Category Archives: FortiOS

Combining WiFi and wired networks with a software switch

Leave a reply

Combining WiFi and wired networks with a software switch

Combining WiFi and wired networks with a software switch

FortiAP local bridging (Private Cloud-Managed AP) Using bridged FortiAPs to increase scalability

 

Combining WiFi and wired networks with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users. Note that software switches are only available if your FortiGate is in Interface mode.

Wireless Mesh features cannot be used in conjunction with this configuration because they enable the FortiAP Local Bridge option.

To create the WiFi and wired LAN configuration, you need to:

  • Configure the SSID so that traffic is tunneled to the WiFi controller.
  • Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members.
  • Configure Captive Portal security for the software switch interface.

 

To configure the SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New.

2. Enter:

Interface name                           A name for the new WiFi interface, homenet_if for example.

Traffic Mode                              Tunnel to Wireless Controller

SSID                                            The SSID visible to users, homenet for example.

Security Mode Data Encryption Preshared Key

Configure security as you would for a regular WiFi network.

3. Select OK.

4. Go to WiFi & Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.

5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

 

To configure the SSID – CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap

edit “homenet_if” set vdom “root”

set ssid “homenet”

set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354

set admin enable

set vaps “homenet_if” end

 

To configure the FortiGate software switch – web-based manager

1. Go to Network > Interfaces and select Create New > Interface.

2. Enter:

 

  Interface Name A name for the new interface, homenet_nw for example.
Type Software Switch
Physical Interface Members Add homenet_if and the internal network interface.
Addressing mode Select Manual and enter an address, for example

172.16.96.32/255.255.255.0
DHCP Server Enable and configure an address range for clients.
Security Mode Select Captive Portal. Add the permitted User Groups.
 

3.

  

Select OK.

  

 

To configure the FortiGate unit – CLI

config system interface edit homenet_nw

set ip 172.16.96.32 255.255.255.0 set type switch

set security-mode captive-portal set security-groups “Guest-group”

end

config system interface edit homenet_nw

set member “homenet_if” “internal” end

 

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. For example, to assign the homenet_if interface to VLAN 100, enter:

config wireless-controller vap edit “homenet_if”

set vlanid 100 end

 

Additional configuration

The configuration described above provides communication between WiFi and wired LAN users only. To provide access to other networks, create appropriate firewall policies between the software switch and other interfaces.

 

FortiAP local bridging (Private Cloud-Managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

  • Installations where the WiFI controller is remote and most of the traffic is local or uses the local Internet gateway
  • Wireless-PCI compliance with remote WiFi controller
  • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.

 

Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The FortiAP unit’s WiFi and Ethernet interfaces behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

The Local Bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is not available in Bridge mode.

To configure a FortiAP local bridge – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter:

Interface name                           A name for the new WiFi interface.

Traffic Mode                              Local bridge with FortiAP’s Interface

SSID                                            The SSID visible to users.

Security Mode Data Encryption Preshared Key

Configure security as you would for a regular WiFi network.

3. Select OK.

4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.

5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

 

 

SSID configured for Local Bridge operation

 

To configure a FortiAP local bridge – CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap edit “branchbridge”

set vdom “root”

set ssid “LANbridge”

set local-bridging enable set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354

set admin enable

set vaps “branchbridge” end

 

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

  • Traffic Mode is Local bridge with FortiAP’s Interface.

In this mode, the FortiAP unit does not send traffic back to the wireless controller.

  • Security Mode is WPA2 Personal.

These modes do not require the user database. In WPA2 Personal authentication, all clients use the same pre- shared key which is known to the FortiAP unit.

  • Allow New WiFi Client Connections When Controller is down is enabled.

This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap edit “branchbridge”

set vdom “root”

set ssid “LANbridge”

set local-bridging enable set security wpa-personal set passphrase “Fortinet1”

set local-authentication enable end

 

 

Using bridged FortiAPs to increase scalability

The FortiGate wireless controller can support more FortiAP units in local bridge mode than in the normal mode. But this is only true if you configure some of your FortiAP units to operate in remote mode, which supports only local bridge mode SSIDs.

The Managed FortAP page (WiFi & Switch Controller > Managed FortiAPs) shows at the top right the current number of Managed FortiAPs and the maximum number that can be managed, “5/64” for example. The maximum number, however, is true only if all FortiAP units operate in remote mode. For more detailed information, consult the Maximum Values Table. For each FortiGate model, there are two maximum values for managed FortiAP units: the total number of FortiAPs and the number of FortiAPs that can operate in normal mode.

 

To configure FortiAP units for remote mode operation

1. Create at least one SSID with Traffic Mode set to Local bridge with FortiAP’s Interface.

2. Create a custom AP profile that includes only local bridge SSIDs.

3. Configure each managed FortiAP unit to use the custom AP profile. You also need to set the FortiAP unit’s wtp- mode to remote, which is possible only in the CLI. The following example uses the CLI both to set wtp-mode and select the custom AP profile:

config wireless-controller wtp

edit FAP22B3U11005354 set wtp-mode remote

set wtp-profile 220B_bridge end

 

Wireless Mesh

2 Replies

Wireless Mesh

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

Overview of Wireless Mesh Configuring a meshed WiFi network Configuring a point-to-point bridge

 

Overview of Wireless Mesh

The figure below shows a wireless mesh topology.

A wireless mesh is a multiple AP network in which only one FortiAP unit is connected to the wired network. The other FortiAPs communicate with the controller over a separate backhaul SSID that is not available to regular WiFi clients. The AP that is connected to the network by Ethernet is called the Mesh Root node. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection.

The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve regular WiFi clients are called Leaf nodes. Leaf APs also carry the mesh SSID for more distant leaf nodes. A leaf node can connect to the mesh SSID directly from the root node or from any of the other leaf nodes. This provides redundancy in case of an AP failure.

All access points in a wireless mesh configuration must have at least one of their radios configured to provide mesh backhaul communication. As with wired APs, when mesh APs start up they can be discovered by a FortiGate or FortiWiFi unit WiFi controller and authorized to join the network.

The backhaul SSID delivers the best performance when it is carried on a dedicated radio. On a two-radio FortiAP unit, for example, the 5GHz radio could carry only the backhaul SSID while the 2.4GHz radio carries one or more SSIDs that serve users. Background WiFi scanning is possible in this mode.

The backhaul SSID can also share the same radio with SSIDs that serve users. Performance is reduced because the backhaul and user traffic compete for the available bandwidth. Background WiFi scanning is not available in this mode. One advantage of this mode is that a two-radio AP can offer WiFi coverage on both bands.

 

Wireless mesh deployment modes

There are two common wireless mesh deployment modes:

 

Wireless Mesh         Access points are wirelessly connected to a FortiGate or FortiWiFi unit WiFi controller.

WiFi users connect to wireless SSIDs in the same way as on non-mesh WiFi networks.

Wireless bridging

Two LAN segments are connected together over a wireless link (the backhaul SSID). On the leaf AP, the Ethernet connection can be used to provide a wired network. Both WiFi and wired users on the leaf AP are connected to the LAN segment to which the root AP is connected.

 

Firmware requirements

All FortiAP units that will be part of the wireless mesh network must be upgraded to FAP firmware version 5.0 build 003. FortiAP-222B units must have their BIOS upgraded to version 400012. The FortiWiFi or FortiGate unit used as the WiFi controller must be running FortiOS 5.0.

 

Types of wireless mesh

A WiFi mesh can provide access to widely-distributed clients. The root mesh AP which is directly connected to then WiFi controller can be either a FortiAP unit or the built-in AP of a FortiWiFi unit that is also the WiFi controller.

 

FortiAP units used as both mesh root AP and leaf AP

 

FortiWiFi unit as root mesh AP with FortiAP units as leaf APs

An alternate use of the wireless mesh functionality is as a point-to-point relay. Both wired and WiFi users on the leaf AP side are connected to the LAN segment on the root mesh side.

 

Pointtopoint wireless mesh

2.4GHz

FortiGate Unit

�,MeshSSID

,,, SGHz

Wired clients

Configuring a meshed WiFi network

You need to:

  • Create the mesh root SSID.
  • Create the FortiAP profile.
  • Configure mesh leaf AP units.
  • Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit.
  • Authorize the mesh branch/leaf units when they connect to the WiFi Controller.
  • Create security policies.

This section assumes that the end-user SSIDs already exist.

 

Creating the mesh root SSID

The mesh route SSID is the radio backhaul that conveys the user SSID traffic to the leaf FortiAPs.

 

To configure the mesh root SSID

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter a Name for the WiFi interface.

3. In Traffic Mode, select Mesh Downlink.

4. Enter the SSID.

5. Set Security Mode to WPA2 Personal and enter the Preshared key.

Remember the key, you need to enter it into the configurations of the leaf FortiAPs.

6. Select OK.

 

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

The radio that carries the backhaul traffic must not carry other SSIDs. Use the Select SSIDs option and choose only the backhaul SSID. Similarly, the radio that carries user SSIDs, should not carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Configuring a WiFi LAN on page 828.

 

Configuring the mesh root FortiAP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.

 

To enable a FortiWiFi unit’s Local Radio as mesh root – web-based manager

1. Go to WiFi Controller > Local WiFi Radio.

2. Select Enable WiFi Radio.

3. In SSID, select Select SSIDs, then select the mesh root SSID.

4. Optionally, adjust TX Power or select Auto Tx Power Control.

5. Select Apply.

 

In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID.

 

To configure a network interface for the mesh root FortiAP unit

1. On the FortiGate unit, go to Network > Interfaces.

2. Select the interface where you will connect the FortiAP unit, and edit it.

3. Make sure that Role is LAN.

4. In Addressing mode, select Dedicated to Extension Device.

5. In IP/Network Mask, enter an IP address and netmask for the interface.

DHCP will provide addresses to connected devices. To maximize the number of available addresses, the interface address should end with 1, for example 192.168.10.1.

6. Select OK.

At this point you can connect the mesh root FortiAP, as described next. If you are going to configure leaf FortiAPs through the wireless controller (see “Configuring a meshed WiFi network” on page 873), it would be convenient to leave connecting the root unit for later.

 

To enable the root FortiAP unit

1. Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it.

2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.

3. Right-click the FortiAP entry and choose your profile from the Assign Profile submenu.

4. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

5. Select OK.

You might need to select Refresh a few times before the FortiAP shows as Online.

 

Configuring the leaf mesh FortiAPs

The FortiAP units that will serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit internal configuration.You can do this by direct connection or through the FortiGate wireless controller.

 

Method 1: Direct connection to the FortiAP

1. Connect a computer to the FortiAP unit’s Ethernet port. Configure the computer’s IP as 192.168.1.3.

2. Telnet to 192.168.1.2. Login as admin. By default, no password is set.

3. Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1
cfg -a MESH_AP_SSID=fortinet.mesh.root
cfg -a MESH_AP_PASSWD=hardtoguess
cfg -c  

exit

4. Disconnect the computer.

5. Power down the FortiAP.

6. Repeat the preceding steps for each branch FortiAP.

Pages: 1 2

Access point deployment

Leave a reply

Access point deployment

This chapter describes how to configure access points for your wireless network. Overview

Network topology for managed APs Discovering and authorizing APs Advanced WiFi controller discovery

Wireless client load balancing for high-density deployments

FortiAP Groups

LAN port options

Preventing IP fragmentation of packets in CAPWAP tunnels

LED options

 

Overview

FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Access point deployment on page 850, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Access point deployment on page 850.

If your FortiAP units are unable to find the WiFi controller, refer to Access point deployment on page 850 for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.

 

Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:

 

Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them. This configuration is common for locations where the number of FortiAP’s matches up with the number of ‘internal’ ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.

 

Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Gateway Deployment

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity its best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.

 

Remote deployment

Discovering and authorizing APs

After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to

  • Configure the network interface to which the AP will connect.
  • Configure DHCP service on the interface to which the AP will connect.
  • Optionally, preauthorize FortiAP units. They will begin to function when connected.
  • Connect the AP units and let the FortiGate unit discover them.
  • Enable each discovered AP and configure it or assign it to an AP profile.

 

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the interface to which the AP unit connects.

2. Set Addressing Mode to Dedicate to Extension Device.

3. Enter the IP address and netmask to use.

This FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is 10.10.1.100, the FortiAP units will be assigned 10.10.1.101 to 10.10.1.254. To maximize the available addresses, use the .1 address for the interface:

10.10.1.1, for example.

4. Select OK.

 

To configure the interface for the AP unit – CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

config system interface edit port3

set mode static

set ip 10.10.70.1 255.255.255.0 end

config system dhcp server edit 0

set interface “dmz” config ip-range

edit 1

set end-ip 10.10.70.254 set start-ip 10.10.70.2

end

set netmask 255.255.255.0 set vci-match enable

set vci-string “FortiAP” end

The optional vci-match and  vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.

 

Preauthorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.

 

To pre-authorize a FortiAP unit

1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.

On some models the WiFi Controller menu is called WiFi & Switch Controller.

2. Enter the Serial Number of the FortiAP unit.

3. Configure the Wireless Settings as required.

4. Select OK.

 

Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on WiFi Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.

Pages: 1 2 3

Configuring a WiFi LAN

1 Reply

Configuring a WiFi LAN

When working with a FortiGate WiFi controller, you can configure your wireless network before you install any access points. If you are working with a standalone FortiWiFi unit, the access point hardware is already present but the configuration is quite similar. Both are covered in this section.

  • Overview of WiFi controller configuration
  • Setting your geographic location
  • Creating a FortiAP Profile
  • Defining a wireless network interface (SSID) Defining SSID Groups
  • Dynamic user VLAN assignment Configuring user authentication Configuring firewall policies for the SSID
  • Configuring the built-in access point on a FortiWiFi unit

 

On FortiGate model 30D, web-based manager configuration of the WiFi controller is disabled by default. To enable it, enter the following CLI commands:

config system global

set gui-wireless-controller enable end

 

If you want to connect and authorize external APs, such as FortiAP units, see the next chapter, Access point deployment.

 

 

Overview of WiFi controller configuration

The FortiGate WiFi controller configuration is composed of three types of object, the SSID, the AP Profile and the physical Access Point.

  • An SSID defines a virtual wireless network interface, including security settings. One SSID is sufficient for a wireless network, regardless how many physical access points are provided. You might, however, want to create multiple SSIDs to provide different services or privileges to different groups of users. Each SSID has separate firewall policies and authentication. Each radio in an access point can support up to 8 SSIDs.

A more common use of the term SSID is for the identifier that clients must use to connect to the wireless network. Each SSID (wireless interface) that you configure will have an SSID field for this identifier. In Managed Access Point configurations you choose wireless networks by SSID values. In firewall policies you choose wireless interfaces by their SSID name.

  • An AP Profile defines the radio settings, such as band (802.11g for example) and channel selection. The

AP Profile names the SSIDs to which it applies. Managed APs can use automatic profile settings or you can create

AP profiles.

  • Managed Access Points represent local wireless APs on FortiWiFi units and FortiAP units that the FortiGate unit has discovered. There is one managed access point definition for each AP device. An access point definition can use automatic AP profile settings or select a FortiAP Profile. When automatic profile settings are used, the managed AP definition also selects the SSIDs to be carried on the AP.

 

Conceptual view of FortiGate WiFi controller configuration

 

About SSIDs on FortiWiFi units

FortiWiFi units have a default SSID (wireless interface) named wlan. You can modify or delete this SSID as needed. As with external APs, the built-in wireless AP can be configured to carry any SSID.

The AP settings for the built-in wireless access point are located at WiFi Controller > Local WiFi Radio. The available operational settings are the same as those for external access points which are configured at

WiFi Controller > Managed FortiAPs.

 

Process to create a wireless network

To set up your wireless network, you will need to perform the following steps:

  • Make sure the FortiGate wireless controller is configured for your geographic location. This ensures that the available radio channels and radio power are in compliance with the regulations in your region.
  • Optionally, if you don’t want to use automatic AP profile settings, configure a FortiAP profile, specifying the radio settings and the SSIDs to which they apply.
  • Configure one or more SSIDs for your wireless network. The SSID configuration includes DHCP and DNS settings.
  • Configure the user group and users for authentication on the WLAN.
  • Configure the firewall policy for the WLAN.
  • Optionally, customize the captive portal.
  • Configure access points.

Configuration of the built-in AP on FortiWiFi units is described in this chapter. Connection and configuration of

FortiAP units is described in the next chapter, see Access point deployment on page 850.

 

 

Setting your geographic location

The maximum allowed transmitter power and permitted radio channels for WiFi networks depend on the region in which the network is located. By default, the WiFi controller is configured for the United States. If you are located in any other region, you need to set your location before you begin configuring wireless networks.

 

To change the location setting – CLI

To change the country to France, for example, enter

config wireless-controller setting set country FR

end

To see the list of country codes, enter a question mark (‘?’) instead of a country code.

Before changing the country setting, you must remove all FortiAP Profiles. To do this, go to WiFi & Switch Controller > FortiAP Profiles.

View all Country & Regcodes/Regulatory Domains

The following CLI command can be entered to view a list of the Country & Regcodes/Regulatory Domains supported by Fortinet:

cw_diag -c all-countries

Below is a table showing a sample of the list displayed by entering this command:

 

Country-code Region-code Domain ISOname Name
 

0

  

A

  

FCC3 & FCCA

  

NA

  

NO_COUNTRY_SET
 

8

  

W

  

NULL1 & WORLD

  

AL

  

ALBANIA
 

12

  

W

  

NULL1 & WORLD

  

DZ

  

ALGERIA
 

16

  

A

  

FCC3 & FCCA

  

AS

  

AMERICAN SAMOA
 

...

  

...

  

...

  

...

  

...

 

Pages: 1 2 3 4 5 6 7

Introduction to wireless networking

Leave a reply

Introduction to wireless networking

This chapter introduces some concepts you should understand before working with wireless networks, describes Fortinet’s wireless equipment, and then describes the factors you need to consider in planning deployment of a wireless network.

  • Wireless concepts Security Authentication
  • Wireless networking equipment
  • Automatic Radio Resource Provisioning

 

Wireless concepts

Wireless networking is radio technology, subject to the same characteristics and limitations as the familiar audio and video radio communications. Various techniques are used to modulate the radio signal with a data stream.

 

Bands and channels

Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in.

  • IEEE 802.11b and g protocols provide up to 14 channels in the 2.400-2.500 GHz Industrial, Scientific and Medical (ISM) band.
  • IEEE 802.11a,n (5.150-5.250, 5.250-5.350, 5.725–5.875 GHz, up to 16 channels) in portions of Unlicensed National Information Infrastructure (U-NII) band

Note that the width of these channels exceeds the spacing between the channels. This means that there is some overlap, creating the possibility of interference from adjacent channels, although less severe than interference on the same channel. Truly non-overlapping operation requires the use of every fourth or fifth channel, for example ISM channels 1, 6 and 11.

The capabilities of your wireless clients is the deciding factor in your choice of wireless protocol. If your clients support it, 5GHz protocols have some advantages. The 5GHz band is less used than 2.4GHz and its shorter wavelengths have a shorter range and penetrate obstacles less. All of these factors mean less interference from other access points, including your own.

When configuring your WAP, be sure to correctly select the Geography setting to ensure that you have access only to the channels permitted for WiFi use in your part of the world.

For detailed information about the channel assignments for wireless networks for each supported wireless protocol, see Reference on page 955.

 

Power

Wireless LANs operate on frequencies that require no license but are limited by regulations to low power. As with other unlicensed radio operations, the regulations provide no protection against interference from other users who are in compliance with the regulations.

Power is often quoted in dBm. This is the power level in decibels compared to one milliwatt. 0dBm is one milliwatt, 10dBm is 10 milliwatts, 27dBm, the maximum power on Fortinet FortiAP equipment, is 500 milliwatts. The FortiGate unit limits the actual power available to the maximum permitted in your region as selected by the WiFi controller country setting.

Received signal strength is almost always quoted in dBm because the received power is very small. The numbers are negative because they are less than the one milliwatt reference. A received signal strength of -60dBm is one millionth of a milliwatt or one nanowatt.

 

Antennas

Transmitted signal strength is a function of transmitter power and antenna gain. Directional antennas concentrate the signal in one direction, providing a stronger signal in that direction than would an omnidirectional antenna.

FortiWiFi units have detachable antennas. However, these units receive regulatory approvals based on the supplied antenna. Changing the antenna might cause your unit to violate radio regulations.

 

Security

There are several security issues to consider when setting up a wireless network.

 

Whether to broadcast SSID

It is highly recommended to broadcast the SSID. This makes connection to a wireless network easier because most wireless client applications present the user with a list of network SSIDs currently being received. This is desirable for a public network.

Attempting to obscure the presence of a wireless network by not broadcasting the SSID does not improve network security. The network is still detectable with wireless network “sniffer” software. Clients search for SSIDs that they know, leaking the SSID. Refer to RFC 3370. Also, many of the latest Broadcom drivers do not support hidden SSID for WPA2.

 

Encryption

Wireless networking supports the following security modes for protecting wireless communication, listed in order of increasing security.

None — Open system. Any wireless user can connect to the wireless network.

WEP64 — 64-bit Web Equivalent Privacy (WEP). This encryption requires a key containing 10 hexadecimal digits.

WEP128 — 128-bit WEP. This encryption requires a key containing 26 hexadecimal digits.

WPA — 256-bit WiFi Protected Access (WPA) security. This encryption can use either the TKIP or AES encryption algorithm and requires a key of either 64 hexadecimal digits or a text phrase of 8 to 63 characters. It is also possible to use a RADIUS server to store a separate key for each user.

WPA2 — WPA with security improvements fully meeting the requirements of the IEEE 802.11i standard. Configuration requirements are the same as for WPA.

For best security use the WPA2 with AES encryption and a RADIUS server to verify individual credentials for each user. WEP, while better than no security at all, is an older algorithm that is easily compromised. With either WEP or WAP, changing encryption passphrases on a regular basis further enhances security.

 

Separate access for employees and guests

Wireless access for guests or customers should be separate from wireless access for your employees. This does not require additional hardware. Both FortiWiFi units and FortiAP units support multiple wireless LANs on the same access point. Each of the two networks can have its own SSID, security settings, firewall policies, and user authentication.

A good practice is to broadcast the SSID for the guest network to make it easily visible to users, but not to broadcast the SSID for the employee network.

Two separate wireless networks are possible because multiple virtual APs can be associated with an AP profile. The same physical APs can provide two or more virtual WLANs.

 

Captive portal

As part of authenticating your users, you might want them to view a web page containing your acceptable use policy or other information. This is called a captive portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms can the user access other web resources.

For more information about captive portals, see the Captive portals chapter of the FortiOS Authentication Guide.

 

Power

Reducing power reduces unwanted coverage and potential interference to other WLANs. Areas of unwanted coverage are a potential security risk. There are people who look for wireless networks and attempt to access them. If your office WLAN is receivable out on the public street, you have created an opportunity for this sort of activity.

 

Monitoring for rogue APs

It is likely that there are APs available in your location that are not part of your network. Most of these APs belong to neighboring businesses or homes. They may cause some interference, but they are not a security threat. There is a risk that people in your organization could connect unsecured WiFi-equipped devices to your wired network, inadvertently providing access to unauthorized parties. The optional On-Wire Rogue AP Detection Technique compares MAC addresses in the traffic of suspected rogues with the MAC addresses on your network. If wireless traffic to non-Fortinet APs is also seen on the wired network, the AP is a rogue, not an unrelated AP.

Decisions about which APs are rogues are made manually on the Rogue AP monitor page. For detailed information, see Wireless network monitoring on page 894.

 

Suppressing rogue APs

When you have declared an AP to be a rogue, you have the option of suppressing it. To suppress and AP, the FortiGate WiFi controller sends reset packets to the rogue AP. Also, the MAC address of the rogue AP is blocked in the firewall policy. You select the suppression action on the Rogue AP monitor page. For more information, see Wireless network monitoring on page 894.

Rogue suppression is available only when there is a radio dedicated to scanning. It will not function during background scanning for spectrum analysis.

 

Wireless Intrusion Detection (WIDS)

You can create a WIDS profile to enable several types of intrusion detection:

  • Unauthorized Device Detection
  • Rogue/Interfering AP Detection
  • Ad-hoc Network Detection and Containment
  • Wireless Bridge Detection
  • Misconfigured AP Detection
  • Weak WEP Detection
  • Multi Tenancy Protection
  • MAC OUI Checking

For more information, see Protecting the WiFi Network on page 891.

Pages: 1 2 3

Chapter 8 – Deploying Wireless Networks

Leave a reply

Chapter 8 – Deploying Wireless Networks

This FortiOS Handbook chapter contains the following sections:

Introduction to wireless networking explains the basic concepts of wireless networking and how to plan your wireless network.

Configuring a WiFi LAN explains how to set up a basic wireless network, prior to deploying access point hardware. Access point deployment explains how to deploy access point hardware and add it to your wireless network configuration.

Wireless Mesh explains how to configure a Wi-Fi network where access points are connected to the Wi-Fi controller wirelessly instead of by Ethernet.

Combining WiFi and wired networks with a software switch shows how to use the FortiAP Wi-Fi-Ethernet bridge feature.

Protecting the WiFi Network explains the Wireless Intrusion Detection System (WIDS).

Wireless network monitoring explains how to monitor your wireless clients and how to monitor other wireless access points, potentially rogues, in your coverage area.

Configuring wireless network clients explains how to configure typical wireless clients to work with a WPA- Enterprise protected network.

Wireless network examples provides two examples. The first is a simple Wi-Fi network using automatic configuration. The second is a more complex example of a business with two Wi-Fi networks, one for employees and another for guests or customers.

Using a FortiWiFi unit as a client explains how to use a FortiWiFi unit as a wireless client to connect to other Wi-Fi networks. This connection can take the place of an Ethernet connection where wired access to a network or to the Internet is not available.

Support for location-based services explains how Fortinet supports location-based services that collect information about devices near FortiGate-managed access points, even if the devices don’t associate with the network.

Reference provides information about Wi-Fi radio channels.

 

What’s new in FortiOS 5.4

 

Automatic all-SSID selection in FortiAP Profile (219347)

The SSID field in FortiAP Profiles now includes the option Automatically assign Tunnel-mode SSIDs. This eliminates the need to re-edit the profile when new SSIDs are created. You can still select SSIDs individually using the Select SSIDs option.

Automatic assignment of SSIDs is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP.

 

Improved override of FortiAP settings (219347 264010 264897)

The configuration settings of a FortiAP in WiFi Controller > Managed FortiAPs can override selected settings in the FortiAP Profile:

  • Band and/or Channel
  • Transmitter Power
  • SSIDs
  • LAN Port mode

 

Note that a Band override also overrides Channel selections.

In the CLI, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, and split tunneling settings.

 

Spectrum Analysis removed from FortiAP Profile GUI

Spectrum Analysis is no longer available in FortiAP Profiles in the GUI. It can be enabled in the CLI if needed.

 

Disable low data rates in 802.11a, g, n ac (297821)

To reduce air-time usage on your WiFi network, you can disable the use of low data rates which cause communications to consume more air time.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6,9,12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9,12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix “basic”, “12-basic” for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by MSC (Modulation and Coding Scheme) Index and the number of spatial streams.

  • 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
  • 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
  • 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
  • 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4

Here are some examples of setting basic and supported rates.

 

config wireless-controller vap edit <vap_name>

set rates-11a 12-basic 18 24 36 48 54 set rates-11bg 12-basic 18 24 36 48 54

set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4 set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3

end

Pages: 1 2 3 4 5

Chapter 7 – PCI DSS Compliance

Leave a reply

Chapter 7 – PCI DSS Compliance

 

Compliance

This FortiOS Handbook chapter contains the following sections:

Configuring FortiGate units for PCI DSS compliance on page 797 explains the Payment Card Industry Data Security Standard (PCI DSS). It provides information about configuring your network and FortiGate unit to help you comply with PCI DSS requirements.

 

FortiOS 5.4 PCI DSS compliance new features

Vulnerability Scanning has been removed (293156)

Vulnerability scanning can now be done from FortiClient.

 

PCI DSS Compliance Check Support (270014)

FortiOS 5.4 allows you to run a compliance check either on demand or according to a schedule that automatically checks PCI DSS compliance at the global or VDOM level. The compliance check determines whether the FortiGate is compliant with each PCI DSS requirement by displaying an ‘X’ next to the non-compliant entries in the GUI logs.

Go to System > Advanced > Compliance, turn on compliance checking and configure a daily time to run the compliance check. Or you can select Run Now to run the compliance check on demand.

Go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.

Pages: 1 2 3 4 5 6 7 8 9 10

GTP packets are not moving along your network

Leave a reply

GTP packets are not moving along your network

When GTP packets are not getting to their destination, this could be caused by any one of a number of issues. General troubleshooting principals apply here.

The following sections provide some suggestions on how to troubleshoot this issue:

  • Attempt to identify the section of your network with the problem
  • Ensure you have an APN configured
  • Check the logs and adjust their settings if required
  • Check the routing table
  • Perform a sniffer trace
  • Generate specific packets to test the network

 

Attempt to identify the section of your network with the problem

The first step is to determine how widespread this problem is. Does it affect the whole GPRS network, or just one or two devices?

If the entire network is has this problem, the solution is likely a more general one such as ensuring the security policies allow GTP traffic to pass, the GTP profile specifies SSGNs and GSGNs, or ensuring the GTP general settings are not overly limiting.

If one part of the network is affected, the problem is more likely centered around configurations with those network devices specified such as the handover group, or authorized SGSNs/GGSNs. It is also possible that small portions of the network may have hardware related issues such as cabling or faulty hardware. This section does not address those issues, and assumes hardware is not the problem.

The handover group is a whitelist of GTP addresses allowed to handle GTP messages. If a device’s address is not on this list, it will be denied.

 

Ensure you have an APN configured

When you configure your GTP profile, ensure you first configure the APN. Without it, there will be no flow of traffic. The APN is used in nearly all GTP communications and without it, the Carrier-enabled FortiGate unit doesn’t have the information it needs.

 

Check the logs and adjust their settings if required

During normal operation, the log settings will show any problems on the network but may not provide the level of details required to fully troubleshoot the problem. The reason for this is that the level of detail required for troubleshooting would quickly overwhelm the daily logs without any real benefit.

GTP related events in the event log will have message IDs in the range 41216 to 41222. For more information on GTP log messages, see the Log Message Reference. For more information on logging in general, see the Logging and Reporting guide.

Once there is a problem to troubleshoot, check the logs to trace the traffic patterns and narrow down the possible sources of the problem. There may be enough detail for you to locate and fix the problem without changing the log settings.

Remember to set any changes you made to the log settings back to their original val- ues when you are done troubleshooting. Otherwise, the amount of detail will over- whelm your logging.

 

However, if more detail is required you can change settings such as:

  • Lower the Log Frequency number in GTP Profiles so fewer or no log messages are dropped. This will allow a more accurate picture of everything happening on the network, where you may have had only a partial picture before.
  • Ensure all the GTP log events are enabled to provide you with a complete picture.
  • Ensure that all relevant event types are enabled under Log & Report > Log Config > Log Settings. For more information on GTP related logging, see Logging events on the Carrier-enabled FortiGate unit. General information to look for in the logs includes:
  • Are all packets having problems or just certain types?
  • Are all devices on the network having problem, or just certain devices?
  • Is it just GTP traffic that is having problems or are all types of traffic having the same problem?

 

Check the routing table

On any network, the routing table determines how packets reach their destination. This is also true on a carrier network.

If the Carrier-enabled FortiGate unit is running in NAT mode, verify that all desired routes are in the routing table

— local subnets, default routes, specific static routes, and dynamic routing protocols. For complete information, it is best to check the routing table in the CLI. This method provides more complete information.

 

If VDOMs are enabled on your Carrier-enabled FortiGate unit, all routing related CLI

commands must be performed within a VDOM and not in the global context.

 

To check the routing table using the CLI

# get router info routing-table all

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area

* – candidate default

 

S* 0.0.0.0/0 [10/0] via 192.168.183.254, port2

S 1.0.0.0/8 [10/0] via 192.168.183.254, port2

S 2.0.0.0/8 [10/0] via 192.168.183.254, port2

C 10.142.0.0/23 is directly connected, port3

B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

C 192.168.182.0/23 is directly connected, port2

Examining an entry from the routing table above:

B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m

B                                BGP. The routing protocol used.

10.160.0.0/23            The destination of this route including netmask.

[20/0]                         20 indicates and administrative distance of 20 out of a range of 0 to 255.

0 is an additional metric associated with this route, such as in OSPF

10.142.0.74               The gateway, or next hop.

port3                         The interface used by this route.

2d18h02m                 How old this route is, in this case almost three days old.

 

Perform a sniffer trace

When troubleshooting network traffic, it helps to look inside the headers of packets to determine if they are traveling along the route you expect. Packet sniffing can also be called a network tap, packet capture, or logic analyzing.

If your Carrier-enabled FortiGate unit has NP interfaces that are offloading traffic, this will change the sniffer trace. Before performing a trace on any NP interfaces, disable offloading on those interfaces.

 

What can sniffing packets tell you

If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, what the port of entry is on the Carrier-enabled FortiGate unit, if the ARP resolution is correct, and if the traffic is being sent back to the source as expected.

 

Sniffing packets can also tell you if the Carrier-enabled FortiGate unit is silently dropping packets for reasons such as RPF (Reverse Path Forwarding), also called Anti Spoofing. This prevents an IP packet from being forwarded if its source IP address either does not belong to a locally attached subnet (local interface), or be a hop on the routing between the FortiOS Carrier and another source (static route, RIP, OSPF, BGP). Note that RPF can be disabled by turning on asymmetric routing in the CLI (config system setting, set asymmetric enable), however this will disable stateful inspection on the Carrier-enabled FortiGate unit and consequently cause many features to be turned off.

If you configure virtual IP addresses on your Carrier-enabled FortiGate unit, the unit will use those addresses in preference to the physical IP addresses. If not configured properly, secondary IP addresses can cause a broadcast storm. You will notice the sec- ondary address being preferred when you are sniffing packets because all the traffic

will be using the virtual IP addresses. This is due to the ARP update that is sent out when the VIP address is configured.

 

How to sniff packets

The general form of the internal FortiOS packet sniffer command is:

diag sniffer packet <interface_name> <‘filter’> <verbose> <count>

To stop the sniffer, type CTRL+C.

<interface_name>    The name of the interface to sniff, such as port1 or internal. This can also be

any to sniff all interfaces.

<filter>

What to look for in the information the sniffer reads. none indicates no filtering, and all packets will be displayed as the other arguments indicate.

The filter must be inside single quotes (‘).

<verbose>                The level of verbosity as one of:

1 – print header of packets

2 – print header and data from IP of packets

3 – print header and data from Ethernet of packets

<count>                    The number of packets the sniffer reads before stopping. If you don’t put a number here, the sniffer will run forever unit you stop it with <CTRL C>.

For a simple sniffing example, enter the CLI command diag sniffer packet port1 none 1 3. This will display the next 3 packets on the port1 interface using no filtering, and using verbose level 1. At this verbosity level you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.

In the output below, port 443 indicates these are HTTPS packets, and 172.20.120.17 is both sending and receiving traffic.

Head_Office_620b # diag sniffer packet port1 none 1 3 interfaces=[port1] filters=[none]

0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757

0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808

0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933

 

Generate specific packets to test the network

If some packets are being delivered as expected while others are not, or after you believe you have fixed the problem, it is a good idea to generate specific traffic to test your network.

For example if you discover through log messages and packet sniffing that Create PDP Context Request messages are not being delivered between two SGSNs, you can generate those specific messages on your network to confirm they are the problem, and later that you have solved the problem and they are now being delivered as expected.

This step requires a third party traffic generation tool, either hardware or software. This is not be supported by Fortinet.