To list located devices

diag wireless-controller wlac -c sta-locate

 

To reset device location data

diag wireless-controller wlac -c sta-locate-reset

 

Example output

The following output shows data for three WiFi devices.

FWF60C3G11004319 # diagnose wireless-controller wlac -c sta-locate
sta_mac vfid rid base_mac freq_lst frm_cnt frm_fst frm_last intv_sum intv2_sum intv3_sum intv_min intv_max signal_sum signal2_sum signal3_sum sig_min sig_max sig_fst sig_last ap
00:0b:6b:22:82:61 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 257 708 56 651 1836 6441 0 12 -21832 1855438 -157758796 -88 -81 -84 -88 0
00:db:df:24:1a:67 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 42 1666 41 1625 97210 5831613 0 60 -3608 310072 -26658680 -90 -83 -85 -89 0
10:68:3f:50:22:29 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 102 1623 58 1565 94136 5664566 0 60 -8025 631703 -49751433 -84 -75 -78 -79 0

The output for each device appears on two lines. The first line contains only the device MAC address and the VLAN ID. The second line begins with the ID (serial number) of the FortiWiFi or FortiAP unit that detected the device, the AP’s MAC address, and then the fields that the Euclid service uses. On the console, because of its length, this second line wraps and displays as multiple lines.
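Because the console wraps the second line of each record, the raw output is awkward to read by eye; a short parser makes it usable for confirming that location tracking works and for checking how well located devices are actually heard. The script below is an added example, not Fortinet code. It re-joins the wrapped output into one record per device using the column names from the header, then derives the mean and spread of the RSSI samples from the signal_sum and signal2_sum accumulators (for the page's three devices these agree with sig_min, sig_max and sig_fst) and rates each device against the dBm bands from the signal strength section earlier on this page. The two numeric fields that follow the detecting AP's serial number are not named by the header, so labelling them rid and an unnamed index is an assumption; the sample text is the page's own example output, re-typed without console wrapping.

```python
"""Parse `diagnose wireless-controller wlac -c sta-locate` output into records
and derive per-device RSSI statistics from the accumulated signal fields.

Added example, not Fortinet code.  Column names are taken from the header the
command prints; the two numeric fields that follow the detecting AP's serial
on each second line are not named by that header, so they are labelled here
as rid and an unnamed index (an assumption).  Thresholds come from the signal
strength section of this page.
"""
import math
import re

HEADER = ("sta_mac vfid rid base_mac freq_lst frm_cnt frm_fst frm_last intv_sum "
          "intv2_sum intv3_sum intv_min intv_max signal_sum signal2_sum "
          "signal3_sum sig_min sig_max sig_fst sig_last ap").split()
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
# Per device: sta_mac, vfid, AP serial, two numerics, then the 18 fields
# from base_mac through ap.
TOKENS_PER_RECORD = 5 + len(HEADER[3:])


def parse_sta_locate(output: str) -> list:
    tokens = []
    for line in output.splitlines():
        line = line.strip()
        # Skip blanks, the prompt/command echo and the header line.
        if not line or "#" in line or line.startswith("sta_mac"):
            continue
        tokens.extend(line.split())   # console wrapping no longer matters
    records = []
    for i in range(0, len(tokens), TOKENS_PER_RECORD):
        chunk = tokens[i:i + TOKENS_PER_RECORD]
        if len(chunk) != TOKENS_PER_RECORD or not MAC_RE.match(chunk[0]):
            raise ValueError(f"unexpected layout at token {i}: {chunk[:3]}")
        rec = {"sta_mac": chunk[0].lower(), "vfid": int(chunk[1]),
               "ap_serial": chunk[2], "rid": int(chunk[3]),
               "unnamed_idx": int(chunk[4])}  # assumption, see module docstring
        for name, value in zip(HEADER[3:], chunk[5:]):
            rec[name] = value.lower() if name == "base_mac" else int(value)
        records.append(rec)
    return records


def rssi_stats(rec: dict) -> dict:
    """Mean and spread of the RSSI samples behind signal_sum/signal2_sum."""
    n = rec["frm_cnt"]
    mean = rec["signal_sum"] / n
    variance = rec["signal2_sum"] / n - mean * mean
    return {"mean_dbm": round(mean, 2),
            "stddev_db": round(math.sqrt(max(variance, 0.0)), 2),
            "min_dbm": rec["sig_min"], "max_dbm": rec["sig_max"]}


def rate_signal(rssi_dbm: float) -> str:
    """Map an RSSI to the bands given in the signal strength section."""
    if rssi_dbm <= -95:
        return "ignored"      # at or below -95 dBm the adapter ignores it
    if rssi_dbm <= -85:
        return "poor"         # -85 to -95 dBm is called undesirable
    if rssi_dbm >= -65:
        return "good"         # -20 to -65 dBm is the recommended range
    return "marginal"         # our label for the gap the page does not name


def summarize(output: str) -> list:
    """(sta_mac, detecting AP, mean RSSI, rating) for every located device."""
    out = []
    for rec in parse_sta_locate(output):
        mean = rssi_stats(rec)["mean_dbm"]
        out.append((rec["sta_mac"], rec["ap_serial"], mean, rate_signal(mean)))
    return out


# The page's example output, re-typed without console wrapping.
SAMPLE = """
FWF60C3G11004319 # diagnose wireless-controller wlac -c sta-locate
sta_mac vfid rid base_mac freq_lst frm_cnt frm_fst frm_last intv_sum intv2_sum intv3_sum intv_min intv_max signal_sum signal2_sum signal3_sum sig_min sig_max sig_fst sig_last ap
00:0b:6b:22:82:61 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 257 708 56 651 1836 6441 0 12 -21832 1855438 -157758796 -88 -81 -84 -88 0
00:db:df:24:1a:67 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 42 1666 41 1625 97210 5831613 0 60 -3608 310072 -26658680 -90 -83 -85 -89 0
10:68:3f:50:22:29 0
FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 102 1623 58 1565 94136 5664566 0 60 -8025 631703 -49751433 -84 -75 -78 -79 0
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

All three devices in the page's output are heard at a mean of roughly -79 to -86 dBm, i.e. well outside the -20 to -65 dBm range recommended earlier, which is plausible for passing devices that never associated and is worth remembering before reading much into their presence data.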

 



Using a FortiWiFi unit as a client

A FortiWiFi unit by default operates as a wireless access point. But a FortiWiFi unit can also operate as a wireless client, connecting the FortiGate unit to another wireless network.

  • Use of client mode
  • Configuring client mode

 

Use of client mode

In client mode, the FortiWiFi unit connects to a remote WiFi access point to access other networks or the Internet. This is most useful when the FortiWiFi unit is in a location that does not have a wired infrastructure.

For example, in a warehouse where shipping and receiving are on opposite sides of the building, running cables might not be an option due to the warehouse environment. The FortiWiFi unit can support wired users using its Ethernet ports and can connect to another access point wirelessly as a client. This connects the wired users to the network using the 802.11 WiFi standard as a backbone.

Note that in client mode the FortiWiFi unit cannot operate as an AP. WiFi clients cannot see or connect to the FortiWiFi unit in client mode.

 

Figure: FortiWiFi unit in Client mode (the FortiGate/FortiWiFi, with wired clients behind it, connects wirelessly to a FortiAP)

Configuring client mode

To set up the FortiWiFi unit as a WiFi client, you must use the CLI. Before you do this, be sure to remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and so on.

 

To configure wireless client mode

1. Change the WiFi mode to client.

In the CLI, enter the following commands:

config system global
    set wireless-mode client
end

Respond “y” when asked if you want to continue. The FortiWiFi unit will reboot.

 

2. Configure the WiFi interface settings.

For example, to configure the client for WPA-Personal authentication on the our_wifi SSID with passphrase justforus, enter the following in the CLI:

config system interface
    edit wifi
        set mode dhcp
        config wifi-networks
            edit 0
                set wifi-ssid our_wifi
                set wifi-security wpa-personal
                set wifi-passphrase "justforus"
        end
end

The WiFi interface client_wifi will receive an IP address using DHCP.

 

3. Configure a wifi to port1 policy.

   You can use either the CLI or the web-based manager to do this. The important settings are:

   Incoming Interface (srcintf)      wifi
   Source Address (srcaddr)          all
   Outgoing Interface (dstintf)      port1
   Destination Address (dstaddr)     all
   Schedule                          always
   Service                           ALL
   Action                            ACCEPT
   Enable NAT                        Selected

 



Wireless network examples

This chapter provides example wireless network configurations.

  • Basic wireless network
  • A more complex example

 

Basic wireless network

This example uses automatic configuration to set up a basic wireless network. To configure this wireless network, you must:

  • Configure authentication for wireless users
  • Configure the SSID (WiFi network interface)
  • Add the SSID to the FortiAP Profile
  • Configure the firewall policy
  • Configure and connect FortiAP units

 

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

 

To configure a WiFi user – web-based manager

1. Go to User & Device > User Definition and select Create New.

2. Select Local User and then click Next.

3. Enter a User Name and Password and then click Next.

4. Click Next.

5. Make sure that Enable is selected and then click Create.

 

To configure the WiFi user group – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

Name                                           wlan_users

Type                                            Firewall

Members                                    Add users.

 

To configure a WiFi user and the WiFi user group – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
end

config user group
    edit "wlan_users"
        set member "user01"
end

 

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

 

To configure the SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter the following information and select OK:

 

Interface Name            example_wifi_if
Traffic Mode              Tunnel to Wireless Controller
IP/Network Mask           10.10.110.1/24
Administrative Access     Ping (to assist with testing)
DHCP Server               Enable
  Address Range           10.10.110.2 – 10.10.110.199
  Netmask                 255.255.255.0
  Default Gateway         Same As Interface IP
  DNS Server              Same as System DNS
SSID                      example_wifi
Security Mode             WPA2 Enterprise
Authentication            Local, select wlan_users user group.

Leave other settings at their default values.

 

 

To configure the SSID – CLI

config wireless-controller vap
    edit example_wifi_if
        set ssid "example_wifi"
        set broadcast-ssid enable
        set security wpa-enterprise
        set auth usergroup
        set usergroup wlan_users
        set schedule always
end

config system interface
    edit example_wifi_if
        set ip 10.10.110.1 255.255.255.0
end

config system dhcp server
    edit 0
        set default-gateway 10.10.110.1
        set dns-service default
        set interface "example_wifi_if"
        config ip-range
            edit 1
                set end-ip 10.10.110.199
                set start-ip 10.10.110.2
        end
        set netmask 255.255.255.0
end

 

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

 

To add the SSID to the FortiAP Profile – web-based manager

1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your model of FortiAP unit.

2. In Radio 1 and Radio 2, add example_wifi in SSID.

3. Select OK.

 

Configuring security policies

A security policy is needed to enable WiFi users to access the Internet on port1. First you create a firewall address for the WiFi network, then you create the example_wifi to port1 policy.

 

To create a firewall address for WiFi users – web-based manager

1. Go to Policy & Objects > Addresses.

2. Select Create New > Address, enter the following information and select OK.

 

Name                       wlan_user_net
Type                       IP/Netmask
Subnet / IP Range          10.10.110.0/24
Interface                  example_wifi_if
Show in Address List       Enabled

 

 

To create a firewall address for WiFi users – CLI

config firewall address
    edit "wlan_user_net"
        set associated-interface "example_wifi_if"
        set subnet 10.10.110.0 255.255.255.0
end

 

To create a security policy for WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

 

Incoming Interface         example_wifi_if
Source Address             wlan_user_net
Outgoing Interface         port1
Destination Address        All
Schedule                   always
Service                    ALL
Action                     ACCEPT
NAT                        ON. Select Use Destination Interface Address (default).

 

Leave other settings at their default values.

 

To create a firewall policy for WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_wifi_if"
        set dstintf "port1"
        set srcaddr "wlan_user_net"
        set dstaddr "all"
        set schedule always
        set service ALL
        set action accept
        set nat enable
end

 

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Network Mask to 192.168.8.1/255.255.255.0.

3. Select OK.

This procedure automatically configures a DHCP server for the AP units.

 

To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
end

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config exclude-range
            edit 1
                set end-ip 192.168.8.1
                set start-ip 192.168.8.1
            end
        config ip-range
            edit 1
                set end-ip 192.168.8.254
                set start-ip 192.168.8.2
            end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
end


To connect a FortiAP unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

2. Connect the FortiAP unit to port 3.

3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.

4. When the FortiAP unit is listed, select the entry to edit it.

The Edit Managed Access Point window opens.

5. In State, select Authorize.

6. In FortiAP Profile, select the default profile for the FortiAP model.

7. Select OK.

8. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP unit – CLI

1. Connect the FortiAP unit to port 3.

2. Enter:

    config wireless-controller wtp

3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

    == [ FAP22B3U10600118 ]
    wtp-id: FAP22B3U10600118

4. Edit the discovered FortiAP unit like this:

    edit FAP22B3U10600118
        set admin enable
    end

5. Repeat Steps 2 through 4 for each FortiAP unit.


A more complex example

This example creates multiple networks and uses custom AP profiles.

 

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID, the employee network WAP does not.

The employee network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

 

Configuration

To configure these wireless networks, you must:

  • Configure authentication for wireless users
  • Configure the SSIDs (network interfaces)
  • Configure the AP profile
  • Configure the WiFi LAN interface and a DHCP server
  • Configure firewall policies

 

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

 

To configure a WiFi user – web-based manager

1. Go to User & Device > User Definition and select Create New.

2. Select Local User and then click Next.

3. Enter a User Name and Password and then click Next.

4. Click Next.

5. Make sure that Enable is selected and then click Create.

 

To configure the user group for employee access – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

Name       employee-group
Type       Firewall
Members    Add users.


To configure a WiFi user and the user group for employee access – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
end
config user group
    edit "employee-group"
        set member "user01"
end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.


Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

 

To configure the FortiGate unit to access the guest RADIUS server – web-based manager

1. Go to User & Device > RADIUS Servers and select Create New.

2. Enter the following information and select OK:

Name                        guestRADIUS
Primary Server IP/Name      10.11.102.100
Primary Server Secret       grikfwpfdfg
Secondary Server IP/Name    Optional
Secondary Server Secret     Optional
Authentication Scheme       Use default, unless server requires otherwise.

Leave other settings at their default values.


To configure the FortiGate unit to access the guest RADIUS server – CLI

config user radius
    edit guestRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret grikfwpfdfg
end


To configure the user group for guest access – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

Name       guest-group
Type       Firewall
Members    Leave empty.

3. Select Create new.

4. Enter:

Remote Server    Select guestRADIUS.
Groups           Select wireless

5. Select OK.


To configure the user group for guest access – CLI

config user group
    edit "guest-group"
        set member "guestRADIUS"
        config match
            edit 0
                set server-name "guestRADIUS"
                set group-name "wireless"
            end
end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.


Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

 

To configure the employee SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter the following information and select OK:

Interface Name           example_inc
Traffic Mode             Tunnel to Wireless Controller
IP/Netmask               10.10.120.1/24
Administrative Access    Ping (to assist with testing)
Enable DHCP              Enable
Address Range            10.10.120.2 – 10.10.120.199
Netmask                  255.255.255.0
Default Gateway          Same As Interface IP
DNS Server               Same as System DNS
SSID                     example_inc
Security Mode            WPA/WPA2-Enterprise
Authentication           Select Local, then select employee-group.

Leave other settings at their default values.


To configure the employee SSID – CLI

config wireless-controller vap
    edit example_inc
        set ssid "example_inc"
        set security wpa-enterprise
        set auth usergroup
        set usergroup employee-group
        set schedule always
end
config system interface
    edit example_inc
        set ip 10.10.120.1 255.255.255.0
end
config system dhcp server
    edit 0
        set default-gateway 10.10.120.1
        set dns-service default
        set interface example_inc
        config ip-range
            edit 1
                set end-ip 10.10.120.199
                set start-ip 10.10.120.2
            end
        set lease-time 7200
        set netmask 255.255.255.0
end


To configure the example_guest SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New.

2. Enter the following information and select OK:

Name                     example_guest
IP/Netmask               10.10.115.1/24
Administrative Access    Ping (to assist with testing)
Enable DHCP              Enable
Address Range            10.10.115.2 – 10.10.115.50
Netmask                  255.255.255.0
Default Gateway          Same as Interface IP
DNS Server               Same as System DNS
SSID                     example_guest
Security Mode            Captive Portal
Portal Type              Authentication
Authentication Portal    Local
User Groups              Select guest-group

Leave other settings at their default values.


To configure the example_guest SSID – CLI

config wireless-controller vap
    edit example_guest
        set ssid "example_guest"
        set security captive-portal
        set selected-usergroups guest-group
        set schedule always
end
config system interface
    edit example_guest
        set ip 10.10.115.1 255.255.255.0
end
config system dhcp server
    edit 0
        set default-gateway 10.10.115.1
        set dns-service default
        set interface "example_guest"
        config ip-range
            edit 1
                set end-ip 10.10.115.50
                set start-ip 10.10.115.2
            end
        set lease-time 7200
        set netmask 255.255.255.0
end


Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

 

To configure the FortiAP Profile – web-based manager

1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.

2. Enter the following information and select OK:

Name        example_AP
Platform    FAP220B

Radio 1
Mode        Access Point
Band        802.11n
Channel     Select 1, 6, and 11.
Tx Power    100%
SSID        Select SSIDs and select example_inc and example_guest.

Radio 2
Mode        Access Point
Band        802.11n_5G
Channel     Select all.
Tx Power    100%
SSID        Select SSIDs and select example_inc.


To configure the AP Profile – CLI

config wireless-controller wtp-profile
    edit "example_AP"
        config platform
            set type 220B
        end
        config radio-1
            set ap-bgscan enable
            set band 802.11n
            set channel "1" "6" "11"
            set vaps "example_inc" "example_guest"
        end
        config radio-2
            set ap-bgscan enable
            set band 802.11n-5G
            set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
            set vaps "example_inc"
        end
end


Configuring firewall policies

Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.

 

To create firewall addresses for employee and guest WiFi users

1. Go to Policy & Objects > Addresses.

2. Select Create New, enter the following information and select OK.

Address Name         employee-wifi-net
Type                 Subnet / IP Range
Subnet / IP Range    10.10.120.0/24
Interface            example_inc

3. Select Create New, enter the following information and select OK.

Address Name         guest-wifi-net
Type                 Subnet / IP Range
Subnet / IP Range    10.10.115.0/24
Interface            example_guest


To create firewall policies for employee WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

Incoming Interface     example_inc
Source Address         employee-wifi-net
Outgoing Interface     port1
Destination Address    all
Schedule               always
Service                ALL
Action                 ACCEPT
NAT                    Enable NAT

3. Optionally, select security profiles for wireless users.

4. Select OK.

5. Repeat steps 1 through 4 but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.


To create firewall policies for employee WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_inc"
        set dstintf "port1"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "example_inc"
        set dstintf "internal"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
end


To create a firewall policy for guest WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

Incoming Interface     example_guest
Source Address         guest-wifi-net
Outgoing Interface     port1
Destination Address    all
Schedule               always
Service                ALL
Action                 ACCEPT
NAT                    Enable NAT

3. Optionally, select UTM and set up UTM features for wireless users.

4. Select OK.


To create a firewall policy for guest WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_guest"
        set dstintf "port1"
        set srcaddr "guest-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
end
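Name mismatches between an SSID interface, the firewall address bound to it and the policy that references it are easy to introduce when the configuration is spread over several CLI blocks (the chapter's employee policy CLI originally used srcintf employee_inc for the interface named example_inc). The Python below is an added example, not Fortinet code or tooling: it parses the flat config/edit/set subset used in this chapter and reports addresses whose subnet does not contain the bound interface's IP and policies that name undefined interfaces; the SAMPLE text is constructed here to mirror the chapter's employee and guest setup.

```python
# Added example, not Fortinet code: lint the flat FortiOS config subset used in
# this chapter (config/edit/set). SAMPLE is constructed; policy 1 keeps the
# chapter's "employee_inc" slip (the SSID interface is named example_inc).
import ipaddress
SAMPLE = """
config system interface
edit example_inc
set ip 10.10.120.1 255.255.255.0
next
edit example_guest
set ip 10.10.115.1 255.255.255.0
next
edit port1
next
end
config firewall address
edit "employee-wifi-net"
set associated-interface "example_inc"
set subnet 10.10.120.0 255.255.255.0
next
edit "guest-wifi-net"
set associated-interface "example_guest"
set subnet 10.10.115.0 255.255.255.0
next
end
config firewall policy
edit 1
set srcintf "employee_inc"
set dstintf "port1"
next
edit 2
set srcintf "example_guest"
set dstintf "port1"
next
end
"""

def parse(text):
    """Return {table: {entry: {key: [values]}}}; nested sub-tables are out of scope."""
    tables, table, entry = {}, None, None
    for words in (line.replace('"', "").split() for line in text.splitlines()):
        if words and words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words and words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words and words[0] == "set":
            entry[words[1]] = words[2:]
    return tables

def check(tables):
    """Return findings; an empty list means the fragments agree with each other."""
    ifaces, findings = tables.get("system interface", {}), []
    for name, addr in tables.get("firewall address", {}).items():
        iface = addr.get("associated-interface", ["?"])[0]
        net = ipaddress.ip_network("/".join(addr["subnet"]), strict=False)
        ip = ifaces.get(iface, {}).get("ip")
        if ip is None or ipaddress.ip_interface("/".join(ip)).ip not in net:
            findings.append(f"address {name}: {net} does not match interface {iface}")
    for pid, pol in tables.get("firewall policy", {}).items():
        for key in ("srcintf", "dstintf"):
            for iface in pol.get(key, []):
                if iface not in ifaces:
                    findings.append(f"policy {pid}: {key} {iface} is not a defined interface")
    return findings
```

Calling check(parse(SAMPLE)) returns a single finding for policy 1; paste a real "show" output in the same flat form to lint a live configuration.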

 

Connecting the FortiAP units

You need to connect each FortiAP-220A unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Netmask to 192.168.8.1/255.255.255.0.

This step automatically configures a DHCP server for the AP units.

3. Select OK.


To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
end

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config ip-range
            edit 1
                set end-ip 192.168.8.9
                set start-ip 192.168.8.2
            end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
end


To connect a FortiAP-220A unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

2. Connect the FortiAP unit to port 3.

3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.

4. When the FortiAP unit is listed, select the entry to edit it.

The Edit Managed Access Point window opens.

5. In State, select Authorize.

6. In the AP Profile, select [Change] and then select the example_AP profile.

7. Select OK.

8. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP-220A unit – CLI

1. Connect the FortiAP unit to port 3.

2. Enter:

    config wireless-controller wtp

3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

    == [ FAP22A3U10600118 ]
    wtp-id: FAP22A3U10600118

4. Edit the discovered FortiAP unit like this:

    edit FAP22A3U10600118
        set admin enable
        set wtp-profile example_AP
    end

5. Repeat Steps 2 through 4 for each FortiAP unit.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring wireless network clients

This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPA-Enterprise security.

  • Windows XP client
  • Windows 7 client
  • Mac OS client
  • Linux client
  • Troubleshooting


Windows XP client

To configure the WPA-Enterprise network connection

1. In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

If you are already connected to another wireless network, the Connection Status window displays. Select View Wireless Networks on the General tab to view the list.

If the network broadcasts its SSID, it is listed. But do not try to connect until you have completed the configuration step below. Because the network doesn’t use the Windows XP default security configuration, configure the client’s network settings manually before trying to connect.

2. You can configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID.

3. Select Change Advanced Settings and then select the Wireless Networks tab.

 

Any existing networks that you have already configured are listed in the Preferred Networks list.

4. Select Add and enter the following information:

 

Network Name (SSID)               The SSID for your wireless network

Network Authentication           WPA2

Data Encryption                        AES

5. If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks list.

6. Select the Authentication tab.

7. In EAP Type, select Protected EAP (PEAP).

8. Make sure that the other two authentication options are not selected.

9. Select Properties.

10. Make sure that Validate server certificate is selected.

11. Select the server certificate UTN-USERFirst-Hardware.

12. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).

13. Ensure that the remaining options are not selected.

14. Select Configure.

15. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.

16. Select OK. Repeat until you have closed all of the Wireless Network Connection Properties windows.

