Manage FortiAP via FortiGate
Fortinet
If you want to manage your Fortinet FortiAP via FortiCloud, we have a separate article for you here.
We would like to show you an example of how easy it is to register a Fortinet FortiAP with a FortiGate and create a WLAN network. In this example, we create a WLAN network in tunnel mode. This gives the WLAN a separate subnet.
1. Connecting and authorising FortiAPs
First, configure the FortiGate interface to which one or more access points will be connected.
To do this, go to Network → Interfaces.
- Set the role to LAN, Addressing mode to Manual and assign a fixed IP to the interface, for example 10.10.200.1/255.255.255.0.
- Activate CAPWAP for Administrative Access. For diagnostic purposes, you can also activate PING. However, this is usually not necessary.
- The DHCP server must also be activated. If desired, you can also set an IP range for the WLAN terminals.
- Finally, activate the Device Detection function under Networked Devices.
Now you can connect one or more FortiAP units to the FortiGate unit.
To view the list of managed FortiAPs, go to WiFi & Switch Controller → Managed FortiAPs in the FortiGate web interface. If the APs do not appear in the list immediately, open the list again after a few minutes.
Once the entries have appeared, you will notice that they are coloured grey. The reason for this is that these devices have not yet been authorised. All you have to do is select the desired device with one click and authorise it.
After a few minutes, the devices should then appear in the list as authorised.
2. Creating an SSID
To set up a WLAN network, you need an SSID. To do this, go to WiFi & Switch Controller again and select SSID. The SSID is the public name of your new WLAN network.
Select Tunnel as the traffic mode and also set an IP for the WLAN interface (e.g. 10.10.201.1/255.255.255.0).
We also activate the DHCP server and the device detection in the WLAN interface.
Finally, we assign the name of the SSID under WiFi Settings.
In Security Mode, you can then select the type of encryption. We recommend using at least WPA2. With WPA2 Enterprise, you can also integrate a RADIUS server to provide employees with convenient yet secure single sign-on access.
The broadcast SSID option should be activated so that the end devices can also find the WLAN network without any problems.
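The two security-relevant settings from sections 1 and 2 (only CAPWAP, optionally PING, on the AP-facing interface, and at least WPA2 on the SSID) can be checked against a configuration export. The following Python script is an added example, not part of the original article or of Fortinet tooling; the sample configuration is constructed and the names port5, staff and legacy are hypothetical. Only explicit `set security` lines are evaluated, and any mode that is not `wpa2*` or `wpa3*` is flagged.

```python
import shlex

# Constructed FortiOS-style excerpt (not from the article); all names are hypothetical.
SAMPLE_CONFIG = '''
config system interface
    edit "port5"
        set allowaccess ping capwap http
    next
end
config wireless-controller vap
    edit "staff"
        set security wpa2-only-enterprise
    next
    edit "legacy"
        set security wpa-personal
    next
end
'''

def parse(text):
    """Return {(section, entry): {key: [values]}} for top-level config tables."""
    table, stack, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif len(stack) != 1:
            continue  # ignore nested sub-tables inside an entry
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "set" and entry:
            table.setdefault((stack[0], entry), {})[tok[1]] = tok[2:]
    return table

def audit(text):
    """Flag AP-facing interfaces with more than CAPWAP/PING and SSIDs below WPA2."""
    findings = []
    for (section, entry), cfg in parse(text).items():
        access = set(cfg.get("allowaccess", []))
        extra = sorted(access - {"capwap", "ping"})
        if section == "system interface" and "capwap" in access and extra:
            findings.append(f"interface {entry}: extra admin access {extra}")
        mode = cfg.get("security", [""])[0]
        if section == "wireless-controller vap" and mode and not mode.startswith(("wpa2", "wpa3")):
            findings.append(f"ssid {entry}: security '{mode}' is not WPA2/WPA3-only")
    return findings
```

Calling `audit()` on the text of a saved configuration returns one finding per interface or SSID that deviates from the settings recommended above, and an empty list when none do.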
3. Creating a FortiAP profile
To create a FortiAP profile, go to the WiFi & Switch Controller menu and select FortiAP Profiles.
For Platform, select the model of FortiAP you are using and for Country/Region, select the appropriate country.
To protect the FortiAP from unwanted access, you can also set up an AP Login Password. This applies to the web interface of the AP itself, not to the WLAN network.
For Radio 1, set the Mode to Access Point and select Manual for SSIDs. Then simply select the desired SSIDs.
To apply the new profile, go back to the list of managed FortiAPs under WiFi & Switch Controller → Managed FortiAPs, right-click on the desired AP and select the desired profile via Assign Profile.
4. Allowing wireless access to the Internet
If you wish, you can also allow access to the Internet via the WLAN. To do this, you must create a new policy in Policy & Objects → IPv4 Policy. Simply select the SSID as the incoming interface and the interface via which the Internet can be reached as the outgoing interface. Activate NAT in Firewall/Network Options and access to the Internet via the WLAN is possible.
5. Results
If you now log into the WLAN network with a wireless terminal, you should be able to call up pages on the Internet.
You can also monitor the network traffic. To do this, simply go to FortiView → All Segments → Policies. For more details, simply right-click on the policy and select Drill Down to Details.