FortiAP Cloud - User Guide

Version 21.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 22, 2021

FortiAP Cloud 21.1 User Guide
53-211-567276-20210422
 TABLE OF CONTENTS

Change log 6
Introduction 7
Supported access points 8
Recommended FortiAP firmware version 8
Network port numbers 8
FortiAP Cloud subscription details 8
FortiAP Cloud workflow 10
Getting started 11
Registering on FortiCloud and accessing FortiAP Cloud 11
Registering on FortiCloud 11
Accessing FortiAP Cloud 11
FortiAP Cloud UI overview 12
Adding a user to a FortiAP Cloud account 15
Changing the password of a FortiAP Cloud account 15
Enabling two-factor authentication for FortiAP Cloud 16
Removing a user from a FortiAP Cloud account 16
Activating the multi-tenancy feature 16
Adding a FortiAP device to FortiAP Cloud with a key 17
Adding a FortiAP device to FortiAP Cloud without a key 17
Adding a FortiAP network to FortiAP Cloud 19
Monitoring 20
Network (Traffic) 20
Network (Security) 22
APs 24
Radios 25
Clients 26
Neighbour (Interfering and Rogue Networks) 26
BLE Devices 27
Deploying a FortiAP device to a FortiAP network 29
Managing Access Points 30
Viewing the FortiAP status 30
Upgrading a FortiAP device 38
Rebooting a FortiAP device 39
Activating/Deactivating a FortiAP device 39
Configuring FortiAP settings 39
Changing FortiAP settings 40
Overriding FortiAP Settings 41
Undeploying a FortiAP device 41
Adding a floor plan to FortiAP Cloud 42
Setting a FortiAP device on a map or floor plan 42
Capturing packets on a FortiAP device 44

FortiAP Cloud User Guide Fortinet Technologies Inc.

 4

Spectrum Analysis on a FortiAP device 45

VLAN Probe 48
iPerf Bandwidth Test 48
Configuration 50
Adding an SSID to a FortiAP network 51
Basic Settings 57
Advanced Settings 59
Creating the My Captive Portal page 62
Adding a FortiAP platform profile 63
Configuring SNMP Profile 64
Adding a BLE Profile 64
Enabling Distributed Automatic Radio Resource Provisioning (DARRP) 65
Adding AP tags 67
Configuring MAC access control and MAC filtering 68
Exporting ACL list 68
Adding an L3 Firewall Profile 69
Adding a QoS profile 70
Creating a FortiAP Cloud group and users 72
Adding a FortiAP Cloud guest 73
Adding a FortiAP Cloud guest manager 73
Adding a RADIUS server 74
Adding a Tunnel profile 75
Adding a Schedule Profile 76
Editing the FortiAP network time zone 77
Enabling FortiAP network alerts 77
Editing radio scan settings 78
Editing timeout settings for idle client and captive portal user authentication 78
Enabling Duplicate SSID 78
Enabling Bonjour Relay 79
Enabling FortiPresence 80
Viewing the history of configuration changes 82
Logs 84
Displaying logs 84
Exporting logs 84
Reports 86
Customizing an AP network summary report 86
Scheduling an AP network summary report 87
Managing AP network history reports 87
Generating a PCI compliance report for an AP network 87
REST API 89
Frequently asked questions 90
What subscription do I need to buy to enable FortiAP Cloud? 90
What happens if my paid FortiAP Cloud subscription expires? 90

FortiAP Cloud User Guide Fortinet Technologies Inc.

 5

What FortiAP models does FortiAP Cloud support? 90

How many FortiAP devices can my FortiAP Cloud account manage? 90
How do I add my FortiAP device to my FortiAP Cloud account? 91
What happens if my FortiAP device loses connection with FortiAP Cloud? 91
Does my internal networking and wireless traffic get sent to FortiAP Cloud? 91
Do I need to use FortiGate with FortiAP Cloud? 91
Can FortiAP devices be managed by FortiAP Cloud and work with FortiPresence? 92

FortiAP Cloud User Guide Fortinet Technologies Inc.

Change log

Date Change description

2021-03-15 FortiAP Cloud 21.1 release version.

2021-04-22 Updated Multiple Pre-shared Keys in section Basic Settings on page 57.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Introduction

FortiAP Cloud centralizes the life-cycle management of your standalone FortiAP deployment with a simple, intuitive,
and easy-to-use cloud interface that is accessible from anywhere at any time. With FortiAP Cloud, you can deploy,
configure, and manage your FortiAP devices. FortiAP Cloud also offers enhanced visibility, monitoring, reporting, and
analytics features for your FortiAP devices.
FortiAP Cloud also supports the FortiAP-S series which combines the elements of unified threat management (UTM)
protection at the network edge.
If you are interested in cloud management of FortiAP devices that are already connected to FortiGate devices, then use
FortiGate Cloud, not FortiAP Cloud.
The following image shows the FortiAP Cloud overview including the network management system (NMS) and
administration communications:

FortiAP Cloud User Guide Fortinet Technologies Inc.

Introduction 8

Supported access points

FortiAP Cloud supports all FortiAP, Compact FortiAP (FortiAP-C), Smart FortiAP (FortiAP-S), and Universal FortiAP
(FortiAP-U) models.
For a complete list of cloud-managed access points, review the Wireless Product Matrix.

Recommended FortiAP firmware version

Fortinet recommends that you use FortiAP version 6.0 or later with FortiAP Cloud version 21.1.

Network port numbers

The following table lists the network port numbers used by FortiAP Cloud:

Purpose Protocol Port number

Customer UI and API access HTTPS TCP/443

AP initial discovery HTTPS TCP/443

AP CAPWAP (configuration, event logs, and CAPWAP UDP/5246, UDP/5247

statistics)

AP UTM logs — TCP/514

AP firmware download HTTPS TCP/8443

AP FortiGuard services (FortiAP-S series — UDP/53, UDP/8888

only)

AP to FortiPresence UDP/3000

FortiAP Cloud subscription details

Basic management of all APs is free and offers basic configuration and control of FortiAP devices, 7-day log retention,
and FortiPresence Free Tier access.
For advanced AP management, you must purchase a license for each FortiAP device. For license ordering details such
as stock keeping unit (SKU) codes, see the FortiAP Cloud Data Sheet.
FortiAP-S requires a different license which also enables FortiGuard services on the access point (AP).
The following table includes details about FortiAP Cloud service offerings: 

FortiAP Cloud User Guide Fortinet Technologies Inc.

Introduction 9

FortiAP Cloud service Free service Subscription

Basic AP management Yes Yes

Advanced AP management No Yes

This service includes:
l Airtime Fairness
l AP Scan Threshold
l Assigning dynamic VLAN
l Beacon Interval (ms)
l BLE Profile
l Blocking intra-SSID traffic
l Broadcast Suppression
l Configuring Bonjour Relay
l Customizing data rates
l DARRP Configuration
l DHCP Option 82
l Disabling unwanted data rates
l DTIM Period
l Duplicate SSID creation
l GRE/L2TP Tunnels
l L3 Firewall Profile
l MPSK Scheduling
l Overriding radio profile parameters
l Probe Response Suppression
l Protected Management Frames
(802.11w)
l QoS - WMM
l Radio Sensitivity (Rx-SOP)
l SNMP Management
l Spectrum Analysis
l Sticky Clients Removal
l VLAN Probe
l iPerf Bandwidth Test
l Voice Enterprise (802.11kv)

Log retention duration 7 days 1 year

FortiPresence Free Tier access Yes Yes

FortiPresence Paid Tier access No Yes

This service includes:
l Support for unlimited number of sites
l Multi-site reporting
l One year data retention

Customer support (8x5 or 24x7 FortiCare) No Yes

FortiGuard subscription services (FortiAP-S No Yes

series only)

FortiAP Cloud User Guide Fortinet Technologies Inc.

FortiAP Cloud workflow

After purchasing and physically deploying the FortiAP devices (such as connecting to the internet) in various premises,
perform the tasks and procedures from the following workflow to configure and monitor FortiAP devices using the
FortiAP Cloud management solution.

Task Description and procedure

sequence

Task 1 Register on FortiCloud and access the FortiAP Cloud management solution.
Perform this procedure:
Registering on FortiCloud and accessing FortiAP Cloud on page 11

Task 2 Add a purchased FortiAP device to your FortiAP Cloud account inventory.
Later in this workflow, you will deploy that FortiAP device from the inventory to a FortiAP network.
Perform the applicable procedure:
l Adding a FortiAP device to FortiAP Cloud with a key on page 17
l Adding a FortiAP device to FortiAP Cloud without a key on page 17

Task 3 Add logical AP networks to organize your FortiAP devices by their physical premises.
With a FortiAP network, you manage FortiAP devices and service set identifiers (SSID).
Perform this procedure:
Adding a FortiAP network to FortiAP Cloud on page 19

Task 4 Deploy your FortiAP devices from the inventory into various FortiAP networks. This task includes
assigning a wireless network name that clients can connect to, and configuring settings for access
control, security, and availability.
Perform this procedure:
Deploying a FortiAP device to a FortiAP network on page 29

Task 5 Configure and customize FortiAP settings (for example, rogue scan).
Perform this procedure:
Configuring FortiAP settings on page 39

Task 6 Create SSIDs and make them available on desired FortiAP devices.
Perform the applicable procedure:
l Adding an SSID to a FortiAP network on page 51
l Adding a WPA2 Enterprise SSID to a FortiAP network
l Adding a FortiAP Cloud captive portal SSID to a FortiAP network
l Adding a My Captive Portal SSID to a FortiAP network

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started

This section includes the following FortiAP Cloud procedures:

l Registering on FortiCloud and accessing FortiAP Cloud on page 11
l FortiAP Cloud UI overview on page 12
l Adding a user to a FortiAP Cloud account on page 15
l Changing the password of a FortiAP Cloud account on page 15
l Enabling two-factor authentication for FortiAP Cloud on page 16
l Removing a user from a FortiAP Cloud account on page 16
l Activating the multi-tenancy feature on page 16
l Adding a FortiAP device to FortiAP Cloud with a key on page 17
l Adding a FortiAP device to FortiAP Cloud without a key on page 17
l Adding a FortiAP network to FortiAP Cloud on page 19

Registering on FortiCloud and accessing FortiAP Cloud

Access FortiAP Cloud and other Fortinet Cloud services by using the FortiCloud single sign-on portal.

If you are Then go to

A new FortiCloud user Registering on FortiCloud on page 11

Accessing FortiAP Cloud on page 11

An existing FortiCloud user Accessing FortiAP Cloud on page 11

Registering on FortiCloud

1. Start a web browser and go to the Fortinet website.

2. In the top-right corner, click Login to FortiCloud .

The FortiCloud dialog opens.
3. Click Register.
4. Follow the instructions to create your FortiCloud account.
5. Fortinet sends a verification code to the email address specified during the registration. Use this code to validate
your email address and complete the FortiCloud account creation.

Accessing FortiAP Cloud

Use this procedure to access FortiAP Cloud.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 12

In this procedure, you need to select the FortiAP Cloud service you want to use. The following table lists the available
services:

FortiAP Cloud service Purpose

(domain)

APCloud Global Used by customers worldwide except in Europe and Japan regions.

APCloud Europe Used by customers in the Europe region.

If you are in Japan, do not perform the following steps. To access the FortiAP Cloud service
for Japan, visit jp.fortiapcloud.com.

1. Start a web browser and go to the Fortinet website.

2. In the top-right corner, click Login to FortiCloud .

3. Type your email address and password associated with your FortiCloud account.
4. Click Login.
5. If you have enabled FortiToken two-factor authentication, then check your FortiToken Mobile application or email
(as applicable), type the security code, and click Go.
6. In the top-right corner, hold the pointer over your email address, and then click FortiAP.
The FortiAP Cloud page opens.
7. Select the service.
8. Click Access.
The FortiAP Cloud Home page opens. For details, see the FortiAP Cloud UI overview on page 12.

FortiAP Cloud UI overview

This section covers the following UI topics:

l FortiAP Cloud Home page on page 13
l FortiAP Cloud Network page on page 14

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 13

FortiAP Cloud Home page

To perform the following tasks, click My Account.

- Adding a user to a FortiAP Cloud account on page 15
- Changing the password of a FortiAP Cloud account on page 15
- Enabling two-factor authentication for FortiAP Cloud on page 16
- Removing a user from a FortiAP Cloud account on page 16
- Activating the multi-tenancy feature on page 16

To access the FortiAP Cloud documentation, click Product Documentation.

To switch to a different domain, click Switch to.

To access a different account, click Switch Account.

To view what's new in the current release, click New Features.

To add a FortiAP device to FortiAP Cloud, click Inventory and then import the key. For
details, see Adding a FortiAP device to FortiAP Cloud with a key on page 17.

To view statistics and visualization for the overall network and subsequent levels such as AP,
radio, client, information on radio health, and SSIDs. Hover over these charts to view details.

This list shows FortiAP networks. To access a FortiAP network, click the network name. A
separate tab opens for that FortiAP network. See FortiAP Cloud Network page on page 14.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 14

To rename or delete a FortiAP Cloud network or view its time zone (locale), click Actions.

FortiAP Cloud Network page

Multiple FortiAP devices can be managed within a FortiAP network. For example, an office environment that has
multiple floors could have a FortiAP network for each floor managing its own set of AP devices.
For information about adding a FortiAP network, see Adding a FortiAP network to FortiAP Cloud.
The following image shows an example of the FortiAP Cloud Network page:

The following table describes the menus available on the FortiAP Cloud Network page:

Menu Description

Monitor Displays a dashboard with a view of all managed APs including up time, client details, usage
statistics, and rogue APs that may be in your environment.

Access Points Displays the status of APs. Allows tasks such as configuration and upgrade. You can also
capture packets and observe live network traffic on an AP.

Configure Provides sub-menus to add and configure wireless service set identifiers (SSID) including
platform profiles, AP tags, MAC access control and more. You can also enable Bonjour Relay
and FortiPresence.

Logs Provides logs for events in the following categories: wireless, antivirus, botnet, IPS, web
access, and application control.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 15

Menu Description

Reports Provides summary reports with charts on current and past information such as traffic and
client count by SSID and AP. Also provides the option to run PCI compliance reports.

Deploy APs Allows the deployment of an AP from the inventory to an AP network. During an AP
deployment, you can set the platform profile, AP tags, an AP site, and administration
settings.

Adding a user to a FortiAP Cloud account

You can add an admin user or a regular user to your account.

A regular user does not have the same option to create FortiAP Networks, or have access to the AP inventory.

Procedure steps

1. In the top-right corner of the FortiAP Cloud Home page, click My Account.
2. Click Add User.
3. Complete the following fields:
l Email
l Re-type email
l User name
l Role
l Language
4. To save changes, click Submit.
5. To close the My Account dialog, click X.

Changing the password of a FortiAP Cloud account

1. In the top-right corner of the FortiAP Cloud Home page, click My Account.

2. In the Action column, click the pencil.

3. Click Change Password.
The Fortinet User Portal website opens.
4. Log in to the Fortinet User Portal with your user name and password.
5. In the Profile area, click Change Password.
6. Complete the fields for your old and new passwords.
7. To save your new password, click Apply.
8. To quit the Fortinet User portal, go to the top-right corner and click Sign Out.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 16

Enabling two-factor authentication for FortiAP Cloud

Two-factor authentication is offered as part of the FortiAP Cloud, including the free service. You can choose to enable
two-factor authentication using FortiToken Mobile or email.

1. In the top-right corner of the FortiAP Cloud Home page, click My Account
The My Account dialog opens.
2. Click 2-Factor.
The Enable 2-Factor Authentication dialog opens.
3. Click Yes.
4. Click FortiToken Setting.
The FortiCloud page opens.
5. Click Edit.
6. Select one of the following options:
l Enable Two-Factor Authentication Using FortiToken Mobile
l Enable Two-Factor Authentication Using Email
7. Click Save.
8. Check your email and follow the instructions to complete the setup.
9. The next time you log in to FortiCloud to access FortiAP Cloud, type the authentication token code available from
FortiToken Mobile or your email depending on the FortiToken setting that you selected during the setup.

Removing a user from a FortiAP Cloud account

You can remove an admin user or a regular user from your account.

Procedure steps

1. In the top-right corner of the FortiAP Cloud Home page, click My Account.

2. Under Action, select the delete icon for the user you wish to delete.
3. Click Yes.

Activating the multi-tenancy feature

With a multi-tenancy account, you can create and manage multiple sub-accounts. You can add and move devices
between these sub-accounts and each account can have its own administrators and users.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 17

Prerequisites

Purchase a license for the FortiAP Cloud multi-tenancy feature and obtain the activation code.

Procedure steps

1. In the top-right corner of the FortiAP Cloud Home page, click My Account.
2. Click Activate multi-tenancy feature.
3. Enter the activation code.
4. Click Submit.

Adding a FortiAP device to FortiAP Cloud with a key

Use this procedure to add a FortiAP device to your FortiAP Cloud account using its FortiAP Cloud key (or multiple
FortiAP devices with a bulk key).
If the FortiAP device does not have a FortiAP Cloud key, then go to the Adding a FortiAP device to FortiAP Cloud
without a key on page 17 procedure.

Prerequisites

l Find the FortiAP Cloud key printed on a sticker located on your FortiAP device.
l If you purchased a bulk key to add multiple FortiAP devices in a single import, then locate that bulk key on the
purchase order (PO) from Fortinet.

Procedure steps

1. Using an Ethernet cable, connect the FortiAP device to a network that allows internet access.
2. Log in to FortiCloud and connect to FortiAP Cloud.
3. On the Home page, click Inventory.
4. Click Import AP Key. If you have a bulk key, click Import Bulk Key.
5. Type the key.
6. Click Submit.
7. Make sure that the FortiAP device is added to the inventory list.
8. You can now go to the Adding a FortiAP network to FortiAP Cloud on page 19 procedure.

Adding a FortiAP device to FortiAP Cloud without a key

If the FortiAP device is an older model that does not have a sticker with the FortiAP Cloud key, then use this procedure
to add the FortiAP device to your FortiAP Cloud account.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 18

Prerequisites

Take note of the model name and number of your AP and the firmware version you need to upgrade to (see
Recommended FortiAP firmware version on page 8).

Procedure steps

1. Download the FortiAP firmware:

a. Start a web browser and visit the Fortinet Support website.
b. Log in to your account.
c. Click Download > Firmware Images.
d. In Select Product, select the AP product to upgrade.
e. Click the Download tab.
f. Navigate to the firmware image file that you want to download. For example FAP_224D-v6-build0037-
FORTINET.out.
g. To save that firmware image file to your computer, go to the end of the row, click HTTPS, and follow the on-
screen instructions.
h. Take note of the path where you save the firmware image file.
2. Upgrade and configure the FortiAP device:
a. Connect your computer to the FortiAP Ethernet port.
b. The default IP address of the FortiAP device is 192.168.1.2. If your computer does not have an IP address on
the same subnet, change the IP address of your computer to 192.168.1.3.
c. Start a web browser and connect to https://192.168.1.2.
d. Log in to the FortiAP UI as admin. Leave the Password field empty.
e. In the Status section, go to Firmware Version and click Update.

f. Follow the on-screen instructions to load and apply the firmware file.
g. When you see the message "Uploading file is done. Firmware updating.", click OK, and close the web
browser.
h. After the upgrade is complete, start a web browser and connect to https://192.168.1.2.
i. In the WTP Configuration section, go to AC Discovery Type and select FortiCloud.

j. Type the name and password of your FortiAP Cloud account.

k. Click Apply.
l. Disconnect your computer from the FortiAP Ethernet port.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Getting started 19

m. Restore your computer to its normal network configuration.

n. Using an Ethernet cable, connect the FortiAP device to a network that allows internet access.
3. Check FortiAP Cloud for the newly added FortiAP device:
a. Log in to FortiCloud and connect to FortiAP Cloud.
b. On the Home page, click Inventory.
c. Make sure that the list includes the newly added FortiAP device.
4. You can now go to the Adding a FortiAP network to FortiAP Cloud on page 19 procedure.

Adding a FortiAP network to FortiAP Cloud

A FortiAP network is a logical grouping of FortiAP devices for common configuration and management. A FortiAP Cloud
account can have multiple FortiAP networks. For instance, if you have 20 FortiAP devices and you plan to use 10
FortiAP devices in the head office and the other 10 FortiAP devices in a branch office, then you would create two
FortiAP networks.
In a FortiAP network, you can also group FortiAP devices into subsets (sites) and then apply configurations to those
subsets. For example, in an office building, you can have a FortiAP device subset for each floor of the building.
Though it is possible and valid to have a single FortiAP network containing all FortiAP devices, and apply configurations
to subsets of FortiAP devices, the recommendation is that you create multiple independent AP networks.

Procedure steps

1. Log in to FortiCloud and access FortiAP Cloud.

2. On the Home page, click Add FortiAP Network.
3. Type a name for the FortiAP network.
4. Select a time zone. This is the time zone of the FortiAP devices that you want to manage with this FortiAP network.
5. Click Submit.
The newly created network is added to the FortiAP Cloud Home page.
6. Click the FortiAP network that you created.
A new tab opens in your web browser and a dialog box shows the following message: "There is no SSID in this
AP network. Please add an SSID."
7. Click OK.
8. To complete the addition of a wireless network name and its related configuration, go to the Configuration on page
50 section and follow one of the SSID-related procedures.

FortiAP Cloud User Guide Fortinet Technologies Inc.

 Monitoring 20

Monitoring

The FortiAP Cloud provides a comprehensive dashboard with detailed statistics and visualization for the overall network
and subsequent levels such as AP, radio, client, and rogue devices. The information presented in the dashboard is
pivotal for monitoring network health and for diagnostic purpose.
The dashboards are split into three views - Standard, Charts, and List. The standard view displays information as a
combination of chart based and listed data. The charts and list view displays data only in a series of charts and columns
respectively. You can filter the lists displayed based on specific parameters and hide others by modifying the Column
Setting.
The dashboard data can be filtered using the location based AP sites created during deployment. The chart dashlets
and columns are click-able to view detailed information; hover over these charts to view details.
Dashboard data is refreshed every 60 seconds, you can refresh the dashboard as per requirement.
Note: The Charts view provides additional and varied data in comparison to the Standard view. The subsequent
sections describe data fields displayed in all views.

Network (Traffic)

This dashboard provides network traffic information arranged in several rows and charts.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 21

l AP Status counts the APs based on their connection status, APs up for more than 24 hours, APs up for less than
24 hours, and APs that are currently down.
l 2.4/5 GHz Radio provides a summary for both 2.4 GHz and 5 GHz radios. Displays the radio modes (Disabled,
Monitor, Offline) and health (Poor, Fair, Good), the station count, the total number of MAC errors, throughput,
data usage, rogue APs, and APs in scan mode.
l Clients & Throughput displays the number of clients and the throughput for each of the 2.4 GHz and 5 GHz
bands over the selected period of time.
l Top 20 APs by Clients Count (2.4 GHz and 5 GHz) displays the twenty APs with the highest number of clients
connected to them in the 2.4 GHz and 5GHz bands.
l Top SSIDs by Client Count displays the five SSIDs with the highest number of clients connected to the SSID;
counts the number of clients connected to each of these SSIDs and the total number of clients in the network. Filter
data based on the band (2.4 GHz, 5 GHz, or both).
l Top SSIDs by Usage displays the five SSIDs with the highest data usage; counts the number of clients
connected to each of these SSIDs and the total number of clients in the network. Filter data based on the band (2.4
GHz, 5 GHz, or both).

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 22

l Top 20 Stations by Throughput displays the 20 clients with the highest throughput.
l Top 20 Stations by Usage displays the 20 clients with the highest data usage.

Click on the AP, Radio, client, and SSID information to view details.

Network (Security)

This dashboard provides network security information such as web applications, attacks, and viruses.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 23

l Top Web - The top ten web categories that are most frequently used.
l Top Attacks - The top ten attacks that the FortiAP Cloud's IPS most frequently prevents.
l Top Viruses - The top ten viruses that the FortiAP Cloud's AV most frequently detects.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 24

APs

This dashboard provides visualization of APs in your network and their health and utilization.

l AP Status displays the APs based on their connection status, whether online or offline.
l AP CPU Usage categorizes all the APs into different buckets of high and normal CPU utilization.
l AP Memory Usage categorizes all the APs into different buckets of high and normal memory utilization.
l Top APs by Clients displays the five APs with highest number of clients connected to them; counts the number
of clients connected to each of these APs and the total number of clients.
l Top APs By Throughput displays the five APs with highest throughput; displays the throughput for each of these
APs and the aggregate throughput.
l Top APs By Volume displays the five APs associated with the highest data volume; displays the data volume for
each of these APs and the total data volume.
l Top APs by Interfering BSSIDs displays the top most interfering APs' BSSIDs.
l Top AP Group displays the five AP groups with highest number of AP members; counts the number of APs in
each of these AP groups and the total number of AP groups.
l AP Advertisement Management categorizes all the APs based on whether they avail free service or are
subscription services

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 25

l Top AP Models displays the five AP models mostly deployed in your network; counts the number of APs
belonging to each of these AP models and the total number of AP models.
l Top AP OS displays the five FOS version most FAPs belong to; counts the number of APs belonging to each of
these AP models and the total number of AP models.

Radios

The data displayed on this dashboard categorizes the 2.4 GHz and 5 GHz radios into the top most based on different
criteria, highest number of clients, highest throughput, data volume, noise levels (dBm), channel distribution, interfering
APs, radio types, and Tx power (dBm). Radio Modes counts the radios in the 2.4 GHz and 5 GHz modes based on the
operating modes: AP, Disabled, and Monitor. Click on any of these to view the radio details.

Click on any radio name to view the radio configuration and other associated details.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 26

Clients

This tab lists the clients in your network with the associated information. The data displayed on this dashboard
categorize the clients based on different criteria, bands and sub-bands used, SSIDs, SNR, highest throughput, data
volume, VLAN, authentication mode, encryption mode, associated APs, number of channels, operating system, device
types, and user groups. Click on the displayed data to view the client and other associated details.
You can disconnect a wireless client from the wireless network. However, the disconnected wireless clients may connect
back when operating in auto-connect mode or one manually connects the client.

Neighbour (Interfering and Rogue Networks)

This tab displays any neighboring APs (including rogue APs) that might be present in your network. The data displayed
on this dashboard categorize the rogue APs based on different criteria, class (Rogue, Accepted, Unclassified), SSIDs,
signal strength, the radios detected by, channel used, authentication modes, and vendors. Click on the displayed data
to view the devices and other associated details.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 27

BLE Devices

This dashboard displays devices detected over Bluetooth Low Energy (BLE) with associated details such as the
configured UUID, Major ID, and the device name and manufacturer. Click on the displayed data to view the devices and
other details.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Monitoring 28

FortiAP Cloud User Guide Fortinet Technologies Inc.

Deploying a FortiAP device to a FortiAP network 29

Deploying a FortiAP device to a FortiAP network

Use this procedure to deploy a FortiAP device from your account inventory to your FortiAP network.

Prerequisites

Complete the following procedures, as applicable:

l Adding a FortiAP device to FortiAP Cloud with a key on page 17 or Adding a FortiAP device to FortiAP Cloud
without a key on page 17
l Adding a FortiAP network to FortiAP Cloud on page 19

Procedure steps

1. Make sure that the window shows the FortiAP network where you want to deploy the FortiAP device.
2. In the Menu bar, select Deploy APs.
3. In the table, select the FortiAP device(s) that you want deploy.
4. Click Next.
5. Follow the on-screen instructions in each section and click Next.
6. In Preview, review the summary.
7. If you need to make changes, click Prev. Otherwise, click Deploy.
8. Click OK.
9. In the Menu bar, click Access points.
10. In the Navigation pane, select Status View.
11. Verify that the table includes the deployed FortiAP device.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points

This section includes the following procedures to deploy, configure, and manage access points in FortiAP Cloud:
l Viewing the FortiAP status on page 30
l Upgrading a FortiAP device on page 38
l Rebooting a FortiAP device on page 39
l Activating/Deactivating a FortiAP device on page 39
l Configuring FortiAP settings on page 39
l Overriding FortiAP Settings on page 41
l Undeploying a FortiAP device on page 41
l Capturing packets on a FortiAP device on page 44
l Adding a floor plan to FortiAP Cloud on page 42
l Setting a FortiAP device on a map or floor plan on page 42
l Spectrum Analysis on a FortiAP device on page 45
l VLAN Probe on page 48
l iPerf Bandwidth Test on page 48

Viewing the FortiAP status

The status view provides vital information about the FortiAP health. It organizes data in various tabs with configuration
and operational status of the FortiAP and its radios. Information is classified into charts and lists.

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Status View.

Summary

This tab displays the FortiAP and wireless client summary, by default, data for the last 12 hours is displayed. You can
filter information for specific SSIDs; the client count affected by connection issues and the Association,
Authentication, DHCP, and DNS failures are listed. The graphs display the FortiAP aggregate throughput (uplink and
downlink) and the client count for the selected duration. Wireless information such as the client count with good and low
RSSI values and clients per SSID are also displayed.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 31

AP

This tab displays the aggregate data usage (uplink and downlink), the FortiAP uptime, Platform profile details, and radio
configuration (overridden parameters are highlighted).

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 32

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 33

You can perform the actions on the FortiAP.

l Reboot
l Upgrade
l Deactivate
l Undeploy
l LED blinking
l Configuration edit

Logs

This tab displays the following logs associated with the FortiAP.
l Wireless Logs
l Antivirus Logs
l Application control Logs
l Botnet Logs
l IPS Logs
l Web Access Logs
You can set the duration to view FortiAP logs, by default, logs are displayed for the last 12 hours. The donut charts
display the number of logs based on their severity; High, Medium, Low, and Info.
Note: The FortiAP must have a UTM license to access all logs except Wireless Logs.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 34

Radio

This tab displays wireless statistics and the list of wireless clients. You can select any one of the 3 radios to view the
associated details. The charts display the client count with good and low RSSI values, interfering and non-interfering
APs’ count, throughput (Mbps), interfering APs’ BSSIDs, and the channel utilization.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 35

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 36

Neighbour APs

This tab displays any neighboring APs detected by this FortiAP and visualizes data on the basis of signal strength and
vendor. Click on the displayed data to view the devices and other associated details.

BLE

This tab displays devices detected over BLE with associated details such as the configured UUID, Major ID, and the
device manufacturer. Click on the displayed data to view the devices and other details.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 37

Tools

This tab displays the functionalities/utilities that you can run on the FortiAP. These are available in Edit View > Tools.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 38

Upgrading a FortiAP device

Use this procedure to upgrade the firmware on one or more FortiAP devices.
FortiAP Cloud downloads the firmware to the FortiAP device.

During a FortiAP firmware upgrade, there is a service interruption because the FortiAP device
needs to reboot.

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. To set the firmware upgrade for a single FortiAP device:
a. In the table, locate the FortiAP device that you want to upgrade. At the end of that row, click on the Actions
tab and select Upgrade AP.
b. Select the build and schedule.
c. To save changes, click Apply.
4. To set the firmware upgrade for multiple FortiAP devices:
a. In the table, select checkboxes for all the FortiAP devices that you want to upgrade.
b. Click Change > Upgrade Firmware.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 39

c. For each FortiAP device, select the build and schedule.

d. To save changes, click Apply.

Rebooting a FortiAP device

Use this procedure to reboot one or more FortiAP devices.

FortiAP devices will need to reboot during a FortiAP firmware upgrade.

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. In the table, locate the row for the FortiAP device to configure. At the end of that row, click on the Actions tab and
select Reboot AP.
4. You may have to wait a few minutes before the AP is successfully rebooted.

Activating/Deactivating a FortiAP device

Use this procedure to activate a FortiAP device.

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. In the table, locate the row for the FortiAP device to configure. At the end of that row, click on the Actions tab and
select Activate AP/ Deactivate AP.
4. The Status of the AP changes to Not Activated/ Online as per the action.

Configuring FortiAP settings

Use this procedure to modify the settings of a FortiAP device.

When you configure a FortiAP device, you can apply or change the following settings:
l Name
l AP Tag
l Platform Profile (Use the default profile or a custom profile. See the Adding a FortiAP platform profile on page 63
procedure.)
l Admin Access (Telnet, HTTP, HTTPS, SSH, SNMP)
l Admin Password

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 40

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. In the table, locate the row for the FortiAP device. At the end of that row, click on the Edit tab and to configure/edit
the AP settings.
4. To save the changes, click Apply.

Changing FortiAP settings

Use this procedure to change the settings of a FortiAP device.

When you configure a FortiAP device, you can apply or change the following settings:
l Tags
l Sites
l Platform Profiles (Use the default profile or a custom profile. See the Adding a FortiAP platform profile on page 63
procedure.) & Overrides (See the Overriding FortiAP Settings on page 41 procedure.)
l Admin (Telnet, HTTP, HTTPS, SSH, SNMP) and Admin Password
l Firmware (See the Upgrading a FortiAP device on page 38 procedure.)
l Undeploy (See the Undeploying a FortiAP device on page 41 procedure.)

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. In the table, locate the row for the FortiAP device to configure and click on the Change tab.

4. Edit settings as required.

5. To save the changes, click Apply.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 41

Overriding FortiAP Settings

The FortiAP Platform profile settings Band, Channel, and TX Power can be overridden. For more information, see
Adding a FortiAP platform profile on page 63.

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. In the table, locate the row for the FortiAP device to update. At the end of that row, click on the Edit tab and select
Change Platform Profiles and Overrides.
4. Select the parameters to be modified and enter the new values.
Alternately, you can override these settings in the AP deployment page.

Procedure steps

1. In the Menu bar, click Deploy APs.

2. Select the FortiAP device to update and select Set Platform Profiles and Overrides.
3. Select the parameters to be modified and enter the new values.

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. In the table, locate the row for the FortiAP device to update and click on the Change tab and select Change
Platform Profiles and Overrides.
4. Select the parameters to be modified and enter the new values.

Undeploying a FortiAP device

When you undeploy a FortiAP device, FortiAP Cloud removes the device from a FortiAP network and then returns this
device to the AP Inventory list. You can then deploy that device to another FortiAP network or delete it from FortiAP
Cloud.

Procedure steps

1. Go to the FortiAP network that has the FortiAP device that you want to undeploy.
2. In Menu bar, click Access Points.
3. In the Navigation pane, click Edit View.
4. In the table, locate the FortiAP device that you want to undeploy. At the end of that row, click on the Actions tab
and select Undeploy or click on the Change tab and select Undeploy.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 42

5. Click Yes.
6. Go to the FortiAP Cloud Home page and click Inventory.
7. Make sure that the FortiAP device is in the AP inventory list.

Adding a floor plan to FortiAP Cloud

Use this procedure to add a floor plan to FortiAP Cloud.

Prerequisites

Identify the site where you want to load a floor plan. Go to Access Points > Map View. If there is no site, then add
one.

Procedure steps

1. In the Menu bar, click Access Points.

2. In the Navigation pane, click Map View and then select the site to which you want to add a floor plan.

3. Click and select Add Floor Plan.

The Upload Floor Plan dialog opens.
4. To select a file for the floor plan, click Choose File.
The File Upload dialog opens.
5. Locate the file and then click Open.
6. If it is an outdoor plan, select Is Outdoor?
7. Click Submit.
FortiAP Cloud displays the uploaded floor plan.
8. You can adjust the magnification, opacity, and rotation of the floor plan.

9. To save changes, click Apply.

Setting a FortiAP device on a map or floor plan

Use this procedure to set the position of a FortiAP device on a map or floor plan.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 43

Prerequisites

l Complete the Adding a floor plan to FortiAP Cloud on page 42 procedure, if you want to set a FortiAP device on a
floor plan.
l Identify the site that has the map or floor plan that you want to set the FortiAP device on. Go to Access Points
> Map View.

Procedure steps

1. To move a FortiAP device to the site that has the map or floor plan that you want to use:
a. In the Menu bar, click Access Points.
b. In the Navigation pane, click Edit View.
c. In the first column of the table, select the checkbox for the FortiAP device that you want to move.
d. Click Change > Change Site.
e. Select the site and click Apply.
2. To set the position of a FortiAP device on a map or floor plan:
a. In the Navigation pane, click Map View and then select the site that includes the FortiAP that you want to use.

b. Click and select Set AP Position.

c. Click and drag to the desired position on the map or floor plan.
d. Click Close.
The map or floor plan shows the FortiAP device.
The following image shows an example of an AP set on a floor plan:

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 44

Capturing packets on a FortiAP device

Use this procedure to capture packets on a FortiAP device. Packet captures help you diagnose and troubleshoot FortiAP
device problems in a FortiAP Cloud deployment. Capturing packets can affect device performance because the capture
can collect large amounts of data. We recommend capturing packets when required only.
The packet capture includes the following information:
l No.: The packet number.
l Time: The start time of the packet capture with the format yyyy-mm-dd hh:mm:ss.
l Source: The IP address of the device that is sending the packet.
l Destination: The IP address of the device that is receiving the packet.
l Length: The length of each packet in bytes.
l Info: Additional information about the packet such as Control and Provisioning of Wireless Access Points
(CAPWAP) control messages. For example, wireless termination points (WTP) information such as the following
events:
l WTP Event Response
l WTP Event Request

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 45

Procedure steps

1. In Menu bar, click Access Points.

2. In the Navigation pane, click Edit View.
3. In the table, locate the FortiAP device for which you want to capture packets. At the end of that row, click on the
Tools tab and select Capture Packet.
The <FortiAP_name> (Capturing) dialog opens.
4. To stop the packet capture, click Stop.
5. To download the packet capture, click Download PCAP.

Spectrum Analysis on a FortiAP device

This feature provides visual spectrum analysis capabilities that scan radios for RF channel conditions and sources of
interference which can potentially impact WLAN efficiency. Based on the spectrum analysis data, corrective measures
such as determining optimal channel planning, debugging client related connectivity issues and automatic transmit
power settings are initiated. This facilitates quality wireless service levels by ensuring the optimal usage of the channels
considering the information provided by the FortiAP Cloud spectrum analyser. Both 802.11 and non-802.11 sources of
interference can be detected and analyzed by the spectrum analyzer.
This feature is supported only on the FortiAP-S and FortiAP-W2 models with FortiOS 6.4 and above.
Notes:
l Spectrum analysis is only supported when the radio is in the monitor mode.
l FortiAP supports spectrum analysis and is online.
l FortiAP Advanced Management License is required.
Select the channels to be scanned and configure the scan duration, the spectrum analysis is performed on both 2.4 GHz
and 5 GHz frequency bands. The spectrum analyzer result displays widgets with the type of interference, signal
strength, impacted channels, and wireless spectrum current utilization, start and end time and duration of the
interference. It classifies wireless & non-wireless interferences to easy identification of the source.
l You can select the AP, Radio, and Channels to be scanned for interferences.
l The Scan Duration can be set to 1, 5, 30, 60 minutes or Infinity. When Infinity is selected the scan is performed
till it is manually stopped.
l The Sampling Interval and the number of Spectrogram Samples cannot be modified.
Select Start and the GUI periodically polls the spectrum analysis data based on the fixed sampling interval of 1000
milliseconds. Data is visualized as 4 charts representing signal interference marking the noise levels for each channel,
signal interference spectrogram representing 60 samples for different channels at specific time intervals, the duty cycle
charts marking the extent to which a non-WiFi device/neighbouring AP is interfering, and the duty cycle spectrogram
representing 60 such duty samples for each channel over a period of time.
The tabular data for non-WiFi interference displays the time and frequency of last detection and any of the following
type of devices causing the interference.
l Microwave ovens
l Video bridges

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 46

l Wi-Fi, DSSS cordless phones

l Bluetooth, FHSS cordless phones
The tabular data for WiFi interference displays the online neighbouring AP's BSSID, SSID, maximum signal strength,
and channel and time of last detection.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 47

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 48

VLAN Probe

VLAN probe feature enables FortiAPs to probe connected VLANs and subnets. It sends DHCP probes from the FortiAP’s
Ethernet interface to specific VLANs on the wired interface and returns information on their availability and subnet
details. This helps diagnose and troubleshoot WiFi deployment issues.
l AP – Select the FortiAP. FOS version 6.4.0 and higher are supported.
l WAN Port – Select the 1st or 2nd Ethernet port of the FortiAP to initiate the VLAN probe.
l VLAN Range – Select the range of VLANs to probe. The valid range is 1 -4094.
l Timeout – Configure the timeout for the VLAN probe. The valid range is 1 – 60 seconds with a default value of 10
seconds.
l Retries – Configure the number of retries before timeout. The valid range is 1 to 10 with a default value of 6.
Select Start and the FortiAP initiates VLAN probe as per configurations.

iPerf Bandwidth Test

The iPerf bandwidth test measures the UDP and TCP real-time network throughput to aid in estimating the maximum
achievable bandwidth in your network. This is useful to isolate problems related to slow network connections. The iPerf
test is performed between the FortiAP and an endpoint that can be a wireless client, a computer in the LAN, or an
external online server like ping.online.net. You must start the iPerf server manually on the endpoint unless using the
online server. This feature tests uplink, downlink, or both traffic streams.
l AP - Select the FortiAP for iPerf testing.
Note: The supported FOS version is 6.4.0 and higher for FAP-S/W2 models and 6.2.0 or higher for FAP-U models.
l Port – Select the port. The valid range is 1 – 65535.
l iPerf2 Endpoint – Enter the endpoint device IPv4 address/hostname.
l Duration – Enter the duration for the iPerf test. The allowed values are 10, 30, and 60 seconds.
l Protocol – Select the protocol to measure throughput, UDP or TCP.
l Target Bandwidth – This is applicable only on UDP traffic. The valid range is 1 – 1024 Mbps.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Managing Access Points 49

l Bidirectional Test – When disabled only uplink traffic is tested and when enabled both uplink and downlink traffic
streams are measured. In a bidirectional test, the total time required to complete the test is twice the selected
time. For example, if 30 seconds is the configured test duration then the total time required to complete the test is
60 seconds; 30 seconds for uplink and 30 seconds for downlink.
Select Start and the FortiAP initiates iPerf testing as per configurations.

Notes:
l Fortinet recommends to use the latest IPerf 2.0.x version in the endpoint machine.
l IPv6 servers are not supported for iPerf testing.
l Ensure the iPerf test ports are enabled in the firewall.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration

This section includes the procedures for creating different types of SSID with FortiAP Cloud and configuring various
options.
Use the following table for configuration information available in a FortiAP network under the Configure section.

Configuration module Description

SSIDs Configuration of SSIDs and their deployment on all APs or selected APs in the AP
Network. For more information, see Adding an SSID to a FortiAP network on
page 51.

Platform Profile Customization of AP profiles.

For more information, see Adding a FortiAP platform profile on page 63.

SNMP Profile To create and assign an SNMP profile.

For more information, see Configuring SNMP Profile on page 64

BLE Profile To configure a BLE Profile.

For more information, see Adding a BLE Profile on page 64.

DARRP Configure Distributed Automatic Radio Resource Provisioning (DARRP).

For more information, see Enabling Distributed Automatic Radio Resource
Provisioning (DARRP) on page 65

AP Tags AP grouping. APs in a group share the same AP tag.

For more information, see Adding AP tags on page 67.

MAC Access Control
Import and export MAC addresses in order to manage an access control list
(ACL).
For more information, see:
l Configuring MAC access control and MAC filtering on page 68
l Exporting ACL list on page 68

L3 Firewall Profile Create L3 profiles used in SSID.

For more information see, Adding an L3 Firewall Profile on page 69.

QoS Profile QoS profiles used in SSIDs.

For more information, see Adding a QoS profile on page 70.

FortiAPCloud User/Group
Users and their group configurations can help avoid the need for RADIUS servers
at the customer location.
For more information, see:
l Creating a FortiAP Cloud group and users on page 72
l Adding a FortiAP Cloud guest on page 73
l Adding a FortiAP Cloud guest manager on page 73

Tunnel Profile GRE/L2TP profiles used in SSIDs.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 51

Configuration module Description

For more information, see Adding a Tunnel profile on page 75

Schedule Profile Create a Multiple PSK schedule profile.

For more information, see Adding a Schedule Profile on page 76..

My RADIUS Server RADIUS servers used for authenticating wireless users.

For more information, see Adding a RADIUS server on page 74.

Network Manage various network administration settings.

For more information, see:
l Editing the FortiAP network time zone on page 77
l Enabling FortiAP network alerts on page 77
l Editing radio scan settings on page 78
l Editing timeout settings for idle client and captive portal user authentication
on page 78
l Enabling Duplicate SSID on page 78

Bonjour Relay Configure the Bonjour Relay service for devices to broadcast their services.
For more information, see Enabling Bonjour Relay on page 79.

FortiPresence Configure FortiPresence for user traffic analytics.

For more information, see Enabling FortiPresence on page 80.

Change History View the history of FortiAP Cloud configuration changes.

For more information, see Viewing the history of configuration changes on page
82.

Adding an SSID to a FortiAP network

Use this procedure to configure and add an SSID to a FortiAP network.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add the SSID.
2. In the Menu bar, click Configure.
3. In the Navigation bar, click SSIDs.
4. Click Add SSID and select any of the listed Authentication Methods on page 52.
5. To go to Security, click Next. If the FortiAP model supports security features, then select the ones you want to
enable.
6. To go to Availability, click Next and complete the following fields.
l Radio: Select which radios you want to be active.
l Per-AP: Select whether you want the SSID to be available to all APs or APs with specific tags.
l Schedule: Select a schedule for when the SSID is available.
7. To go to Preview, click Next and review the summary. If you need to make changes, click Prev.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 52

8. To complete the changes, click Apply.

9. You can now go to the Deploying a FortiAP device to a FortiAP network on page 29 procedure.

Authentication Methods

This section describes the supported authentication methods. Follow the prerequisites and configuration options listed
for each authentication method, and the Basic Settings on page 57 and Advanced Settings on page 59 to add an SSID.
l WPA2 Personal on page 52
l WPA2 Enterprise on page 52
l WPA3-SAE/WPA3-SAE Transition on page 53
l WPA3 Enterprise on page 54
l WPA3-OWE/WPA3-OWE Transition on page 54
l FortiAP Cloud captive portal on page 55
l My Captive Portal on page 56

WPA2 Personal

Add a WPA2 Personal SSID to a FortiAP network

Prerequisites Configuration

l If you want to use the MAC access control, make
sure to import MAC addresses (see the Configuring
MAC access control and MAC filtering on page 68
procedure).
l If you want to apply a QoS profile, make sure that
the QoS profile exists (see the Adding a QoS profile
on page 70 procedure).
l If you want the SSID to be available to APs with
specific tags only, make sure that the AP tags exist
(see the Adding AP tags on page 67 procedure).
l If you want to block intra-SSID traffic, and
customize radio and rate optional settings, then
purchase a FAP Advanced Management License.
l Authentication: Select WPA2-Personal. Type a
Pre-shared Key (PSK). This PSK must contain
from 8 to 63 printable ASCII characters or exactly 64
hexadecimal numbers. If older stations also need to
be supported, then select WPA/WPA2-Personal
which enables mixed (WPA and WPA2) mode
authentication.
l Captive Portal: Leave as No Captive Portal.
Complete the Basic Settings on page 57 and Advanced
Settings on page 59 as required.

WPA2 Enterprise

WPA2 Enterprise SSIDs can be configured to use an external RADIUS server to authenticate wireless clients, or control
access to the SSID with a configured user group.
With the RADIUS accounting server method, the Accounting Interim Interval parameter becomes available. The AP
will send an Interim Update Accounting-Request to update the RADIUS accounting server with time and bandwidth
usage. The default value is set to 600 seconds (or 10 minutes).

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration
Prerequisites
l Complete the Adding a RADIUS server on page 74
procedure.
l If you want to use the MAC access control, make
sure to import MAC addresses (see the Configuring
MAC access control and MAC filtering on page 68
procedure).
l If you want to apply a QoS profile, make sure that
the QoS profile exists (see the Adding a QoS profile
on page 70 procedure).
l If you want the SSID to be available to APs with
specific tags only, make sure that the AP tags exist
(see the Adding AP tags on page 67 procedure).
l If you want to enable dynamic VLAN, block intra-
SSID traffic, and customize radio and rate optional
settings, then purchase a FAP Advanced
Management License.
WPA3-SAE/WPA3-SAE Transition
Add a WPA3 simultaneous authentication of equals (SAE) or WPA3-SAE Transition SSID to a FortiAP network.
Prerequisites
l If you want to use the MAC access control, make
sure to import MAC addresses (see the Configuring
MAC access control and MAC filtering on page 68
procedure).
l If you want to apply a QoS profile, make sure that
the QoS profile exists (see the Adding a QoS profile
on page 70 procedure).
l If you want the SSID to be available to APs with
specific tags only, make sure that the AP tags exist
(see the Adding AP tags on page 67 procedure).
l If you want to block intra-SSID traffic, and
customize radio and rate optional settings, then
purchase a FAP Advanced Management License.
FortiAP Cloud User Guide
53
Configuration
With enterprise class SSIDs, individual users can have
their own login (such as username and password, and
VLAN, administrative control).
l Authentication: Select WPA2-Enterprise (or
WPA/WPA2-Enterprise mixed mode). To define
authorized users
l RADIUS Auth Setting: Set to one of the following:
l My RADIUS Server: Use your own RADIUS
server. To define your RADIUS server, see
Adding a RADIUS server
l FortiCloud User/Group: Use FortiAP Cloud as
the RADIUS server. In this case, you do not need
to have your own RADIUS server. All users are to
be defined in FortiAP Cloud (see Creating a
FortiAP Cloud group and users).
Complete the Basic Settings on page 57 and Advanced
Settings on page 59 as required.
Configuration
With enterprise class SSIDs, individual users can have
their own login (such as username and password, and
VLAN, administrative control).
l Authentication: Select WPA3-SAE or WPA3-SAE
Transition.
l WPA3-SAE: Type an SAE Password. This
password must contain 8 to 32 alphanumeric
characters or exactly 64 hexadecimal numbers.
l WPA3-SAE Transition: Enables mixed (WPA2
and WPA3) mode authentication. Two
passwords are used in the SSID; if the SAE
Password is used, client connects with WPA3
SAE and if Pre-shared Key is used, client
connects with WPA2 PSK. This PSK must
contain from 8 to 63 printable ASCII characters
or exactly 64 hexadecimal numbers.
l Captive Portal: Add a captive portal to the SSID.
l To add a FortiAP Cloud captive portal, see
section FortiAP Cloud captive portal on page 55.
l To add your own captive portal, see section My
Captive Portal on page 56
Complete the Basic Settings on page 57 and Advanced
Settings on page 59 as required.
Fortinet Technologies Inc.
Configuration 54

WPA3 Enterprise

WPA3 Enterprise SSIDs can be configured to use an external RADIUS server to authenticate wireless clients, or control
access to the SSID with a configured user group.
With the RADIUS accounting server method, the Accounting Interim Interval parameter becomes available. The AP
will send an Interim Update Accounting-Request to update the RADIUS accounting server with time and bandwidth
usage. The default value is set to 600 seconds (or 10 minutes).

Prerequisites Configuration

l Complete the Adding a RADIUS server on page 74 With enterprise class SSIDs, individual users can have their
procedure. The RADIUS server must support 192- own login (such as username and password, and VLAN,
bit AES encryption as required by WPA3-Enterprise administrative control).
security level. l Authentication: Set to WPA3-Enterprise.
l If you want to use the MAC access control, make l RADIUS Auth Setting: To define authorized users,
sure to import MAC addresses (see the set to My RADIUS Server where you use your own
Configuring MAC access control and MAC filtering RADIUS server. To define your RADIUS server, see
on page 68 procedure). Adding a RADIUS server
l If you want to apply a QoS profile, make sure that Complete the Basic Settings on page 57 and Advanced
the QoS profile exists (see the Adding a QoS Settings on page 59 as required.
profile on page 70 procedure).
l If you want the SSID to be available to APs with
specific tags only, make sure that the AP tags exist
(see the Adding AP tags on page 67 procedure).
l If you want to enable dynamic VLAN, block intra-
SSID traffic, and customize radio and rate optional
settings, then purchase a FAP Advanced
Management License.

WPA3-OWE/WPA3-OWE Transition

Add a WPA3 opportunistic wireless (OWE) or WPA3-OWE Transition SSID to a FortiAP network.

Prerequisites Configuration

l If you want to use the MAC access control, make
sure to import MAC addresses (see the
Configuring MAC access control and MAC filtering
on page 68 procedure).
l If you want to apply a QoS profile, make sure that
the QoS profile exists (see the Adding a QoS
profile on page 70 procedure).
l If you want the SSID to be available to APs with
specific tags only, make sure that the AP tags
exist (see the Adding AP tags on page 67
procedure).
l If you want to block intra-SSID traffic, and
customize radio and rate optional settings, then
purchase a FAP Advanced Management License.
l Authentication: Select WPA3-OWE.
Enable OWE Transition to allow clients that do not
support OWE to connect to an OWE enabled network.
This mode requires an Open OWE Transition SSID
for such clients to connect.
l Captive Portal: Add a captive portal to the SSID.
l To add a FortiAP Cloud captive portal, see section
FortiAP Cloud captive portal on page 55.
l To add your own captive portal, see section My
Captive Portal on page 56
Complete the Basic Settings on page 57 and Advanced
Settings on page 59 as required.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration
FortiAP Cloud captive portal
FortiAP Cloud includes captive portal settings that you can customize during the SSID addition.
If you want to create and use your own captive portal, then go to the Adding a My Captive Portal SSID to a FortiAP
network procedure.
Prerequisites
l If you want to use the MAC access control, make
sure to import MAC addresses (see the
Configuring MAC access control and MAC filtering
on page 68 procedure).
l If you choose one of the following sign on
methods, make sure to complete the required
setup:
l My RADIUS Server (see Adding a RADIUS
server on page 74)
l FortiAP Cloud user and group (see Creating a
FortiAP Cloud group and users on page 72)
l If you want to apply a QoS profile, make sure that
the QoS profile exists (see the Adding a QoS
profile on page 70 procedure).
l If you want the SSID to be available to APs with
specific tags only, make sure that the AP tags
exist (see the Adding AP tags on page 67
procedure).
l If you want to block intra-SSID traffic, and
customize radio and rate optional settings, then
purchase a FAP Advanced Management License.
FortiAP Cloud User Guide
55
Configuration
l Authentication: Select Open or WPA2-Personal.
If you select WPA2-Personal, then type a Pre-
shared Key. This password must contain from 8 to 63
characters. Characters can be any combination of
upper and lower case letters, numbers, punctuation
marks, and symbols.
l Captive Portal: Select FortiAPCloud Captive
Portal.
l MAC Access Control: Select to allow clients
identified in the MAC address import list to connect to
that SSID.
l Fail Through Mode. This mode is available if
you select the Open authentication. If you select
the Fail Through Mode, then the following
applies:
l If a client is not in the MAC address import
list, then the client must pass captive-portal
authentication to access the internet.
l If a client is in the MAC address import list,
then the client can bypass the captive-portal
authentication and access the internet
directly.
l Redirect URL: The URL to which the user is
redirected after a successful login; Original request
or Specific URL.
l Walled Garden: The walled garden is a list of web
domains that users can access before completing the
authentication process. You can type an IP address,
domain name, and subnetwork address/mask.
Separate multiple entries with a comma.
l Sign-on Method: Choose one of the following:
l Click Through: Users go to the captive portal
page and click Continue to gain access to the
wireless network. Users do not type a username
and password. 
l My RADIUS Server: Select a configured
RADIUS server.
l FortiAP Cloud user and group: Select a
configured FortiAP Cloud group.
l Self-registered guests: Users access the
Fortinet Technologies Inc.
Configuration
Prerequisites
My Captive Portal
In this procedure, you are required to create your own captive portal page.
If you prefer to use and customize an existing captive portal page, then go to the Adding a FortiAP Cloud captive portal
SSID to a FortiAP network procedure instead.
Prerequisites
l Complete the Creating the My Captive Portal page
on page 62 procedure.
l If you want to use the MAC access control, make
sure to import MAC addresses (see the
Configuring MAC access control and MAC filtering
on page 68 procedure).
l Choose and set up one of the following sign on
methods:
l My RADIUS Server (see the Adding a
RADIUS server on page 74 procedure)
l FortiAP Cloud user and group (see the
Creating a FortiAP Cloud group and users on
page 72 procedure)
FortiAP Cloud User Guide
56
Configuration
captive portal page and sign up for an account.
They receive their username and password details
by SMS or email as defined in step 11 of this
procedure. 
l Social media: Users can sign on with their social
media account. FortiAP Cloud supports
Facebook, Google+, LinkedIn, and Twitter
accounts.
In the Captive Portal page, you can additionally
customize the following.
l Logo: You can upload an image.
l Title: You can change the appearance of the title
(background color and image as well as the text color)
or the text (in English, French, or Japanese).
l Message: You can add a message (in English,
French, or Japanese) and change the background
color, image, and text color.
l Self-Registered: If you selected the sign on method
as self-registered guest (in step 5), then you can
customize the page for self-registered guests as well
as set an account expiration period and a method to
generate a username and password.
Complete the Basic Settings on page 57 and Advanced
Settings on page 59 as required.
Configuration
l Authentication: Select Open or WPA2-Personal.
If you select WPA2-Personal, then type a Pre-
shared Key. This password must contain from 8 to 63
characters. Characters can be any combination of
upper and lower case letters, numbers, punctuation
marks, and symbols.
l Captive Portal: Select My Captive Portal.
l MAC Access Control: Select to allow clients
identified in the MAC address import list to connect to
that SSID.
l Fail Through Mode. This mode is available if
you select the Open authentication. If you select
the Fail Through Mode, then the following
Fortinet Technologies Inc.
 Configuration 57

Prerequisites Configuration

l If you want to apply a QoS profile, make sure that applies:

the QoS profile exists (see the Adding a QoS
profile on page 70 procedure).
l If you want the SSID to be available to APs with
specific tags only, make sure that the AP tags exist
(see the Adding AP tags on page 67 procedure).
l If you want to block intra-SSID traffic, and
customize radio and rate optional settings, then
purchase a FAP Advanced Management License.
l If a client is not in the MAC address import
list, then the client must pass captive-portal
authentication to access the internet.
l If a client is in the MAC address import list,
then the client can bypass the captive-portal
authentication and access the internet
directly.
l Captive Portal URL: Type the URL of your captive
portal page.
l Redirect URL: The URL to which the user is
redirected after a successful login; Original request
or Specific URL.
l Walled Garden: The walled garden is a list of web
domains that users can access before completing the
authentication process. You can type an IP address,
domain name, and subnetwork address/mask.
Separate multiple entries with a comma.
l Sign-on Method
: Choose one of the following:
l Click Through: Users go to the captive portal
page and click Continue to gain access to the
wireless network. Users do not type a username
and password. 
l My RADIUS Server: Select a configured
RADIUS server.
l FortiAP Cloud user and group: Select a
configured FortiAP Cloud group.
Complete the Basic Settings on page 57 and Advanced
Settings on page 59 as required.

Basic Settings

Configure the following basic settings for an SSID assigned to your FortiAP network.

Field Description

SSID Type a name for this wireless network. Wireless clients use this name to find and
connect to this wireless network.

Enabled Select to have the SSID active.

Broadcast SSID Select to advertise the SSID. All wireless clients within range can see the SSID
when they scan for available networks.

MAC Access Control Select to allow clients identified in the MAC address import list to connect to that
SSID.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 58

Field Description

l Fail Through Mode. This mode is available if you select the Open
authentication. If you select the Fail Through Mode, then the following
applies:
l If a client is not in the MAC address import list, then the client must
pass captive-portal authentication to access the internet.
l If a client is in the MAC address import list, then the client can bypass
the captive-portal authentication and access the internet directly.

Mesh Link Select to enable the mesh link.

A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs
to each other by radio. AP networks can be configured in this way so that only one
AP unit is connected to the wired network.

Data Encryption When either of the mixed mode authentication methods are enabled, select a
data encryption protocol: AES, TKIP, or TKIP-AES.

Multiple Pre-shared Keys Multiple PSKs can also be configured for Personal SSIDs, in which case stations
will be able to connect to an SSID using either a common PSK or their own PSK.
You can select the configured schedule profile for activating multiple PSKs. For
more information, see Adding a Schedule Profile on page 76.
Note:A maximum of 128 multiple PSKs are allowed per SSID.
AP as RADIUS client The FortiAP acts as a RADIUS client and sends accounting information to the
configured RADIUS server.
This configuration parameter is applicable ONLY when the SSID operates in the
OPEN security mode with external captive portal and RADIUS authentication and
accounting parameters.
When AP as RADIUS client is enabled, the FortiAP redirects clients to the
configured external captive portal, collects credentials and performs RADIUS
authentication and accounting. When disabled (default), the legacy functionality
continues where the FortiAP redirects all clients to a centralized FortiAP Cloud
which then redirects them to the configured external captive portal.
When you enable AP as RADIUS Client, the following parameters become
configurable.
l Secure HTTP - Secure HTTP is used to post credentials from the
configured external captive portal web server to the FortiAP. This is disabled
by default.
l Session Interval - The time interval after which the captive portal
authentication session is invalidated and the user is required to log in again.
The valid range for the session interval is 0 - 864000 seconds, 0 (default)
indicates that the user is never logged out.
Note: This feature is supported on FAP-S and FAP-W2 models with firmware
versions 6.2 and 6.4.

RADIUS Acct Settings Select the RADIUS profile for accounting.

CoA is also supported and can be enabled in RADIUS Accounting profile.

FortiAP Cloud User Guide Fortinet Technologies Inc.

 Configuration 59

Field Description

IP assignment Select Bridge or NAT. If you choose NAT, then complete the following:
l Local LAN: Select Allow or Deny.
l DHCP Lease Time: Default is 3600 seconds (or one hour).
l IP/Network Mask: Type the IP address and network mask of the SSID.
QoS Profile If you want to apply a QoS profile that you have already created, select it from the
list.

VLAN ID If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless
network (SSID).
Default is 0 for non-VLAN operation.

Advanced Settings

With a FortiAP advanced management license, you can enable the following advanced settings.

Field Description

Radio Sensitivity (Rx-SOP)
The Receiver Start of Packet (Rx-SOP) configures a threshold to allow FortiAPs
to adjust the SSID cell size. The radio discards all received wireless frames with
minimum WiFi signal lesser than the configured threshold value. Adjusted cell
size ensures that wireless clients are connected to the nearest FortiAP at highest
possible data rates and distant clients do not deprive other clients of airtime.
The valid range of signal strength is -95 to -20 dBm with a default value of -79
dBm for 2.4GHz and -76 dBm for 5GHz.

Probe Response Restricts distant wireless clients from connecting to the FortiAP if the received
Suppression signal strength is less than the configured threshold. The FortiAP does not send
any probe response to these distant wireless clients and responds to the probe
requests sent from nearby clients only. The valid range of signal strength is -95 to
-20 dBm with a default value of -80 dBm.

Sticky Clients Removal De-authenticates sticky wireless clients (distant clients that stick to the FortiAP) if
the signal strength is less than the configured threshold. The valid range of signal
strength is -95 to -20 dBm with a default value of -79 dBm for 2.4GHz and -76
dBm for 5GHz.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration
Field
Protected Management
Frames (802.11w)
Voice Enterprise (802.11kv)
FortiAP Cloud User Guide
60
Description
Provides a layer of security for wireless management frames by ensuring that
traffic comes from legitimate sources. Network attackers and malicious entities
are unable to disrupt legitimate wireless connections by sending spoofed clear
text wireless management frames.
l Disable - Disables the usage of 802.11w management protection frames.
l Optional - Allows wireless clients that do not support 802.11w along with
those that support 802.11w to associate with the SSID.
l Required - Allows only those wireless clients to associate with the SSID that
support 802.11w and prevents clients that do not support 802.11w from
associating.
l PMF Association Comeback Timeout (seconds) - Specifies the time
which an associated client must wait before the association can be tried
again when first denied. The valid range is 1 -20 seconds with a default value
of 1 second.
l PMF SA Query Retry Timeout (milliseconds) - Specifies the amount of
time the controller waits for a response from the wireless client for the query
process. If there is no response from the client, it is dis-associated. The
supported values are 100, 200, 300, 400, and 500 milliseconds with a
default value of 200 milliseconds
Note: Any change in the PMF configuration requires the controller to delete and
then add the SSID. This disrupts existing connections.
This feature provides support for network assisted roaming based on 802.11k and
802.11v standards.
802.11k network assisted roaming allows a potential roaming wireless client to
collect from its current AP the list of compatible neighbour APs. This saves the
wireless client from performing full scan on both bands. The wireless client
selects and moves to the optimal neighbour AP from the list. The 802.11k also
provides support for Radio Resource Management (RRM) such as APs querying
the associated wireless clients for beacon reports and perceived RSSI used to
prepare the compatible neighbour AP list for wireless clients.
802.11v network assisted roaming allows the wireless network to send requests
to associated clients, recommending better APs to associate with while roaming.
This is beneficial for both load balancing and in guiding clients with poor
connectivity.
The BSS Transition feature allows the roaming client to initiate a BSS transition
query to the associated AP for a candidate list of other APs it can re-associate
with, the associated AP responds with a BSS transition request containing the
requested AP list. The AP can also send an unsolicited BSS transition request to
the client. The client can accept the request and re-associate with the suggested
APs or it can reject the request and continue its association with the current AP.
Fortinet Technologies Inc.
Configuration
Field
Airtime Fairness Weight (%)
Broadcast Suppression
L3 Firewall Profile
Block intra-SSID traffic
Tunnel Settings
FortiAP Cloud User Guide
61
Description
Wi-Fi has a natural tendency for clients farther away or clients at lower data rates
to monopolize the airtime and drag down the overall performance. Airtime
Fairness (ATF) helps to improve the overall network performance.
Airtime Fairness is configured per SSID, each SSID is granted airtime according
to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
Data frames that exceed the configured % allocation are dropped. Enable Airtime
Fairness when creating a Platform profile.
l Applicable only on downlink traffic.
l Applicable only on data, management and control functions are excluded.
l Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.
l Applicable on all authentication modes.
Airtime Fairness is supported with FOS 6.2.0 and on all FortiAP-S and FortiAP-
W2 models.
Note: Enable ATF processing on desired radios in AP Platform Profile.
Suppresses the transmission of specific broadcast traffic to secure the wireless
network and optimize airtime usage. When the received broadcast traffic exceeds
the threshold, the interface discards it until the broadcast traffic drops below a
specific threshold.
Since broadcast packets sent to wireless clients connected to a FortiAP occupy
valuable airtime, unnecessary and potentially detrimental packets can impact
network throughput.
By default, ARP Replies, ARPs For Known Clients, DHCP Uplink, DHCP
Downlink, and DHCP Unicast broadcast suppression is enabled.
Create L3 Firewall rules. For more information, see Adding an L3 Firewall Profile
on page 69.
To block intra-SSID network traffic.
Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
FortiAP Cloud supports tunnel redundancy. When the primary tunnel goes
down, data traffic is automatically redirected to the secondary or the standby
tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel
Profile. For more information, see Adding a Tunnel profile.
l Tunnel Echo Interval: The time interval to send echo requests to primary
and secondary tunnel peers. The valid range is 1 to 65535 seconds; default
is 300 seconds.
l Tunnel Fallback Interval: The time interval for secondary tunnel to fall
back to the primary tunnel once it is active. The valid range is 1 to 65535
seconds; default is 7200 seconds.
Fortinet Technologies Inc.
Configuration 62

Field Description

DHCP Option 82 DHCP option 82 (DHCP relay information) secures wireless networks served
by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation
and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID
parameters enhance this security mechanism by allowing the FortiAP to
include specific AP and client device information into the DHCP request
packets. Both these options are disabled by default.
The DHCP server can use the location of a DHCP client when assigning IP
addresses or other parameters.
Note: This feature is supported with FOS 6.2.0 and above.
l Circuit ID: The AP information is inserted in the following formats:
l Style-1: ASCII string composed in the format <AP MAC
address>;<SSID>;<SSID-TYPE>. For example, "
00:12:F2:00:00:59;SSID12;Bridge".
l Style-2: ASCII string composed of the AP MAC address. For
example, "00:12:F2:00:00:59".
Style-3: ASCII string composed in the format <Network-
Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-
MAC address>. For example, "WLAN:FAPS221E-
default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".
l Remote ID: The MAC address of the client device is inserted in the
following format:
Style-1 - ASCII string composed of the client MAC address. For
example,"00:12:F2:00:00:59".
Radio and Rates Optional Customize the 2.4 GHz and 5 GHz rate settings.
Settings

Creating the My Captive Portal page

This section includes details about creating the My Captive Portal page. The creation of this page is a prerequisite for
the Adding a My Captive Portal SSID to a FortiAP network procedure.
A user connects to the Wi-Fi network and is redirected to https://<my_captive_portal_url>?grant_
url=fortiapcloud_grant_url.
The user lands on the captive portal, who is then redirected by the captive portal to the <FortiAPCloud_grant_url>.
Check the AP network web URL in the address bar. This URL should be set to https://xxxx-<digit>.fortiapcloud.com.
l The base URL of <FortiAPCloud_grant_url> without -<digit> can be https://xxxx.fortiapcloud.com
l The full URL of <FortiAPCloud_grant_url> can be
https://xxxx.fortiapcloud.com/APAuthentication/submit?type=external
If the SSID sign on method is Click Through, no parameters are submitted. For the other SSID sign on methods, the
following parameters are submitted:
l User
l Password

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 63

l error_page_url
Sample jsp to paste in the captive portal
<form action="<%=request.getAttribute("grant_url") %>" method="POST">
<input type="hidden" name="error_page_url" value="http://yourcompany.com/test/error.jsp"/>
<table>
<tr><td>Username:</td><td><input name="user" type="text"></td></tr>
<tr><td>Password:</td><td><input name="password" type="password"></td></tr>
<tr><td><input type="submit" value="Login"></td></tr>
</table>
</form>

Adding a FortiAP platform profile

FortiAP Cloud provides default platform (AP) profiles for each supported model. All APs of a given model can use their
default platform profile. However, more profiles can be added, edited, and then assigned to APs, thereby changing their
characteristic. For instance, two FAP221E models can have their own platform profiles, one with rogue scanning
disabled (using default platform profile) and the other enabled (using a customized platform profile).
Other parameters that you can customize for each AP using its own platform profile include radio band, channel,
channel width, and transmit power.
When you perform the Configuring FortiAP settings on page 39 procedure, you can select the FortiAP platform profile
that you added using this procedure.

Procedure steps

1. In the Menu bar, click Configure.

2. In the Navigation pane, click Platform Profile.
3. Near the top-right corner, click Add Platform Profile.
4. Customize the profile. The following features require a license for advanced AP management.
Airtime Fairness

AP Scan Threshold - Configures the threshold for minimum detected signal strength required for a FortiAP to be
categorized as and interfering/rogue AP when a scan is performed. This parameter is supported in the monitor
mode and conditionally in the AP mode with either of the these parameters enabled, Radio Resource Provision,
Auto TX Power Control enabled, Rogue AP Scan. The valid range of signal strength is -95 to -20 dBm with a default
of -90 dBm.

Beacon Interval (ms) – Configures the time interval between two successive beacon frames. The beacon interval
is measured in milliseconds and supports a valid range of 40 – 3500 milliseconds with a default of 100 milliseconds.
Higher beacon intervals aid in the power saving capability of wireless clients and lower beacon intervals keep fast
roaming clients connected to the network.

DTIM Period – Configures the Delivery Traffic Indication Map (DTIM) interval to transmit buffered multicast and

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 64

broadcast data, after the beacon is broadcast. This enables wireless clients in power-saving mode to wake up at a
suitable time to check for buffered traffic. Higher DTIM period aids in the power saving capability of wireless clients
and lower DTIM period speeds up broadcast and multicast data delivery to wireless clients. The valid range is 1 -
255 with a default of 1.
The recommended values are 1 (to transmit broadcast and multicast data after every beacon) and 2 (to transmit
broadcast and multicast data after every other beacon).
5. To save the profile, click Apply.
The list of profiles includes the new FortiAP platform profile.

Configuring SNMP Profile

FortiAP Cloud supports SNMP access to FortiAPs such as sending queries and receiving traps. To assign an SNMP
profile to a FortiAP, see Adding a FortiAP platform profile on page 63.
Note: A FortiAP can be associated with a platform profile linked to a configured SNMP profile, even if the SNMP admin
access is disabled in the AP settings.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to configure SNMP.
2. In the Menu bar, click Configure.
3. In the Navigation area, click SNMP Profile.
4. Click Add Profile.
5. Enter a unique name for the SNMP profile.
6. Enter the SNMP Engine ID; the default is FortiAPCloud, and the administrator Contact Info.
7. Enter the threshold for high CPU usage (%) when the trap is sent. The valid range is 10 - 100 and the default is 80.
8. Enter the threshold for high memory usage (%) when the trap is sent. The valid range is 10- 100 and the default is
80.
9. Add SNMP v1/v2 communities and enable SNMP queries and traps as required. Enter the SNMP management
stations in the Host field. A maximum of four, comma separated hosts can be specified along with optional
netmasks.
10. Configure SNMP v3 users and manage traps and queries for these users. You can manage the security level for
message authentication and encryption. The supported authentication and encryption algorithms are MD5 and
SHA. The valid range for authentication and encryption passwords is 8 - 32 characters. You can configure the
SNMP user-notify Hosts; a maximum of sixteen, comma separated hosts can be specified
11. To close the dialog box, click Save.

Adding a BLE Profile

BLE is a wireless personal area network technology used for transmitting data over short distances. It allows mobile
applications to receive advertisements from beacons and deliver hyper-contextual content to clients based on location.
The BLE profile incorporates Google’s Eddystone and Apple’s iBeacon to identify groups of devices and individual

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 65

devices. Broadly, based on the configured BLE profile, the FortiAP broadcasts signals that the client receives when it
comes in the configured proximity.
Individual AP overrides for BLE profile parameters are supported. See section Overriding FortiAP Settings on page 41.
Name - Enter a unique name for the BLE profile. Valid range is 1 – 32 characters.
Advertising – Select one or multiple supported advertising protocols, iBeacon, Eddystone UUID, Eddystone URL.
You can configure the following broadcast data for iBeacon.
l iBeacon UUID – Click Generate UUID to obtain a unique 128-bit identifier in 8-4-4-4-12 Hex format for a beacon.
Specify wtp-uuid to generate FortiAP specific identifier.
l iBeacon Major ID – A unique identifier assigned to some beacons in a network and is used to distinguish this
subset of beacons within a larger group of beacons. For example, beacons within a particular geographic area can
have the same major number. The valid range is 0 -65535 with a default of 1000.
l iBeacon Minor ID - A unique identifier assigned to identify individual beacons. For example, each beacon in a
group of beacons with the same major number, will have a unique minor number. The valid range is 0 -65535 with a
default of 2000.
You can configure the following broadcast data for Eddystone UUID.
l Eddystone Namespace ID – A unique identifier assigned to some beacons in a network. This serves the same
purpose as the aforementioned iBeacon Major ID. The valid range is 1 -20 Hex digits, the corresponding ASCII
value is also displayed. You can enter the ID in ASCII format also using the ASCII link.
l Eddystone Instance ID - A unique identifier assigned to identify individual beacons. This serves the same
purpose as the aforementioned iBeacon Minor ID. The valid range is 1 - 12 Hex digits, the corresponding ASCII
value is also displayed. You can enter the ID in ASCII format also using the ASCII link.
Eddystone URL - The FortiAP broadcasts the configured URL as a beacon and the physical web or the latest Google
Chrome plugin picks up the beacon and renders the URL into a web page. The URL supports HTTP and HTTPS and
valid range is 1 -30 characters. The default is http://www.fortinet.com.
TX Power Level – Select a power level for the beacon’s transmit signal. The higher the power the greater will be the
range of your signal. The valid range is –21 dBm to +5 dBm with a default value of 0 dBm.
Beaconing Interval - Select the time interval at which the successive beacons transmit signals to associated devices,
that is, this sets the rate at which beacons advertise packets. The valid range is 40 -3500 milliseconds with a default of
100 milliseconds.
BLE Scanning – Enable scanning for BLE devices. This is disabled by default.
BLE Scan Report Interval – The interval to generate BLE scan report. The valid range is 10 – 3600 seconds with a
default value of 30 seconds.

Enabling Distributed Automatic Radio Resource Provisioning

(DARRP)

The presence of neighbouring APs or other devices operating in the same frequency range as your access point, can
lead to interference on the configured channel. This may affect the WiFi experience for your network user.
The DARRP feature automatically and periodically selects the optimal channel for your access point by measuring
utilization and interference on the available channels. The channel selected is best suited for wireless communications.
This is especially useful in large-scale deployments where multiple access points have overlapping radio ranges.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 66

Configuring Basic DARRP

Basic DARRP configuration is enabled by default.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click Network.
4. Enable DARRP optimization for your network. Configure the following parameters.
l Optimize Timer - Configures the timer interval for DARRP optimization. The default is 10 minutes and the
valid range is 10 - 1440 minutes.
l Optimize Schedule - Configures One Time or Recurring schedules. One time schedule initiates DARRP
optimization only once on a particular day and time. Recurring schedule initiates and repeats DARRP
optimization on specific days and time of the week. A maximum of 4 schedules can be created for both types.
l Optimize Now - Manually initiates DARRP optimization. This operation occurs irrespective of the configured
timer or schedule.

Configuring Advanced DARRP

Advanced DARRP configuration uses various additional parameters to perform DARRP optimization and accurate
channel planning. It integrates data from channel utilization and takes into consideration the neighbour AP channel
configuration and non-WiFi interference sources. The DARRP profile must be applied per radio in the Platform profile.
Notes:
l Supported on FortiAP version 6.4.2 or higher.
l Spectrum analysis and channel utilization features are used. FortiAP Cloud uses spectrum analysis in the scan
only mode and restores it's original configuration when DARRP is disabled.
l FortiAP Advanced Management License is required for this feature.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click DARRP Profile.
4. Click Add Profile and configure the following parameters.

Profile Name A unique DARRP Profile name. Valid range is 1 - 36 characters.

Description Any remarks/notes specific to the profile. The valid range is 0 – 255 characters.

Selection Period The time period to measure average channel load, noise floor, spectral RSSI.
The valid range is 0 to 65535 seconds and the default is 3600 seconds.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 67

Monitor Period The time period to measure average transmit retries and receive errors. The valid
range is 0 to 65535 seconds and the default is 300 seconds.

Managed AP Weight The weight in DARRP channel score calculation for managed APs. The valid
range is 0 to 2000 and the default is 50.

Rogue AP Weight The weight in DARRP channel score calculation for rogue APs. The valid range is
0 to 2000 and the default is 10.

Noise Floor Weight The weight in DARRP channel score calculation for noise floor. The valid range is
0 to 2000 and the default is 40.

Channel Load Weight The weight in DARRP channel score calculation for channel load. The valid range
is 0 to 65535 and the default is 20.

Spectral RSSI Weight The weight in DARRP channel score calculation for spectral RSSI. The valid
range is 0 to 2000 and the default is 40.

Weather Channel Weight The weight in DARRP channel score calculation for weather channels. The valid
range is 0 to 2000 and the default is 1000.

DFS Channel Weight The weight in DARRP channel score calculation for DFS channels. The valid
range is 0 to 2000 and the default is 500.

AP Threshold Threshold to reject channel in DARRP channel selection phase 1 due to

surrounding APs. Integer value from 1 to 500 (default = 250)

Noise Floor Threshold Threshold in dBm to reject channel in DARRP channel selection phase 1 due to
noise floor. dBm (-95 to -20, default = -85)

Channel Load Threshold The threshold to reject a channel in DARRP channel selection phase 1 due to
channel load. The valid range is 0 to 100% and the default is 60%.

Spectral RSSI Threshold The threshold to reject a channel in DARRP channel selection phase 1 due to
spectral RSSI. The valid range is -95 dBm to -20dBm and the default is -65 dBm.

Tx Retries Threshold The threshold for transmit retries to trigger channel reselection in DARRP monitor
stage. The valid ranges is 0 to 1000% and the default is 300%.

Rx Errors Threshold The threshold for receive errors to trigger channel reselection in DARRP monitor
stage. The valid range is 0 to 100% and the default is 50%.

Include Weather Channel To enable or disable the use of weather channels in DARRP channel selection.
This is disabled by default.

Include DFS Channel To enable or disable the use of DFS channels in DARRP channel selection. This
is disabled by default.

Adding AP tags

When you configure a wireless network (SSID), you decide whether the SSID is available to all APs or to a certain groups
of APs. A group of APs is formed by assigning the same tag to them. For example, if there are 10 APs in your AP

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 68

network, you could create 2 AP groups based on AP model or by their physical location.
Use AP tags to control which SSIDs to broadcast on a group of FortiAP devices.

Procedure steps

1. In the Menu bar, click Configure.

2. In the Navigation pane, click AP Tags.
3. Near the top-right corner, click Add AP Tag.
4. Type a name and description.
5. To save the AP tag, click Apply.
6. You can assign AP tags to an AP when you perform the Activating/Deactivating a FortiAP device on page 39
procedure.

Configuring MAC access control and MAC filtering

FortiAP Cloud supports the configuration of station MAC addresses to allow those stations to access wireless networks.
This is called an access control list (ACL). Only Allow ACL is currently supported (Deny ACL is not supported).

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to import MAC addresses.
2. In the Menu bar, click Configure.
3. In the Navigation area, click MAC Access Control.
4. Click Import.
5. Add the MAC addresses. Separate each address with a comma. An import can include a maximum of 10,000
MAC addresses (records).
6. Review the summary. If you want to make changes, click Back.
7. To import the MAC addresses, click Submit.
A dialog box displays a status message. Here is an example: Import 2 records successfully.
8. To close the dialog box, click OK.
9. When adding an SSID to an FortiAP network, make sure to select MAC Access Control.

Exporting ACL list

Use this procedure to export all MAC addresses as an access control list (ACL) text file.

Prerequisites

Complete the importing MAC addresses procedure in Configuring MAC access control and MAC filtering.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 69

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that has the MAC addresses to export.
2. In the Menu bar, click Configure.
3. In the Navigation bar, click MAC Access Control.
4. Click Export All.
5. Complete the instructions on the screen to open or save the text file.

Adding an L3 Firewall Profile

Layer 3 Firewall rules provide granular access control of client traffic in your wireless network. An L3 Firewall profile
allows or denies traffic between wireless clients based on the configured source and destination IP addresses/ports and
specific protocols. The L3 Firewall profile must be assigned to an SSID profile.
Notes:
l The maximum number of rules allowed per profile are to 64.
l FortiAP Advanced Management License is required for this feature.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to create the L3 Firewall profile.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click L3 Firewall Profile.
4. Click Add Profile.
5. Complete the following fields:

Name A unique L3 Firewall Profile name. Valid range is 1 - 32 characters.

Rule ID A unique rule identifier. The L3 Firewall rules are sorted and processed in the
ascending order of the rule IDs, that is, starting from the lowest rule ID. The
valid range is 1 - 65535 and a rule ID cannot be modified.
Note: It is recommended to have a buffer between rule IDs to facilitate
creating new rule IDs in future.

Enabled Select to enable or disable the rule.

Comment Any remarks/notes specific to the rule. The valid range is 0 – 255 characters.

IP Version Select the IP rule type. You can create IPv4 or IPv6 rules based on your
network requirements.

Policy Select the policy action for the rule. Wireless traffic can be allowed or denied
based on the configured rule.

Protocol Select the protocol type to apply the rule. The protocol types are defined
based on the Internet Assigned Numbers Authority (IANA) categorization. The
valid range is 0 – 255.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 70

Source Address Specifies the source IP address to match the rule. You can select Any to
specify all networks, Local LAN IP addresses, or Specify an IP address and
the optional netmask length with a valid range of 0 – 32.

Source Port Specify the source port to match the rule. This can be a single port, port
range, multiple comma-separated ports, or any denoted by a 0. The valid
range is 0 – 65535.

Destination Address Specifies the destination IP address to match the rule. You can select Any to
specify all networks, Local LAN IP addresses, or Specify an IP address and
the optional netmask length with a valid range of 0 – 32.

Destination Port Specify the destination port to match the rule. This can be a single port, port
range, multiple comma-separated ports, or any denoted by a 0. The valid
range is 0 – 65535.

Adding a QoS profile

When you add an SSID to a FortiAP network, you can assign a quality of service (QoS) profile to that SSID. The QoS
profile helps to set up different QoS parameters for voice, video, data wireless networks, or guest/employee wireless
networks.
FortiAP Cloud transfers the QoS configuration parameters to each FortiAP, which then interprets the values and
enforces the QoS.

Prerequisites

Complete the Adding a FortiAP network to FortiAP Cloud on page 19 procedure.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add the QoS profile.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click QoS Profile.
4. Click Add QoS Profile.
5. Complete the following fields:

Name The name you want to give to the QoS profile.

Comment A description of the QoS profile or any other text for this profile. This field is
optional.

Uplink The maximum uplink bandwidth for each FortiAP radio, defined by the SSID.
Here is an SSID example (with two radios) and an uplink value of 100000 Kbps:
l 10 stations are connected to the Guest SSID on 2.4 GHz (radio 1): The total
maximum uplink bandwidth of the stations connecting to that Guest SSID is
100000 Kbps.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 71

l 20 stations are connected to the Guest SSID on 5 GHz (radio 2): The total
maximum uplink bandwidth of the stations connecting to that Guest SSID is
100000 Kbps.
The range is from 0 to 2097152 Kbps (or approximately 2 Gbps). The default is 0,
which means there is no restriction.

Downlink The maximum downlink bandwidth for each FortiAP radio, defined by the SSID.
Here is an SSID example (with two radios) and a downlink value of 100000 Kbps:
l 10 stations are connected to the Guest SSID on 2.4 GHz (radio 1): The total
maximum downlink bandwidth of the stations connecting to that Guest SSID is
100000 Kbps.
l 20 stations are connected to the Guest SSID on 5 GHz (radio 2): The total
maximum downlink bandwidth of the stations connecting to that Guest SSID is
100000 Kbps.
The range is from 0 to 2097152 Kbps. The default is 0, which means there is no
restriction.

Station Uplink The maximum uplink bandwidth for each station in the SSID.
The range is from 0 to 2097152 Kbps. The default is 0, which means there is no
restriction.

Station Downlink The maximum downlink bandwidth for each station in the SSID.
The range is from 0 to 2097152 Kbps. The default is 0, which means there is no
restriction.

Burst When you enable the burst parameter on the SSID, the first couple of packets have
a large buffer to upload and download after the station connects. After that, the
station traffic returns to normal.
By default, the Burst checkbox is unselected.

WMM QoS WiFi Multi-Media (WMM) enables priority marking of data packets from
different applications and preserving these markings by translating them into DSCP
values when forwarding them upstream and downstream. The priority is set
between four access categories; voice, video, best effort, and background.
The applications that require improved throughput and performance are inserted in
queues with higher priority. WMM maintains the priority of these applications over
others which are less time critical.
You can customize the priority markings for various traffic types and apply these
changes to WMM-enabled SSID profiles. All configurations are disabled by default.
Note: This feature is supported with FOS 6.2.0 and above and requires a FortiAP-S
or FortiAP-W2 device.
l WMM UAPSD: The Unscheduled Automatic Power Save Delivery (UAPSD)
enables the power save mechanism.
l Call Admission Control: Enable this option to regulate voice traffic. Specify
the Call Capacity, the maximum number of concurrent VoIP calls allowed.
The valid range is 0 – 60 and default is 10.
l Bandwidth Admission Control: Enable this option to limit traffic bandwidth
usage. Specify the Bandwidth Capacity, the bandwidth usage per second.
The valid range is 0 – 600000 kbps and default is 2000 kbps.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 72

Configure the Call Admission Control and Bandwidth Admission Control

parameters when creating a Platform profile.
Specify the appropriate DSCP values for downstream (LAN to WLAN) traffic. You
can map one or more (up to 16) DSCP values into the following access categories.
For example, DSCP values 48 and 56 (and even other non-standard values used in
your network) can be mapped into the WMM access category - Voice.
l DSCP Voice Mapping: DSCP mapping for the voice traffic.
l DSCP Video Mapping: DSCP mapping for the video traffic.
l DSCP Best Effort Mapping: DSCP mapping for the best-effort traffic.
l DSCP Background Access Mapping: DSCP mapping for the background
traffic.
Specify the appropriate DSCP values for upstream (WLAN to LAN) traffic. You can
mark the following access categories with appropriate DSCP values. For example,
DSCP value 48 can be used to mark the WMM access category - Voice.
l DSCP Voice AC: DSCP mapping for the voice traffic.
l DSCP Video AC: DSCP mapping for the video traffic.
l DSCP Best Effort AC: DSCP mapping for the best-effort traffic.
l DSCP Background AC: DSCP mapping for the background traffic.

6. To complete the addition of the QoS profile, click Apply.

Creating a FortiAP Cloud group and users

Perform this procedure to use a FortiAP Cloud group and users as the RADIUS setting when you configure an SSID with
WPA-2 Enterprise authentication. As part of user group configuration, you can assign VLAN IDs, especially useful for
when assigning users to different networks without requiring multiple SSIDs.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add the group.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click FortiAP Cloud User/Group.
4. Click Group.
5. Click Add Group.
6. Complete the following fields:

Group ID Type the ID for this group, up to a maximum of 16 characters in length.

Description Type a description for this group.

VLAN ID The VLAN ID for this group.

7. Click Apply.
8. Click User.
9. Click Add user.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 73

10. Complete the following fields:

User ID Type the ID for this user, up to a maximum of 64 characters in length.

Full name Type the full name for this user.

Password Type the password associated with this user.

VLAN ID The VLAN ID for this group.

Email address Type the email address for this user.

Re-type Email
Groups Select the group you want this user to be added to.

11. Click Apply.

Adding a FortiAP Cloud guest

Use this procedure to add a single guest or multiple guests in FortiAP Cloud.

Prerequisites

Add a guests SSID. For details, see procedure.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add the guest.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click FortiAP Cloud User/Group.
4. Click Guest.
5. Click Add Guest.
6. If you want to add multiple guests, click the Multiple Guest checkbox.
7. Complete the fields.
8. To complete the addition of guests, click Apply.

Adding a FortiAP Cloud guest manager

Use this procedure to add a guest manager in FortiAP Cloud.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add the guest manager.
2. In the Menu bar, click Configure

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 74

3. In the Navigation pane, click FortiAP Cloud User/Group.

4. Click Guest Manager.
5. Click Add Guest Manager.

Make sure to type an email address that the FortiAP network configuration is not already
using.

6. Complete the fields.

7. To add the guest manager, click Submit.

Adding a RADIUS server

Perform this procedure to add a RADIUS server to a FortiAP network and then use this server to authenticate wireless
clients.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add the RADIUS server.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click My RADIUS server.
4. Click Add My RADIUS Server.
5. Complete the following fields:

Name Type a name for My RADIUS Server.

NAS IP Type the IP address of the network access server (NAS).

This field is optional.

Primary server name/IP Type the server name or IP address of the primary RADIUS server.

Primary server secret Type the secret key of the primary RADIUS server.

Secondary server name/IP Type the server name or IP address of the secondary RADIUS server.
This field is optional.

Secondary server secret Type the secret key of the secondary RADIUS server.
This field is optional.

Server port If the RADIUS server is not using the default port, then type the server port.
The default is 1812.

CoA Status Enable Change of Authorization (CoA) to allow the RADIUS server to adjust
active client sessions. The AP disconnects user sessions when it receives a
Disconnect-Request from the RADIUS server.

6. To complete the addition of the RADIUS server, click Apply.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 75

Adding a Tunnel profile

When you add an SSID to a FortiAP network, you can assign a generic routing encapsulation (GRE) tunneling or a Layer
2 Tunneling Protocol (L2TP) profile to that SSID. The configured GRE tunnel profile encapsulates data traffic from
wireless and wired clients between the FortiAP and a GRE concentrator, for example, a router.

The configured L2TP profile allows Internet Service Providers (ISP) to enable VPN services using an encryption protocol.
Traffic is encrypted within the tunnel that is established between the FortiAP and an L2TP access concentrator.
Note: You cannot delete a tunnel profile if it is being used by an SSID.

Prerequisites

Complete the Adding a FortiAP network to FortiAP Cloud on page 19 procedure.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add the tunnel profile.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click tunnel Profile.
4. Click Add Tunnel Profile.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 76

5. Complete the following fields:

Name Enter a unique name for the tunnel. The name can be from 1 to 32 characters.

Tunnel Type Select GRE or L2TP as the tunnel type.

Tunnel IP address Enter the IP address of the Wireless Access Gateway (WAG), the tunnel remote
end. Only IPv4 address format is supported.

Tunnel Port Enter the tunnel port when using L2TP.

Configure the following fields to monitor the tunnel.

Ping interval Enter the frequency at which ping requests are sent to check the status of the
tunnel. The valid range is 1 – 65535 seconds; default is 1 second.

Ping number Enter the number of ping requests sent at the configured interval. The valid range is
1 – 65535; default is 5.

Recv pkt timeout Enter the duration for which the devices wait for the ping response; after this the
ping request times out. The valid range is 1 – 65535 seconds; default is 160
seconds.

DHCP Server IP Optionally, enter the DHCP server IP address.

Address

6. To complete the addition of the tunnel profile, click Apply.

Adding a Schedule Profile

This feature allows each Multiple PSK entry to have its own availability schedule based on different time periods. The
defined schedule profile is referred to by the Multiple PSK entries in the SSID profile.
Notes:
l Maximum number of profiles allowed is1024 and each profile can have 1 - 40 schedules.
l Schedule profiles cannot be deleted when used by a Multiple PSK in the SSID.
l Date and time are scheduled as per the FortiAP network timezone.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to create the Schedule profile.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click Schedule Profile.
4. Click Add Profile.
5. Complete the following fields:

Name A unique name for the profile/schedule. The valid range is 1 – 36 characters.

Comment Any remarks/notes specific to the profile/schedule. The valid range is 0 – 255
characters.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 77

Type Each individual schedule is either One-Time or Recurring. One-Time

schedules have absolute start and stop date/time and they expire after the
configured period.
Recurring or repetitive schedules have start/stop time for selected days of the
week and they never expire. When the All Day option is selected, the
schedule applies to all days of the week with the start and stop time set to
00:00. Disable the All Day option to select specific week days and modify the
start and stop time.
Note: The schedule Type cannot be modified after the profile is created.

Editing the FortiAP network time zone

Use this procedure to edit the time zone of a FortiAP network.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation page, click Network.
4. Locate the AP Network Info section.
5. In the Time Zone drop-down list, select the time zone.
6. Click Apply.
7. Verify the updated time zone:
a. Go back to the FortiAP Cloud Home page.
b. Locate the FortiAP network that you selected in step 1.

c. Click Config and then click Locale.

d. Make sure that the Locale dialog displays the updated time zone.
e. Click Close.

Enabling FortiAP network alerts

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click Network.
4. Locate the AP Network Alert section.
5. If you want to use the email associated with the FortiAP Cloud account, click Use Account Email. Otherwise, in
the Send alerts via email to field, type an email address.
6. Click Apply.

FortiAP Cloud User Guide Fortinet Technologies Inc.

 Configuration 78

Editing radio scan settings

Use this procedure to change the following radio scan settings:

l editing background scan interval (in seconds)
l disabling background scan
l enabling passive scan mode (no probe)

Prerequisites

To use the radio scan settings, make sure to enable one of the following platform profile settings:
l Automatic TX Power Control
l Radio Resource Provision
l Rogue AP Scan
For details about the platform profile, see the Adding a FortiAP platform profile on page 63 procedure.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click Network.
4. In the Radio Scan section, complete the updates.
5. Click Apply.

Editing timeout settings for idle client and captive portal user
authentication

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click Network.
4. In the Timeout section, complete the updates.
5. Click Apply.

Enabling Duplicate SSID

A duplicate SSID bears the same wireless network SSID as another original SSID. The duplicate SSID can have
different configurations and can be deployed on different APs/AP groups (AP tags).
Consider an example of an organization where an original SSID Staff is configured on AP Group 1 located at the
company headquarters. The duplicate SSID Staff is configured on AP Group 2 located at the company branch. Both

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 79

these SSIDs have different configurations, such as, VLANs, QoS, and so on. A wireless client moving from the
headquarters (AP Group 1) to the branch (AP Group 2) seamlessly transitions from the original SSID Staff to the
duplicate SSID Staff and is now governed by the configurations of the duplicate SSID.
The OID of the duplicate SSID is displayed for easy identification.

Note: The original and duplicate SSIDs must NOT be deployed on the same AP. This may prevent the wireless client
from connecting to the desired SSID.
You must delete the duplicate SSIDs before disabling this feature.

Enabling Bonjour Relay

Bonjour is a protocol where devices broadcast their services. For example, an Apple TV sends a Bonjour broadcast, so
an iPad knows it is there and can connect to it.
With Bonjour Relay, you set the FortiAP-S device to operate with a service network (where the Apple TV is), and a client
network (where the iPad is). The FortiAP-S device re-transmits the Bonjour requests from the service network onto the
client network. The iPad can learn where the Apple TV is and create a session.
To set up Bonjour Relay, enter one or more services as Service VLAN and Client VLAN, along with a definition of the
service. For example, you may choose to only send the information about the Apple TV to a meeting room, and not to
the printer in reception. After you define these services, select the FortiAP that will perform the Bonjour Relay function.

Prerequisites

You must purchase a FAP Advanced Management License.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click Bonjour Relay.
4. Select the Enable Bonjour Relay checkbox.
5. To add the Bonjour Service:
a. Go to the Bonjour Service section and click the plus sign (+).
b. Complete the following fields:

Description Specify a name for the Bonjour Service.

Service VLAN Specify one or more VLAN ID where network services are running.
A valid VLAN ID is from 0 to 4094.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 80

APs support up to 32 VLAN entries.

To specify multiple entries, use a comma (,) or a dash (-).
For a full range, use "all". When you use "all", it counts as one entry.
For example, 1,2-5.

Client VLAN A valid VLAN ID is from 0 to 4094.

APs support up to 32 VLAN entries.
To specify multiple entries, use a comma (,) or a dash (-).
For a full range, use "all". When you use "all", it counts as one entry.
For example, all.

Services Select one or more Bonjour services that you want to advertise across the
FortiAP network.
To enable all services, select the all checkbox.

6. To save changes, click Submit.

7. To add a Bonjour Relay Gateway:
a. Go to the Bonjour Relay Gateway section and click the plus sign (+).
b. For each subnet, select only one AP as the Bonjour Relay Gateway.
c. To save changes, click Submit.

Enabling FortiPresence

FortiPresence is a secure and comprehensive data analytics solution designed to provide presence and positioning
analytics for user traffic. By capturing analytics of consumer traffic patterns, businesses can learn more about their
customers.
For location analytics, the FortiAP uses a Push API to communicate with FortiPresence.

How it works

1. Smartphone emits a Wi-Fi probe signal, even if it is in the visitor’s pocket and not connected to the Wi-Fi network.
2. FortiAP captures the MAC address and signal strength information from the smartphone.
3. FortiAPCloud managed AP summarizes and forwards the data records directly to FortiPresence.
4. FortiPresence service receives data.
5. FortiPresence analytics engine processes and correlates the data.
6. Data is displayed in the analytics dashboard in an actionable format.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 81

Prerequisites

l Access your FortiPresence account UI and navigate to Admin > Settings > Discovered APs to retrieve the
following parameters:
l Project Name
l Project Secret Key
l Location Server IP
l Port
l For FortiPresence configuration details, see the following sections in the FortiPresence Administration Guide:
l Configuring location services
l Configuring captive portal

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network that you want to edit.
2. In the Menu bar, click Configure.
3. In the Navigation pane, click FortiPresence.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 82

4. Complete the following fields:

Mode Select one of the following options to enable FortiPresence:

l Foreign Channels Only: With this setting AP will only listen to clients
on foreign channels when doing background scan. It will not listen to
clients associated to other APs running on its home (or operating)
channel to preserve associated clients traffic.
l Foreign and Home Channels: AP will also listen to connected clients
associated to other APs on its home channel. This is useful for
FortiPresence, but can negatively impact AP performance when AP is
serving clients.

Server IP Address Specify the IP address of the server. Copy the value from the FortiPresence
UI.
In the FortiPresence UI, the value is in the Location Server IP field.

UDP Listening Port Type UDP listening port. The default is 3000.
Copy the value from the FortiPresence UI. In the FortiPresence UI, the value
is in the Port field.

Project Name Specify a project name. Copy the value from the FortiPresence UI.
In the FortiPresence UI, the text is in the Project Name field.

Secret Password Type fortipresence. Copy the value from the FortiPresence UI.
In the FortiPresence UI, the password is in the Project Secret Keyfield.

Report Transmit Frequency Frequency at which each AP will report wireless client information to the
FortiPresence server.
The default is 30 seconds. The range is between 5 and 65535 seconds (or
approximately 18 hours).

Reporting of Rogue APs If you want FortiPresence to report rogue APs, select the checkbox.

Reporting of Unassociated If you want FortiPresence to report unassociated stations, select the
Stations checkbox.

5. Click Apply.

Viewing the history of configuration changes

You can view the history of FortiAP Cloud configuration changes.

Procedure steps

1. On the FortiAP Cloud Home page, select the FortiAP network.

2. In the Menu bar, click Configure.
3. In the Navigation pane, click Change History.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Configuration 83

4. The history of FortiAP Cloud configuration changes presents the following details:
l Time
l Access IP
l User
l Email
l Category
l Action
l New Value vs Old Value
You can optionally filter these entries by the following time periods:
l Last 60 Minutes
l Last 24 Hours
l Last 7 Days
l Last 30 Days
l Specify

FortiAP Cloud User Guide Fortinet Technologies Inc.

Logs

This section includes the following FortiAP Cloud log procedures:

l Displaying logs on page 84
l Exporting logs on page 84

Displaying logs

Yo can view logs related to FortiAP Cloud features. The logs can be filtered using the AP sites created during
deployment based on the AP location.
1. In the Menu bar, click Logs.
2. In the Navigation pane, select one of the following categories:
l Wireless Logs
l AntiVirus Logs
l Botnet Logs
l IPS Logs
l Web Access Logs
l Application Control Logs

Exporting logs

Use this procedure to export logs to a comma-separated values (CSV) file.

Procedure steps

1. In the Menu bar, click Logs.

2. In the Navigation page, select one of the following categories:
l Wireless Logs
l AntiVirus Logs
l Botnet Logs
l IPS Logs
l Web Access Logs
l Application Control Logs
3. Click Export.
The Export to CSV dialog opens.
4. In the Top drop-down list, select how many logs you want to export.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Logs 85

5. Click Apply.
The Opening <AP_network_name_and_date>.zip dialog opens.
6. Select to open or save the file.
7. Click OK.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Reports

This section includes the following FortiAP Cloud report procedures:

l Customizing an AP network summary report on page 86
l Scheduling an AP network summary report on page 87
l Managing AP network history reports on page 87
l Generating a PCI compliance report for an AP network on page 87

Customizing an AP network summary report

Use this procedure to customize an AP network summary report, and its various sections and sub-sections.

Procedure steps

1. In the Menu bar, click Reports.

2. In the Navigation pane, click Summary Report.

If you want to Then

Change the summary report

settings 1. Click Settings.
2. You can add a logo, change the language, and enable or disable the
generation of an empty report.
3. To save changes, click Submit.
Customize a section
1. Go to the section that you want to customize and click
2. Select one of the following action:
a. Add Chart
b. New Section Title
c. New Report Block
d. Reset Report
3. Follow the onscreen instructions.

Customize a sub-section
1. Click Edit.
2. You can change the sub-section title and add filters.
3. To save and apply the changes, click Run.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Reports 87

Scheduling an AP network summary report

Use this procedure to schedule when you want to receive an AP network summary report by email.

Procedure steps

1. In the Menu bar, click Reports.

2. In the Navigation pane, click Summary Report.
3. Click Schedule.
4. Select the frequency (Daily, Weekly, or Monthly).
5. To receive summary reports by email, select Email To and type an email address.
6. To access a summary report, go to the Navigation pane and click History Reports.

Managing AP network history reports

Use this procedure to view, download, send by email, and delete AP network history reports.

Procedure steps

1. In the Menu bar, click Reports.

2. In the Navigation pane, click History Reports.
3. Hold the pointer over the report that you want to access.

If you want to Click

View the report

Download the report

Send the report by email

Delete the report

Generating a PCI compliance report for an AP network

Use this procedure to answer questions about AP network settings for compliance with the Payment Card Industry Data
Security Standard (PCI DSS) 3.0.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Reports 88

Procedure steps

1. In the Menu bar, click Reports.

2. In the Navigation pane, click PCI Report.
3. Review and answer questions.
4. To generate a PCI report, click Run Report.
The generated PCI compliance report opens.
5. To save the report, scroll to the right and click Save Report.
6. To return to the list of questions, scroll to the right and click Back to Questionnaire.
7. To access previously saved reports, click Saved Reports.

FortiAP Cloud User Guide Fortinet Technologies Inc.

REST API 89

REST API

REST (REpresentational State Transfer) is a modern, scalable (but not high performance) client-server based RPC
technique using existing HTTP protocol methods (such as GET, POST, PUT, DELETE) on server resources (identified
by URLs) and transferring the resources in either XML / JSON / HTML representation.
FortiAP Cloud REST API provides functions similar to its GUI functions, both configuration and monitoring are
supported over REST API.
For details about REST API, see the FortiAP Cloud REST API User Guide in the Fortinet Developer Network (FNDN).

FortiAP Cloud User Guide Fortinet Technologies Inc.

Frequently asked questions

This section includes the following frequently asked questions (FAQ) about FortiAP Cloud: 
l What subscription do I need to buy to enable FortiAP Cloud? on page 90
l What happens if my paid FortiAP Cloud subscription expires? on page 90
l What FortiAP models does FortiAP Cloud support? on page 90
l How many FortiAP devices can my FortiAP Cloud account manage? on page 90
l How do I add my FortiAP device to my FortiAP Cloud account? on page 91
l What happens if my FortiAP device loses connection with FortiAP Cloud? on page 91
l Does my internal networking and wireless traffic get sent to FortiAP Cloud? on page 91
l Do I need to use FortiGate with FortiAP Cloud? on page 91
l Can FortiAP devices be managed by FortiAP Cloud and work with FortiPresence? on page 92

What subscription do I need to buy to enable FortiAP Cloud?

There is no subscription required to use your FortiAP with FortiAP Cloud. If you want to unlock enterprise configuration
capabilities, FortiPresence Paid Tier, and one-year of log retention, then you can purchase a FortiAP Cloud license
which also includes technical support.
For more information, see FortiAP Cloud subscription details on page 8.

What happens if my paid FortiAP Cloud subscription expires?

If you are currently subscribed to the paid FortiAP Cloud subscription and allow your license to expire, your network will
continue to operate. However, your access to service capabilities will be limited to the free service.

What FortiAP models does FortiAP Cloud support?

FortiAP Cloud supports all FortiAP, Compact FortiAP (FortiAP-C), Smart FortiAP (FortiAP-S), and Universal FortiAP
(FortiAP-U) models.

How many FortiAP devices can my FortiAP Cloud account manage?

There is no limit for the number of FortiAP devices that a FortiAP Cloud account can manage.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Frequently asked questions 91

How do I add my FortiAP device to my FortiAP Cloud account?

For details about adding a FortiAP device to a FortiAP Cloud account, see one of the following procedures, as
applicable:
l Adding a FortiAP device to FortiAP Cloud with a key on page 17
l Adding a FortiAP device to FortiAP Cloud without a key on page 17

What happens if my FortiAP device loses connection with FortiAP

Cloud?

If your FortiAP device loses connection with FortiAP Cloud, or in the unlikely event that the FortiAP Cloud service is
unavailable, then all functions which are not hosted in FortiAP Cloud continue to work without interruption. FortiAP
locally stores the configuration which continues to function.
Open, WPA2 Personal, and WPA2 Enterprise (with 802.1X RADIUS authentication) SSIDs that are not using FortiAP
Cloud-hosted authentication (such as the ones using a local RADIUS server or local captive portal) continue to work
uninterrupted.
Functions of the following SSIDs with authentication in FortiAP Cloud are disrupted:
l FortiAP Cloud-hosted captive portals
l FortiAP Cloud external captive portals
l FortiAP Cloud user groups

Does my internal networking and wireless traffic get sent to FortiAP

Cloud?

No. Fortinet uses an out-of-band management architecture, meaning that only management data flows through the
FortiAP Cloud infrastructure. No user traffic passes through Fortinet data centers. Your data stays on your network.

Do I need to use FortiGate with FortiAP Cloud?

No. Fortinet recommends you register your FortiAP devices to be directly managed by FortiAP Cloud. You do not need
to use a FortiGate device as a proxy to manage FortiAP devices from FortiAP Cloud.
If you want to cloud-manage FortiAP devices in an environment that includes FortiGate, then use FortiGate Cloud
instead of FortiAP Cloud.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Frequently asked questions 92

Can FortiAP devices be managed by FortiAP Cloud and work with

FortiPresence?

Yes. FortiAP devices can be managed by FortiAP Cloud and work with FortiPresence. For configuration details, see
Enabling FortiPresence on page 80 and FortiPresence documentation.

FortiAP Cloud User Guide Fortinet Technologies Inc.

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.