FortiWLC – Beacon Services

Beacon Services

Fortinet Beacon Services use iBeacon to allow mobile applications (on iOS and Android devices) to receive signals from beacons in the physical world and deliver hyper-contextual content to users based on location. Bluetooth Low Energy (BLE) is the wireless personal area network technology used for transmitting data over short distances. Broadly, the Beacon Service requires a Bluetooth-based iBeacon device to broadcast signals and a mobile application to receive these signals once it comes within the configured proximity. You can now create multiple Beacon Service profiles and map APs to a specific profile.

The Beacon services are available by default in FAP U421EV, FAP U423EV, FAP U321EV and FAP U323EV. For other non-wave2 APs, you will need Bluetooth adapters (for example, Broadcom USB Class 2 Bluetooth 4.0 Dongle, CSR 4.0 Bluetooth Dongle and Iogear Bluetooth 4.0 USB Micro Adapter GBU521). Ensure that the Bluetooth adapters support Bluetooth version 4.0 or above.

Note: Wave 1 APs must be connected to an 802.3at power supply.

You can perform the following operations to manage the Beacon Services. Navigate to Configuration > Devices > Beacon Services.

Adding Beacon Services Profiles

This option allows you to add a Beacon Service. You can create multiple Beacon Service profiles and also map APs to a specific profile.

APs that are part of a profile send iBeacons that help advertise hyperlocal content to users based on their location.

Update the following fields.

BLE Profile – Unique name for this Beacon Service profile. The supported range is 1-64 alphanumeric characters.

Advertise BLE Beacon – Enables the BLE beacons to advertise packets received by devices. These packets determine the location of the device with respect to the Beacon.

BLE Format – Select ibeacon as the BLE Format.

Beaconing Interval (ms) – Select the time interval at which the Beacons transmit signals to associated devices, that is, this sets the rate at which beacons advertise packets. Setting the beacon interval to a higher value decreases the frequency of unicasts and broadcasts sent by the AP. The supported range is 100-1000 milliseconds.

Universal Unique Identifier (UUID) – Click Generate UUID to receive a UUID that is specific to the beacon. The purpose of the ID is to distinguish iBeacons in your network from all other beacons in other networks not monitored by you.

Major Number – This number is assigned to some beacons in a network and is used to distinguish this subset of beacons within a larger group of beacons. For example, beacons within a particular geographic area can have the same major number. The supported range is 0 to 65535.

Minor Number – This number is assigned to identify individual beacons. For example, each beacon in a group of beacons with the same major number, will have a unique minor number. The supported range is 0 to 65535.

Power Level – Select a power level for the beacon’s transmit signal. The higher the power, the greater the range of your signal. This is measured in dBm (decibel-milliwatts). The supported range is 0 (-29 dBm) to 15 (4 dBm).
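The following added example (not Fortinet code) shows how the UUID, Major Number and Minor Number described above appear in an iBeacon advertisement, and how a site survey can use them to separate beacons that match a configured profile from beacons that carry your UUID with an unconfigured Major/Minor pair and from beacons of other networks. The profile dictionary keys, the UUIDs and the captured payloads are constructed for illustration and are not the controller's export format.

```python
import struct
import uuid

AD_TYPE_MANUFACTURER = 0xFF             # "Manufacturer Specific Data" AD type
APPLE_COMPANY_ID = 0x004C               # company identifier used by iBeacon frames
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15  # 0x15 = 21 payload bytes follow

# Constructed inventory, one entry per Beacon Service profile (key names are hypothetical).
PROFILES = [
    {"name": "Lobby01", "uuid": "12345678-1234-5678-1234-56789abcdef0",
     "major": 100, "minor": 7, "interval_ms": 200, "power_level": 8},
    {"name": "Lobby02", "uuid": "12345678-1234-5678-1234-56789abcdef0",
     "major": 100, "minor": 8, "interval_ms": 200, "power_level": 8},
]

# Constructed advertisement payloads (hex), as a BLE scanner would report them.
SAMPLES = {
    "configured":  "0201061aff4c0002151234567812345678123456789abcdef000640007c5",
    "unknown_id":  "0201061aff4c0002151234567812345678123456789abcdef0006403e7c5",
    "other_uuid":  "0201061aff4c000215aaaaaaaabbbbccccddddeeeeeeeeeeee00010001c5",
    "not_ibeacon": "020106070953656e736f72",
    "truncated":   "0201061aff4c0002151234",
}


def validate_profile(p):
    """Check a profile against the field ranges documented for the WebUI."""
    errors = []
    if not (1 <= len(p["name"]) <= 64 and p["name"].isalnum()):
        errors.append("name must be 1-64 alphanumeric characters")
    if not 100 <= p["interval_ms"] <= 1000:
        errors.append("beaconing interval must be 100-1000 ms")
    for field in ("major", "minor"):
        if not 0 <= p[field] <= 65535:
            errors.append(f"{field} must be 0-65535")
    if not 0 <= p["power_level"] <= 15:
        errors.append("power level must be 0-15")
    try:
        uuid.UUID(p["uuid"])
    except ValueError:
        errors.append("uuid is not a valid UUID")
    return errors


def ad_structures(adv):
    """Yield (ad_type, data) for each length-prefixed AD structure in a payload."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:                      # zero length marks padding
            return
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        yield adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length


def parse_ibeacon(adv):
    """Return (uuid, major, minor, measured_power) or None if not an iBeacon frame."""
    for ad_type, data in ad_structures(adv):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) != 25:
            continue
        company, btype, blen = struct.unpack_from("<HBB", data, 0)
        if (company, btype, blen) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN):
            continue
        # UUID (16 bytes), Major and Minor (big-endian 16-bit), then a signed
        # calibration byte (RSSI at 1 m), which is not the Power Level setting.
        raw, major, minor, power = struct.unpack_from(">16sHHb", data, 4)
        return uuid.UUID(bytes=raw), major, minor, power
    return None


def build_inventory(profiles):
    """Map each configured UUID to its set of (major, minor) pairs; skip invalid profiles."""
    inventory = {}
    for p in profiles:
        if not validate_profile(p):
            inventory.setdefault(uuid.UUID(p["uuid"]), set()).add((p["major"], p["minor"]))
    return inventory


def classify(adv_hex, inventory):
    try:
        beacon = parse_ibeacon(bytes.fromhex(adv_hex))
    except ValueError:
        return "malformed"
    if beacon is None:
        return "not-ibeacon"
    beacon_uuid, major, minor, _ = beacon
    if beacon_uuid not in inventory:
        return "foreign"                      # another network's beacon
    if (major, minor) in inventory[beacon_uuid]:
        return "own"
    return "own-uuid-unknown-id"              # your UUID, but no profile has this pair


def audit(samples, profiles):
    inventory = build_inventory(profiles)
    return {name: classify(hexdata, inventory) for name, hexdata in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES, PROFILES).items():
        print(f"{name:12s} {verdict}")
```

A result of own-uuid-unknown-id is the one worth following up: it is either an AP whose profile is missing from the inventory or a transmitter you do not manage that advertises your UUID.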

Exporting Beacon Services Profiles

You can export the existing Beacon profiles into your local drive.

Importing Beacon Services Profiles

You can load Beacon Services profiles by importing files (*.csv) from your local drive.

Click Import and browse to the saved *.csv template file.

Adding APs to the Beacon Service Profile

Click the edit icon to view the service profile details. Beacon Services – Update page is displayed to make changes to the service profile.

Click the Add option to start adding APs to the service profile. By default this page shows the list of APs added to the service profile.

  • You can add multiple APs to a service profile.
  • An AP can be mapped to only one service profile at a time.

Editing Beacon Services Profiles

Select the Beacon Services profile and click Edit to edit the values for an existing profile.

Deleting Beacon Services Profiles

Select the Beacon Services profile and click Delete in the Action column to delete the profile.

FortiWLC – Device Fingerprinting

Device Fingerprinting

Device fingerprinting allows collection of various attributes about a device connecting to your network. The collected attributes can fully or partially identify individual devices, including the client’s OS, device type, and browser being used.

Device Fingerprinting provides more information about the station and allows system administrators to be more aware of the types of devices in use and take necessary actions. You can view the details of the devices via Monitor > Dashboard. You can import, export, add, delete, or restore the devices using the fingerprint command; the show fingerprints command displays the device fingerprints stored in the system. See the Command Reference Guide for more information on the CLI commands.

Configuration Using WebUI

Configuration > Devices > Device Fingerprint

By default, this page lists the configured device OS types that can be monitored.

Adding a New Device OS

To add a new device OS type, click the ADD button and enter the device name and the associated hexadecimal characters (starting with 37 or 3c) and then click SAVE to add this device to the list.

Modifying an Existing Device OS

To modify an existing entry, select the checkbox for that entry and click the EDIT button. Make the required changes in the pop up box and click the SAVE button.

Export Device OS Details

To export the existing list of devices to another controller, click the checkbox in the column header to select all entries. Then click the EXPORT button to create a text file with the entries.

Import New Device OS Details

To import new entries, click the IMPORT button and browse the location with the text file. Then click the SAVE button to add the new list.

Configuration Using CLI

The CLI command fingerprint has the following options:

default(15)(config)# fingerprint ?

add                    (10) Adds description and hexadecimal characters.
delete                 (10) Deletes description and hexadecimal characters.
export                 (10) Adds description and hexadecimal characters.
import                 (10) Adds description and hexadecimal characters.
restore                (10) Restores configuration file.

  • add – To add new device OS type
  • delete – Remove an existing device OS type
  • import – Specify the filename to import device OS types. The file must be available in the /opt/meru/images folder.
  • export – To export the current list of device OS types. The exported file is stored as a .txt file in the /opt/meru/images directory.

FortiWLC – RF Interferer Classification

RF Interferer Classification

Wi-Fi networks operate in the unlicensed 2.4 and 5 GHz frequency bands, where they share a medium with a variety of other devices. With the exception of Bluetooth devices, none of the other devices have any mechanisms to co-exist with Wi-Fi networks. As a result, when an interfering device emits energy in the WLAN channel that the WLAN Access Point uses for communication, the throughput of the AP can be significantly affected.

Spectrum detects all non-802.11 interference devices, especially the devices mentioned in the below list:

  • Microwave ovens (conventional)
  • Microwave ovens (inverter)
  • Motorola Canopy Wireless
  • Non-Wifi Wireless Bridges
  • Wireless video cameras (digital and analog)
  • Analog cordless phones (2.4GHz and 5GHz)
  • FHSS cordless phones (2.4GHz and 5GHz)
  • DSSS cordless phones (2.4GHz and 5GHz)
  • Bluetooth devices
  • Wireless baby monitors
  • Game Controllers
  • RF Jammers (both narrowband and wideband)
  • Wireless mice
  • Zigbee devices
  • Motion Detectors (S-band, radar-based)

In addition to the devices mentioned above, RF jamming devices also exist. RF jamming devices can be used to intentionally interfere with wireless communications. Although these devices are considered to be illegal in the US and elsewhere, they pose performance and security issues for WLANs.

Wireless LANs based on the IEEE 802.11 standards function in the unlicensed 2.4 and 5 GHz frequency bands. Other devices emitting radio-frequency energy in these bands can interfere with WLAN transmissions. The table “Radio frequency characteristics for the interferer devices listed below” (Table 9) lists some common RF interferers and their RF characteristics.

Radio frequency characteristics for the interferer devices

The Radio frequency characteristics for the interferer devices are listed below:

From the deployment perspective, Spectrum coverage depends not only on the sensor (its receiver sensitivity) but also on the transmit power (or signal strength) of the interference devices. Sensors cannot be placed far away and still be expected to receive packets from interference devices with very low signal strength.

Theoretically, the lower the signal strength of the interference devices, the more sensors must be deployed to catch those devices.

The sensors (software sensors and hardware sensors) must be installed at least six feet away from a servicing AP. Placing them closer affects the accuracy of interference classification.

The servicing APs must not be installed very close to a PSM3x, as false events (Analog Cordless Phones, etc.) may be detected by the PSM3x sensor due to the EMI (Electromagnetic Interference) emitted by nearby APs.

For Example:

Bluetooth has 2.2 dBm transmit power, for which the sensors must be placed closer in the given site, for it to be captured. So, the signal strength of interference devices is inversely proportional to the sensors coverage area.

Also, the sensor coverage area is proportional to the receiver sensitivity. The higher the receiver sensitivity (which can be obtained with higher-gain antennas), the more sparsely the sensors can be distributed compared to the above example.

In conclusion, the coverage area of a sensor depends on the lowest signal strength of the interference devices to be detected and on the receiver sensitivity of the sensor. The higher the signal strength of the interference device and the higher the receiver sensitivity, the more coverage the sensors have, and vice versa. Taking these factors into account, the expected coverage can be estimated from the following table, which specifies the interferer transmit power, so the administrator can predict the sensor deployment for the user environment.

TABLE 9: Radio frequency characteristics for the interferer devices listed below

| Interferer Device | Frequency Range | Transmit Power | Modulation | # Communication Channels Supported | Width | Features |
| --- | --- | --- | --- | --- | --- | --- |
| Bluetooth | 2402-2480 MHz | 2.2 dBm | GFSK, FHSS | 79 | 1 MHz | Pulsed, low-power |
| Analog Cordless Phone | 2403-2480 MHz | NA | Narrow Band FM | 40 | ~300 kHz | Narrow Band FM |
| DSSS Digital Cordless Phone | 2407.5-2472 MHz | 20 dBm | DSSS | 40 | 1.5 MHz | High-power, duty factor |
| FHSS Digital Cordless Phone | 2408.5-2472 MHz | 21 dBm | FHSS | 90 | 892 kHz | Pulsed, high-power |
| Conventional Microwave Oven | 2.4 GHz | 800 W | N/A | N/A | N/A | Pulsed, broadband |
| Inverter Microwave | 2.4 GHz | 1300 W | N/A | N/A | N/A | Pulsed, broadband |
| Wireless Video Camera | 2414-2468 MHz | 10 dBm | Frequency Modulation (FM) | 4 | N/A | Broadband, high-power |
| Digital Video Monitor | 2402-2483 MHz | 20 dBm | FHSS | 27 | 2 MHz | High-power, frequency hopping |
| Game Controller | 2402-2482 MHz | N/A | FHSS | 40 | 500 kHz | Pulsed, low-power, frequency hopping |
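The link-budget reasoning in the conclusion above can be worked through numerically. This added sketch (not part of the Fortinet guide) uses the transmit powers and frequency ranges from Table 9; the free-space path-loss model, the sensor sensitivities (-85 dBm and -91 dBm), the 30 dB loss margin and the floor dimensions are assumptions chosen only for illustration.

```python
import math

# (transmit power in dBm, band low MHz, band high MHz), copied from Table 9.
# Rows whose transmit power is N/A or given in watts are left out.
INTERFERERS = {
    "Bluetooth": (2.2, 2402.0, 2480.0),
    "Wireless video camera": (10.0, 2414.0, 2468.0),
    "DSSS digital cordless phone": (20.0, 2407.5, 2472.0),
    "Digital video monitor": (20.0, 2402.0, 2483.0),
    "FHSS digital cordless phone": (21.0, 2408.5, 2472.0),
}


def detection_radius_m(tx_dbm, freq_mhz, sensitivity_dbm, margin_db=0.0):
    """Distance at which the received level drops to the sensor sensitivity.

    Free-space path loss: FSPL(dB) = 20*log10(d_m) + 20*log10(f_MHz) - 27.55.
    margin_db is extra loss (walls, fading) subtracted from the link budget.
    """
    budget_db = tx_dbm - sensitivity_dbm - margin_db
    return 10 ** ((budget_db + 27.55 - 20 * math.log10(freq_mhz)) / 20)


def coverage_by_interferer(sensitivity_dbm, margin_db):
    """Detection radius per interferer, evaluated at the centre of its band."""
    return {
        name: detection_radius_m(power, (low + high) / 2, sensitivity_dbm, margin_db)
        for name, (power, low, high) in INTERFERERS.items()
    }


def sensors_needed(length_m, width_m, radius_m):
    """Sensors on a square grid with spacing r*sqrt(2), so that every point
    of the floor lies within radius_m of some sensor."""
    spacing = radius_m * math.sqrt(2)
    return math.ceil(length_m / spacing) * math.ceil(width_m / spacing)


def plan(length_m, width_m, sensitivity_dbm, margin_db):
    """Size the grid for the weakest interferer that must still be detected."""
    radii = coverage_by_interferer(sensitivity_dbm, margin_db)
    weakest = min(radii, key=radii.get)
    count = sensors_needed(length_m, width_m, radii[weakest])
    return weakest, radii[weakest], count


if __name__ == "__main__":
    for sensitivity in (-85.0, -91.0):   # assumed sensor sensitivities
        name, radius, count = plan(45.0, 25.0, sensitivity, margin_db=30.0)
        print(f"sensitivity {sensitivity} dBm: limited by {name}, "
              f"radius {radius:.1f} m, {count} sensors for 45 m x 25 m")
```

Under these assumptions the low-power Bluetooth row sets the sensor spacing, and a sensor that is 6 dB more sensitive doubles the detection radius.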

RF Interferer Detection

With the WLANs supporting critical applications such as voice and video communications, monitoring and management of RF interference becomes a security imperative. Interference can be from an intentional, malicious interferer such as an RF jammer or from an unintentional source such as a cordless phone in a nearby location. In either case, the ability of the WLAN to support the real-time communication required by these applications can be severely compromised by the RF interference. WLANs must be able to continuously detect the interferer in the RF environment for these security issues and trigger alerts to network administrators.

The sensors listed on the Event Log page provide the interference event information.

Figure 32 illustrates the sensors listed on the Event Log screen.

Figure 32: Sensors listed on the Event Log screen

Each interferer device signal is treated as an interference event and is detected by the following parameters:

  • Event Subtype (Type of interferer)
  • Signal Strength (Current/ Average / Maximum) dBm
  • Affected Channel(s) (Impact will be on the channels listed)
  • Center frequency
  • Duration (how long the interference event was seen)
  • Start Time (At what time the interference event started)
  • Stop Time (At what time the interference event stopped)

The active Interference event is highlighted in bold font and a red dot.

The event which is not alive at the moment will be grayed out as shown in the

The RF Interferer classification is detected by the following parameters

  • Channel
  • Signal Strength

An interferer can be detected:

  • By opting to filter on a specific channel only.
  • By signal strength: an interferer fading into the 2.4GHz and the 5GHz spectrum by varying its signal strength is detected by opting to filter the signal strength, ranging from >= -10 dBm to >=110 dBm.
  • By specific interferer devices.

Interferers on all channels, across the range of signal strengths and of all interferer device types, can also be shown by opting for “All”.

Historical Spectrum dashboard Analysis

Spectrum Manager provides historical spectrum data for analysis. The impact on the interferer devices can be determined with the data available from the past with the tentative date and time. Interference events caused by the interferer devices are stored in the Spectrum Manager database for future analysis. A history of interference events for one year is maintained.

Event logs

The triggered events from the particular sensor are consolidated, captured and displayed in the Event Log screen as displayed in Figure 146 on page 351.

Time-based Analysis

The Spectrum events are the time-based triggered events, for which the “Start and Stop time” is not provided. It must display the dashboard for the current interference activity. Ensure the “Earliest Time possible in Start time and Use current time in Stop time” check box is checked, to view the dashboard for real time display.

Proactive Spectrum Manager

Proactive Spectrum Manager, designed for single channel deployment, takes a top-level view into the channel spectrum, then recommends the best channel(s) for network operation. The PSM dashboard presents a goodness value for all channels and recommended channels of operation for the network using a chart with green (good) and red (don’t use) bars.

Configure Proactive Dashboard Manager Using the Web UI

Use the dashboard to see the channel goodness over the spectrum and best available channels for 20MHz or channel-bonded (40MHz) operation on the 2.4 and 5GHz bands. The spectrum shows bar chart goodness values for all 20MHz and 40MHz channels. The higher the bar, the better the channel is. If the color of the bar is grey, no observation on that channel has taken place.

You have two PSM options, View and Evaluate.

  • View is enabled on all channels by default. View mode monitors interference, such as rogues, and displays recommendations for channel use. If you see solid green bands on every channel in the charts, either only View is enabled or Evaluate is also enabled and there are no rogues on any channels.
  • Evaluate is disabled on all channels by default. If you enable Evaluate mode on the channels, then PSM will manage the use of those channels by moving devices away from channels with a specified amount of rogue activity. To enable Evaluate:
  1. Click Monitor > Spectrum Manager > PSM.
  2. Click Evaluate at the top of the screen.

Optionally, select one of the options from the Evaluate drop-down list:

View turns on rogue detection, does an immediate scan, turns off rogue detection, and then displays the results.

One Time Adapt turns on rogue detection, does a scan, turns off rogue detection, and then moves stations to recommended channels immediately.

Periodic Adapt repeats at the interval you set in the minutes value. Every x minutes, it turns on rogue detection, does a scan, turns off rogue detection, and then moves stations to recommended channels immediately.

  1. Optionally change the Evaluation Time from 120 seconds to a value of 5 – 300 seconds. Evaluation affects rogue scanning (turns it on for Evaluation Time seconds) and optionally changes channels.
  2. Optionally change the Threshold from 25 to a value of 1 – 100 rogues. Threshold indicates a delta in goodness value between current and recommended channel that triggers a change of channel. Non-zero threshold applies to periodic adaptation.
  3. Optionally change the Adaption Interval from 30 to a value of either zero or 5 – 10080 seconds. (The values 1-4 seconds are not supported.) The adaptation interval determines how often channels can be automatically changed for this controller.
  4. Click Start Wizard.
  5. Confirm by clicking OK twice.

Click Graph Help to see what the chart colors mean. Click Details on either chart to see numeric values for the green bars in the charts. A summary of rogue scanning parameters is presented at the bottom of the screen. Also, the adaptation period of a periodic adaptation is shown if one is running. The view automatically refreshes every minute.

If rogue detection is not enabled on the network, PSM turns it on when needed for evaluate mode, then turns it back off. For example, if you use the option One Time Adapt, PSM turns on rogue detection, does a scan and then moves stations to recommended channels immediately. This overwrites the running config and reboots the APs (save it to make it permanent).

Blacklisted channels are never recommended. RS4000 and mesh radios are not supported. The more non-Fortinet equipment on a channel, the lower the recommendation will be to use that channel. Do not use this feature with a multichannel configuration.

 

Configure Proactive Dashboard Manager Using the CLI

The CLI command for Proactive Dashboard Manager is proactive-spectrum-manager evaluate. This is an example:

mg-mc2# proactive-spectrum-manager evaluate
** Attention: Stations may be disconnected in this evaluation **
Are you absolutely sure [yes/No]? yes
Evaluation time [120s]? 10
View or Adapt [View/adapt]? adapt
Adaptation period [0] min (5-10080)? 0

FortiWLC – Control Panels

Control Panels

The Control Panels are displayed towards the left of the Dashboard screen.

The following Control Panel tabs are available on the Monitor Console screen:

  • Sensors Filter
  • Advanced Filter
  • Interference
  • Display Settings

Sensors Filter

The Sensors Filter enables you to filter the information displayed on the screen by selecting a sensor under the sensor hierarchy. Perform the following steps to configure the Sensors Filter:

  • Select the Sensors Filter tab. A list of deployed sensors is displayed.
  • Select a sensor in the Sensors Hierarchy and click Filter Selected Group/Sensor. The following changes also occur:
    • The selected sensor is displayed on the Trend Graph, Interferer Type and Affected Channels sections of the Dashboard.
    • The Event Log details are updated with the selected sensor in the Event Log.
  • The Sensors Filter tab displays the following two sections:
    • Sensors Hierarchy
    • Group Information

Sensors Hierarchy

The Sensors Hierarchy section displays the sensors hierarchically belonging to the controller.

Group Information

The Group Information section provides the details of the selected Enterprise, Campus, Building, Floor and AP.

  • The following details for the selected Enterprise, Campus, Building, Floor and AP are displayed:
    • Name – Displays the name of the sensor.
    • Description – Displays the MAC address of the sensor.
    • IP Address – Displays the IP address of the sensor.
    • Status – Displays the connection status of the sensor.
  • Select an Enterprise, Campus, Building, Floor or AP from the above Sensors Hierarchy.
  • Select Filter Selected Group/Sensor.
  • The graph for the selected sensor is displayed on the Trend Graph, Interferer Type and Affected Channels sections of the Dashboard.

The Sensors Filter tab is enabled only in the below mentioned tabs:

  • Dashboard
  • Event Log

Time Filter

The Time Filter enables you to configure the screen to display information over a period of time.

This can be performed by configuring the Start Time and Stop Time parameters on the page.

Perform the below actions to configure the Time Filter:

  • Select the Time Filter tab.
  • The Time Filter tab displays the following two sections:
    • Start Time
    • Stop Time

Start Time

  • Select the option Earliest Time Possible. The system fetches the data available for the earliest possible time.
  • Uncheck the Earliest Time Possible option to select the Start Time.
  • From the Time option, select the time from the drop-down list. The format followed is hh:mm:ss.
  • From the Date option, select the calendar icon to select the Month, Date and Year. The format followed is mm/dd/yyyy.

Stop Time

  • Select the option Use Current Time. The system applies the current time.
  • Uncheck the Use Current Time option to select the Stop Time.
  • From the Time option, select the time from the drop-down list. The format followed is hh:mm:ss.
  • From the Date option, select the calendar icon to select the Month, Date and Year. The format followed is mm/dd/yyyy.
  • Select Apply Time Filter.
  • The Time Filter is applied to the Trend Graph, Interferer Type and Affected Channels sections of the Dashboard.

The Time Filter tab is applied and enabled to the below mentioned tabs:

  • Dashboard
  • Event Log

Advanced Filter

The Advanced Filter option enables you to configure the information displayed on the screen by choosing from the following available filters:

  • Channel Filter
    • This filter enables you to filter the information based on the available channels.
    • Select the desired channel from the Channel Filter.
    • Select Apply Filter. The Channel Filter is applied to the Dashboard screen and the Event Log.
  • RSSI Filter
    • This filter depicts the signal strength of the Interferer device.
    • Select the desired RSSI value from the RSSI Filter. The values displayed are in dBm.
    • Select Apply Filter. The RSSI Filter is applied to the Dashboard screen and the Event Log.
  • Interferer Type
    • This filter depicts the Interferer Type.
    • A list of Interferer Type options is available for selection.
    • Select the desired Interferer Type.
    • Select Apply Filter. The Interferer Type filter is applied to the Dashboard.
  • Event Log Type
    • This filter depicts the Event Log Type (Alert Event or Interferer Log Event).
    • A list of Interferer Log Events and Alert Event options is available for selection in the Event Log.
    • Select the desired Event Log Type and select the desired Event Subtype.
    • Select Apply Filter. The Event Log Type/Subtype filter is applied to the Event Log.

Interference

The Interference section displays the following:

  • Start Time: This is the Start Time of the interference and interference type.
  • Add Note: The Add Note icon enables you to add a note.

The Notes section is enabled only on the completion of manual recording. The Notes section displays the following:

Delete Note – The Delete Note icon enables you to delete a note.

Timestamps – The Timestamp is used to adjust the Current Recording playback time to the timestamp of the note.

The Interference and Notes option is displayed on the following tabs:

  • Channel Availability
  • Channel Utilization
  • Spectrogram
  • Equalizer
  • Persistence

Display Settings

The Display Settings option enables you to configure the information displayed on the following screens:

  • Event Log
  • Channel Availability
  • Channel Utilization
  • Spectrogram
  • Equalizer
  • Persistence

Event Log – Display Settings

Perform the following actions to select the columns to be displayed on the Event Log screen:

  • Select the Event Log tab. The Event Log screen is displayed.
  • Select the Display Settings tab.
  • Select the desired columns to be displayed.
  • The selected columns are displayed on the Event Log screen.

Channel Availability – Display Settings

Perform the following actions to modify the graphical display of the Channel Availability screen:

  • Select the Channel Availability tab. The Channel Availability screen is displayed.
  • Select the Display Settings tab. (Figure 27 illustrates the Channel Availability screen of the Display Settings.)
  • The Chart Settings option is displayed.

Figure 27: Display Settings – Channel Availability

  • Select the Frequencies from the drop-down list to view the Channel Quality and Channel Utilization on the respective channels. The Display Frequency can be set to scan the 2.4 GHz frequency band, the 5 GHz frequency band or both.
  • Select the Combine Utilization option. This enables the Channel Utilization graph (which is in channel quality) to combine the Non-Wireless LAN Interference and Wireless LAN Interference.

Channel Utilization – Display Settings

Perform the following actions to modify the graphical display of the Channel Availability screen:

  • Select the Channel Utilization tab. The Channel Utilization screen is displayed.
  • Select the Display Settings tab.
  • The following sections are displayed (Figure 28 illustrates the Channel Utilization screen of the Display Settings):
    • Timescale settings
    • Channel selection settings

Timescale settings

  • Select the Time Span. The valid range is between 2 min – 120 min.
  • Select the Time Units. The Time Units allows you to select the Elapsed Time or Actual Time.

Channel selection settings

Select the Frequency Band from the drop-down list.

The Select All option enables you to display all the WLAN Channel Utilization.

Figure 28: Display Settings – Channel Utilization

Spectrogram – Display Settings

The Spectrogram – Display Settings provides the following options:

  1. Data
    • Select the Data option. The Data option allows you to select the Instantaneous data or Peak data.
  2. Time Span
    • Select the Time Span. The Time Span ranges between Long – Short.
  3. Axis
    • Select the Axis option. The Axis is configured based on Frequency and Wi-Fi Channels.
    • Frequency: This option displays the graph based on the frequency.
    • Wi-Fi Channels: This option displays the graph based on the Wi-Fi Channels. When you select the Wi-Fi Channels option, the following parameters are displayed:
    • Highlight Channel: Check the Highlight Channel option to highlight a channel when the mouse is over that channel on the x-axis.
    • Wi-Fi Channel Width: Select the Wi-Fi Channel Width from the drop-down list. This sets the channel width for the spectrogram to display. The options are 20 MHz, 20 MHz + Upper 20 MHz and 20 MHz + Lower 20 MHz.
  4. Band
    • Select one option from the Band drop-down list.
    • The Spectrogram for the respective bands can be set by selecting one of the options from the drop-down list.
    • The options are 2.4GHz, 5GHz (Lower) and 5GHz (Upper).
  5. Overlay Interference – This option highlights the spectrum activity for a particular interferer.

For Example: In the scenario where more interference events are noticed and if the particular interferer is to be viewed, then the overlay for that interferer device can be checked.

(Figure 29 illustrates the Spectrogram screen of the Display Settings.)

Figure 29: Display Settings – Spectrogram

Markers

  1. Select the Spectrogram tab. The Spectrogram screen is displayed.
  2. Select the Display Settings tab.
  3. Select the Markers section.
  4. The markers can be used to visually mark a Frequency on the Spectrogram.
  5. Check a marker in the Markers section; the marker appears on the Spectrogram.
  6. Select the marker on the display to move it to the desired frequency to visually mark off.

Equalizer – Display Settings

The Equalizer – Display Settings provides the following options:

  1. Persistence
    • Select the Persistence range.
    • Setting Persistence allows us to study the timed trends in the graph. Increasing the persistence of the display increases the amount of time that samples are retained and displayed, allowing us to study variations over time. This can be set in the bar on the display settings from Zero to

Figure 30 illustrates the Equalizer screen of the Display Settings.

  2. Axis
    • Select the Axis option. The Axis is configured based on Frequency and Wi-Fi Channels.
    • Frequency: This option displays the graph based on the frequency.
    • Wi-Fi Channels: This option displays the graph based on the Wi-Fi Channels. When you select the Wi-Fi Channels option, the following parameters are displayed:
    • Highlight Channel: Check the Highlight Channel option to highlight a channel when the mouse is over that channel on the x-axis.
    • Wi-Fi Channel Width: Select the Wi-Fi Channel Width from the drop-down list. This sets the channel width for the spectrogram to display. The options are 20 MHz, 20 MHz + Upper 20 MHz and 20 MHz + Lower 20 MHz.
  3. Band
    • Select one option from the Band drop-down list.
    • The Equalizer for the respective bands can be set by selecting one of the options from the drop-down list.
    • The options are 2.4GHz, 5GHz (Lower) and 5GHz (Upper).

Figure 30: Display Settings – Equalizer

Markers

  1. Select the Equalizer tab. The Equalizer screen is displayed.
  2. Select the Display Settings tab.
  3. Select the Markers section.
  4. The markers can be used to visually mark a Frequency on the Equalizer.
  5. Check a marker in the Markers section; the marker appears on the Equalizer.
  6. Select the marker on the display to move it to the desired frequency to visually mark off.

Persistence – Display Settings

The Persistence Settings provides the following options:

  1. Persistence
    • Select the Persistence range.
    • Setting Persistence allows us to study the timed trends in the graph. Increasing the Persistence of the display increases the amount of time that samples are retained and displayed, allowing us to study variations over time. This can be set in the bar on the display settings from Zero to

Figure 31 illustrates the Persistence screen of the Display Settings.

  2. Axis
    • Select the Axis option.
    • The Axis is configured based on Frequency and Wi-Fi Channels.
    • Frequency: This option displays the graph based on the frequency.
    • Wi-Fi Channels: This option displays the graph based on the Wi-Fi Channels. When you select the Wi-Fi Channels option, the following parameters are displayed:
    • Highlight Channel: Check the Highlight Channel option to highlight a channel when the mouse is over that channel on the x-axis.
    • Wi-Fi Channel Width: Select the Wi-Fi Channel Width from the drop-down list. This sets the channel width for the spectrogram to display. The options are 20 MHz, 20 MHz + Upper 20 MHz and 20 MHz + Lower 20 MHz.
  3. Band
    • Select one option from the Band drop-down list.
    • The Equalizer for the respective bands can be set by selecting one of the options from the drop-down list.
    • The options are 2.4GHz, 5GHz (Lower) and 5GHz (Upper).

Figure 31: Display Settings – Persistence

Markers

  1. Select the Persistence The Persistence screen is displayed.

Figure 31 on page 122 illustrates the Persistence screen of the Display Settings.

  1. Select the Display Settings
  2. Select the Markers. The markers can be used to visually mark a Frequency on the Persistence plot.
  3. Check a marker in the Markers section; the marker appears on the Persistence plot.
  4. Select the marker on the display to move it to the desired frequency to visually mark off.

Sensors

The Sensors are classified as follows:

Software Sensors

The software-based sensor is a normal AP with one Radio in ScanSpectrum Mode. Here, the AP mode can be modified from Service/Normal Mode to ScanSpectrum Mode.

Note:

  • The modification of AP mode from Service/Normal Mode to ScanSpectrum Mode can be performed only via the FortiWLC GUI or by pushing the AP template with Radio profile configured with the ScanSpectrum Mode from FortiWLM.
  • You can configure both radios of FAP-U421EV, FAP-U423EV, FAP-U321EV, FAP-U323EV sensors in ScanSpectrum Mode, so that both radios scan the radio spectrum for interference. For all the other Sensors, only a single radio can be configured in ScanSpectrum Mode at a time.
  • No client service will be provided once Radios are configured in the ScanSpectrum

The Software Sensors include the following Access Points:

  • AP1014i
  • AP1010i
  • AP1010e
  • AP1020i
  • AP1020e
  • AP332i
  • AP332e
  • AP832i
  • AP832e
  • FAP-U421EV
  • FAP-U423EV
  • FAP-U321EV
  • FAP-U323EV
Hardware Sensors

The Hardware-based sensors are completely dedicated to monitor the airwaves of the time. By having a dedicated subsystem, the sensor can classify and report on the type and source of interference almost instantly and without taking CPU resources away from the wireless radio. The Hardware Sensors include the following Access Points:

 

  • PSM3x
  • AP433is

FortiWLC – Spectrum Manager Dashboard

Spectrum Manager Dashboard

The Spectrum Manager Dashboard screen presents the interference information gathered from various “Sensors” on page 123 (“Software Sensors” on page 123 and “Hardware Sensors” on page 123). It provides a graphical representation of the activity of interfering devices in the 2.4 GHz and 5 GHz spectrum.

Figure 19 on page 102 illustrates the Spectrum Manager Dashboard screen.

Figure 19: Spectrum Manager Dashboard

The following table depicts the various sections displayed on the Dashboard screen.

Trend Graph – The Trend Graph plots the number of interference events observed over a period of time.

Interferer Type – The Interferer Type Graph is a pie chart divided by the different types of interferer observed in the set duration. The area of each sector is proportional to the percentage of the number of individual interference events from a particular type of interferer against the total number of interference events in the set duration.

Affected Channels – The Affected Channels Graph is a pie chart that plots the number of times a particular channel was impacted by an interference event. The area of each sector is proportional to the percentage of the number of events that impacted a particular channel against the total number of events.

Note: An interference event impacts multiple channels simultaneously.

The Dashboard screen provides various expandable control panels to filter database and modify display settings. For further information, refer to “Control Panels” on page 112 topic.

The Dashboard screen allows you to connect to the following other tabs:

  1. “Event Log” on page 103
  2. “Spectrum Manager – Channel Availability” on page 106
  3. “Spectrum Manager – Channel Utilization” on page 107
  4. “Spectrum Manager – Spectrogram” on page 108
  5. “Spectrum Manager – Equalizer” on page 109
  6. “Spectrum Manager – Persistence” on page 110

The above-mentioned tabs from 3 to 7 are enabled only by selecting the View live data from sensor option on the Event Log screen, or they can be viewed through Show Spectrum Display of the selected sensor displayed on the Sensor’s page. For further information, refer to Spectrum Manager – Event Log screen.

Event Log

Spectrum Manager > Monitor > Dashboard > Event Log

The Spectrum Manager Event Log screen provides the detailed log information of the sensors.

Figure 20 on page 104 illustrates the Spectrum Manager Event Log screen.

Figure 20: Spectrum Manager – Event Log

The following table depicts the Event Information displayed on the Event Log screen:

Field – Description

Event ID – Displays the Event ID.

Event Type – Displays the type of Event.

Event Subtype – Displays the interference source name.

Sensor – Displays the name of the selected Sensor. The following options are available for selection:

•  View live data from sensor: This option allows you to read the live data from the Sensor.

The below mentioned tabs are enabled by the selection of the View live data from sensor option.

•  Channel Availability

•  Channel Utilization

•  Spectrogram

•  Equalizer

•  Persistence

The above mentioned tabs reveal data of the selected Sensor in their respective tabs.

•  Show interferer on map:  Select the icon

The E(z)RF Map Management screen is displayed, depicting the location of the interfering device on the Floor.

 
Group – Displays the sensor’s group.

Signal Strength – Displays the Signal Strength of Interference with Min, Max, and Avg values in dBm.

Channel Utilization – Displays the percentage of channel utilized by the interferer.

Start Time – Displays the Start Time of the interference detected by the sensor.

Stop Time – Displays the Stop Time of the interference detected by the sensor.

Duration – Displays the Duration of the interference detected by the sensor.

Center Frequency – Displays the Center Frequency of the interference.

Affected Channel(s) – Displays the number of channels affected by the interference.

Recording Id – Displays the recording event Id.

Additional Information – Displays the interferer type for an alert-triggered event.

Active – Displays the number of active events, highlighted with a bold red dot.

Interference Event Clustering

The Spectrum Manager Event Log screen displays the cluster of events. Multiple interference reports that are correlated to the same interferer and interference event are assigned to the same cluster ID. When multiple sensors report the same interference event, it is reported as a single event.

Figure 21 on page 106 illustrates the Interference Event Clustering screen.

Figure 21: Interference Event Clustering

The Spectrum Manager Event Log screen provides various Control Panel tabs. For further information, refer to “Control Panels” on page 112.

Spectrum Manager – Channel Availability

Navigation: Spectrum Manager > Monitor > Dashboard > Channel Availability

  1. Select the Channel Availability

The Channel Availability screen displays the Channel Quality and Channel Utilization graphs.

Figure 22 on page 107 illustrates the Spectrum Manager Channel Availability screen.

Figure 22: Spectrum Manager – Channel Availability

  1. The Channel Quality and Channel Utilization graph, rendered in a Flash application, displays a real-time calculated channel quality for each of the Wi-Fi channels as well as the level of interference detected on each channel. The interference is differentiated between 802.11 interference and Non-802.11. The Channel Utilization graph also displays the Channel Utilization per Interference.
  2. Each interference is displayed as the percentage of the channel that it utilizes.

The Channel Utilization per Interference type is displayed on the Channel Utilization graph, only if the Show Non-Wifi Interference Type option is checked in the Display Settings. This option is displayed only for the Hardware Sensors (See “Hardware Sensors” on page 123.)

  1. The Channel Availability screen provides various Control Panel tabs. For further information, refer to “Control Panels” on page 112.
Spectrum Manager – Channel Utilization

Spectrum Manager > Monitor > Dashboard > Channel Utilization

  1. Select the Channel Utilization

Figure 23 on page 108 illustrates the Spectrum Manager Channel Utilization screen.

The Channel Utilization screen displays the WLAN Channel Utilization and Non-WLAN Channel Utilization graphs. This option is displayed only for the Hardware Sensors (See “Hardware Sensors” on page 123.)

Figure 23: Spectrum Manager – Channel Utilization

  1. The WLAN Channel Utilization and Non-WLAN Channel Utilization graphs, rendered in a Flash application, display a real-time calculated channel utilization for each of the WLAN and Non-WLAN Channels.
  2. The Channel Utilization screen provides various Control Panel tabs. For further information, refer to “Control Panels” on page 112.
Spectrum Manager – Spectrogram

Navigation: Spectrum > Monitor > Dashboard > Spectrogram

  1. Select the Spectrogram

Figure 24 on page 109 illustrates the Spectrum Manager Spectrogram screen.

The Spectrogram screen provides the spectrum activity for the Interferer devices.

Figure 24: Spectrum Manager – Spectrogram

  1. The scrolling Spectrogram displays the following details:
    • The frequency and amplitude of RF energy over time is displayed.
    • The x-axis displays the Frequency (MHz) or Wi-Fi channel number. The amplitude of the energy is plotted as Instantaneous data or the maximum peak hold amplitude. The amplitude is represented by color, with blue representing the weakest signal and red representing the strongest signal.
    • The y-axis displays the Time, with the most recent data at the bottom of the display and the plotted data scrolling upward.
  2. The Spectrogram screen provides various Control Panel tabs. For further information, refer to “Control Panels” on page 112.
Spectrum Manager – Equalizer

Spectrum > Monitor > Dashboard > Equalizer

  1. Select the Equalizer

Figure 25 on page 110 illustrates the Spectrum Manager Equalizer screen.

Figure 25: Spectrum Manager – Equalizer

  1. The Equalizer screen provides a flash application that starts Sensor to the browser. The Equalizer is a plot of the amplitude versus the frequency of RF (RF Energy or Signal) scanned by the “Sensors” on page 123.
  2. The Spectrum Equalizer plots the amplitude frequency for the detected RF energy. The frequency along the x-axis can be displayed as either frequency (MHz) or Wi-Fi channels. Both the instantaneous amplitude (the last data point collected over the scan period) and the maximum peak hold amplitude (the highest data point collected over the scan period) are dynamically plotted. The instantaneous data is plotted in yellow, while the peak hold data is plotted in blue. The colors are user configurable.
  3. The Equalizer screen provides various Control Panel tabs. For further information, refer to “Control Panels” on page 112.
Spectrum Manager – Persistence

Spectrum > Monitor > Dashboard > Persistence

  1. Select the Persistence

Figure 26 on page 111 illustrates the Spectrum Manager Persistence screen.

Figure 26: Spectrum Manager – Persistence

  1. The Persistence screen provides a flash application. The Persistence provides the spectrum activity for the Interferer devices to view the channel Persistence link to display the interference events.
  2. The Persistence display plots the amplitude frequency for the detected RF energy. Both the instantaneous amplitude (the last data point collected over the scan period) and the maximum peak hold amplitude (the highest data point collected over the scan period) are dynamically plotted. The color of a pixel on the display represents the number of times the energy was detected at that specific frequency and amplitude, with blue representing the least frequent and red representing the most frequent.

The Persistence screen provides various Control Panel tabs. For further information, refer to “Control Panels” on page 112.

 

FortiWLC – Accessing Spectrum Manager

Accessing Spectrum Manager

  • FortiWLC (SD) versions 6.0-2-0 and later provide the ability to configure deployed APs in spectrum scanning mode, acting as a software-based spectrum monitoring device. This configuration is performed via the Configuration > Wireless > Radio table. To configure an AP for spectrum scanning mode, click the desired interface from the table and use the AP Mode drop-down to specify ScanSpectrum Mode.

Figure 18: AP Mode Options

Once the desired AP(s) are configured, the user can access the Spectrum Manager console via Monitor > Spectrum Manager > Console.

FortiWLC – IPv6 Client Support

IPv6 Client Support

FortiWLC (SD) supports both bridge and tunnel mode ESS profile for wireless and wired clients connected to Fortinet access points (APs). The IPv6 client support provides the following:

  • “Basic IPv6 Forwarding” on page 98
  • “IPv6 forwarding in dynamic VLAN deployment” on page 99
  • “High Performance IPv6 Forwarding” on page 100
  • “IPv6 Security” on page 100
  • “IPv6 Multicast Optimization” on page 101
  • “IPv6 Prioritization” on page 101
  • “IPv6 Network Management Enhancements” on page 101
Basic IPv6 Forwarding

FortiWLC (SD) acts as an L2 switch for IPv6 clients connected in the tunnel and bridge mode. The IPv6 specification (RFC 2460) defines IPv6 router and IPv6 host subclasses of IPv6 modes. The controllers and the APs act as IPv6 hosts which forward the IPv6 packets at layer 2 and not as IPv6 router. The ESS profile supports IPv4, Dual Stack (IPv4 and IPv6) and IPv6-only clients simultaneously. The following modes of IPv6 address configuration for clients are supported:

  • Stateless Address Auto Configuration (SLAAC)
  • DHCPv6
  • Static IPv6 Configuration (Manual)
  • Link local address

The VLAN profile for wireless clients will use IPv4 address and does not require IPv6. The Allow Multicast Flag option in ESS is used to allow or block multicast traffic in ESS. If this is set to Off, then all IPv6 multicast traffic is blocked except for the Router Advertisements, Router Solicitations, Neighbor Solicitations, Neighbor Discovery Messages and DHCPv6 packets.

You can configure the Bridging, Allow Multicast, and Multi-To-Unicast field in the ESS profile configuration. See the chapter “Configuring an ESS.” for more details.

For the wired networks connected to the AP, configure the Allow Multicast and IPv6 bridging in Port profile, see “Configuring Port Profiles” on page 202 for more details.

The Neighbor Discovery Optimization field of IPv6 parameter can be configured via Configuration > Devices > Controller > IPv6 Parameter.

The IPv6 related CLI commands are as follows:

  • show station – this command displays the IP address type in a new column IP Mode. The valid values for this column are IPv4, IPv6, and IPv4v6.
  • sh station multiple-ip – this command displays one row for each IPv4 address and one row for each IPv6 address of the station. An IPv6 address type column is added, which displays one of the following values if the address is an IPv6 address: Global Unicast, Global Unicast DHCP, Link Local, Temporary.

See the Fortinet Command Reference Guide for more information on the CLI commands.

IPv6 forwarding in dynamic VLAN deployment

In the previous releases of FortiWLC (SD), for dynamic VLAN (multiple VLANs in one ESS) deployment, FortiWLC (SD) forwards multicast packets to all stations irrespective of their assigned VLAN. This was supported for IPv4 in the previous release and in FortiWLC (SD) 6.0-2-0 onwards, IPv6 is supported. Router advertisements are multicast messages that provide the router prefix information used by IPv6 stations to auto-configure their IPv6 address.

The following diagram explains the router advertisement filtering behavior:

Figure 17: Router Advertisement Filtering

Three wireless stations are connected to an ESS profile configured with RADIUS assigned VLANs. Two stations belong to VLAN 200 and one belongs to VLAN 100. Router advertisement by the router in VLAN 100 is not sent to stations assigned to VLAN 200.

When an AP forwards router advertisements on an ESS profile configured for dynamic VLAN, RAs for one VLAN are not sent to stations in other VLANs. They are converted to unicast packets and sent only to wireless stations which are assigned to that particular VLAN. This behavior is supported for all RF virtualization modes and overrides the multicast-unicast conversion settings.

The Multicast-To-Unicast field has to be set to Only Router Advertisement (Perform Conversion only for RAs) in the ESS profile for the conversion to take place. This ensures that the AP performs Multicast-To-Unicast conversion for RA packets and sends them only to those stations which belong to that VLAN ID.

High Performance IPv6 Forwarding

FastPath feature is supported for IPv6 clients in tunnel mode. This feature is used for increasing the throughput of the controller only for UDP and TCP data flow for IPv4 and IPv6. If the FastPath field for the controller is On, then the throughput increases.

IPv6 Security

The IPv6 security is designed to secure IPv6 link operation, and it is applied to both tunnel and bridge modes. The IPv6 security is supported by the following filtering methods:

  • RA Guard – This is supported to block or reject the RA guard messages that arrive at the network device platform.
  • DHCPv6 Guard – This is supported to block DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients.
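
The two filters described above, as an added Python illustration that is not FortiWLC code: it classifies raw IPv6 packets the way an RA Guard and DHCPv6 Guard policy would, dropping Router Advertisements and DHCPv6 Advertise/Reply messages that arrive on a client-facing port. The port_trusted flag, the authorized_servers list and the sample packets are assumptions constructed for the example.

```python
import struct
from ipaddress import IPv6Address

ICMPV6, UDP = 58, 17
EXT_HEADERS = {0, 43, 60}       # hop-by-hop, routing, destination options
ICMPV6_RA = 134                 # Router Advertisement (RFC 4861)
DHCPV6_SERVER_PORT = 547
DHCPV6_SERVER_MSGS = {2: "Advertise", 7: "Reply"}   # RFC 8415 message types


def upper_layer(packet: bytes):
    """Walk the IPv6 header chain and return (protocol, upper-layer bytes).

    Fragmented packets (next header 44) are returned as protocol 44 and
    are not reassembled here.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, offset = packet[6], 40
    while nxt in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nxt, ext_len = packet[offset], packet[offset + 1]
        offset += (ext_len + 1) * 8     # length is in 8-octet units minus one
    return nxt, packet[offset:]


def guard_verdict(packet: bytes, port_trusted: bool, authorized_servers=()):
    """Return ("forward" | "drop", reason) for one packet received on a port.

    port_trusted and authorized_servers are hypothetical policy inputs:
    the uplink toward the legitimate router/DHCPv6 server is trusted,
    client-facing ports are not.
    """
    proto, data = upper_layer(packet)
    src = IPv6Address(packet[8:24])
    if proto == ICMPV6 and data[:1] == bytes([ICMPV6_RA]):
        if port_trusted:
            return "forward", "RA from trusted port"
        return "drop", f"RA guard: router advertisement from {src}"
    if proto == UDP and len(data) >= 9:
        sport = struct.unpack("!H", data[:2])[0]
        name = DHCPV6_SERVER_MSGS.get(data[8])   # first byte after UDP header
        if sport == DHCPV6_SERVER_PORT and name:
            if port_trusted or src in authorized_servers:
                return "forward", f"DHCPv6 {name} from authorized server"
            return "drop", f"DHCPv6 guard: {name} from {src}"
    return "forward", "not a guarded message type"


# --- constructed sample packets (not captured traffic) ---
def ipv6(src, dst, next_header, payload):
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + payload


RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
HOP_BY_HOP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # next=ICMPv6, one PadN option


def dhcpv6(sport, dport, msg_type):
    body = bytes([msg_type, 0xAA, 0xBB, 0xCC])       # type + transaction id
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


SAMPLES = {
    "ra_plain": ipv6("fe80::1", "ff02::1", ICMPV6, RA),
    "ra_after_ext_header": ipv6("fe80::1", "ff02::1", 0, HOP_BY_HOP + RA),
    "dhcpv6_advertise": ipv6("fe80::2", "fe80::c", UDP, dhcpv6(547, 546, 2)),
    "dhcpv6_solicit": ipv6("fe80::c", "ff02::1:2", UDP, dhcpv6(546, 547, 1)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, guard_verdict(pkt, port_trusted=False))
```

Client-originated messages such as the DHCPv6 Solicit pass through; only router and server roles are restricted on untrusted ports.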
IPv6 Multicast Optimization

The IPv6 multicast optimization reduces the multicast traffic generated by neighbor discovery and router advertisements. This support is provided only in the tunnel mode.

IPv6 Prioritization

The IPv6 QoS support is provided by prioritizing IPv6 packets based on the traffic class field in the IPv6 header.

IPv6 Network Management Enhancements

The IPv6 client support feature provides the NMS enhancement to store multiple IPv6 addresses. The controller supports a maximum of 8 addresses per client, which includes:

  • Global unicast addresses (DHCP and Autoconfigured)
  • Link-local address
  • Temporary address

FortiWLC – Using Fortinet Service Control

Using Fortinet Service Control

Fortinet’s Service Control feature is designed to allow clients in the enterprise network to access and communicate with devices that are advertising service via a protocol such as Bonjour. The limitation for Bonjour-enabled devices is that they were largely designed for small-scale use; however, they are growing increasingly prevalent in the enterprise-level environment. The nature of the service makes scaling for larger deployments challenging because the wireless traffic communications for these protocols cannot travel across various subnets; as such, users on VLAN1 will be unable to access a device operating on VLAN2 (for example).

Service Control addresses this problem by providing a framework by which Fortinet will direct traffic from clients on different subnets over to the Bonjour-capable devices (and vice versa), allowing seamless communication between the two. Additionally, users can specify which services should be available to specific users, SSIDs, or VLANs, allowing a fine control to be exercised over the deployment.

To enable Service Control:

  1. Navigate to Configuration > Service Control. By default, you land on the Service Control Dashboard, which currently displays no information (as the service is disabled).
  2. Click the Settings tab to access the Global Settings tab.
  3. Check Enable Service Control. The page will automatically refresh.

Refer to the sections below for configuration instructions.

Modifying Service Control Global Configuration

Once Service Control has been enabled, the Settings tab displays two new tables: Discovery Criteria and Advanced Options. The Discovery Criteria allows the user to specify the types of services that may be discovered. By default, all AirPlay and AirPrint services configured in the system will be set for discovery across all SSIDs and APs and on Controller native VLAN by controller on the wired side. To modify this, click the pencil icon under the Services column to access the Discovery Criteria dialog.

Figure 12: Discovery Criteria

  1. As shown above, the All Services box is checked, ensuring that all configured services will automatically be detected by the system. Uncheck this box and select the desired service(s) if you wish to restrict the types of services provided.
  2. The Select Wireless Network section allows the user to customize which SSIDs/APs can access the services; by default, all of them are permitted. These options control how wireless devices access the services provided.
  3. The Select Wired Network section controls how wired devices access the services; enter the VLAN(s) that should be allowed access. To add wired gateways, click the Add button and specify the desired options from the resulting list of devices.
  4. Click Save to save your changes.
Wired Service Discovery using AP and Controller

Follow these steps for the wired service discovery using AP and Controller:

  1. The APs and Controller wired interface is used for discovering services. Add APs and/or Controller to wired gateway list.
  2. Ensure that the APs or Controller wired interface is tagged with the VLAN on which services need to be discovered, and that the VLAN is also added to the VLAN list.
Adding or Removing Services

The Services tab allows the user to modify the services that may be detected via Service Control; by default, several services are pre-configured in the system. However, users can expand this list by clicking the Add button to create a new service.

Figure 13: Adding a New Service

Fill in the required fields as described below:

  • Name—Enter a name for the service
  • Description—Enter a brief description
  • Service Type—Enter the service type string(s). If multiple entries are needed, enter them one at a time, clicking Add after each one. They will display in the Added Service Types table.

Note: To remove an added service, check the box alongside it and click Delete.

Click Save to save the new service.

Configuring Locations

The Locations tab allows you to specify locations where services should be discovered and advertised; by default, no locations are configured, so click Add to create one.

Figure 14: Adding a Location

A Location consists of three main components: the location’s name, description, and member APs. Enter the Name and Description in the fields provided, then select the AP(s) that belong to the desired location from the list. Click the button pointing to the right to add the selected AP(s) to the new location.

After clicking Save, the new location will appear in the Location Table. The AP(s) specified in the Location definition will now provide access to the service.

Creating User Groups

User Groups segregate Subscribers and Advertisers under a group. User Groups define which users/Advertisers (grouped by either VLAN for wired clients or SSID and Location for wireless) can access the advertised service or advertise the services. As no groups are present by default, click Add to create one.

Figure 15: Creating a User Group

A User Group consists of four main components: the group’s name, description, Role, and wireless/wired users with wired gateway list. These fields will allow you to customize which users can access the defined services.

  1. Enter the Name and Description in the fields provided.
  2. Select a Role for the user group. The options are Advertiser, Subscriber, or Both.
  3. Select the User Group Type. The options are Wireless or Wired.
  4. If you have selected Wireless user group type, then the Select Wireless Users section is displayed. From the Select Wireless Users section, select the SSIDs that should be allowed access. To select multiple options, click and drag across them. Ctrl+click to select or de-select items individually.
  5. If you have selected Wired user group type, then the Select Wired Users section is displayed. Enter the VLAN(s) that should be allowed to access advertised services.
  6. Click Save to create the group. The devices contained within the group’s parameters will now be able to access the advertised services.
Defining Service Control Policies

Service Control policies determine which user groups can access specific advertised services. Thus, the policies table allows you to define routes between the subscriber (i.e., the device that seeks the service) and the advertiser (i.e., the device that provides access to the service).

 

  1. From the Policies tab, click Add to access the Create Service Control Policy window.

Figure 16: Creating a Policy

  2. Enter a name for the policy to be created in the Policy Name field.
  3. Enter the description of the policy.
  4. Use the Select Subscriber drop-down to specify the group that should be granted access.
  5. Select the desired services from the list supplied in the Choose Services section. Note that if all services should be included, simply check the All services box.
  6. Finally, use the Select Advertiser drop-down to select the group that supplies access to the services.
  7. Click Save to save the new policy.