FortiOS Handbook - Deploying Wireless Networks

More documents

Recommendations

Info

What’s new in FortiOS 5.4 To enable automatic authorization per-interface config system interface edit port15 set auto-auth-extension-device enable end In the GUI, the Automatically authorize devices option is available when Addressing Mode is set to Dedicated to Extension Device. Control WIDS client deauthentication rate for DoS attack (285674 278771) As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A new WIDS Profile option in the CLI limits the deauthentication rate. config wireless-controller wids-profile edit default set deauth-unknown-src-thresh 10 end The range is 1 to 65,535 deathorizations per second. 0 means no limit. The default is 10. Prevent DHCP starvation (285521) The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from depleting the DHCP address pool by making multiple requests. Add this option as follows: config wireless-controller vap edit "wifi" append broadcast-suppression dhcp-starvation end Prevent ARP Poisoning (285674) The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from spoofing ARP messages. Add this option as follows: config wireless-controller vap edit "wifi" append broadcast-suppression arp-poison end Suppress all other multicast/broadcast packets (282404) The SSID broadcast-suppression field in the CLI contains several options for specific multicast and broadcast packet types. Two new options suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options. config wireless-controller vap edit "wifi" append broadcast-suppression all-other-mc all-other-bc end 16 Deploying Wireless Networks for FortiOS 5.4 Fortinet Technologies Inc.
What’s new in FortiOS 5.4 A new configurable timer flushes the wireless station presence cache (283218) The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit. The timer is one of the wireless controller timers and it can be set in the CLI. For example: config wireless-controller timers set sta-locate-timer 1800 end The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 seconds) because that could cause duplicate logs to be generated. Distributed Automatic Radio Resource Provisioning (DARRP) support (283501) Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. The distributed ARRP feature allows FortiAP units to select their channel so that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges. Furthermore, Fortinet's implementation of DARRP simplifies operations by removing dependency on client software or hardware. By default, DARRP optimization occurs at a fixed interval of 1800 seconds. Optionally, you can now schedule optimization for a fixed time. This enables you to confine DARRP activity to a low-traffic period. Setting darrpoptimize to 0, makes darrp-day and darrp-time available. For example, here's how to set DARRP optimization for 3:00am every day: config wireless-controller timers set darrp-optimize 0 set darrp-day sunday monday tuesday wednesday thursday friday saturday set darrp-time 03:00 end Both darrp-day and darrp-time can accept multiple entries. The FAP-320C, 320B and 112B second WAN port can be configured as a LAN bridge (261415) This change makes FortiAP models 320C, 320B and 112B work more like other FortiAP models with LAN ports. The LAN port can be • bridged to the incoming WAN interface • bridged to one of the WiFi SSIDs that the FortiAP unit carries • connected by NAT to the incoming WAN interface The LAN port is labeled LAN2. The port labeled LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or to FortiCloud. By default, LAN2 is bridged to LAN1. Access to other modes of LAN2 operation must be enabled in the CLI: config wireless-controller wtp-profile edit set wan-port-mode wan-lan end Deploying Wireless Networks for FortiOS 5.4 Fortinet Technologies Inc. 17
Page 1 and 2: FortiOS Handbook - Deploying Wirele
Page 3 and 4: TABLE OF CONTENTS Change Log 9 Intr
Page 5 and 6: Configuring the built-in access poi
Page 7 and 8: Monitoring wireless network health
Page 9 and 10: Change Log Change Log Date Change D
Page 11 and 12: Introduction How this guide is orga
Page 13 and 14: What’s new in FortiOS 5.4 In the
Page 15: What’s new in FortiOS 5.4 set wtp
Page 19 and 20: What’s new in FortiOS 5.4 Opportu
Page 21 and 22: What’s new in FortiOS 5.4 The all
Page 23 and 24: Introduction to wireless networking
Page 29 and 30: Configuring a WiFi LAN Overview of
Page 31 and 32: Configuring a WiFi LAN Creating a F
Page 33 and 34: Configuring a WiFi LAN Defining a w
Page 43 and 44: Configuring a WiFi LAN Dynamic user
Page 45 and 46: Configuring a WiFi LAN Configuring
Page 51 and 52: Access point deployment This chapte
Page 53 and 54: Access point deployment Network top
Page 55 and 56: Access point deployment Discovering
Page 61 and 62: Access point deployment Wireless cl
Page 63 and 64: Access point deployment FortiAP Gro
Page 65 and 66: Access point deployment LAN port op
Page 67 and 68:
Access point deployment LED options
Page 69 and 70:
Wireless Mesh The access points of
Page 71 and 72:
Wireless Mesh Overview of Wireless
Page 73 and 74:
Wireless Mesh Configuring a meshed
Page 75 and 76:
Wireless Mesh Configuring a meshed
Page 77 and 78:
Wireless Mesh Configuring a point-t
Page 79 and 80:
WiFi-Ethernet Bridge Operation Brid
Page 81 and 82:
WiFi-Ethernet Bridge Operation Brid
Page 83 and 84:
WiFi-Ethernet Bridge Operation Fort
Page 85 and 86:
WiFi-Ethernet Bridge Operation Usin
Page 87 and 88:
Using Remote WLAN FortiAPs Configur
Page 89 and 90:
Features for high-density deploymen
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Protecting the WiFi Network WiFi da
Page 97 and 98:
Wireless network monitoring You can
Page 99 and 100:
Wireless network monitoring Monitor
Page 101 and 102:
Wireless network monitoring Monitor
Page 103 and 104:
Configuring wireless network client
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Wireless network examples This chap
Page 121 and 122:
Wireless network examples Basic wir
Page 123 and 124:
Wireless network examples Basic wir
Page 125 and 126:
Wireless network examples A more co
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Using a FortiWiFi unit as a client
Page 137 and 138:
Support for location-based services
Page 139 and 140:
Troubleshooting In the following se
Page 141 and 142:
Troubleshooting Signal strength iss
Page 143 and 144:
Troubleshooting Throughput issues T
Page 145 and 146:
Troubleshooting Connection issues C
Page 147 and 148:
Troubleshooting Connection issues D
Page 149 and 150:
Troubleshooting General problems wh
Page 151 and 152:
Troubleshooting General problems To
Page 153 and 154:
Troubleshooting Packet sniffer Resu
Page 155 and 156:
Troubleshooting Packet sniffer •
Page 157 and 158:
Troubleshooting Useful debugging co
Page 159 and 160:
Reference FortiAP web-based manager
Page 161 and 162:
Reference Wireless radio channels W
Page 163 and 164:
Reference FortiAP CLI cfg -c cfg -x
Page 165 and 166:
Reference FortiAP CLI Var WTP_LOCAT
Page 167 and 168:
Reference FortiAP CLI cw_diag -c da
show all

FortiOS Handbook - Deploying Wireless Networks

Create successful ePaper yourself

Delete template?

Save as template?