
FortiAP-14C, a remote access point from Fortinet: a good option for building a secure wireless network in a remote office

In this article we will talk about the FortiAP-14C, a new product in Fortinet's line of wireless access points: a miniature, single-radio access point for remote offices and branch offices, which the vendor rightly positions and names a Remote AP. It is one of three access points the vendor positions as "remote": the FortiAP-11C is the weaker model of the line (but more convenient for personal use, for travel and frequent moves outside the office), and the FortiAP-28C is the more powerful one.

In a previous article describing the functionality of FortiGate UTM devices, we noted that among its many features FortiGate has an integrated wireless controller (on models 40 and above) for managing FortiAP thin access points.


Therefore, as the starting point for today's review of the new product, we take a central office with a corporate network protected by FortiGate and a remote office where we will deploy a separate island of the same secure infrastructure. The remote office will be protected by the same rules and policies that are configured on the central-office FortiGate, which minimizes the time spent on administration and gives broad possibilities for centralized management and protection of network resources. In addition, users in the remote office can be offered the same SSID as in the main office, and for devices connected to the AP's LAN ports you can create a bridge either to an SSID or to the address pool on the AP's WAN interface.

Since we have touched on the capabilities and technical characteristics of the device, here is the full list of them:



The dimensions are very small and the weight is only 100 grams, so a remote office simply cannot do without these 100 grams :-) The same can be said of setting the AP up: it is very simple and accessible, and most importantly it is done once, after which the central-office admin, with FortiGate in hand, administers the entire network as one whole, including the individual islands of branches and remote offices, without fuss.

But let's leave the setup for later, since the device is still boxed and untouched.

We take the box, open it, and see the delivery set.



So, let's see what we got:
- FortiAP-14C access point - 1 pc.;
- Power supply for the access point (5 V, 1 A output) with a "euro" plug - 1 pc.;
- UTP Cat5e patch cord with RJ-45 connectors - 1 pc.;
- "Mounting kit" in the form of a pair of screws and a pair of wall plugs for wall mounting;
- Quick Start Guide - a readable manual in English covering the package contents, connection and configuration of the device.

The top of the AP looks like this:


Here we see the indicators (from left to right): Power, WiFi status, WAN status, and LAN port status 1-2-3-4.

Here is what the FortiAP-14C looks like from the back, where the interfaces are located. On this side we see the DC-IN socket for the power supply, four LAN port connectors, the WAN port connector, and the Reset button for resetting the settings.



Somewhat puzzling is the presence of characteristic sockets, or rather caps, apparently intended for attaching external antennas. Perhaps some other model will be released on this basis. For now this is a mystery, since there is no information on the subject.

Now about the capabilities of the AP. As already noted in the specifications, the AP has a single radio in the 2.4 GHz band, 802.11n, with rates up to 150 Mbps. Although this is a remote option (Remote AP), the AP remains "thin": it is managed by the controller built into FortiGate, connects to the Internet through its WAN interface and establishes a secure tunnel to FortiGate. Over the air, clients connect to any SSID that is pre-configured on, and broadcast from, the same FortiGate as in the central office. Through the LAN ports in the remote office, devices can be given addresses from the pool on the AP's WAN interface, or be bridged into a FortiGate SSID. Each SSID on FortiGate is a separate interface, so that every type of firewall policy can be applied to it in a uniform way.

Thus, by connecting the AP in the remote office, having first pointed it at the address of FortiGate's external Internet interface, we get the same protection, security and authentication profiles from anywhere in the world. The line between wired and wireless access is being erased more and more, which matters given the constantly growing number of wireless devices in use.

Well, let's proceed directly to the configuration to see how this is achieved.

Out of the box the AP has a so-called "zero" configuration: it answers HTTP at http://192.168.1.2 (on the PC you need to set a static address, e.g. 192.168.1.3/24).
The login is the standard one, as on FortiGate: admin, with no password. Set a password before the AP leaves the central office; a remote AP sits on an uplink you do not control, so the management interface should not keep its factory credentials.



By default the AP can also obtain an address from a DHCP server. Once it has an address, the AP starts discovering the wireless controller in several ways, namely:
- Broadcast
- Multicast
- DHCP option 138, which is described in and conforms to RFC 5417 for the CAPWAP protocol.
When the AP finds a controller, it appears in the WiFi Controller > Managed Access Points > Managed FortiAPs section of the FortiGate web interface, and the AP's own web interface shows the corresponding status "AC Discovery Status - Discovered AC".



In the upper part of the FortiAP-14C web interface, besides viewing status information, details of the current settings, uptime, load and so on, the following can be done:
- change the firmware in the Firmware Version section;
- change the default access password under Current Administrator;
- download/upload a copy of the configuration under System Configuration - Backup, Restore.
Next come the network settings: below we see the Network Configuration section, where you can choose Static or DHCP. Nothing prevents you from setting a static address, mask and default gateway once and for all in Static mode, along with a VLAN ID if VLANs are in use on the AP's subnet. The same settings, prefixed with "Default", are present in DHCP mode. Here you can also enable/disable HTTP and TELNET access to this web interface; both are unencrypted, so on a remote AP disable them once the AP is managed by FortiGate.



The Connectivity section offers a choice of uplink mode for our AP:
- Ethernet - everything is clear: a wired uplink over Ethernet, in our case via the WAN port.
- Mesh - a fully wireless topology is also supported, where the access points themselves act as repeaters and routers without wired connections between them. This feature is available from FortiOS 5.0 and above.
- Ethernet with mesh backup support - a combined mode: wired uplink with a redundant connection over the mesh network if the wire fails.
For Ethernet nothing needs to be configured in the web interface; for Mesh you must specify the SSID and password that will be used to connect to the other APs. The Ethernet Bridge function links two access points in bridge mode to build WiFi spans between buildings and the like. Ethernet with mesh backup support, being essentially the same Mesh, has the same settings.



Next, the WTP Configuration section lets us configure how the AP discovers the wireless controller. Among the modes is Auto, which combines all of the following. Looking at them in more detail:
- Static - static mode, with the ability to assign up to three addresses of the remote controller.
- DHCP - specify the port and the Option Code; the default value 138 is the CAPWAP AC DHCPv4 Option recommended by RFC 5417, "Control And Provisioning of Wireless Access Points (CAPWAP) Access Controller DHCP Option".
- DNS - specify the port and up to three domain names of the host where the remote controller is located.
- Broadcast - only a port is needed for broadcast discovery (for the record, the default is 5246; the controller also listens on it by default unless the administrator has configured FortiGate otherwise).
- Multicast - the same port and the address 224.0.1.140, registered with IANA as CAPWAP-AC (RFC 5415) in the IPv4 Multicast Address Space Registry.
One caveat for a remote AP: broadcast and multicast discovery do not cross the Internet, and with DHCP discovery whoever runs the DHCP server in the remote office decides which controller address the AP is handed. For an AP whose controller is on the far side of the Internet, the Static (or DNS) mode with the FortiGate address is the appropriate choice, and the AP's serial number is checked during authorization on FortiGate in any case.
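To make the discovery mechanisms concrete, here is an added example (not code from the original article or from Fortinet) that encodes and parses the CAPWAP AC address list carried in DHCPv4 option 138 as RFC 5417 defines it, and models where an AP in each WTP discovery mode from the list above would send its Discovery Request. The DNS mode is left out because it needs a resolver; the sample controller addresses, the sample DHCP options area and all function names are assumptions made for the example.

```python
"""Added example: DHCPv4 option 138 (RFC 5417) encode/decode and a simplified
model of the FortiAP WTP discovery modes. Not Fortinet code; the addresses and
the DHCP options area used below are constructed sample data."""
import ipaddress
import struct

CAPWAP_AC_OPTION = 138               # DHCPv4 option code, RFC 5417
CAPWAP_CONTROL_PORT = 5246           # CAPWAP control port, RFC 5415
CAPWAP_AC_MULTICAST = "224.0.1.140"  # IANA "CAPWAP-AC" multicast group


def encode_option_138(controllers):
    """Return the option bytes: code, length, then one 4-byte IPv4 per AC."""
    if not controllers:
        raise ValueError("RFC 5417 requires at least one AC address")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("payload exceeds the 255-byte DHCP option limit")
    return struct.pack("BB", CAPWAP_AC_OPTION, len(payload)) + payload


def decode_option_138(raw):
    """Parse option bytes back into dotted IPv4 strings. Rejects a wrong
    option code and a length that is zero, truncated or not a multiple of 4."""
    if len(raw) < 2 or raw[0] != CAPWAP_AC_OPTION:
        raise ValueError("not a CAPWAP AC option")
    length = raw[1]
    payload = raw[2:2 + length]
    if length == 0 or length % 4 != 0 or len(payload) != length:
        raise ValueError("malformed option 138 length")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]


def find_option(options, code):
    """Walk a flat DHCP options area (code, len, value... ; 0 = pad, 255 = end)
    and return the whole TLV for `code`, or None if it is absent."""
    i = 0
    while i < len(options) and options[i] != 255:
        if options[i] == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        opt_code, length = options[i], options[i + 1]
        if opt_code == code:
            return options[i:i + 2 + length]
        i += 2 + length
    return None


def discovery_candidates(mode, static=(), dhcp_options=b"",
                         port=CAPWAP_CONTROL_PORT):
    """(address, port) pairs an AP in the given WTP mode would send its
    CAPWAP Discovery Request to. Simplified model of the web-UI modes."""
    if mode == "static":
        acs = list(static)[:3]          # the web UI allows up to three
    elif mode == "dhcp":
        opt = find_option(dhcp_options, CAPWAP_AC_OPTION)
        acs = decode_option_138(opt) if opt else []
    elif mode == "broadcast":
        acs = ["255.255.255.255"]       # never leaves the local segment
    elif mode == "multicast":
        acs = [CAPWAP_AC_MULTICAST]
    else:
        raise ValueError(f"unknown discovery mode {mode!r}")
    return [(ac, port) for ac in acs]


if __name__ == "__main__":
    # Constructed sample: a DHCP options area with message-type 53 (OFFER)
    # and option 138 pointing at two controllers.
    opt138 = encode_option_138(["203.0.113.10", "203.0.113.11"])
    options = bytes([53, 1, 2]) + opt138 + bytes([255])
    for mode in ("static", "dhcp", "broadcast", "multicast"):
        print(mode, discovery_candidates(mode, static=["198.51.100.1"],
                                         dhcp_options=options))
```

The decoder's length check is the part worth keeping: an option 138 whose length is not a multiple of four is malformed by definition, and an AP that silently accepts a truncated address list is an AP that can be pointed at a controller the administrator never configured.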



Let's assume the necessary settings have been made. In our configuration we entered the addresses of the remotely located controller, as below:



So what happens on FortiGate when an access point reaches its built-in wireless controller? The AP appears in the WiFi Controller -> Managed Access Points -> Managed FortiAPs section as unauthorized:



We check the serial number against the label on the device (anything on the Internet can send a discovery request to FortiGate's external interface, so this check is what ties the entry to our AP), see the source address the AP connected from, and authorize it by clicking Authorize in the section menu:



For some time the AP still hangs in the unauthorized state:



...after which it is clearly displayed in the menu as authorized and now fully under our control:



Here the AP reports its name/serial number, its pleasant authorized (green) state, its address (obtained remotely), the SSIDs it broadcasts, channels, number of connected clients and its firmware version. Double-click the entry or click Edit to see what's inside:



Here are the more detailed descriptions and settings of our AP:
- Serial Number - the serial number again
- Name - name/description (to your taste)
- Comments - descriptive comments, e.g. the name of the office location
- Managed AP Status:
  Status: Online - status
  Connected Via: Ethernet (192.168.3.113) - the AP's uplink and the address of its Ethernet interface
  Base MAC Address: 08:5b:0e:28:16:08 - MAC address of the AP's wireless interface
  Join Time: 12/11/13 19:32 - time the AP joined the controller
  Clients: 0 - number of active clients
  FortiAP OS Version: FAP14C-v5.0-build060 [Upgrade] - firmware version and an Upgrade button for loading new firmware to the AP
  State: Authorized
- Wireless Settings:
  AP Profile - the profile the AP operates with:
    Automatic - all of the Wireless Settings below can then be set manually in this menu
    FAP-14C_default - FortiGate's built-in profile for this model
    [Apply] - apply the profile after selecting it
  Enable WiFi Radio - turn the radio on/off
  SSID - which SSIDs the AP should broadcast:
    Automatically Inherit all SSIDs - broadcast all SSIDs previously created on FortiGate automatically
    Select SSIDs - pick specific SSIDs manually (multiple selection)
    FAP_14C_test (SSID: FAP_14C_test) - example of an SSID chosen via Select SSIDs
  Auto TX Power Control: Disable/Enable - automatic adjustment of the radio's transmit power
  TX Power 0-100% - transmit power in percent when Auto TX Power Control is set to Disable
  Band: 802.11bgn_2.4G, 2.4GHz, 5GHz - radio band (5 GHz is inactive on this model)
  Channel: 6 - operating channel
  Do not participate in Rogue AP scanning - exclude this AP from the background scanning for unregistered, and therefore potentially unsafe, wireless networks (so-called Rogue APs)
- LAN Port - configuration of the AP's built-in LAN ports:
  Mode: None - the LAN ports work as an ordinary switch, without uplink
  Bridge to: WAN Port - bridge to the AP's WAN port; devices on the LAN get addresses from the same pool as the WAN port
  Bridge to: <SSID name> - bridge to the selected SSID; wired and wireless users end up in the same address space configured on the SSID interface

We have looked at the settings, but to make it work we need to create an SSID, which, as already mentioned, will be a separate interface on which security and authentication policies are applied and the required FortiGate UTM functions are enabled, such as antivirus, antispam, web filtering, IPS, DLP, application control, VoIP and others.

So go to WiFi Controller > WiFi Network > SSID and create an SSID there with the intuitive Create New button:



Inside we see the following settings:




Here is what is what:
Name - interface name
Type - the type, under which WiFi SSID is found, which is self-explanatory
Traffic Mode - traffic mode, with the following options:
  Tunnel to Wireless Controller - client traffic is tunnelled to the controller, so clients get addresses from the interface network settings below
  Local bridge with FortiAP's Interface - bridge mode with the AP's WAN port, the same mode already described for this model's LAN ports, here available to wireless clients as well (and on other models too)
  Mesh Downlink - assign the SSID to participate in building a Mesh network

IP / Network Mask - IP address and network mask of the future interface
- Administrative Access: HTTPS, PING, HTTP, FMG-Access, SSH, SNMP, TELNET, FCT-Access, Auto IPsec Request - the kinds of administrative access allowed on the interface (enable only what wireless clients actually need; an SSID interface is reachable by every client on it)
- DHCP Server: Enable - enables the DHCP server for wireless clients
  Address Range (Create New - Edit - Delete) - create, edit and delete address ranges for the DHCP server
  Starting IP - End IP - first and last address of the range
  Netmask - network mask handed out by the DHCP server
  Default Gateway (Same as Interface IP, Specify) - default gateway handed out by the DHCP server (either the interface address or specified manually)
  DNS Server (Same as System DNS, Specify) - DNS server handed out by the DHCP server (the system DNS servers, or specified manually)
- WiFi Settings
  SSID - the network name (may be the same as the interface name)
  Security Mode - WPA/WPA2-Personal, WPA/WPA2-Enterprise, Captive Portal, Open - the SSID's security mode. For WPA/WPA2-Personal, Data Encryption and a Pre-shared Key are specified; for WPA/WPA2-Enterprise, Data Encryption and Authentication (a RADIUS Server pre-configured on FortiGate, or a Usergroup); for Captive Portal, User Groups. The user groups can use any authentication type FortiGate supports, up to AD integration. Note that Open and Captive Portal do not encrypt the air link; for an office network, WPA2-Enterprise is the mode to aim for.
  Data Encryption (AES, TKIP, TKIP-AES) - encryption algorithm from the list (TKIP is the legacy WPA cipher; choose AES unless an old client forces otherwise)
  Pre-shared Key (8-63 characters) - the network access key for this SSID
  Block Intra-SSID Traffic - checkbox to block or allow traffic between clients on the same SSID
  Maximum Clients - limit on the number of clients on this SSID
  Device Management: Detect and Identify Devices - detect and identify connected devices, for device-identity policies in the firewall settings
  Listen for RADIUS Accounting Messages - accept RADIUS Accounting messages from RADIUS servers for user sessions
  Secondary IP Address - secondary interface IP address
  Comments - text comments, if needed

Don't forget to click Apply after making the settings; as a result, our first SSID is created.
Now let's quickly go over the remaining web-interface capabilities on the wireless controller side, and then move on to creating access policies for the remote users of the equally remote access point in the still remote office.
Next come the Rogue AP settings. We won't describe them at length: Enable Rogue AP Detection makes the controller detect "unregistered" SSIDs, and Enable On-Wire Rogue AP Detection Technique additionally checks whether a detected AP is attached to our wired network, which is what separates a neighbour's network from a rogue on our LAN. Note that Enable Rogue AP Detection should be treated as the master switch for the whole wireless controller, whereas the checkbox on an individual AP in WiFi Controller > Managed Access Points > Managed FortiAPs specifically excludes that one AP from participating in Rogue AP detection. Screenshot below.
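Since the Pre-shared Key and Data Encryption settings above decide how hard the SSID is to attack from the car park, here is an added example (not from the original article, not Fortinet code) showing what the 8-63 character passphrase actually becomes: the 256-bit Pairwise Master Key that IEEE 802.11i derives with PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations. The derivation and the "IEEE"/"password" test vector are the standard's; the passphrase checks, the offline guessing loop and its word list are assumptions made for the example.

```python
"""Added example: WPA/WPA2-Personal passphrase to PMK (IEEE 802.11i) and the
offline guessing it makes possible once a 4-way handshake has been captured.
Not Fortinet code; the candidate word list below is constructed sample data."""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA-PSK
PMK_LEN = 32              # 256-bit PMK


def validate_passphrase(passphrase):
    """The limits the SSID dialog enforces: 8-63 printable ASCII characters.
    They are a format rule, not a strength guarantee."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return passphrase


def wpa_pmk(ssid, passphrase):
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the only salt, so a common SSID makes precomputation cheap."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LEN)


def offline_guess(ssid, target_pmk, candidates):
    """Model of what an attacker holding a captured handshake can do without
    ever talking to the AP again: derive a PMK per candidate and check it.
    (A real cracker verifies each PMK against the handshake MIC; comparing
    PMKs directly is equivalent for the purpose of this example.)"""
    for candidate in candidates:
        try:
            pmk = wpa_pmk(ssid, candidate)
        except ValueError:
            continue                      # not even a legal passphrase
        if hmac.compare_digest(pmk, target_pmk):
            return candidate
    return None


if __name__ == "__main__":
    # IEEE 802.11i test vector: SSID "IEEE", passphrase "password"
    print(wpa_pmk("IEEE", "password").hex())
    # Constructed word list for the demo; a weak key on our example SSID
    words = ["short", "letmein1", "Winter2013", "FAP_14C_test!"]
    target = wpa_pmk("FAP_14C_test", "Winter2013")
    print("recovered:", offline_guess("FAP_14C_test", target, words))
```

Two things follow for the SSID dialog: a short or dictionary passphrase on WPA/WPA2-Personal is recoverable offline from a single captured handshake, and because the SSID is the salt, an SSID name shared by many sites lets one precomputed table serve all of them. WPA/WPA2-Enterprise with a per-user RADIUS credential avoids the shared secret altogether.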



Settings are settings, but we also have "accounting and control" through several monitors. The Client Monitor, for example, shows us all currently connected clients:



The Rogue AP Monitor shows all SSIDs found, both currently broadcasting and inactive ones that were captured while broadcasting since Rogue detection was turned on. You can see almost everything: name, status, encryption type, MAC address and the vendor it maps to, signal strength, and the FortiAP radio the network was detected on:



There is also an extremely informative Wireless Health monitor with its own charts:
- AP Status (uptime of the controller's access points, the number of active APs and of missing ones that have dropped off for some reason);
- Client Count Over Time (total number of clients, graphed over an hour/day/month);
- Top Client Count Per-AP (variants: 2.4 GHz Band, 5 GHz Band) - the access points with the most clients;
- Top Wireless Interference (variants: 2.4 GHz Band, 5 GHz Band) - interference between neighbouring FortiAP access points, broadcast channels and errors;
- Login Failures Information - failed logins on SSIDs broadcast by FortiAPs, to help spot break-in attempts and the like.



That seems to complete the FortiAP configuration: the addressing is in place, and the FortiAP is now ready to broadcast all the SSIDs you need, with or without encryption, with user authentication against AD, RADIUS or TACACS+ servers, with a Captive Portal, or as part of a Mesh network.

Still, we have not yet granted access to any resources, and FortiGate, being a self-respecting firewall on top of all its other functions, will not let us anywhere. The matter is "political": firewall policies. Let's go to them, in the Policy -> Policy -> Policy section of the web interface, and click Create New.

Below is an example of the simplest address-based security policy (Address): source and destination interfaces and addresses (Incoming/Outgoing Interface, Source/Destination Address), a schedule (Schedule), the permitted built-in services/protocols (Web Access) and the action (ACTION: accept/deny).
Logging Options set the logging level (No logs / Only security events / All logs).
Security Profiles enable the required UTM profiles, which in turn must be configured in advance in the menu of the same name, or the default profiles can be used.



A policy with user authentication (User Identity) requires the source and destination interfaces and the source addresses, followed by the authentication rules created within it (Configure Authentication Rules -> Create New). Initial view below:



After Create New we get the following dialog:



It includes the destination address(es), the user groups and/or individual users, schedule, service and action (accept/deny). And Security Profiles are available here in full as well; there is no getting away from them.

[The closing part of the original article did not survive extraction. Its surviving fragments mention the resulting WiFi firewall policies («2» and «4», between wan1 and internal), the Fortinet FortiAP line and a Gartner reference, FortiGate, and a comparison with the more powerful FortiAP-28C.]


More links:
Initial configuration and FortiGate UTM devices for small businesses - a worthy replacement for the outgoing Microsoft Forefront TMG
Introducing Fortinet's new FortiGate-90D model

Source: https://habr.com/ru/post/212909/