
FortiAP-14C, a remote access point from Fortinet: a good option for building a secure wireless network in a remote office
- Tutorial
In this article we look at the FortiAP-14C, a new addition to Fortinet's FortiAP line of wireless access points: a miniature single-radio unit built for enterprise remote and branch offices, which the vendor positions as a Remote AP. It is one of three access points the vendor classes as "remote": the FortiAP-11C is the weaker model in the line (but more convenient for personal use, travel and frequent trips outside the office), and the FortiAP-28C is the more powerful one.
Describing the functionality of FortiGate UTM devices in a previous article, we noted that FortiGate, among its many capabilities, has an on-board wireless controller (on models 40C and above) for managing thin FortiAP access points.

So, as the "given" for today's review we take a central office with a corporate network protected by a FortiGate, and a remote office where we will deploy a separate island of secure infrastructure. What matters here is that the remote office is protected by the same rules and policies that are configured on the central-office FortiGate, which minimizes administration time and gives wide scope for centralized management and protection of network resources. In addition, the remote office can broadcast the same SSIDs as the main office, and devices plugged into the unit's LAN ports can be bridged either into an SSID or into the address pool on the unit's WAN interface.
Since we have touched on the capabilities and technical characteristics of the subject, here is the full list of them:

The dimensions are tiny and the weight is only 100 grams, so remote offices simply cannot do without these 100 grams :-) As for configuring the unit, it is simple and, most importantly, done once; after that the central-office admin, with the FortiGate in hand, administers the whole network in an integrated and seamless manner, branch and remote-office islands included.
But we will get to the configuration later, since the unit is still boxed and untouched.
Picking up the box and opening it, we see the package contents.

So, let's see what we got:
- FortiAP-14C access point - 1 pc.;
- Power supply for the access point (5 V, 1 A output) with a "euro" plug - 1 pc.;
- UTP Cat5e patch cord with RJ-45 connectors - 1 pc.;
- "Mounting kit" in the form of a pair of screws and a pair of wall plugs;
- QuickStart Guide - a short manual in English covering package contents, connection and configuration of the unit.
The top side of the unit:

Here you see the LEDs (left to right): Power, WiFi status, WAN status, LAN port status 1-2-3-4.
Here is what the FortiAP-14C looks like from the back, where the interfaces are. On this side we see the DC-IN socket for the power supply, four LAN connectors, a WAN connector and a Reset button for restoring factory settings.

Somewhat puzzling is the presence of characteristic sockets, or rather plugs, apparently meant for external antennas. Perhaps another model will be released in the same case. For now it remains a mystery, as there is no information on the matter.
Now about what the unit can do. As the specifications above indicate, it has a single 2.4 GHz 802.11n radio with a data rate of up to 150 Mbps. Although this is a remote version (Remote AP), the unit remains "thin": it is managed by the controller built into FortiGate, reaching it over the Internet through its WAN interface and establishing a CAPWAP tunnel to the FortiGate. Note that the CAPWAP control channel (UDP 5246) is protected by DTLS, while the data channel (UDP 5247), which carries client traffic in tunnel mode, is clear text unless DTLS is enabled for it as well in the AP profile on the FortiGate; for a unit that talks to its controller across the Internet this is worth checking. Over the air, clients connect to any of the pre-configured SSIDs broadcast from the same FortiGate as in the central office. Through the LAN ports in the remote office, wired devices get addresses either from the pool on the unit's WAN interface or from a FortiGate SSID. And each SSID on FortiGate is a separate interface, so that firewall policies of every type are configured in the same uniform way.
Thus, by connecting the unit in the remote office, having first pointed it at the address of the FortiGate's external Internet interface, we get the same protection, security profiles and authentication from anywhere in the world. The line between wired and wireless access is blurring more and more, which matters given the ever-growing number of wireless devices in use.
Well, let's go straight to the setup and see how to achieve this.
Out of the box the unit has a so-called "zero" configuration: it answers over HTTP at http://192.168.1.2 (the PC needs a static address in the same subnet, e.g. 192.168.1.3/24).
The default login, as on FortiGate, is admin with no password. As with any default credential, set a password before the unit leaves for the branch.

By default the unit can also obtain an address from a DHCP server. Once it has an address, it starts discovering the wireless controller in several ways, namely:
- Broadcast
- Multicast
- DHCP option 138, the CAPWAP AC address option defined in RFC 5417.
When the unit finds the controller, it appears under WiFi Controller > Managed Access Points > Managed FortiAPs in the FortiGate web interface, and the unit's own web interface shows the corresponding status "AC Discovery Status - Discovered AC".

At the top of the FortiAP-14C web interface, besides viewing the status, details of the current settings, uptime, resource usage and so on, you can:
- change the firmware in the Firmware Version section;
- change the default admin password in the Current Administrator section;
- download / upload a copy of the configuration (System Configuration - Backup, Restore).
Next come the network settings in the Network Configuration section, where you choose Static or DHCP. Nothing stops you from entering, once and for all, a static address, mask and default gateway in Static mode, plus the VLAN ID if the unit's subnet uses one. The same settings, with the suffix "Default", are present in DHCP mode. Here you can also enable or disable HTTP and Telnet access to this web interface; both are unencrypted, so once the unit is managed by the controller it makes sense to switch them off.

The Connectivity section lets us choose the uplink mode for our unit:
- Ethernet - the obvious one, a wired uplink via Ethernet, in our case through the WAN interface.
- Mesh - a wireless mesh topology is supported, in which the access points themselves act as repeaters and routers for each other without wired links between them. This feature is available with FortiOS 5.0 and later.
- Ethernet with mesh backup support - a combined mode: a wired uplink with a redundant mesh connection in case the wire fails.
For Ethernet nothing needs to be configured in the web interface; for Mesh you specify the SSID and password used for pairing with the other access points. The Ethernet Bridge function connects two access points in bridge mode, for building WiFi links between buildings and the like. Ethernet with mesh backup support, being essentially the same Mesh, has the same settings.

Next, the WTP Configuration section lets us configure how the wireless controller (the AC) is discovered. Auto tries all of the methods below in turn. In more detail, the modes are:
- Static - up to three controller addresses are entered explicitly.
- DHCP - the port and the Option Code are given; the default is 138, the CAPWAP AC DHCPv4 option recommended by RFC 5417 "Control And Provisioning of Wireless Access Points (CAPWAP)".
- DNS - the port and up to three host names under which the controller can be resolved.
- Broadcast - only the port is needed for discovery by broadcast (recall that the default is UDP port 5246, on which the controller also listens by default unless the administrator has configured FortiGate otherwise).
- Multicast - the same port plus the address 224.0.1.140, registered with IANA for CAPWAP-AC (RFC 5415) in the IPv4 Multicast Address Space Registry.
Broadcast and multicast do not cross the Internet, so for a unit in a remote office only Static, DNS and the DHCP option are of practical use. Keep in mind that a DHCP server or DNS zone in the branch then decides which address the unit tries to tunnel to, so they deserve the same care as the controller itself.
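As an added example (not from the original article), here is how the DHCP option 138 the unit reads is laid out on the wire, with a parser that rejects a malformed option rather than guessing, plus the matching declaration for an ISC dhcpd server in the branch. The sample DHCPACK options, the AC addresses and the assumption that the branch runs ISC dhcpd are mine, not the article's.

```python
"""CAPWAP AC discovery via DHCP option 138 (RFC 5417): encoding, parsing and
a server-side snippet.  All sample data below is constructed for this example."""
import ipaddress
import struct

CAPWAP_AC_V4 = 138       # RFC 5417 "CAPWAP Access Controller addresses" (DHCPv4)
DHCP_PAD, DHCP_END = 0, 255


def encode_capwap_ac_option(ac_addresses, code=CAPWAP_AC_V4):
    """Build the option as it goes on the wire: code, length, then one 4-byte
    IPv4 address per AC, in the order the AP should try them."""
    if not ac_addresses:
        raise ValueError("at least one AC address is required")
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if len(payload) > 255:
        raise ValueError("too many addresses for one DHCP option")
    return struct.pack("BB", code, len(payload)) + payload


def parse_dhcp_options(blob):
    """Walk the DHCP options field (everything after the magic cookie) into a
    {code: value} dict.  Repeated codes are concatenated, which is how a long
    option is split over several instances (RFC 3396).  A truncated option
    raises instead of being silently dropped."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == DHCP_END:
            break
        if code == DHCP_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def capwap_ac_addresses(options, code=CAPWAP_AC_V4):
    """AC addresses carried by the option, in server order.  A payload that is
    not a non-empty multiple of 4 bytes is malformed and must not be guessed at."""
    raw = options.get(code)
    if raw is None:
        return []
    if len(raw) == 0 or len(raw) % 4:
        raise ValueError("option %d payload of %d bytes is not a list of IPv4 addresses"
                         % (code, len(raw)))
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def isc_dhcpd_snippet(ac_addresses, code=CAPWAP_AC_V4):
    """Matching ISC dhcpd declaration (assumption: the branch uses ISC dhcpd)."""
    return ("option capwap-ac-v4 code %d = array of ip-address;\n"
            "option capwap-ac-v4 %s;" % (code, ", ".join(ac_addresses)))


# Constructed sample: the options field of a DHCPACK carrying message type (53),
# server identifier (54), the CAPWAP AC list (138) and the end marker (255).
SAMPLE_OPTIONS = (
    b"\x35\x01\x05"                              # 53: DHCPACK
    b"\x36\x04\xc0\xa8\x01\x01"                  # 54: server 192.168.1.1
    b"\x8a\x08\xcb\x00\x71\x0a\xc6\x33\x64\x14"  # 138: 203.0.113.10, 198.51.100.20
    b"\xff"                                      # end
)

if __name__ == "__main__":
    acs = capwap_ac_addresses(parse_dhcp_options(SAMPLE_OPTIONS))
    print("AC candidates in order:", acs)
    print(isc_dhcpd_snippet(acs))
```

The order of the addresses in the option is the order the AP tries them, so put the central-office FortiGate's public address first and a standby controller, if any, second.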

We assume the necessary settings have been made. The addresses of the remote controller were written into our configuration as shown below:

So, what happens on the FortiGate when the access point tries to reach its built-in wireless controller? The unit appears under WiFi Controller -> Managed Access Points -> Managed FortiAPs as unauthorized:

We check the serial number against the label on the unit, look at the source address it connected from, and authorize it by clicking Authorize in the section menu. This step is the gate: the controller pushes the SSID configuration, pre-shared keys included, to every authorized unit, so a serial you do not recognize should stay unauthorized:

For a while the unit hangs in an unauthorized state:

... after which it is clearly displayed in the menu as authorized and now fully under our control:

Here the unit reports its name / serial number, its pleasant green authorized state, its address (obtained remotely), which SSIDs it broadcasts, channels, the number of connected clients and its software version. Double-click the entry or click Edit to see what's inside:

Here are the detailed properties and settings of our unit:
- Serial Number - the unit's serial number
- Name - name / description (to your taste)
- Comments - descriptive comments, for example the name of the branch location
- Managed AP Status -> Status: Online - status of the unit
Connected Via Ethernet (192.168.3.113) - uplink type and the address obtained on the Ethernet (WAN) interface
Base MAC Address 08:5b:0e:28:16:08 - MAC address of the unit's wireless interface
Join Time 12/11/13 19:32 - time the unit joined the controller
Clients 0 - number of active clients
FortiAP OS Version FAP14C-v5.0-build060 [Upgrade] - software version and an Upgrade button for pushing new firmware to the unit
State Authorized - status = Authorized
- Wireless Settings
AP Profile: choice of the profile the access point runs with
Automatic - with this selection all the settings listed below under Wireless Settings can be configured manually
FAP-14C_default - the built-in FortiGate profile for this model
[Apply] - apply the selected profile
Enable WiFi Radio - turn the radio on / off
SSID: - selection of the SSIDs the unit broadcasts
- Automatically Inherit all SSIDs - broadcast all SSIDs previously created on FortiGate automatically
- Select SSIDs: - manual selection of specific SSIDs (multiple selection)
FAP_14C_test (SSID: FAP_14C_test) - example of an SSID selected through Select SSIDs
Auto TX Power Control Disable / Enable - automatic transmit power adjustment on / off
TX Power 0 - 100% - transmit power in percent, used when Auto TX Power Control is Disabled
Band 802.11bgn_2.4G 2.4GHz 5GHz - band (5 GHz is greyed out for this model)
Channel 6 - operating channel
Do not participate in Rogue AP scanning - exclude this unit from background scanning for unregistered, and hence potentially unsafe, access points (so-called Rogue APs)
LAN Port: settings of the unit's built-in LAN ports
Mode: None - the LAN ports work as a plain switch, with no uplink.
- Bridge to: WAN Port - bridged to the unit's WAN port; LAN devices receive addresses from the same pool as the WAN port
SSID name - bridged to the selected SSID (wireless and wired users share the address space configured on the SSID interface).
We have looked at the settings, but for it to work we need to create an SSID which, as already mentioned, is also a separate interface on which security and authentication policies are applied and the required FortiGate UTM functions are configured and enabled: antivirus, antispam, web filtering, IPS, DLP, application control, VoIP and others.
So go to WiFi Controller > WiFi Network > SSID and create an SSID there with the intuitive Create New button:

Inside we see the following settings:


Here we explain what is what. So:
Name - the name of the interface
Type - the interface type, WiFi SSID, which is self-explanatory
Traffic Mode - how client traffic is carried; the options are:
Tunnel to Wireless Controller - client traffic is tunnelled to the controller, so clients get addresses from the interface's network settings below
Local bridge with FortiAP's Interface - the bridge to the unit's WAN port already described for this model's LAN ports, here applied to wireless clients; this mode is available on other models as well
Mesh Downlink - an SSID dedicated to building the Mesh network
IP / Network Mask - IP address and network mask of the future interface
- Administrative Access: HTTPS, PING, HTTP, FMG-Access, SSH, SNMP, TELNET, FCT-Access, Auto IPsec Request - kinds of administrative access allowed on the interface; on a client-facing SSID interface enable as few of these as you can
- DHCP Server: Enable - enable a DHCP server for wireless clients
Address Range (Create New - Edit - Delete) - create, edit and delete an address range for the DHCP server
Starting IP - End IP - first and last address of the range
Netmask - network mask handed out by the DHCP server
Default Gateway (Same as Interface IP, Specify) - default gateway handed out by the DHCP server (the interface address or a manually specified one)
DNS Server (Same as System DNS, Specify) - DNS server handed out to DHCP clients (the system DNS or a manually specified one)
- WiFi Settings
SSID - the network name (may be identical to the interface name)
Security Mode - WPA/WPA2-Personal, WPA/WPA2-Enterprise, Captive Portal, Open - the SSID's security mode. For WPA/WPA2-Personal you specify Data Encryption and a Pre-shared Key; for WPA/WPA2-Enterprise, Data Encryption and Authentication (a RADIUS Server or a Usergroup pre-configured on FortiGate); for Captive Portal, the User Groups. The user groups carry all the authentication types FortiGate supports, including AD integration. Data Encryption (AES, TKIP, TKIP-AES) - the cipher; choose AES, since TKIP is a deprecated RC4-based cipher kept only for old clients
Pre-shared Key (8 - 63 characters) - the key for joining the network on this SSID
Block Intra-SSID Traffic - checkbox controlling whether traffic between clients on the same SSID is blocked
Maximum Clients - limit on the number of clients on this SSID
Device Management: Detect and Identify Devices - detection and identification of connected devices for device-identity policies in the firewall settings
Listen for RADIUS Accounting Messages - accept Accounting messages from RADIUS servers
Secondary IP Address - secondary IP address of the interface
Comments - text comments, if needed
Don't forget to click Apply after making the settings you need; our first SSID is then created.
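An added example, not from the article, of what the Pre-shared Key and Data Encryption fields imply: the pairwise master key (PMK) that a WPA/WPA2-Personal client and the FortiGate both derive from the passphrase and the SSID (the IEEE 802.11 PBKDF2 derivation), the 8-63 character rule enforced, and a small audit of the weak choices available in the dialog. The test vector is the one published in the IEEE 802.11 standard; the audit thresholds and the sample values are my own assumptions.

```python
"""WPA/WPA2-Personal: what happens to the Pre-shared Key field.
The passphrase is never used directly; both sides derive the PMK as
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes) per IEEE 802.11,
so the same passphrase gives a different PMK on every SSID."""
import hashlib

PSK_MIN, PSK_MAX = 8, 63          # the 8-63 character limit shown in the GUI
PBKDF2_ROUNDS, PMK_LEN = 4096, 32


def validate_passphrase(passphrase):
    """Enforce the 802.11 passphrase rules: 8..63 printable ASCII characters."""
    if not PSK_MIN <= len(passphrase) <= PSK_MAX:
        raise ValueError("passphrase must be %d-%d characters, got %d"
                         % (PSK_MIN, PSK_MAX, len(passphrase)))
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32) as in IEEE 802.11."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ROUNDS, PMK_LEN)


def audit_ssid(security_mode, data_encryption=None, passphrase=None):
    """Flag weak choices among the Security Mode / Data Encryption / PSK options
    of the SSID dialog.  Returns a list of findings; empty means nothing to fix.
    The 16-character threshold is an assumption, not a FortiGate rule."""
    findings = []
    if security_mode == "Open":
        findings.append("Open: no encryption, every client can read the air")
    if data_encryption in ("TKIP", "TKIP-AES"):
        findings.append("%s: TKIP is a deprecated RC4-based cipher, use AES" % data_encryption)
    if security_mode == "WPA/WPA2-Personal":
        try:
            validate_passphrase(passphrase or "")
        except ValueError as exc:
            findings.append(str(exc))
        else:
            if len(passphrase) < 16:
                findings.append("short passphrase: 4096 PBKDF2 rounds are cheap, and a "
                                "captured 4-way handshake lets an attacker try guesses offline")
    return findings


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # constructed dialog choices, the kind of thing the audit should flag
    print(audit_ssid("WPA/WPA2-Personal", "TKIP-AES", "password"))
```

Two practical consequences of the derivation: renaming the SSID silently changes the PMK on every client, and because the work factor is fixed at 4096 rounds the only defence against offline guessing of a captured handshake is passphrase length, not the cipher choice.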
Now let's quickly run through the other wireless-controller features of the web interface, and then move on to creating access policies for the users of our remote access point in the remote office.
Next come the Rogue AP settings. We won't dwell on them: they amount to enabling detection of "unaccounted-for" SSIDs on the controller (Enable Rogue AP Detection) and enabling this detection alongside normal broadcasting (Enable On-Wire Rogue AP Detection Technique). We only note that Enable Rogue AP Detection should be treated as a master switch for the entire wireless controller, while the Do not participate in Rogue AP scanning checkbox in the access point's settings under WiFi Controller > Managed Access Points > Managed FortiAPs only excludes that particular unit from rogue AP detection. Screen below.

Settings are settings, but we also have "accounting and control" through several monitors. Client Monitor, for example, shows all currently connected clients:

Rogue AP Monitor shows all SSIDs found, whether currently broadcasting or inactive but caught on the air since rogue detection was enabled. You can see almost everything: name, status, encryption type, MAC address and the vendor it maps to, signal strength and the FortiAP radio that detected the network:

There is also an extremely informative Wireless Health monitor with its own charts:
- AP Status (controller uptime, the number of active access points and of missing ones that dropped off for some reason);
- Client Count Over Time (total number of clients on a graph over an hour / day / month);
- Top Client Count Per-AP (variants: 2.4 GHz Band, 5 GHz Band) - access points with the most clients;
- Top Wireless Interference (variants: 2.4 GHz Band, 5 GHz Band) - interference between neighbouring FortiAP access points, their channels and errors;
- Login Failures Information - failed logins on SSIDs broadcast by FortiAPs, useful for spotting break-in attempts and the like.

It seems we are done with the FortiAP settings: addressing is in place, and the unit is ready to broadcast any SSIDs you need, with or without encryption, with user authentication through AD, RADIUS or TACACS+ servers, a Captive Portal or a Mesh network.
In any case, we have not yet allowed access to any resources, and, like any self-respecting firewall, FortiGate will not let us in anywhere until we do. It is a matter of "policy", i.e. firewall policies. Let's meet them in the Policy -> Policy -> Policy section of the web interface and click Create New.
Below is an example of the simplest address-based security policy (Address), using source and destination interfaces (Incoming / Outgoing Interface), source and destination addresses (Source / Destination Address), a schedule (Schedule), a set of permitted built-in services / protocols (Web Access) and the action (ACTION: accept / deny).
Logging Options set the logging level (No logs / Only security events / All logs).
Security Profiles enable the required UTM profiles, which in turn must be configured in advance in the menu of the same name, or else the default profiles are used.

The User Identity policy type defines the source and destination interfaces and the source address, followed by the authentication rules created inside it (Configure Authentication Rules -> Create New). The initial view is below:

After Create New we get the following dialog:

This includes the destination address(es), the choice of user groups and/or individual users, schedule, service and action (accept / deny). And Security Profiles can of course be applied here in full as well.
Here is what the address-based firewall policy letting WiFi users of our access point out to the Internet looks like after creation. Apologies in advance for the two-part screenshot.


In the same way you can create policies for user access to the internal corporate network and back (note policies "2" and "4", which involve both the external interface wan1 and the internal interface internal).
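The following is an added example (not the article's own code, nor FortiGate's implementation) modelling how the policy table is consulted: top to bottom, first match wins, and anything that matches nothing hits the implicit deny that "will not let us in anywhere". The SSID subnet 10.10.14.0/24, the internal LAN 192.168.3.0/24, the policy numbers and the contents of the Web Access service group are assumed for illustration. It also includes a shadowing check for policies that can never match, which the GUI does not do for you.

```python
"""First-match evaluation of FortiGate-style firewall policies, showing why the
order of the table matters and that unmatched traffic hits the implicit deny.
Policies, subnets and flows below are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str
    dstintf: str
    srcaddr: str          # CIDR, or "all"
    dstaddr: str          # CIDR, or "all"
    service: str          # name from SERVICE_GROUPS, "proto/port", or "ALL"
    action: str           # "accept" or "deny"
    profiles: tuple = ()  # security profiles applied on accept


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


# Assumed contents of the built-in service group used on the page.
SERVICE_GROUPS = {
    "Web Access": {"tcp/80", "tcp/443", "udp/53", "tcp/53"},
}


def addr_match(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def service_match(spec, flow):
    if spec == "ALL":
        return True
    return "%s/%d" % (flow.proto, flow.dport) in SERVICE_GROUPS.get(spec, {spec})


def evaluate(policies, flow):
    """Top to bottom, the first matching policy wins; no match is the implicit
    deny.  Returns (action, policy id or None, profiles applied)."""
    for p in policies:
        if (p.srcintf == flow.srcintf and p.dstintf == flow.dstintf
                and addr_match(p.srcaddr, flow.src)
                and addr_match(p.dstaddr, flow.dst)
                and service_match(p.service, flow)):
            return p.action, p.id, (p.profiles if p.action == "accept" else ())
    return "deny", None, ()


def net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "all":
        return True
    if inner == "all":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed(policies):
    """Ids of policies that can never match because an earlier policy on the
    same interface pair already covers their addresses and service."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            if ((q.srcintf, q.dstintf) == (p.srcintf, p.dstintf)
                    and net_covers(q.srcaddr, p.srcaddr)
                    and net_covers(q.dstaddr, p.dstaddr)
                    and q.service in ("ALL", p.service)):
                out.append(p.id)
                break
    return out


# Assumed lab addressing: SSID interface FAP_14C_test is 10.10.14.0/24, the
# central-office LAN behind "internal" is 192.168.3.0/24, wan1 is the uplink.
POLICIES = (
    Policy(1, "FAP_14C_test", "wan1", "10.10.14.0/24", "all", "Web Access", "accept",
           ("default AV", "default web filter")),
    Policy(2, "FAP_14C_test", "internal", "10.10.14.0/24", "192.168.3.0/24", "ALL", "accept"),
    Policy(4, "internal", "FAP_14C_test", "192.168.3.0/24", "10.10.14.0/24", "ALL", "accept"),
)

if __name__ == "__main__":
    for f in (Flow("FAP_14C_test", "wan1", "10.10.14.50", "93.184.216.34", "tcp", 443),
              Flow("FAP_14C_test", "wan1", "10.10.14.50", "93.184.216.34", "tcp", 22),
              Flow("wan1", "FAP_14C_test", "203.0.113.7", "10.10.14.50", "tcp", 80)):
        print(f, "->", evaluate(POLICIES, f))
    print("shadowed:", shadowed(POLICIES))
```

A deny policy added below policy 2 to block, say, SSH from the WiFi subnet into the LAN would never fire, because policy 2 with service ALL already accepts that flow; it has to be moved above it. The shadowing check catches exactly that.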
Now our network is protected, the necessary access is allowed, and it is time to take stock. For some reason I want to sum up wireless networking on Fortinet equipment in general, leaving the subject of this article, the FortiAP-14C, a little aside as one of many highly uniform implementations. FortiAP is not a separate line in the vendor's portfolio for nothing: there are a dozen models of access points for both indoor and outdoor (industrial) use. At the same time the vendor keeps investing in this area and strives to follow current trends in wireless technology, as the well-known Gartner research shows.
The first result worth recalling is the complete absence of any difference between wired and wireless clients and connections in terms of security and how it is implemented.
The second aspect is financial: the cost of building, deploying and administering such an immediately secure network is lower, and a big plus is that the wireless controller managing the WiFi access points has already been paid for with the FortiGate. To argue "from the contrary": at the moment only the two entry-level FortiGate models do NOT have a controller on board. Along with this, nobody will object if a FortiGate is used purely as a wireless controller; how justified that is, is not for us to decide.
The next, third aspect is Fortinet's year-on-year growth in the wireless market. We hope for rapid development, because the makings are there!
In conclusion, the subject of this article, the tiny FortiAP-14C access point, although it has a more powerful "older brother" in the FortiAP-28C, would be an ideal fit for remote offices, branches and other enterprises with a diverse multi-office structure. And "on site", next to the controller, the unit will work just as correctly as every FortiAP in the line. An attractive price will only add arguments for potential buyers who are actively looking, or just interested.
More links:
- The initial setup and capabilities of FortiGate UTM devices for small businesses
- FortiGate is a worthy replacement for the outgoing Microsoft Forefront TMG
- Introducing Fortinet's new FortiGate-90D
- Fortinet Authorized Training Courses
- MUK-Service - all types of IT repair: warranty, non-warranty repair, sale of spare parts, contract service
Describing the functionality of FortiGate UTM devices in a previous article, we indicated that FortiGate, among many of its capabilities, has an on-board wireless controller (on models 40C and above) for managing thin FortiAP access points.

Therefore, as “Given” for today's review of our news, we mean a central office with a corporate network protected by FortiGate and a remote office, where we will deploy a separate island of safe infrastructure. At the same time, the fact that the remote office will be protected by the same rules and policies that are configured on FortiGate central office is very important, which minimizes the time spent on administration and provides ample opportunities for centralized management and protection of network resources. In addition, users can broadcast the same SSID as in the main office, and for devices connected to the LAN interface, you can create a bridge either in the SSID or in the address pool on the WAN interface of the point.
Since we touched on the capabilities and technical characteristics of the subject, here is a complete list of them:

The dimensions are very small and the weight is only 100 grams, so remote offices simply can not do without these 100 grams :-) What can you say about setting the point, it is very simple and affordable, and most importantly - one-time, after which the admin of the central office and FortiGate in it hands will administer the entire network in an integrated and seamless manner, along with individual islands of branches and remote offices.
But we’ll start the configuration later, since the point is not unpacked and untouched.
Having picked up the packed box and opening it, we see the delivery package.

So, let's see what we got:
- FortiAP-14C access point - 1 pc.;
- The power supply for the access point (5V, 1A at the output) with a "euro" socket - 1 pc.;
- Network patch cord UTP Cat5e with RJ-45 connectors - 1 pc.;
- “Mounting kit” in the form of a pair of screws for mounting on a wall and a pair of dowels;
- QuickStart Guide - a fascinating reading manual in English for completeness, connection and configuration of the subject.
The upper side of the point is:

you see the lights (left to right): Power , the WiFi status , the WAN status , the LAN-port status 1-2-3-4 .
Here's what the FortiAP-14C dot looks like on the back, where the interfaces are located. From this side we see the power supply socket from the power supply unit (DC-IN), 4 connectors for LAN interfaces, a WAN interface connector, and a “Reset” button to reset the settings.

A bit confused by the presence of characteristic sockets, or rather plugs for allegedly installing external antennas. Perhaps in such a case another model will be released. This is still a mystery, for there is no information on this issue.
Now about the possibilities of the point. As we have already indicated in the specifications, the point has only one radio module in the 2.4 GHz, 802.11n standard with a speed of up to 150 Mbps. Although this is a remote version (Remote AP), the point remains “thin” and is controlled by the controller integrated in FortiGate, connecting to the Internet via the WAN interface and establishing a secure tunnel with FortiGate. By air, you can access by connecting to any pre-configured and broadcast SSID of the same FortiGate as in the central office. Using LAN interfaces in a remote office, you can access addresses in the point WAN interface pool or FortiGate SSID. And each SSID on FortiGate is a separate interface in order to unify the configuration of various types of firewall policies.
Thus, connecting the point remotely in the office, having previously set it to the address of the external Internet interface at FortiGate, we get the same protection, security profiles and authentication from anywhere in the world. The line between wired and wireless access is blurring more and more, which is very important in the current trend of the widespread use of wireless devices that are constantly increasing in number.
Well, let's go directly to the setup to figure out how to achieve this.
The point has the so-called "Zero" configuration, capable of responding via HTTP to the address http: // 192.168.1.2 (on the PC, you need to configure the stats, a la 192.168.1.3/24).
The standard login, as on FortiGate is admin , without a password.

Also, the default point can receive an address from a DHCP server. Further, a point with a specific address begins to detect the wireless controller in various ways, namely:
Broadcast
- Multicast
- DHCP option 138, which is described and corresponds to RFC 5417 for the CAPWAP protocol.
When the point finds the controller, it will appear in the WiFi Controller> Managed Access Points> Managed FortiAPs section of the FortiGate web interface, and the corresponding status “AC Discovery Status - Discovered AC” will appear in the web interface of the point itself .

We see that in the upper part of the FortiAP-14C web interface, in addition to viewing information about the status, details of the current settings, operating hours, loading point resources and other things, you can perform the following manipulations:
- Change the firmware version in the Firmware Version section .
- Change the default access password in the Current Administrator section .
- Download / unload a copy of the System Configuration - Backup, Restore .
Next, the network settings follow, below we see the Network Configuration section , where you can change the type of Static or DHCP . Nothing stops registering in Static modeonce and for all, the static address, mask, and default gateway, as well as the VLAN ID, if any, will occur in the point subnet. The same settings, only with the “Default” suffix, are present in the DHCP mode. Immediately, you can enable / disable access via HTTP and TELNET to this web interface.

The Connectivity section suggests choosing the uplink mode for our point, to choose from:
- Ethernet - everything is clear here, a wired uplink via Ethernet, in our case, via the WAN interface.
- Mesh - such a fully-connected topology of building a wireless network is supported, where the access points themselves can act as a repeater and router without using wired connections between each other. This feature is part of the FortiOS operating system version 5.0 and higher.
- Ethernet with mesh backup support - a combined mode of a wired uplink with redundant connection over a mesh network in the event of a break.
For Ethernet , you do not need to configure anything in the web interface, for Mesh , you need to specify a password and SSID, by which internal pairing with other points will be carried out. The Ethernet Bridge function organizes the connection between two access points in bridge mode for building WiFi spans between buildings, etc.Ethernet with mesh backup support , being essentially the same Mesh , has the same settings.

Further, the WTP Configuration section offers us to configure the detection modes of the wireless controller. Among them, Auto, combining all the settings in bulk. Considering in more detail these will be the modes:
- Static - static mode with the ability to assign three addresses to the remote controller.
- DHCP - indicates the port and Option Code, the value is 138 by default and is recommended for CAPWAP AC DHCPv4 Option, according to RFC 5417 "Control And Provisioning of Wireless Access Points (CAPWAP)".
- DNS - indicates the port and up to three domain names of the host where the remote controller is located.
- Broadcast - only a port is enough for detection by broadcasting (finally, we recall that by default we have port 5246, the controller also listens by default, unless otherwise known to the administrator and configured for FortiGate).
- Multicast - the same port and address 224.0.1.140, corresponding to CAPWAP-AC (RFC5415) in IANA (IPv4 Multicast Address Space Registry).

We assume that the necessary settings are made. The addresses of the remotely located controller were written in our configuration, as below:

So, what happens on FortiGate when the access point tries to reach out to its built-in wireless controller? The point appears under WiFi Controller -> Managed Access Points -> Managed FortiAPsas unauthorized:

We check the serial, see the source address from where the point came to and authorize it by clicking Authorize in the section menu:

For a while, the point hangs in an unauthorized state:

... after which it will be clearly and clearly displayed in the menu as authorized and now wholly controlled by us:

In this case, the point will tell about its name / serial number, pleasant authorized (green) state, address (received remotely), which SSID it broadcasts, channels, the number of connected clients and its version of software. Well, double-click on this entry or click Edit and see what's inside:

Here are the detailed settings of our access point:
- Serial Number: the serial number
- Name: a name or description of your choosing
- Comments: free-text comments, for example the name of the branch office
- Managed AP Status:
  - Status: Online: current status
  - Connected Via: Ethernet (192.168.3.113): the address obtained on the Ethernet interface
  - Base MAC Address: 08:5b:0e:28:16:08: MAC address of the AP's wireless interface
  - Join Time: 12/11/13 19:32: time the AP associated with the controller
  - Clients: 0: number of active clients
  - FortiAP OS Version: FAP14C-v5.0-build060 [Upgrade]: firmware version, with an Upgrade button for pushing new firmware to the AP
  - State: Authorized
- Wireless Settings:
  - AP Profile: the profile the AP operates under
    - Automatic: selecting it lets you set all of the Wireless Settings below by hand
    - FAP-14C_default: the FortiGate's built-in profile for this model
    - [Apply]: applies the chosen profile
  - Enable WiFi Radio: turns the radio on or off
  - SSID: which SSIDs the AP broadcasts
    - Automatically Inherit all SSIDs: broadcast every SSID defined on the FortiGate
    - Select SSIDs: pick specific SSIDs (multiple selection)
    - FAP_14C_test (SSID: FAP_14C_test): an example of an SSID chosen through Select SSIDs
  - Auto TX Power Control: Disable / Enable: automatic adjustment of transmit power
  - TX Power: 0 - 100%: transmit power as a percentage, used when Auto TX Power Control is Disable
  - Band: 802.11bgn_2.4G (2.4 GHz)
  - Channel: 6: operating channel
  - Do not participate in Rogue AP scanning: excludes this AP from background scanning for unregistered, and therefore potentially hostile, access points (so-called Rogue APs)
- LAN Port: configuration of the AP's built-in LAN ports
  - Mode: None: the LAN ports act as a plain switch with no uplink
  - Bridge to: WAN Port: bridged to the AP's WAN port; wired devices get addresses from the same pool as the WAN port
  - Bridge to: <SSID name>: bridged to the selected SSID; wireless and wired users share the address space configured on the SSID interface
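The same authorization and AP-profile settings expressed in the FortiGate CLI, as an added example that is not from the original article. The serial number FP14C3X13000001, the profile name branch-14c and the name/location strings are placeholders; FAP_14C_test is the SSID used throughout the article. Keyword names follow FortiOS 5.x syntax and should be confirmed with ? in your release:

```text
# FortiGate CLI. Placeholders: serial FP14C3X13000001, profile "branch-14c".

# 1. AP profile: radio, channel, power, which SSIDs to carry, and what the
#    built-in LAN ports bridge to (the GUI's "Wireless Settings" and "LAN Port").
config wireless-controller wtp-profile
    edit "branch-14c"
        config platform
            set type 14C
        end
        set dtls-policy dtls-enabled       # encrypt CAPWAP control traffic across the WAN
        config lan
            set port-mode bridge-to-ssid   # wired devices join the SSID's address space
            set port-ssid "FAP_14C_test"
        end
        config radio-1
            set band 802.11n               # 2.4 GHz b/g/n
            set channel "6"
            set auto-power-level disable
            set power-level 100
            set vaps "FAP_14C_test"        # the GUI's "Select SSIDs"
        end
    next
end

# 2. Authorize the AP (the GUI's "Authorize" button) and bind it to the profile.
#    Only do this for a serial you recognise.
config wireless-controller wtp
    edit "FP14C3X13000001"
        set admin enable                   # discovered -> authorized
        set name "Branch office AP"
        set location "Branch office, 2nd floor"
        set wtp-profile "branch-14c"
    next
end

# 3. Check that the AP has joined and which SSIDs it is carrying.
diagnose wireless-controller wlac -c wtp
diagnose wireless-controller wlac -c vap
```

Leaving admin disabled on an unknown serial is the CLI equivalent of not clicking Authorize: the AP stays listed but receives no configuration, no SSIDs and no client traffic.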
We have looked at the AP settings, but for the AP to be useful we need to create an SSID. As already mentioned, the SSID is at the same time a separate interface on the FortiGate, so security and authentication policies can be applied to it and the required FortiGate UTM functions (antivirus, antispam, web filtering, IPS, DLP, application control, VoIP and others) enabled for it.
Go to WiFi Controller > WiFi Network > SSID and create one with the intuitive Create New button:

Inside we see the following settings:


Here is what each field means:
- Name: the name of the interface
- Type: the interface type, here WiFi SSID
- Traffic Mode: how client traffic is handled
  - Tunnel to Wireless Controller: client traffic is tunnelled to the controller, so clients live in the network configured in the interface settings below
  - Local bridge with FortiAP's Interface: bridge mode with the AP's WAN port, as already described for this model's LAN ports; on this and other models it is also available to wireless clients
  - Mesh Downlink: assigns the SSID to mesh-network backhaul
- IP / Network Mask: IP address and network mask of the new interface
- Administrative Access: HTTPS, PING, HTTP, FMG-Access, SSH, SNMP, TELNET, FCT-Access, Auto IPsec Request: management protocols permitted on the interface. Keep this to the minimum; wireless clients have no business reaching the FortiGate's management interfaces, and HTTP and TELNET are unencrypted in any case.
- DHCP Server: Enable: run a DHCP server for wireless clients
  - Address Range (Create New / Edit / Delete): create, edit or delete an address range
  - Starting IP / End IP: first and last address of the range
  - Netmask: network mask handed out by the DHCP server
  - Default Gateway (Same as Interface IP / Specify): gateway handed out (the interface address or one you specify)
  - DNS Server (Same as System DNS / Specify): DNS servers handed out (the system DNS or ones you specify)
- WiFi Settings:
  - SSID: the broadcast name (may be identical to the interface name)
  - Security Mode: WPA/WPA2-Personal, WPA/WPA2-Enterprise, Captive Portal, Open. For WPA/WPA2-Personal you specify Data Encryption and a Pre-shared Key; for WPA/WPA2-Enterprise, Data Encryption and Authentication (a RADIUS Server or a Usergroup pre-configured on the FortiGate); for Captive Portal, the User Groups. Through those groups every authentication type the FortiGate supports is available, including Active Directory integration.
  - Data Encryption (AES, TKIP, TKIP-AES): the cipher. Use AES; TKIP is the legacy option and is only worth enabling for a client that cannot do anything else.
  - Pre-shared Key (8 - 63 characters): the network key for this SSID
  - Block Intra-SSID Traffic: block traffic between clients on the same SSID (sensible for guest networks, where clients have no reason to talk to each other)
  - Maximum Clients: cap on the number of clients on this SSID
  - Device Management: Detect and Identify Devices: detection and identification of connected devices for device-identity policies in the firewall settings
  - Listen for RADIUS Accounting Messages: accept RADIUS accounting messages from RADIUS servers
  - Secondary IP Address: secondary address on the interface
  - Comments: free-text comments, if needed
Do not forget to click Apply once the settings are in place; this creates our first SSID.
Now we will quickly run through the remaining wireless-controller features of the web interface, and then move on to creating access policies for the remote users of our remote access point in the remote office.
Next come the Rogue AP settings. We will not dwell on them: there is a checkbox that enables detection of unregistered SSIDs by the controller (Enable Rogue AP Detection) and one that enables the on-wire detection technique alongside normal SSID broadcasting (Enable On-Wire Rogue AP Detection Technique). Note only that Enable Rogue AP Detection is the master switch for the whole wireless controller, while the Do not participate in Rogue AP scanning checkbox in the AP settings under WiFi Controller > Managed Access Points > Managed FortiAPs merely excludes that particular AP from taking part in Rogue AP detection. Screenshot below.
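The SSID, its interface and the DHCP server from the dialog above, as an added FortiGate CLI example that is not from the original article. The subnet 10.10.80.0/24 and the user group wifi-users (a RADIUS- or AD-backed group created under User > User Group) are assumptions; FAP_14C_test is the article's SSID. Keyword names follow FortiOS 5.x syntax and should be confirmed with ? in your release:

```text
# FortiGate CLI. Assumed: subnet 10.10.80.0/24, user group "wifi-users".

# 1. The SSID. WPA2-Enterprise with AES only: no TKIP, no shared password to leak.
config wireless-controller vap
    edit "FAP_14C_test"
        set ssid "FAP_14C_test"
        set security wpa2-only-enterprise
        set encrypt AES
        set auth usergroup
        set usergroup "wifi-users"
        set intra-vap-privacy enable       # "Block Intra-SSID Traffic"
        set max-clients 20                 # "Maximum Clients"
    next
end
# Weaker personal-mode variant, shown for comparison only:
#   set security wpa2-only-personal
#   set encrypt AES
#   set passphrase "<8-63 chars; use 20+ random ones>"
# "wpa-personal" with TKIP or TKIP-AES accepts the legacy cipher and should be avoided.

# 2. The matching interface. Administrative access limited to ping.
config system interface
    edit "FAP_14C_test"
        set ip 10.10.80.1 255.255.255.0
        set allowaccess ping               # no HTTPS/SSH/TELNET from wireless clients
        set device-identification enable   # "Detect and Identify Devices"
    next
end

# 3. DHCP for wireless clients, handing out the FortiGate's own system DNS.
config system dhcp server
    edit 0
        set interface "FAP_14C_test"
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.80.10
                set end-ip 10.10.80.250
            next
        end
    next
end
```

Pointing clients at the FortiGate for DNS keeps their name resolution inside the policy and logging you are about to configure, rather than letting each client pick an arbitrary resolver.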

Settings are settings, but we also get "accounting and control" through several monitors. Client Monitor, for example, lists all currently connected clients:

Rogue AP Monitor lists every SSID detected, whether currently broadcasting or inactive but seen at some point since rogue detection was enabled. You can see almost everything: name, status, encryption type, MAC address and the vendor associated with it, signal strength and the FortiAP radio that detected the network:

There is also a very informative Wireless Health monitor with its own charts:
- AP Status: controller uptime, the number of active APs and of APs missing or dropped for whatever reason;
- Client Count Over Time: the total client count plotted over an hour, day or month;
- Top Client Count Per-AP (2.4 GHz Band, 5 GHz Band): the access points with the most clients;
- Top Wireless Interference (2.4 GHz Band, 5 GHz Band): interference between nearby FortiAP access points, their channels and error counts;
- Login Failures Information: failed logins on the SSIDs broadcast by the FortiAPs, useful for spotting password-guessing and other attack attempts.

That seems to cover the FortiAP settings. Addressing is in place, and the FortiAP is ready to broadcast whichever SSIDs you need, encrypted or open, most likely with user authentication against AD, RADIUS or TACACS+ servers, or with a Captive Portal or mesh network.
Either way, we have not yet granted access to any resources, and, like any self-respecting firewall, the FortiGate will not let us anywhere without a policy. The matter is "political", i.e. one of firewall policies. Let's get acquainted with them under Policy -> Policy -> Policy by clicking Create New.
Below is an example of the simplest address-based security policy (Address), built from source and destination interfaces (Incoming / Outgoing Interface), source and destination addresses (Source / Destination Address), a schedule (Schedule), the permitted built-in services (here Web Access) and the ACTION (accept / deny). Prefer a specific service list and a specific destination address over ALL / all: the SSID interface is an untrusted segment, so the policy should allow only what those users need.
Logging Options set the logging level (No logs / Only security events / All logs); for a wireless segment, All logs is what you will want when investigating an incident.
Security Profiles enable the required UTM profiles, which must be configured beforehand in the menu of the same name; otherwise the default profiles can be used.

The User Identity policy requires the source and destination interfaces and the source address, followed by the authentication rules created inside it (Configure Authentication Rules -> Create New). The initial view is below:

After Create New, we have the following dialog:

The rule contains the destination address(es), the user groups and/or individual users to authenticate, the schedule, the service and the action (accept / deny). Security Profiles are available here too and can be used in full.
Here is what the address-based firewall policy that lets our WiFi users out to the Internet looks like once created. I apologize in advance for the "two-part" screenshot.


In the same way you can create policies for wireless users' access to the internal corporate network and vice versa (note policies "2" and "4", which involve both the external wan1 interface and the internal one). Create the reverse direction only if something on the wired LAN genuinely needs to reach wireless clients; with no matching policy the FortiGate denies the traffic by default.
Our network is now protected, the required access is allowed, and it is time to take stock. For some reason I want to sum up wireless networking on Fortinet equipment in general, leaving the subject of this article, the FortiAP-14C, slightly aside as one of many implementations that are highly uniform among themselves. FortiAP is not a separate line in the vendor's portfolio for nothing: there are a dozen access point models for indoor and outdoor (industrial) use. The vendor keeps investing in this area and follows current trends in wireless technology, as reflected in Gartner's well-known research.
The first point worth recalling is the complete absence of any difference between wired and wireless clients and connections in terms of security and how it is implemented.
The second aspect is financial: the cost of building, deploying and administering such an inherently secure network is lower, and a big plus is that the wireless controller managing the WiFi access points has already been paid for with the FortiGate. Speaking to
The third aspect is Fortinet's year-on-year growth in the wireless market. We hope for rapid development, because the makings are there!
In conclusion: the subject of this article, the tiny FortiAP-14C access point, although it has a more powerful "older brother" in the FortiAP-28C, is ideally suited to remote offices, branches and other enterprises with a multi-office structure. And placed "at home", next to the controller, it will work just as correctly as every FortiAP in the line. An attractive price will only add to its appeal for potential buyers who are actively looking, or simply curious.
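Both policy types from this section in the FortiGate CLI, as an added example that is not from the original article: an address-based policy from the SSID to the Internet and a User Identity policy from the SSID to the internal network. Interface names wan1 and internal and the SSID FAP_14C_test are the article's; the address object internal-servers (192.168.1.0/24), the group wifi-users and the choice of services are assumptions. Keyword names and the placement of the per-rule fields follow FortiOS 5.x syntax and should be confirmed with ? in your release:

```text
# FortiGate CLI. Assumed: SSID interface "FAP_14C_test", Internet on "wan1",
# corporate LAN on "internal", group "wifi-users", subnet 192.168.1.0/24.

config firewall address
    edit "internal-servers"
        set subnet 192.168.1.0 255.255.255.0   # placeholder for the servers WiFi users may reach
    next
end

config firewall policy
    # Address-type policy: wireless users -> Internet, NAT, UTM, full logging.
    edit 0
        set srcintf "FAP_14C_test"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"       # what users need, not "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set logtraffic all
    next
    # User Identity policy: wireless users -> internal network, only for
    # authenticated members of "wifi-users", only to the named servers.
    edit 0
        set srcintf "FAP_14C_test"
        set dstintf "internal"
        set srcaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set dstaddr "internal-servers"
                set groups "wifi-users"
                set schedule "always"
                set service "SMB" "HTTPS"
                set action accept
                set utm-status enable
                set ips-sensor "default"
                set profile-protocol-options "default"
                set logtraffic all
            next
        end
    next
end
# No internal -> FAP_14C_test policy is created: the implicit deny covers it.

# Verification: list associated clients, then trace a client's first packets
# through policy lookup (replace 10.10.80.10 with a real client address).
diagnose wireless-controller wlac -c sta
diagnose debug flow filter addr 10.10.80.10
diagnose debug flow trace start 10
diagnose debug enable
```

Policies are matched top-down, so if a broader rule already exists above these, move them with move <id> before <id> inside config firewall policy; the debug flow output shows which policy id a session actually hit, which is the quickest way to confirm the ordering.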
More links:
- Initial setup and capabilities of FortiGate UTM devices for small businesses
- FortiGate is a worthy replacement for the outgoing Microsoft Forefront TMG
- Introducing Fortinet's new FortiGate-90D
- Fortinet Authorized Training Courses
- MUK-Service: all types of IT repair, warranty and non-warranty, sale of spare parts, contract service