0% found this document useful (0 votes)

374 views478 pages

NSE7 - LAN Edge FortiGate 7.0 - Study Guide

Uploaded by

hedilon740

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

374 views478 pages

NSE7 - LAN Edge FortiGate 7.0 - Study Guide

Uploaded by

hedilon740

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 478

DO NOT REPRINT

LAN Edge
Study Guide
for FortiGate 7.0
DO NOT REPRINT
© FORTINET
Fortinet Training

https://training.fortinet.com

Fortinet Document Library

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Feedback

Email: [email protected]

3/16/2022
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 LDAP and RADIUS 4

02 Certificate-Based Authentication 58
03 RADIUS and Syslog Single Sign-On 99
04 Centralized Management 151
05 FortiSwitch 202
06 Port Security 253
07 Integrated Wireless 295
08 Guest Access 355
09 Enhanced Wireless 391
Solutions 459
LDAP and RADIUS

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to configure and troubleshoot LDAP and RADIUS authentication on
FortiGate. You will also review some FortiAuthenticator basics.

LAN Edge 7.0 Study Guide 4

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in remote authentication and FortiAuthenticator, you will be able to understand
and troubleshoot LDAP bind flow and RADIUS query flow, and integrating FortiAuthenticator with FortiGate.

LAN Edge 7.0 Study Guide 5

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

In this section, you will learn about LDAP.

LAN Edge 7.0 Study Guide 6

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

To begin, you will review the LDAP protocol.

The hierarchy of an LDAP schema does not need to resemble the organizational hierarchy. However, the
naming conventions and group structure usually match the company name and organizational hierarchy very
closely.

At the top of the LDAP schema is the root, or DC. This is where an LDAP tree always starts, in any schema.

Next, the groups (or branches) are defined using CN or OU. The exact behavior and options used depend on
the schema and what is being defined. Branches may contain objects, and each object contains attributes.
Objects are uniquely identified by their distinguished names (DNs). The full DN specifies where the object is,
and the name and value of an attribute that can be used to find it.

LAN Edge 7.0 Study Guide 7

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

There are three different methods, or bind types, a FortiGate can use to access an LDAP server: simple,
anonymous, and regular. In this lesson, you will learn about simple and regular binds.

A simple bind works as long as all accounts are in the same branch of the LDAP tree. The Distinguished
Name field defines the scope of the LDAP lookup. For example, if your distinguished name is set to ou=it,
ou=france, dc=trainingad, dc=training, dc=lab, only the users found under IT > France will be
able to authenticate. However, you will not be able to authenticate the users under any of the other containers.

In the example shown on this slide, Common Name Identifier is set to cn. As a result, the DN of the LDAP
queries will have the form cn=id, ou=it, ou=france, dc=trainingad, dc=training, dc=lab, where id refers to the
user being authenticated.

LAN Edge 7.0 Study Guide 8

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

When you use simple bind flow, FortiGate sends a bind request for the user who wants to authenticate with
the LDAP server. If the authentication is successful, the server responds to FortiGate with a Bind Response
Success message.

LAN Edge 7.0 Study Guide 9

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

This slide shows a summary of how to correctly configure regular bind for Windows AD. A different type of
LDAP server might require a different approach.

First, the Common Name Identifier is usually either cn or sAMAccountName. If you set it to cn, users must
authenticate using their full names (for example, John Smith). If you set it to sAMAccountName, users must
authenticate using their login names (for example, jsmith).

You can determine the Distinguished Name by querying the user DNs with the Windows AD command
dsquery.

You can determine the Username by querying the administrator DN with the same Windows AD command
dsquery.

Finally, the Password setting is the LDAP administrator password.

LAN Edge 7.0 Study Guide 10

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Regular bind is the most complex, versatile, and commonly used method. You complete LDAP authentication
using regular bind in four steps:

1. FortiGate logs in to (binds to) the LDAP server, using an administrator account. After this step, FortiGate
knows only the username. It doesn't know the branch where the user is located.
2. FortiGate performs a search query in the LDAP database to locate the user. In other words, to find the
user's DN. If the user is found, the server replies with the user DN. Then, FortiGate logs out of (unbinds
from) the LDAP server.
3. FortiGate binds to the LDAP server again, using the user credentials this time. It sends the DN it learned
in step 2, along with the password.
4. FortiGate gets the user attribute and group information. The method it uses for this depends on the type of
LDAP server, but it's usually an LDAP query.

When isolating an LDAP problem, you must first identify which of these four steps is failing.

LAN Edge 7.0 Study Guide 11

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Most LDAP authentication problems are caused by misconfigurations, which usually happen in one of the
following LDAP settings:

• Common Name Identifier

• Distinguished Name
• Username
• Password

Authentication problems most commonly occur on LDAP servers based on Windows AD. In this lesson, you
will verify if the regular bind LDAP configuration on such a server is correct.

LAN Edge 7.0 Study Guide 12

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

How do you check if the distinguished name is correct? You can run either of the following two commands at
the Windows AD server command prompt:

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Change state to 'User Binding' indicates the third step in the regular bind. In this step, FortiGate
requests authentication for user John Smith, and User Bind resp indicates the reply from the LDAP
server. If user authentication is successful, the process moves on to the last step of the process.

LAN Edge 7.0 Study Guide 20

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

The last step in the regular bind process is attribute and group query. In this example, FortiGate queries the
memberOf attribute from the LDAP server, and the LDAP server replies with the information.

LAN Edge 7.0 Study Guide 21

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Next, is the Primary group query of the authenticating user. The server responds with the primary group
of the user, which FortiGate binds to the user. This completes the steps in the LDAP regular bind process.
SUCCESS indicates that authentication was successful and FortiGate now has all of the required information
for the authenticated user.

LAN Edge 7.0 Study Guide 22

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

If there is a problem with either step 1 (admin bind) or step 3 (user bind), you can sniff the traffic between
FortiGate and the LDAP server to get the error code. Error codes provide an explicit description of why the
bind is failing.

The table on this slide describes the codes returned by the Windows AD server.

LAN Edge 7.0 Study Guide 23

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Here are a few industry-standard LDAP result codes. During LDAP authentication, the LDAP server returns a
result code for both successful and unsuccessful authentication attempts, which can indicate why an
authentication attempt was unsuccessful. For unsuccessful authentication requests, this error code can be
used to understand why an authentication failed. To get the full list of LDAP result codes, review RFC 4511.

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Finally, the following error indicates a problem in step 4:

get_member_of_groups-attr=<attribute_name> found 0 values

The user credentials are correct, but no user group information was found.

In some LDAP implementations, the user group information is not an attribute of the user. Instead, the users
are listed as an attribute of the group. In these instances, you need to query the group of the user. There is
additional configuration that allows FortiGate to work with these implementations, but the debug does not
reflect this, in these cases. In these implementations, you can ignore this error.

LAN Edge 7.0 Study Guide 29

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

What should you do if the problem is in step 1 (admin bind not working)?

• Use the dsquery query to check the administrator DN

• Check the administrator password
• Sniff the error code coming from the server

What should you do if the problem is in step 2 (LDAP server could not find the user)?

• If the Common Name Identifier is set to sAMAccountName, the user must use the login name. If it is set
to cn instead, the user must use the full name.
• Check the Distinguished Name setting, using the dsquery command

LAN Edge 7.0 Study Guide 30

1. The server sends a challenge message to the client, which includes a challenge value.
2. The client responds with a one-way hash of the password and the challenge value combined (note that
the password itself is never actually sent).
3. The server also calculates the one-way hash using the stored user password and the challenge value
combined.
4. The server compares the calculated hash with the hash received from the client.

LAN Edge 7.0 Study Guide 33

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

You can use RADIUS attributes to provide information about a user or a user group. RADIUS attributes
configured at a user level can provide user-related information, such as IP addresses. Attributes configured at
the user-group level are used to provide information that is applied to all the users within the specified group.

Vendors use vendor-specific attributes (VSA) to extend the basic functionality of RADIUS. Each vendor uses
a unique VSA ID to transmit additional information, based on authentication success or failure. You must use
VSA dictionaries to understand the proprietary VSA attributes that are supplied by the RADIUS vendors.

LAN Edge 7.0 Study Guide 34

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Normal authentication queries with the RADIUS protocol begin with an Access-Request being sent from
FortiGate to the RADIUS server. Valid responses to this are Access-Accept and Access-Reject (yes and no,
respectively).

If two-factor authentication is enabled on the server, the server returns an Access-Challenge message, to
indicate it is looking for more information.

LAN Edge 7.0 Study Guide 35

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

When configuring the RADIUS server on FortiGate, you must provide the following information: Name,
Primary Server IP/Name, Primary Server Secret, and Authentication Method. When Authentication
Method is set to Default, FortiGate tries the different authentication schemes, starting with MSCHAP2,
CHAP, and then PAP. You can also type an IP address in the NAS IP field, if you want to send the
authentication request with the NAS-IP-Address or Called-Station-ID attribute attached to the
RADIUS Access-Request.

Note that MSCHAP is never used when the authentication method is set to Default. If you want to use only
MSCHAP as the authentication method scheme, you must specify MSCHAP manually.

LAN Edge 7.0 Study Guide 36

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

The diagnose test authserver radius-direct command is used to test the secret between the
RADIUS client and server.

It can be the first check that you run when diagnosing RADIUS issues, and can reduce troubleshooting time
significantly in many cases.

The RADIUS client is the FortiGate device here. There are two possible replies that you can see in the output,
as listed on this slide. It is important to note that Secret Invalid is only displayed if the RADIUS client is
an authorized client on the RADIUS server. If the RADIUS client is not authorized on the RADIUS server, you
receive a Server unreachable status message. This is because the RADIUS server does not respond to
requests sent by unauthorized RADIUS clients.

LAN Edge 7.0 Study Guide 37

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Similar to LDAP, there is a CLI test command for RADIUS.

When you use the CLI test command for RADIUS, you must provide not only the credentials for a test user,
but also the authentication scheme.

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

In this section, you will learn about FortiAuthenticator basics.

LAN Edge 7.0 Study Guide 42

LDAP and RADIUS

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Now, you will explore another benefit of adding FortiAuthenticator to your LAN edge solution.

If FortiGate is configured to authenticate clients using a remote LDAP server, VPN and wireless clients using
CHAP schemes are not able to authenticate. That is the case for wireless clients using PEAP/MSCHAP2 and
IPsec VPN clients with extended authentication (XAuth) and CHAP. The same applies for any other device or
application using CHAP, MSCHAP, or MSCHAP2 for authenticating against a FortiGate device that uses an
LDAP server as the back end.

The reason is that during CHAP, MSCHAP, and MSCHAP2 authentication, a client sends a one-way hash of
the password. However, the LDAP server, which is on the back end, is expecting the password itself.
FortiGate, which is acting as the LDAP client, does not have the client passwords, nor can it convert a hashed
password to a cleartext password.

LAN Edge 7.0 Study Guide 46

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Two possible methods that you can use to solve the CHAP and LDAP problem are:

• Use PAP: You must configure FortiGate to use PAP instead of CHAP when authenticating clients. This
approach is unsecure, because of the nature of the PAP protocol.
• Use RADIUS: Change your back-end server from LDAP to RADIUS.

If you are using Windows AD as your LDAP server, an alternative is to use FortiAuthenticator as an
authentication proxy. FortiAuthenticator would be located between FortiGate and the Windows server. You
must also configure FortiAuthenticator to log in to the Windows domain using the credentials of a Windows
administrator. This adds FortiAuthenticator as a trusted device on the Windows AD domain, allowing
FortiAuthenticator to proxy the password hash from the client to the Windows server, using NTLM.

LAN Edge 7.0 Study Guide 47

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

FortiAuthenticator can store the user database locally. It can also proxy authentication requests from a client
to a back-end authentication server.

Now, you will learn how to configure FortiAuthenticator to proxy authentication requests to a remote LDAP
server, which can be a Windows AD server.

You must configure the following settings: Name, Primary server name/IP, Base distinguished name, Bind
type and administrator Username and Password for regular bind type. Note that the Base distinguished
name sets the root node where LDAP starts searching for user accounts.

There are predefined LDAP templates you can select in the Server type section. They include default
attribute settings for well-known LDAP servers, such as Windows AD, OpenLDAP, and Novell eDirectory.

If you want FortiAuthenticator to relay CHAP, MSCHAP, and MSCHAPv2 authentication to a Windows AD
server, you must enable Windows Active Directory Domain Authentication and enter the credentials for a
Windows administrator. FortiAuthenticator logs in to the domain as a trusted device, allowing
FortiAuthenticator to proxy CHAP, MSCHAP, and MSCHAP2 authentication, using NTLM.

LAN Edge 7.0 Study Guide 48

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

The slide shows is an example of the configuration required for FortiAuthenticator to proxy authentication
requests to a remote RADIUS server.

LAN Edge 7.0 Study Guide 49

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

There are two ways you can add local users to FortiAuthenticator:
• Manually add users
• Import users from a comma-separated value (CSV) file or FortiGate configuration file

Note that FortiAuthenticator includes a self-service portal where users can register themselves.

You add remote LDAP and RADIUS users to FortiAuthenticator in different ways:
• For remote LDAP users, you must import users into the FortiAuthenticator user database from their remote
LDAP servers.
• For remote RADIUS users, you can create them based on a remote RADIUS server. You can migrate
remote RADIUS users to LDAP users, as well as edit and delete them. You can also flag remote RADIUS
users with the user role or administrator role.

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

The configuration example on this slide shows the Authentication type and Identity source sections.

The authentication type is set to Password/OTP authentication, which means that FortiAuthenticator
authenticates the user’s password and, if two-factor authentication is enabled for that user, FortiAuthenticator
also verifies the user’s one-time password (OTP).

The FortiAuthenticator RADIUS service also employs the concept of realms. Realms allow multiple domains
to authenticate to a single FortiAuthenticator device. Each realm is associated with a name, such as a domain
or company name, that is used during the login process to indicate the remote (or local) authentication server
on which the user resides. For example, if you are a service provider that hosts multiple domains and you
want each domain to have different permissions, you can set up a realm on FortiAuthenticator for each
domain. So even though each domain is using the same RADIUS client, realms allow you to control access
and permissions.

In the example shown on this slide, FortiAuthenticator expects the username to match the username@realm
format. In addition, there’s only one realm configured: local | Local users. In case the provided username
does not contain a realm portion, FortiAuthenticator uses the default realm configured in the policy. Because
the policy has only one realm configured, then that same realm becomes the default realm of the policy.

LAN Edge 7.0 Study Guide 54

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

The configuration example on this slide shows the Authentication factors and RADIUS response sections.

Every configured password and OTP factors means that FortiAuthenticator will verify all configured factors,
including regular and OTP passwords.

Finally, the RADIUS response section shows the different RADIUS attributes that are included in the
response to a successful or failed authentication request.

LAN Edge 7.0 Study Guide 55

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

Unlike FortiGate, FortiAuthenticator does not have real-time debug commands. Instead, you can access
extended logs for individual services. You can access the debug log page using the URL
https://<FortiAuthenticator_IP>/debug. You can use these logs to troubleshoot issues with
services running on FortiAuthenticator.

In the case of the debug logs for RADIUS authentication, there is the option of enabling debug mode, which
allows administrators to test RADIUS authentication using the credentials of a test user from the debug logs
window.

LAN Edge 7.0 Study Guide 56

LDAP and RADIUS

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure and troubleshoot LDAP and
RADIUS authentication on FortiGate.

LAN Edge 7.0 Study Guide 57

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to configure and troubleshoot certificate-based authentication.

LAN Edge 7.0 Study Guide 58

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in certificate-based authentication, you will be able to use and configure digital
certificates on FortiGate and FortiAuthenticator.

LAN Edge 7.0 Study Guide 59

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

In this section, you will review the basics of digital certificates.

LAN Edge 7.0 Study Guide 60

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

There are two basic techniques for encrypting information: symmetric encryption and asymmetric encryption.

Symmetric encryption uses a single key for encrypting and decrypting. This key is shared by the parties that
are exchanging encrypted information.

Asymmetric encryption uses a pair of keys. Both keys are mathematically related. One key is used for
encrypting the information. The other key is used for decrypting the information.

Hashes, on the other hand, are not encrypted information because they cannot be decrypted. A hash
algorithm generates an irreversible output from any input.

LAN Edge 7.0 Study Guide 61

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

Asymmetric cryptography, also known as public key cryptography, consists of a pair of keys that are
mathematically interrelated and perform inverse functions. Whatever is encrypted with one key can be
decrypted only with the other key. One key is made public (it can be distributed to others) and the other key is
private. In the example shown on this slide, the sender knows the recipient public key. So, the sender uses
the recipient public key to encrypt the information that is intended for the recipient only. Because the
information was encrypted using the recipient public key, it can be decrypted using only the recipient private
key, which only the recipient has. In this way, the sender ensures that only the intended recipient will be able
to decrypt the information.

LAN Edge 7.0 Study Guide 62

Certificate Operations

DO NOT REPRINT
© FORTINET

Now, you will learn more about the process of establishing an SSL session.

In the first step of the example shown on this slide, FortiGate connects to a web server that is configured for
SSL. In the initial hello message, the browser provides critical information that is needed to communicate with
the web server. This information includes the SSL version number and the names of the cryptographic
algorithms that it supports.

In the second step, the web server receives the message from FortiGate and chooses the first suite of
cryptographic algorithms included in the message, and verifies that it is also supported by the web server. The
web server replies with the chosen SSL version and cipher suite, and then sends its certificate to FortiGate.
Note that the certificate information is passed as cleartext over the public network. The information contained
in a certificate is typically public, so this is not a security concern.

In the third step, FortiGate validates the web server certificate. The checklist shown on this slide represents
the checks that FortiGate performs on the certificate to ensure that it can be trusted. If FortiGate determines
that the certificate can be trusted, then the SSL handshake continues.

LAN Edge 7.0 Study Guide 63

Certificate Operations

DO NOT REPRINT
© FORTINET

In the fourth step, FortiGate generates a value known as the premaster secret. FortiGate uses the server
public key, which is in the certificate, to encrypt the premaster secret. FortiGate then sends the encrypted
premaster secret to the web server. If a third-party intercepted the premaster secret, they would be unable to
read it, because they do not have the private key.

In the fifth step, the web server uses its private key to decrypt the premaster secret. Now, both FortiGate and
the web server share a secret value that is known by only these two devices.

LAN Edge 7.0 Study Guide 64

Certificate Operations

DO NOT REPRINT
© FORTINET

In the sixth step, both FortiGate and the web server derive the master secret based on the premaster secret.

In the seventh step, based on the master secret value, FortiGate and the web server generate the session
key. The session key is a symmetric key. It is required to encrypt and decrypt the data. Because both sides
have the session key, both sides can encrypt and decrypt data for each other.

In the eighth and final step before these two entities establish the secure connection, both FortiGate and the
web server send each other a summary (or digest) of the messages sent so far. The digests are encrypted
with the session key. The digests ensure that none of the messages exchanged during the creation of the
session have been intercepted or replaced. If the digests match, the secure communication channel is
established.

The SSL handshake is now complete. Both FortiGate and the web server are ready to communicate securely,
using the session keys to encrypt and decrypt the data they send over the network or internet.

LAN Edge 7.0 Study Guide 65

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

What is a digital certificate? It is a digital document that identifies an entity (such as a person or device). It
usually contains the entity public key.

Other important information contained in a certificate is:

• Serial number: A unique number for the issuing CA that identifies the certificate.
• Signature algorithm: Identifies the hashing and asymmetric algorithms used to produce the digital
signature that secures this certificate.
• Issuer and Subject: Identify the CA that produced the certificate and the entity to whom the certificate is
issued. The values are typically expressed using the X.500 or LDAP formats.
• Valid from and Valid to: Just like a passport or driver’s license, a certificate has a validity period—explicit
dates on which it is valid. The certificate is invalid on the dates that occur before and after the validity
period.
• CRL Distribution Points: Identifies to the application where it should retrieve the revocation list from.

In addition, note that some information displayed for a certificate is not actually part of the certificate, but
computed from it. This is the case of the Thumbprint (or fingerprint), which is a hash of the certificate
calculated by Windows, that can be used by applications as a unique identifier for certificates when making
trust decisions.

LAN Edge 7.0 Study Guide 66

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

CAs issue and sign digital certificates for end entities. When a CA issues and signs a digital certificate, the CA
is essentially proclaiming, “This is the entity who I say it is and I certify it.” The CA signature in the digital
certificate is encrypted using the CA private key.

PKI uses a relationship trust model, and the CA is at the root of the hierarchy as the trusted third party:
everything begins with the CA. A CA issues its own digital certificate—known as the root certificate—in order
to establish this point of ultimate trust. After the root certificate is established, the CA can generate digital
certificates that are issued and signed by the root.

Accordingly, if users trust the CA and can verify the CA signature as authentic, then they must trust that the
public key does belong to the entity identified in the digital certificate.

LAN Edge 7.0 Study Guide 67

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

There are many different types of certificates, each with different functions (and sometimes, confusingly, with
different names). A few common certificate types include:

CA certificates (also called root or authority certificates): These certificates identify the CA and create the root
of a CA hierarchy. As such, the certificate details have the same input for both the Issuer and Subject fields.
These certificates are self-signed and contain the CA public key needed to decrypt signatures in the signed
certificates.

Server certificates (also called service certificates): These certificates identify services and are used to secure
communication to and from servers, such as HTTPS websites, or Extensible Authentication Protocol (EAP)
802.1X authentication servers. The certificate details have the FQDN (or IP address) of the server in the
subject field. The public key of the server is included.

User certificates (also called client certificates): These certificates identify one person to another, a person to
a device or gateway, or one device to another device. The certificate includes the public key associated with
the identity.

Both user and server certificates belong to the category of end-entity certificates.

LAN Edge 7.0 Study Guide 68

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

In the example shown on this slide, a user with a web browser is connecting to an HTTPS website. The
website sends its certificate, which contains its public key and is signed by a CA named CA1. The website
certificate signature is encrypted with the CA1 private key. The browser must have the CA1 public key to
decrypt and validate the signature in the digital certificate. The CA1 public key is installed in the browser by
importing the CA1 digital certificate, which contains its public key.

Most browsers already have preinstalled the CA certificates of the most well-known public CAs. However, if
the server certificate is signed by a private CA, the public CA certificate must be installed in the browser. In
this way, the browser trusts the private CA and can verify the digital certificates that the CA has signed.

LAN Edge 7.0 Study Guide 69

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

In a similar way, digital certificates can be used to authenticate users. They can be combined with user
credentials for two-factor authentication. In this case, when the user is authenticating against an access
server, the user sends the digital certificate, which is signed by a CA. In the example on this slide, the CA is
CA1. The user certificate signature is encrypted with the CA1 private key. The access server must have the
CA1 certificate installed (which contains the CA1 public key) for decrypting and validating the user certificate.

LAN Edge 7.0 Study Guide 78

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

In this section, you will review how FortiAuthenticator can act as a CA.

LAN Edge 7.0 Study Guide 93

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

FortiAuthenticator can act as a self-signed or local CA for issuing and revoking digital certificates.

As a CA, the administrator can also import trusted CA certificates and certificate revocation lists.

FortiAuthenticator can also act as an OCSP server (for certificate revocation checks) and a SCEP RA (for
receiving CSRs and issuing certificates).

LAN Edge 7.0 Study Guide 94

Certificate-Based Authentication

DO NOT REPRINT
© FORTINET

User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN
network resources.

You can create a user certificate on FortiAuthenticator, or import and sign a CSR. User certificates, external
service certificates, and device certificates are all the same type of certificate.

Note that End Entities certificates can be used only to verify client identity and cannot be used to sign other
certificates.

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about different ways to collect logon events and convert them to Fortinet single
sign-on (FSSO) events. You will focus on RADIUS and syslog single sign-on and their relevant configurations.

LAN Edge 7.0 Study Guide 99

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in RADIUS and syslog SSO, you will be able to configure and use different
SSO methods on FortiAuthenticator.

LAN Edge 7.0 Study Guide 100

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

In this section, you will learn about FSSO collection methods.

LAN Edge 7.0 Study Guide 101

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

This slide shows the methods you can use to collect sign-on (or logon) information from, and convert it to,
FSSO. You can divide sign-on methods into two groups: Active Directory (AD) and Windows, and generic
sources. Sign-on information is sent to FortiAuthenticator, which acts as a collector agent to FortiGate.
FortiAuthenticator then maintains a record of all the sign-ons learned from different methods and forwards
them to FortiGate as FSSO. FortiGate can then use this information to provide accessibility to resources
based on FSSO information.

Fortinet also provides a standalone collector agent (or FSSO agent) that can be installed on a Windows host
to collect sign-on information through different methods. Unless otherwise stated, all references to the
collector agent on this lesson refer to the standalone collector agent.

LAN Edge 7.0 Study Guide 102

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

You can poll the logon events from the domain controller (DC) using three methods:

• Windows security event polling: Uses server message block (SMB) to get the event logs from the DC. It is
supported by both FortiAuthenticator and the collector agent. FortiAuthenticator polls the DC every five
seconds, and the collector agent every three seconds. Polling may run a bit slower but will not miss events.
By default, FortiAuthenticator ignores logon events from usernames ending with a $ sign.

• WMI-based Windows Security event polling: Uses Windows Management Instrumentation (WMI) to extract
the logon events. It is supported by the collector agent only, which polls the DC every three seconds. The
main advantage of this method is that the collector agent does not need to search security event logs on
the DC for user logon events. Instead, the DC returns all requested logon events through WMI.

• NetAPI-based logon sessions polling: Supported only by the collector agent. NetAPI, which is a Windows
API that provides access to network services, is used to retrieve server logon sessions. NetAPI runs faster
than security event log polling, but it may miss user logon events under heavy system load. Polling takes
place every 9 seconds, and it requires a query round-trip time of less than 10 seconds.

Note that while logon events can be detected from the security event logs and login sessions, you can’t detect
logout events. This is because logout events can be triggered in different ways, not just the logout action.
While some methods natively support logout detection (like the FortiClient SSO Mobility Agent), others, such
as DC polling, do not. To enable logout detection, both FortiAuthenticator and the collector agent support
WMI-based workstation IP address verification (or workstation check) to check the current logged-in user
state for a device. For this, FortiAuthenticator and the collector agent periodically connect to each workstation
to get the user login state. If the user is no longer logged in to the workstation, FortiAuthenticator and the
collector agent remove the user from the list of active FSSO users.

LAN Edge 7.0 Study Guide 103

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

You can enable Windows logon event polling on FortiAuthenticator by clicking Fortinet SSO Methods > SSO
> General. FortiAuthenticator uses LDAP lookup to collect user group memberships, and DNS lookup to
resolve the workstation IP address. DNS plays a big role in ensuring the overall reliability of FSSO events. If
DNS resolution is slow or not working properly, FSSO event information is not accurate or even valid.

By default, FortiAuthenticator supports event IDs 672, 680, 4768, and 4776; however, you can also enable
support for the following event IDs by clicking Configure Events:

528, 540, 673, 674, 4624, 4769, 4770

Note that FortiAuthenticator ignores usernames ending with a $ sign.

LAN Edge 7.0 Study Guide 104

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

After you enable Windows logon event polling, you must configure the logon event source in the Windows
Event Log Sources section. When you configure a new source, you must type values in the NetBIOS name,
IP, Account, and Password fields to use to poll events from that source. Use an account with administrator
privileges in the DC so that logon events can be retrieved.

If you configure multiple sources for polling logon events from the same domain, for each source, you must
select the LDAP lookup priority. If you select Primary, the source becomes the primary server for LDAP
lookups for that domain. If you select Secondary instead, FortiAuthenticator uses that source to perform
LDAP lookups only when the primary LDAP source fails.

For enhanced security, you can turn on Enable secure connection, and then select LDAPS or STARTTLS,
so FortiAuthenticator securely connects to the LDAP server.

After you configure a Windows event log source, you can check the Windows Event Log Sources monitor
section to verify that FortiAuthenticator can poll logon events from that source.

LAN Edge 7.0 Study Guide 105

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

Instead of polling the login information from the DCs, you can deploy DC and TS agents that send real-time
logon events to your FortiAuthenticator device. You can download DC and TS agent installers from the
Fortinet support site.

You must install a DC agent on each DC and then restart the DC after you install the agent. The DC agents
monitor user logon events and pass the information to FortiAuthenticator (which acts as a collector agent),
which stores the information and sends it to FortiGate. The DC agent is not a service like the collector agent—
it is a DLL file called dcagent.dll that is installed in the Windows\system32 directory.

The Citrix/Terminal Server (TS) agent is installed on a Citrix terminal server (which runs on Windows) to
monitor user logins in real time. It functions much like the DC agent on a Windows DC, in that it sends real-
time login information to the collector agent. However, unlike the DC agent, which sends logon events
generated by users that log in to the domain from their workstations (unique IP address), the TS agent sends
login information generated by users that log in to a TS (shared IP address). Because TS users share the
same IP address, each of them is assigned a unique port range to access the domain network resources. To
distinguish between TS users and, therefore, for FortiGate to be able to track the different TS users, the TS
agent also includes the port range assigned to each user in the login information sent to the collector agent.

LAN Edge 7.0 Study Guide 106

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

You must enable the DC/TS agent in FSSO methods on FortiAuthenticator to allow communication between
DC/TS agents and FortiAuthenticator. You can also enable optional authentication for added security. You
must configure both the DC/TS agent and FortiAuthenticator with the same password.

LAN Edge 7.0 Study Guide 107

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

SSOMA is a FortiClient feature that can also be installed as a standalone feature. SSOMA identifies the
logged in domain user and IP address, and communicates this information to FortiAuthenticator.

FortiClient SSOMA has several benefits over other FSSO detection methods:

• FortiClient sends regular HELLO packets. If FortiAuthenticator detects X number of missing HELLO
packets, the user is deauthenticated.
• If the device IP address stack changes, for example, roaming on the wireless network, the update is sent to
FortiAuthenticator.
• If the user logs out, FortiClient notifies FortiAuthenticator during the logout process and deauthenticates
the user.

LAN Edge 7.0 Study Guide 108

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

Like other SSO methods, you must enable SSOMA in the FSSO methods settings on FortiAuthenticator. By
default, SSOMA will connect to FortiAuthenticator on port 8001, but that can be changed to another port if
required. You can also enable optional authentication with secret keys, as well as configure keepalive and idle
timeout intervals.

Optionally, you can enable NTLM within SSOMA settings so that NTLM works in conjunction with FSSO.
When enabled, FortiAuthenticator requires NTLM authentication when:

• A user logs in to a workstation for the first time

LAN Edge 7.0 Study Guide 112

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

FortiNAC is a Fortinet network access control (NAC) solution that provides visibility of all devices and users
connected to the network.

FortiNAC can authenticate network users, and their login information can be sent to FortiAuthenticator when
you configure FortiNAC as an SSO source. The login information provided includes the username, group, and
IP address.

To configure FortiAuthenticator to use FortiNAC as an SSO source:

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

The next step is to create a syslog source. You must type values in the Name and IP address fields, and then
select a rule in the Matching rule drop-down list.

LAN Edge 7.0 Study Guide 123

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

You can view syslog SSO sessions on FortiAuthenticator by clicking Monitor > SSO > SSO Sessions.

On FortiGate, you click Dashboard > User & Devices > Firewall Users to view the FSSO logs.

LAN Edge 7.0 Study Guide 124

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

You can also view SSO-related logs that are specific to a single SSO source, such as RADIUS accounting or
the syslog feed. For example, you can view the RADIUS attributes that are sent in the accounting message,
or view the raw syslog feed that FortiAuthenticator is receiving.

LAN Edge 7.0 Study Guide 125

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

In this section, you will learn how to implement RSSO to be used with FortiAuthenticator and FortiGate.

LAN Edge 7.0 Study Guide 126

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

Consider the following important aspects before using RSSO:

• You must configure the RADIUS environment to send accounting records. How to configure every possible
RADIUS server is beyond the scope of this lesson.
• For direct RADIUS to FortiGate RSSO, you must configure the RADIUS server with appropriate group
names and users added to them.
• For RADIUS to FortiAuthenticator to FSSO, you must configure your LDAP directory with appropriate
group names and users added to them.

There are three different ways to deploy RSSO:

• FortiGate RSSO: RSSO accounting messages directly to FortiGate.

• FortiAuthenticator RSSO to FortiGate RSSO: RSSO accounting messages are sent to FortiAuthenticator,
which then forwards the packets to FortiGate or a third-party device.
• FortiAuthenticator RSSO to FSSO: RSSO accounting messages are converted to FSSO updates and
distributed to all FortiGate devices configured as FSSO clients on FortiAuthenticator.

Now, you will look at each of the three methods in more detail.

LAN Edge 7.0 Study Guide 127

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

FortiOS supports the use of RADIUS start, stop, and interim update messages to authenticate and manage
active users transparently. You can configure FortiGate to receive and use these messages.

LAN Edge 7.0 Study Guide 128

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

You must perform a few configuration steps to enable RSSO on FortiGate. First, you must enable RADIUS
Accounting in the Administrative Access section on the FortiGate interface where you expect to receive
RSSO messages. Then, you must click Security Fabric > Fabric Connectors, define an RSSO agent, and
configure it with a unique name and RADIUS shared secret that matches the one configured on the RADIUS
accounting server. This enables a form of authentication between the RSSO agent (FortiGate) and the
RADIUS accounting server (or RSSO server). You also need to create an RSSO user group locally on
FortiGate. In the RSSO user group, you must set the RADIUS Attribute Value, which is used for user group
matching. You can then use the RSSO user groups on a firewall policy to enable access for RSSO users.

RSSO user group matching works as follows:

1. When FortiGate receives the RADIUS accounting message, FortiGate checks the value for the attribute
set as sso-attribute in the RSSO agent configuration. In the example shown on this slide, the sso-
attribute is set to Class.
2. FortiGate checks its local RSSO user groups. If the value of the Class attribute contained in the
accounting message matches the value set as RADIUS Attribute Value in the RSSO user group, then
FortiGate associates the RADIUS user with the RSSO user group. In the example shown on this slide, the
configured RADIUS Attribute Value is IT.

In addition, FortiGate extracts the username from the attribute set as rsso-endpoint-attribute. In the
example shown on this slide, the attribute is set to User-Name.

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

The command diagnose rsso query queries the RSSO database on FortiGate.

You can query RSSO users by IP address, username, or group name.

This slide shows an example of a query using the IP address.

LAN Edge 7.0 Study Guide 133

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

FortiAuthenticator supports the use of RADIUS start, stop, and interim update messages to authenticate and
manage active users transparently. It receives RADIUS accounting messages, performs lookups against the
LDAP server for group membership, and then forwards the RADIUS message to the FortiGate RSSO agent.
This is useful when group membership information is handled by Active Directory, or when the RADIUS
server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.

LAN Edge 7.0 Study Guide 134

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

Use the steps on this slide and the next to configure FortiAuthenticator when you want to implement a
FortiAuthenticator RSSO to FortiGate FSSO solution:

1. Enable RADIUS Accounting SSO on the interface that will receive RADIUS accounting start and stop
messages.
2. Turn on Enable RADIUS Accounting SSO clients.

Use the following steps to configure FortiAuthenticator for FSSO:

1. Configure the interface to receive RADIUS accounting messages.

2. Select Enable RADIUS Accounting SSO Clients.
3. Configure the RADIUS Accounting SSO Client.

You must select the LDAP server from the drop-down list if you want to validate remote users using a back-
end LDAP server. FortiAuthenticator can retrieve group memberships from the LDAP server to verify that the
RSSO user account resides on the LDAP server. You can also categorize the user as External, which means
that the user account is not expected to be configured in the local or remote database. The RADIUS
Username attribute (default User-Name) and Client IPv4 attribute (default Framed-IP-Address) fields are
required. The User group attribute field is not required.

LAN Edge 7.0 Study Guide 139

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

You must configure FSSO on FortiGate to receive the FSSO updates from FortiAuthenticator. First, you
configure a Fortinet Single Sign-On Agent in External Connectors. Then, you can pull or create an FSSO
user group, and assign remote members to the group. You can then refer to the FSSO user group on a
firewall policy to provide network access to FSSO users.

LAN Edge 7.0 Study Guide 140

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

While the FortiAuthenticator Monitor page records that the user logged in through a Radius Accounting
source, you can confirm that the user was authenticated on FortiGate using the Fortinet Single Sign-On
method by looking at the Firewall Users widget.

You can also confirm this by running the diagnose debug authd fsso list command.

LAN Edge 7.0 Study Guide 141

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

This slide shows the real-time debugging of the FortiGate device that receives a login message from
FortiAuthenticator through FSSO.

LAN Edge 7.0 Study Guide 142

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

In this section, you will learn about troubleshooting FSSO using FortiAuthenticator.

LAN Edge 7.0 Study Guide 143

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

FortiAuthenticator makes troubleshooting easier because all the tools required to check the status of different
components in FSSO are available on the GUI. By clicking Monitor > SSO, you can view information, such as
SSO domains, active SSO sessions, Windows event log sources status, currently active FortiGate
connections, and DC/TS agents connection status.

If you have trouble distinguishing SSO sessions from TS/DC agents, you can view whether the DC/TS agents
are connected to FortiAuthenticator. If not, ensure that the correct IP address, port, and secret are configured
on both FortiAuthenticator and the DC/TS agents.

LAN Edge 7.0 Study Guide 144

RADIUS and Syslog Single Sign-On

DO NOT REPRINT
© FORTINET

FortiAuthenticator displays all the active SSO sessions on the Monitor tab. This tab displays detailed
information about SSO sessions that are currently active on FortiAuthenticator. On this tab, you can view
SSO-related information, such as login time, logout time, username, IP address, workstation name (AD),
domain, group, and SSO source. In the example shown on this slide, there are two SSO sources that are
currently in use, Eventlog Polling and Syslog feed.

LAN Edge 7.0 Study Guide 145

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about different ways to collect login events
and convert them to Fortinet single sign-on (FSSO) events. You also focused on RADIUS and syslog single
sign-on and their relevant configurations.

LAN Edge 7.0 Study Guide 150

Centralized Management

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about FortiSwitch and FortiAP management on FortiManager.

LAN Edge 7.0 Study Guide 151

Centralized Management

DO NOT REPRINT
© FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in centralized management, you will be able to manage FortiGate using
FortiManager, configure the FortiLink interface to manage FortiSwitch, and enable a Security Fabric
connection to manage FortiAP.

LAN Edge 7.0 Study Guide 152

Centralized Management

DO NOT REPRINT
© FORTINET

In this section, you will review FortiManager basics.

LAN Edge 7.0 Study Guide 153

Centralized Management

DO NOT REPRINT
© FORTINET

When should you use FortiManager in your network?

In large enterprises and managed security service providers (MSSPs), the size of the network introduces
challenges that smaller networks don’t have: mass provisioning; scheduling rollout of configuration changes;
and maintaining, tracking, and auditing many changes.

Centralized management through FortiManager can help you to more easily manage many deployment types
with many devices, and to reduce the cost of operation.

What can FortiManager do?

• Provision firewall policies across your network.

• Act as a central repository for configuration revision control and security audits.
• Centrally manage of FortiSwitch and FortiAP devices.
• Act as a private FortiGuard distribution server (FDS) for your managed devices.
• Script and automate device provisioning, policy changes, and more, with JSON APIs.

LAN Edge 7.0 Study Guide 154

Centralized Management

DO NOT REPRINT
© FORTINET

There are two ways you can register a FortiGate device using FortiManager.

The first method involves the FortiManager device registration wizard. If the FortiGate device is supported and
all the details of the device are correct, FortiManager registers the device. This method is the one used in the
lab, and you'll learn more about this method in this lesson.

The second method involves a request for registration from the FortiGate device. This happens after you add
FortiManager on the FortiGate GUI. Then, when the FortiManager administrator receives the registration
request, the request is accepted (though it can be denied).

During device registration, FortiManager and FortiGate create a secure tunnel on TCP port 541. The tunnel is
used for checking device status and configuration, as well as configuration installation.

After FortiGate is registered on FortiManager, any FortiSwitch or FortiAP devices that are managed by that
FortiGate device are displayed on the FortiSwitch Manager and AP Manager panes, respectively.

LAN Edge 7.0 Study Guide 155

Centralized Management

DO NOT REPRINT
© FORTINET

When using the device registration wizard, the FortiManager administrator proactively initiates and, ultimately,
performs the registration. When this method is used, the administrator must have specific details about the
FortiGate device that they are registering.

You can launch the wizard from the Device Manager pane by clicking Add Device from the menu bar.

LAN Edge 7.0 Study Guide 156

Centralized Management

DO NOT REPRINT
© FORTINET

After you register a FortiGate device, it appears on Device Manager > Device & Groups.

LAN Edge 7.0 Study Guide 157

Centralized Management

DO NOT REPRINT
© FORTINET

To configure the device-level settings of your FortiGate devices, select the device or VDOM in the Device
Manager. In the example shown on this slide, the FortiGate device named FortiGate is selected.

The device-level settings of a managed FortiGate can be viewed and configured from the toolbar at the top of
the Dashboard. This enables you to view or configure interfaces, HA, DNS, and log settings, to name a few.
To configure or view routes, click Router > Static Route.

In the example shown on this slide, a new static route is created.

Most of the settings that you see in this example have a one-to-one correlation with the device configuration
that you would see if you logged in locally using the FortiGate GUI or CLI.

Note that there are only a few options in the Display Options section to customize the global display as
needed.

LAN Edge 7.0 Study Guide 158

Centralized Management

DO NOT REPRINT
© FORTINET

Another way to change device-level settings on devices is by using FortiManager scripts. Scripts are useful
for bulk configuration changes and consistency across multiple managed devices.

FortiManager supports two types of scripts:

• CLI: CLI scripts include only FortiOS CLI commands as they are entered at the command line prompt on a
FortiGate device.
• TCL: TCL is a dynamic scripting language that extends the functionality of CLI scripting. You must be
familiar with the TCL language and regular expressions. For more information about TCL scripts, visit the
official TCL website: http://www.tcl.tk

Scripts are enabled by default. For TCL scripts, you also need to enable the show command from the
FortiManager CLI.

LAN Edge 7.0 Study Guide 159

Centralized Management

DO NOT REPRINT
© FORTINET

If you want to edit the firewall policies and dependent objects on FortiManager, you go to the Policy &
Objects pane.

FortiManager organizes firewall policies in policy packages. You can then customize the policy packages for
each device or VDOM, or apply a single policy package for multiple devices that require the same set of
firewall policies.

LAN Edge 7.0 Study Guide 160

Centralized Management

DO NOT REPRINT
© FORTINET

After you configure the FortiGate device-level settings and firewall policies on FortiManager, the changes do
not take immediate effect—they must be installed. Therefore, you must install the changes to FortiGate by
using the Install Wizard on Device Manager.

During installation, you must choose between two different installation types. If you choose Install Device
Settings (only), the wizard installs only device-level configuration changes made from FortiManager. If you
have made changes to the device-level configuration and policies in the policy packages, you can choose
Install Policy Package & Device Settings, which installs policy package changes and any device-level
settings.

In the example shown on this slide, the Install Policy Package & Device Settings option is selected, which
also requires choosing the policy package to install.

LAN Edge 7.0 Study Guide 161

Centralized Management

DO NOT REPRINT
© FORTINET

In this section, you will learn how to enable the switch controller feature.

LAN Edge 7.0 Study Guide 162

Centralized Management

DO NOT REPRINT
© FORTINET

By default, the switch controller feature is enabled on most FortiGate models. In FortiGate VM models,
however, it is not enabled by default, but you can enable it by running the CLI commands shown on this slide.

After you enable the switch controller feature, the related switch controller settings are shown on the GUI by
default. If the GUI settings are not shown, make sure gui-switch-controller is enabled under system
settings.

LAN Edge 7.0 Study Guide 163

Centralized Management

DO NOT REPRINT
© FORTINET

All FortiGate devices come with a factory default FortiLink interface in the root VDOM dedicated to
communication between the switch controller (FortiGate) and the managed switches. By default, the interface
is created as a link aggregation group (LAG) interface.

The FortiLink interface comes with no LAG members by default. Therefore, you must add at least one
member to the FortiLink LAG interface and assign an IP address to it. FortiGate then uses the configured IP
address and netmask to configure a DHCP scope for assigning IP addresses and other network parameters
to managed switches.

By default, you must authorize the switches discovered by FortiGate before being able to manage them.
Alternatively, you can enable Automatically authorize devices to automatically authorize discovered
switches.

In addition, FortiLink split interface is enabled by default. If a FortiLink interface has two or more members,
this option instructs FortiGate to keep only one FortiLink interface port member active. This behavior is useful
when you connect your FortiLink interface from one FortiGate device to two or more switches, and the
switches do not support multi-chassis link aggregation (MCLAG) or MCLAG has not been configured yet.
Under this scenario, you lose management to one or more switches if FortiLink split interface is disabled. You
will learn more about FortiLink in another lesson.

LAN Edge 7.0 Study Guide 164

Centralized Management

DO NOT REPRINT
© FORTINET

You can also edit the FortiLink interface on FortiManager by accessing the device interface settings on
Device Manager.

The layout and options available on FortiManager are very similar to the ones displayed by the FortiGate GUI.
The option Automatically authorize devices you see on FortiGate is not available on FortiManager, but you
can use scripts or CLI-only objects to configure the setting.

LAN Edge 7.0 Study Guide 165

Centralized Management

DO NOT REPRINT
© FORTINET

In this section, you will learn about the FortiSwitch Manager pane, which enables you to manage FortiSwitch
devices on FortiManager.

LAN Edge 7.0 Study Guide 166

Centralized Management

DO NOT REPRINT
© FORTINET

FortiGate can act as a switch controller, which enables you to manage FortiSwitch devices from FortiGate
rather than having to individually access each FortiSwitch for management purposes.

On FortiManager, when you register a FortiGate device acting as a switch controller, the FortiSwitch devices
that are discovered by FortiGate are also used by FortiManager and displayed on the FortiSwitch Manager
pane.

FortiSwitch Manager enables you to centrally manage FortiSwitch devices discovered by all authorized
FortiGate devices on FortiManager. Instead of accessing each FortiGate device to manage its FortiSwitch
devices, you can manage all FortiSwitch devices controlled by all FortiGate devices from a single pane on
FortiManager. This can considerably reduce the operating expenses for your network, especially for large
networks that have tens or hundreds of switches deployed.

FortiSwitch Manager supports two management modes: central management and per-device management. In
central management mode (default mode), you maintain templates and assign them to FortiSwitch devices.
Central management mode is convenient for deploying multiple devices that use the same configuration. In
per-device management mode, you apply settings and profiles to individual FortiSwitch devices, which
enables you to deploy sites that use different configurations.

LAN Edge 7.0 Study Guide 167

Centralized Management

DO NOT REPRINT
© FORTINET

Central management mode is the default mode used by FortiSwitch Manager. You first configure a template
and then assign it to one or more FortiSwitch devices that require the same deployment. You make
configuration changes on the template, instead of on the individual FortiSwitch devices. Changes made on a
single template result in a configuration change on multiple devices. For this reason, central management
mode is best suited for deployments that use the exact same configuration on all FortiSwitch devices.

A FortiSwitch template is specific to a FortiSwitch model, and therefore, different switch models require
different templates.

In the example shown on this slide, site 1 and site 2 have identical network topologies. FortiManager is
configured with two FortiSwitch templates: core and access. The core template is assigned to devices acting
as a core switch on site 1 and site 2, while the access template is applied to devices acting as access
switches. The result is that you can manage six switches across two sites with only two templates. If you need
to deploy more identical sites, you can continue to use the same existing templates, resulting in even greater
scalability.

LAN Edge 7.0 Study Guide 168

Centralized Management

DO NOT REPRINT
© FORTINET

When you access the FortiSwitch Manager pane, the managed switches page opens by default. This page
displays a table containing all the switches discovered by all FortiGate devices registered on FortiManager.
For each authorized switch, the page displays its name, serial number, model (or platform), the current status,
the FortiLink interface used (on the controlling FortiGate), the controlling FortiGate and VDOM, IP address
(connected via), OS version, and join time. This is the same information that you would see on the FortiGate
GUI for a switch.

On the left menu, click Managed FortiGate if you want to view all switches discovered by all FortiGate
devices. Otherwise, click the FortiGate device that controls the switches you want to view. The page lists all
discovered FortiSwitch devices, including those that have not been authorized. Each switch displays an icon
to the left of its name that reports its current status, which is obtained by FortiManager by polling FortiGate
REST API every three minutes. The different statuses mean:

• Online: The switch is authorized and the management link with FortiGate is up.
• Offline: The switch is authorized but the management link with FortiGate is down.
• Unauthorized: The switch has been discovered by FortiGate, but it has not been authorized.
• Unknown: The switch is authorized but its status cannot be determined. This is usually the case when the
controller (FortiGate) is also offline.

The page also displays the template that has been assigned to the switch. On the example shown on this
slide, the switch has been assigned with the Training template and its status is Online.

When you right-click a switch, a menu with additional management actions, such as switch authorization or
firmware upgrade, is displayed.

LAN Edge 7.0 Study Guide 169

Centralized Management

DO NOT REPRINT
© FORTINET

When you click the More tab on the Managed FortiGate page, you can click Topology to view the block-
style topology representation of the connected FortiSwitch devices. On the topology, you can hover over
connection links or ports to get more details.

Another monitor tool you can click on is Faceplates. Faceplates displays a diagram of the management
connection between FortiGate and its controlled FortiSwitch devices. It also displays the status of each port
on the managed switches. The FortiGate interface used for managing switches is called FortiLink. FortiLink is
also the name of one of the protocols used by FortiGate for switch management. The protocol operates over
the switch uplink connected to FortiGate, and between switches for switch discovery. You will learn more
about FortiLink in another lesson. On the diagram, the switch port connected to the FortiLink interface is
circled in black (port24 in the example shown on this slide).

Both monitor tools display some information about the FortiGate device controlling the switch. The information
includes the serial number, management IP address, as well as the VDOM and the FortiLink interface name.
In the example of faceplates shown on this slide, the FortiLink interface name is fortilink and it belongs to the
root VDOM. Also note that the FortiGate management IP address refers to the IP address that FortiManager
uses to communicate with FortiGate through the secure tunnel on TCP port 541.

LAN Edge 7.0 Study Guide 170

Centralized Management

DO NOT REPRINT
© FORTINET

The FortiSwitch Templates section is where you configure the templates, VLANs, and other switch object
configurations for FortiSwitch devices. You can create a new template from scratch by clicking FortiSwitch
Template on the left menu, then clicking Create New, and then selecting the FortiSwitch model the template
will be based on. After you select the FortiSwitch model, FortiManager automatically populates the template
with the ports available in the selected switch model. In addition, FortiManager assigns a default configuration
to each switch port, which you can then change to suit your needs.

Another way to create a template is by importing its settings from the current configuration on a switch. This
option is useful when you want to build your template from the existing configuration on a production switch,
and then apply that configuration to other switches that require the same setup. To import a template, click
Import, and then select the FortiGate device and the switch you want to import the template settings from.

Before you create the template, you may want to configure the objects used by the template:
• VLAN: A FortiSwitch VLAN is a FortiGate VLAN interface bound to the FortiLink interface. The VLANs can
then be selected as the native VLAN and allowed VLANs on a switch port.
• Security Profiles: FortiSwitch supports 802.1X authentication. You configure the 802.1X authentication
policy in a security profile, and then assign the security profile to a switch port in the template.
• LLDP Profiles: FortiSwitch supports Link Layer Discovery Protocol (LLDP) and its extension LLDP for
Media Endpoint Discovery (LLDP-MED). An LLDP profile enables you to configure the type length values
(TLVs) to advertise on a port, as well as the LLDP-MED network policy used for auto VLAN configuration
on endpoints (usually phones).
• QoS Policy: FortiSwitch supports quality of service (QoS) policies, which enable you to classify and mark
packets entering a port for egress priority queuing purposes.
• Custom Command: Some FortiSwitch settings and diagnostic commands are available on the FortiSwitch
device only by creating custom commands.

LAN Edge 7.0 Study Guide 171

Centralized Management

DO NOT REPRINT
© FORTINET

To configure a port on a template, click Edit to modify the port settings. FortiManager displays a new window
showing the port settings. From there, you can select the native and allowed VLANs on the port, as well as
change its LLDP profile or security policy. You can also change some STP settings.

If you click Advanced Options, FortiManager shows the additional CLI-only objects available for the port.

LAN Edge 7.0 Study Guide 172

Centralized Management

DO NOT REPRINT
© FORTINET

Per-device management is the alternative mode available for FortiSwitch Manager. Unlike central
management mode, in which you configure templates, in per-device management mode you configure
FortiSwitch devices in the same way you would if you were configuring them on the FortiGate GUI.

The advantage of per-device management mode is that you can configure each switch differently. This makes
it an ideal option when you need to deploy switches that don’t necessarily require the same setup. In addition,
because FortiManager maintains separate device settings for each switch, any changes made on a switch
affect only that switch.

LAN Edge 7.0 Study Guide 173

Centralized Management

DO NOT REPRINT
© FORTINET

Central management mode is the default FortiSwitch Manager mode in an administrative domain (ADOM).
ADOMs enable you to create groupings of devices for administrators to monitor and manage. The purpose of
ADOMs is to divide administration of devices by ADOM and to control (restrict) administrator access.

To enable per-device management, you edit the settings of the ADOM you manage your FortiSwitch devices
on, and you uncheck the FortiSwitch option.

In the example shown on this slide, FortiSwitch has been cleared on the root ADOM.

LAN Edge 7.0 Study Guide 174

Centralized Management

DO NOT REPRINT
© FORTINET

After you enable per-device management mode, you can click Ports Configuration to edit the port
configuration of a switch instead of assigning a template to it. Also, the template column is no longer shown as
part of the information displayed for a switch.

In addition, the FortiSwitch Manager pane shows a FortiSwitch Profiles tab. You can use the other tab, CLI
Configurations, to access settings that are not available to configure directly within the FortiSwitch Manager.

LAN Edge 7.0 Study Guide 175

Centralized Management

DO NOT REPRINT
© FORTINET

The Ports Configuration page displays all the ports available on the switch. From the page, you can view or
edit the configuration of each port. Select a port and then click Edit to change its settings. After you click Edit,
a new window opens showing the port settings available.

In addition, on the Ports Configuration page, FortiManager displays the switch front view, indicating the
status of all ports on the switch. Hover over a port to see more information about it, such as its link status, the
FortiSwitch device it belongs to, its assigned VLANs, or even the name of its peer device discovered through
LLDP.

LAN Edge 7.0 Study Guide 176

Centralized Management

DO NOT REPRINT
© FORTINET

The FortiSwitch Profiles tab is where you configure additional switch objects. When compared to the
FortiSwitch templates section, you find the same configuration objects plus NAC Policy.

Network access control (NAC) policies enable you to assign a VLAN and other settings to ports that connect
to devices matching a certain criteria such as the MAC address, operating system, or type. The purpose is to
automatically configure a switch port with the correct settings based on the type of device connected.

Centralized Management

DO NOT REPRINT
© FORTINET

The example on this slide shows the managed APs in the AP Manager pane when using the central
management mode.

It shows wireless-related information, such as SSIDs, Channel, Clients, and AP Profile (or Wi-Fi profile). It
also displays the status for each AP, but, unlike FortiSwitch Manager, there is no Unknown status. The other
statuses (Online, Offline, Unauthorized) have the same meaning as in FortiSwitch Manager.

In addition, the page indicates the number of detected Rogue APs as well as the number of wireless clients
connected (Client Connected).

When you right-click an AP, a menu with more management actions is displayed.

LAN Edge 7.0 Study Guide 181

Centralized Management

DO NOT REPRINT
© FORTINET

You can click a number in the Clients column or click the Client Connected icon to display a table with the
list of wireless clients currently connected to the APs. For each client, the page displays some important
wireless information, such as the SSID and the FortiAP it is connected to, or the signal-to-noise ratio (or signal
strength/noise) and the signal strength. The last two values are key to determining the quality of the wireless
signal.

If device detection is enabled on the SSID that the client is connected to, then FortiGate attempts to identify
the device using various detection methods. You can click Column Settings to display additional columns
containing device-related information.

LAN Edge 7.0 Study Guide 182

Centralized Management

DO NOT REPRINT
© FORTINET

The Map View section in AP Manager displays the location of an AP on a Google Map, or its location on a
Floor Map. FortiManager determines the AP location on Google Maps based on the AP public IP address. If
the AP has a private IP address, FortiManager uses the controlling FortiGate location as the AP location. In
the example shown on this slide, FortiManager uses the FortiGate location because the AP has a private IP
address.

You can check Show Connection Down APs Only to display only the APs that are currently offline. This is
useful when you need to locate failed APs that require an on-site presence to restore the service.

In addition, when you click Show on Floor Map, FortiManager displays the floor map view for the selected
AP.

LAN Edge 7.0 Study Guide 183

Centralized Management

DO NOT REPRINT
© FORTINET

The Floor Map view enables you to upload the floor plan on the site where your APs are located. After that,
you must manually place each AP on the floor plan.

Hover over each AP to get more details about the device such as IP address, serial number, data usage, or
MAC address.

LAN Edge 7.0 Study Guide 184

Centralized Management

DO NOT REPRINT
© FORTINET

The WiFi Templates section is where you configure the profiles for your APs. A Wi-Fi profile contains all the
wireless settings for your AP, such as the AP operation mode, enabled channels, power control, client load
balancing options, and enabled SSIDs. It also contains the AP remote management settings.

You can create a new Wi-Fi profile from scratch by clicking AP Profile on the left menu, and then clicking
Create New. Alternatively, you can import a profile from an authorized FortiAP by clicking Import, and then
selecting the FortiGate device and the AP profile you want to import the profile settings from.

You can also configure the following objects that can be used in your Wi-Fi profile:

• SSID: This is where you configure your wireless service set identifiers (SSIDs).
• WIDS Profile: A wireless IDS (WIDS) profile enables you to configure rules to detect intrusion attacks on
the wireless network. It also enables you to detect rogue APs. A rogue AP is an AP that has not been
authorized on your network, or just an AP that is unknown.
• Bluetooth Profile: Enables you to configure FortiAP to scan for wireless devices using the Bluetooth low
energy (BLE) standard.
• QoS Profile: Used for controlling the amount of bandwidth generated through the AP or by a wireless
client.
• Bonjour Profile: Bonjour profiles are used to allow forwarding of Bonjour traffic sourced from wireless
devices to other FortiGate interfaces. The purpose is to allow the discovery and operation of Bonjour-
based services running on your wireless devices.

LAN Edge 7.0 Study Guide 185

Centralized Management

DO NOT REPRINT
© FORTINET

The image on this slide shows more settings available in a Wi-Fi profile for a dual-radio AP model. You can
configure different settings for each radio.

The Location Based Services section is where you configure the AP to collect information about wireless
devices detected by your AP. The information collected is then used by FortiPresence to provide presence
and positioning analytics for your locations.

LAN Edge 7.0 Study Guide 186

Centralized Management

DO NOT REPRINT
© FORTINET

Per-device management mode supports the same configuration options as in central management mode. The
only difference is that on per-device management mode, FortiManager maintains a set of Wi-Fi profiles for
each wireless controller (FortiGate), instead of having a set of profiles that are shared among all APs
controlled by all FortiGate devices.

In the example shown on this slide, FortiManager maintains three different Wi-Fi profiles for each FortiGate
device, and one of those profiles is applied to the controlling AP.

LAN Edge 7.0 Study Guide 187

Centralized Management

DO NOT REPRINT
© FORTINET

To enable per-device management, edit the settings of the ADOM you manage your FortiAP devices on, and
clear the FortiAP option.

LAN Edge 7.0 Study Guide 188

Centralized Management

DO NOT REPRINT
© FORTINET

In per-device management mode, all tabs look the same as in central management mode. The only difference
is the addition of the WiFi Template tab. Click this tab to edit the Wi-Fi profiles on the selected FortiGate
device.

The example on this slide shows only one FortiGate device. When there are multiple FortiGate devices, you
see a set of Wi-Fi profiles for each managed FortiGate.

LAN Edge 7.0 Study Guide 189

Centralized Management

DO NOT REPRINT
© FORTINET

In this section, you will learn about the FortiWLM extension on FortiManager, which provides you with
enhanced monitoring for your wireless network.

LAN Edge 7.0 Study Guide 190

Centralized Management

DO NOT REPRINT
© FORTINET

The FortiWLM management extension application (MEA) is a complement to AP Manager. While AP

Manager supports a monitor tab, with FortiWLM you get an enhanced monitoring view of your wireless
network. For this, FortiManager contacts the wireless controller (FortiGate) periodically to poll wireless-related
information, which is then used to report on the status of your wireless devices, build graphs and network
topologies, determine AP location, and generate alarms, among other things.

FortiWLM is disabled by default. When enabled, you require a valid FortiWLM license to monitor more than
three APs.

FortiWLM MEA provides monitoring services only. You still need to use AP Manager to deploy your APs and
change their configuration.

LAN Edge 7.0 Study Guide 191

Centralized Management

DO NOT REPRINT
© FORTINET

FortiWLM is disabled by default. You can enable it on the GUI or on the CLI.

To enable FortiWLM on the GUI, click Management Extensions and then FortiWLM, upon which
FortiManager prompts you to enable the extension. To enable FortiWLM, FortiManager needs to download
the application files from the internet, so you must make sure your FortiManager device has internet access.
While FortiManager is downloading and installing FortiWLM, it displays a progress bar under the FortiWLM
icon.

Alternatively, you can enable FortiWLM on the CLI by entering the commands shown on this slide. The CLI
also displays the progress of the application installation.

LAN Edge 7.0 Study Guide 192

Centralized Management

DO NOT REPRINT
© FORTINET

The image on this slide shows the FortiWLM main page (or dashboard) after it is enabled.

LAN Edge 7.0 Study Guide 193

Centralized Management

DO NOT REPRINT
© FORTINET

You must add wireless controllers (FortiGate devices) to FortiWLM before it can start collecting data for
monitoring purposes. Note that before doing this, the FortiGate devices must have been already registered on
the root ADOM on FortiManager. Also note that you can add only FortiGate devices registered on the root
ADOM to FortiWLM.

To add the wireless controller to FortiWLM, click Inventory > Devices, and then click ADD. FortiWLM
requests the device IP address, administrator credentials, and the ports it uses for SSH and HTTPS
administration.

LAN Edge 7.0 Study Guide 194

Centralized Management

DO NOT REPRINT
© FORTINET

In this section, you will learn about the ZTP solution available on FortiManager, which enables you to
configure your FortiGate and its connected devices without user intervention on the managed devices.

LAN Edge 7.0 Study Guide 195

Centralized Management

DO NOT REPRINT
© FORTINET

ZTP enables you to provision devices without having to change their configuration onsite. The local technician
needs to make only the necessary network physical connections and power up the devices. This approach
reduces human error while speeding up deployments thanks to automation.

ZTP works as follows:

1. The administrator adds the FortiGate device on FortiManager and configures all of its settings. The
configured settings include the device settings, policy package, and the configuration for its connected
switches and APs.
2. When FortiGate is connected to the network, FortiGate retrieves the FortiManager IP address or FQDN
through DHCP options 240 or 241 respectively, provided the DHCP server in the local network has been
preconfigured with such options.
3. FortiGate contacts FortiManager using the network parameters provided by the DHCP server.
4. FortiManager checks the FortiGate serial number against its local database. If the serial number matches
a preconfigured device, then device registration is completed. Optionally, you can configure a pre-shared
key on both FortiManager and FortiGate for identifying the managed device.
5. FortiManager pushes the preconfigured device settings to FortiGate.
6. If there are connected devices, such as switches and APs, FortiGate also pushes the configuration
provided by FortiManager for those devices.

LAN Edge 7.0 Study Guide 196

Centralized Management

DO NOT REPRINT
© FORTINET

The first step to achieve ZTP is to add the device on FortiManager before it is deployed on the field.

When you add the device on FortiManager, you must select Add Model Device, and then type the device
details. Usually you want to match the device based on its serial number, but you could also use a pre-shared
key if the device serial number is unknown.

You must also indicate the device model. However, if you use a serial number for device matching, then
FortiManager suggests a device model based on the serial number.

After you add the device, its Config Status and Policy Package Status are shown as Unknown and
Modified, respectively. Both statuses change after the device downloads the settings from FortiManager
during provisioning.

After the device is added, you may want to configure its required settings and policies on the Device Manager
and Policy & Objects panes, respectively. Otherwise, FortiManager uses the device factory default
configuration.

LAN Edge 7.0 Study Guide 197

Centralized Management

DO NOT REPRINT
© FORTINET

You can use ZTP to provision FortiSwitch and FortiAP devices that are connected to FortiGate by adding the
devices to their FortiManager panes.

When you add the connected devices ahead of time on FortiManager, they do not appear as online. However,
after FortiGate downloads the configuration from FortiManager, which also includes the settings for its
connected switches and APs, the devices are automatically authorized and eventually appear online.

LAN Edge 7.0 Study Guide 198

Centralized Management

DO NOT REPRINT
© FORTINET

FortiGate can obtain the FortiManager address through DHCP options 240 and 241. If the local DHCP server
is not configured with such options, you can manually set the FortiManager address on the GUI instead. Do
not configure the FortiManager address on the CLI because that does not initiate the secure tunnel between
FortiGate and FortiManager. This is a behavior by design.

If you have configured device matching based on pre-shared key instead of serial number, then you must also
run the CLI command shown on this slide. The command requires the user to provide the FortiManager serial
number and the configured pre-shared key.

LAN Edge 7.0 Study Guide 199

Centralized Management

DO NOT REPRINT
© FORTINET

After FortiGate retrieves the FortiManager address, it contacts FortiManager to initiate the secure tunnel on
TCP port 541. After the tunnel is established and the device is identified, FortiManager automatically initiates
the device configuration installation and shows a notification on Device Manager. Click the notification button
to view the installation progress.

After a few seconds, the installation is completed, and the device is shown as in sync.

If you have configured connected devices, they are also shown as online in their respective FortiManager
panes. Just keep in mind that FortiManager may need a few minutes before displaying them as online
because the devices are rebooted upon authorization and FortiManager queries their status every three
minutes.

LAN Edge 7.0 Study Guide 200

Centralized Management

DO NOT REPRINT
© FORTINET

By mastering the objectives covered in this lesson, you learned how to use FortiManager to deploy
FortiSwitch and FortiAP devices.

LAN Edge 7.0 Study Guide 201

FortiSwitch

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about FortiSwitch configuration and troubleshooting when managed by FortiGate.

LAN Edge 7.0 Study Guide 202

FortiSwitch

DO NOT REPRINT
© FORTINET

Finally, unless otherwise stated, all references in this lesson are for managed switch mode. You will learn
more about standalone switch and FortiSwitch Cloud in another lesson.

LAN Edge 7.0 Study Guide 206

FortiSwitch

DO NOT REPRINT
© FORTINET

FortiGate uses multiple protocols to control FortiSwitch. The protocols listed on this slide are used mainly for
switch discovery, authorization, and health checks.

For discovery, FortiGate uses the FortiLink protocol by default. The FortiLink discovery frames include the
switch serial number, as well as the port information on the switch. Note that when FortiSwitch is in
standalone mode, only specific ports send FortiLink discovery frames by default. FortiLink is also used by
managed switches that are directly connected to FortiGate to send heartbeats.

You can also use LLDP as an alternative switch discovery method. LLDP is also used when setting up a
switch stack, because it enables the links connecting the switches to be automatically configured as trunks
(auto-ISL). You will learn more about trunks and auto-ISL in another lesson.

CAPWAP is another control protocol that FortiGate uses to manage FortiSwitch devices. CAPWAP performs
switch authentication, authorization, and health checks (heartbeats) by establishing a Datagram Transport
Layer Security (DTLS) tunnel between FortiGate and the switch. It is also used as the alternative and legacy
method for sending a firmware image file to a switch when you use the FortiGate GUI firmware upgrade tool.
FortiSwitch also uses CAPWAP to send LLDP neighbor information and switch logs to FortiGate.

LAN Edge 7.0 Study Guide 207

FortiSwitch

DO NOT REPRINT
© FORTINET

DHCP, DNS, NTP, and HTTPS are used for provisioning the switch with a management IP address, its time,
name resolution, and configuration, respectively.

FortiGate acts as the DHCP, DNS, and NTP server for the switch. FortiSwitch uses DHCP to get an IP
address from the same subnet as the FortiLink interface. In addition, FortiGate is configured to respond to
DNS and NTP requests received at the FortiLink interface by default. The use of NTP is very important
because the time on FortiGate and FortiSwitch must be in sync. Otherwise, the CAPWAP DTLS tunnel won’t
be established and therefore the switch won’t come online.

FortiGate uses HTTPS for pushing switch configuration, collecting diagnostics, and as the switch default
firmware upgrade method. For this, FortiGate uses the FortiSwitch REST API to communicate with the switch.
For example, when you change the port configuration of a switch on FortiGate, FortiGate uses the FortiSwitch
REST API to apply the changes on the switch. When you check the FortiSwitch ports on the GUI, FortiGate
also uses the FortiSwitch REST API to obtain the current port status information from the switch. When you
use the FortiSwitch firmware upgrade tool on the FortiGate GUI or CLI, FortiGate uploads the firmware image
file to the switch through HTTPS.

Finally, FortiGate also uses SSH to access the switch CLI. When you use the CLI connection tool available on
the GUI, FortiGate establishes an SSH connection to the switch management IP address.

LAN Edge 7.0 Study Guide 208

FortiSwitch

DO NOT REPRINT
© FORTINET

The default DHCP scope for the default FortiLink interface sets FortiGate as the default gateway, NTP server,
and DNS server for its managed switches. The DHCP scope is automatically configured based on the IP
address and netmask assigned to the interface. By default, the default FortiLink interface is assigned the IP
address 169.254.1.1 and netmask 255.255.255.0. In addition, the DHCP scope is also restricted to
Vendor Class Identifiers (VCIs) FortiSwitch and FortiExtender. This means that only FortiSwitch and
FortiExtender devices can obtain addresses from that scope.

For NTP, FortiGate is configured to respond to NTP requests received at the FortiLink interface.

LAN Edge 7.0 Study Guide 209

FortiSwitch

DO NOT REPRINT
© FORTINET

By default, the switch management mode is set to local (also known as standalone). The slide shows how
to change the management mode directly on the switch CLI. However, despite the switch operating in local
management mode by default, some of the switch ports are also configured to broadcast FortiLink discovery
frames by default. This set of ports varies among switch models. For example, in a FortiSwitch 224E-POE,
these ports are 21 to 28.

If you want a port to send out FortiLink discovery frames, you can enable auto-discovery-fortilink on
the port.

When FortiGate receives FortiLink discovery frames on any of its FortiLink interface port members, FortiGate
adds the switch to the list of managed switch and displays it as unauthorized. After you authorize the switch
on FortiGate, the switch management mode is changed to fortilink, which causes the switch to reboot.

FortiSwitch

DO NOT REPRINT
© FORTINET

In this section, you will learn how to configure FortiSwitch ports and VLANs.

LAN Edge 7.0 Study Guide 216

FortiSwitch

DO NOT REPRINT
© FORTINET

When FortiGate discovers the first switch, it automatically adds to its configuration some settings that are
needed for switch management. These settings include the following VLANs:

• Default: This is the default native VLAN assigned to all switch ports.
• Quarantine: This is the default VLAN used for quarantined traffic. On FortiGate, you can quarantine a
device connected to a switch, upon which the device is placed in the quarantine VLAN.
• RSPAN: It is used for sending encapsulated mirrored traffic across the network.
• Voice: When using LLDP-MED, you can assign the switch port to this VLAN if the endpoint is detected as a
voice device.
• Video: Same as the voice VLAN, but used when the endpoint is detected as a video device.
• Onboarding: When network access control (NAC) policies are enabled, this is the VLAN where devices
that do not match any of the configured NAC policies are placed. You will learn more about NAC policies in
this lesson.
• NAC segment: Used to prevent hosts from having to renew IP addresses when moving to another VLAN.

In addition, a DHCP scope is configured for all the preconfigured VLANs except the default VLAN. The VLANs
are also assigned with the predefined VLAN IDs shown in the example on this slide, and they can be edited or
deleted if required.

LAN Edge 7.0 Study Guide 217

FortiSwitch

DO NOT REPRINT
© FORTINET

When you manage a switch from FortiGate, the switch becomes an extension of FortiGate. You configure and
use FortiSwitch VLANs in the same way as FortiGate VLANs. Just keep in mind that a FortiSwitch VLAN must
be bound to the FortiLink interface. Otherwise, you won’t be able to select the VLAN when configuring the
VLAN settings on a switch port.

In addition, all interface settings usually available on FortiGate VLANs are available on FortiSwitch VLANs,
such as device detection, captive portal, and so on.

LAN Edge 7.0 Study Guide 218

FortiSwitch

DO NOT REPRINT
© FORTINET

Ports Configuration on FortiSwitch manager displays all the ports available on the switch. On FortiSwitch
manager, you can view or edit the configuration of each port.

To edit the settings on a port, select the port and click Edit to display a new window showing the port settings
available. On this window, you can assign the Native VLAN, as well as the Allowed VLAN list for the port.
You will learn more about these VLANs in this lesson.

In addition, when you right-click a port, a context menu is shown with some settings available for the port.
Moreover, on the ports configuration page, FortiManager also displays the switch front view, indicating the
status of all ports on the switch.

LAN Edge 7.0 Study Guide 219

FortiSwitch

DO NOT REPRINT
© FORTINET

FortiSwitch can process both tagged and untagged Ethernet frames. When you configure a port, you must
ensure that the port VLAN settings match the VLAN tagging required by the connected device for ingress and
egress traffic. Below are the VLAN settings that define how the port handles tagged and untagged traffic. Note
that the ingress and egress traffic refers to the traffic entering and leaving the switch port, respectively.

• Native VLAN: In most cases, this refers to the VLAN assigned to the endpoint. The native VLAN can be
defined as the default VLAN for untagged ingress traffic. Because most endpoints send traffic without
VLAN tag, then the endpoint traffic is placed in the VLAN defined as the native VLAN. Frames for egress
traffic matching the native VLAN are also sent untagged.

• Allowed VLAN: Defines the list of VLANs that are allowed on the port for both ingress and egress traffic,
and for both tagged and untagged traffic. The native VLAN is implicitly allowed on the port, and therefore,
you don’t need to include it in the allowed VLANs list. For the port to accept incoming frames tagged with
VLANs other than the native VLAN, the frames must be tagged with one of the VLANs defined in the
allowed VLAN list. When there are no VLANs defined as untagged VLANs, the egress traffic for an allowed
VLAN is tagged. The allowed VLAN settings is key on inter-switch links (ISLs), and in the FortiLink trunk,
because the traffic forwarded between the switches, and between the switch and FortiGate, are usually
tagged with multiple VLANs. You may also need to adjust the allowed VLAN settings on ports connecting
endpoints that send and expect to receive tagged traffic. This is the case for some IP phones or servers
that leverage the use of VLAN tags for their applications.

• Untagged VLAN: Usually, you don’t have to configure this setting. However, some features like quarantine
MAC or dynamic VLAN assignment, require it for the feature to work. The setting applies only to egress
traffic, and defines a list of VLANs for which the egress traffic is sent untagged. In order for the setting to
take effect, the untagged VLAN must also be a member of the allowed VLAN list.

LAN Edge 7.0 Study Guide 220

FortiSwitch

DO NOT REPRINT
© FORTINET

You can configure the untagged-vlans setting by running the commands shown on this slide.

LAN Edge 7.0 Study Guide 221

FortiSwitch

DO NOT REPRINT
© FORTINET

If you have PoE-powered devices connected to PoE-enabled switch ports, you can check the current PoE
status on the switch port from the faceplates section on FortiSwitch manager. Hover over the port to get the
amount of power delivered by the port.

Alternatively, you can also display the PoE information from FortiGate CLI by running the command shown on
the slide. Compared to FortiSwitch manager, the command displays more details about PoE, such as the
power class, voltage, current, and maximum power.

In case you want to reset the PoE delivery on a port, you can run a FortiGate CLI command like the one
shown on this slide.

LAN Edge 7.0 Study Guide 222

FortiSwitch

DO NOT REPRINT
© FORTINET

In FortiSwitch, a trunk is a link aggregation group (LAG) interface. Although other vendors use the term trunk
when referring to interfaces that accept tagged Ethernet frames, for FortiSwitch, a trunk is just a LAG
interface.

When you connect two FortiSwitch devices together, or when you connect FortiSwitch to the FortiGate
FortiLink interface, a trunk is automatically formed on the switch by the auto-ISL feature used by LLDP. Other
devices connecting to FortiSwitch using a LAG require that you manually configure a trunk on FortiSwitch.
You can manually configure a trunk on FortiSwitch manager by clicking Create New on the Ports
Configuration page, to display a new window with the settings available for the trunk.

LAN Edge 7.0 Study Guide 223

FortiSwitch

DO NOT REPRINT
© FORTINET

Access VLANs enable FortiSwitch to prevent direct communication among devices in the same VLAN.
Devices can communicate only with FortiGate. Traffic destined for other devices in the same VLAN is dropped
by FortiSwitch. Although other vendors use the term “access VLAN” when referring to the native or untagged
VLAN on a switch port, in FortiSwitch, “access VLAN” just refers to a VLAN that allows traffic to the switch
controller only.

Access VLANs can be used to place devices in a temporary or onboarding VLAN before they are
authenticated or identified by FortiGate, upon which FortiGate moves the device to the corresponding
production VLAN. Another use case for access VLANs is when you want to drop intra-VLAN traffic because
the devices don’t require client-to-client communication. This could prevent the spread of malware by
compromised hosts, reduce the amount of traffic in the network, or prevent an attacker from gathering network
information that can be later used to attack vulnerable hosts in the same VLAN.

You can enable access VLANs on a FortiSwitch VLAN by running the CLI commands shown on this slide.
Note that access VLAN is enabled on the quarantine and onboarding VLANs by default.

In the network diagram shown on this slide, port1 and port2 on FortiSwitch are placed in VLAN 10, which is a
FortiSwitch VLAN configured on FortiGate with access VLAN enabled. As a result, when client A sends traffic
destined to devices other than the VLAN 10 interface on FortiGate, FortiSwitch drops the traffic.

LAN Edge 7.0 Study Guide 224

FortiSwitch

DO NOT REPRINT
© FORTINET

When access VLAN is enabled, you can still allow intra-VLAN traffic through FortiGate by having FortiGate
perform proxy ARP for other hosts in the VLAN, and by having firewall policies allowing the intra-VLAN traffic.

This slide shows an example of the proxy ARP configuration needed on FortiGate based on the network
diagram shown on the slide. When client A sends ARP requests for resolving the MAC address of client B,
FortiGate responds to ARP requests on behalf of client B. As a result, when client A communicates with client
B, packets from client A to client B are sent through FortiGate, which is a traffic that is allowed by FortiSwitch.
When traffic arrives at FortiGate, the traffic is then forwarded to client B because FortiGate has a firewall
policy allowing the intra-VLAN traffic.

When you configure the firewall policy, you must select the same VLAN interface as the incoming interface
and the outgoing interface. You can also enable security profiles to perform inspection if required.

LAN Edge 7.0 Study Guide 225

LAN Edge 7.0 Study Guide 230

FortiSwitch

DO NOT REPRINT
© FORTINET

You can also see the list of matched devices on the FortiGate GUI and CLI. Note that if the device hostname
has been detected by FortiGate, the GUI will display the device hostname instead of its MAC address.

LAN Edge 7.0 Study Guide 231

FortiSwitch

DO NOT REPRINT
© FORTINET

For FortiSwitch ports acting as a NAC interface, the default behavior for new connections to the port is that
the link disconnects and then reconnects. This causes connected hosts to restart the DHCP process, which in
turn makes these devices obtain new IP addresses. The hosts lose existing firewall sessions, which is an
issue for using a NAC policy on FortiSwitch ports with dynamic changes to the physical connections.

NAC LAN segments prevent the IP addresses of hosts from changing while providing physical isolation. The
NAC policy takes effect when existing connected devices are in isolated segments where they are assigned
IP addresses by the nac_segment interface. This in turn preserves ongoing firewall sessions instead of
resetting traffic connections for the devices.

To configure the NAC LAN segment globally, VLANs that require segmentation must not have any Layer 3
settings such as IP address and DHCP server. The nac_segment interface assigns an IP address to each
device in its VLAN LAN segment. The NAC port should allow only the untagged nac_segment VLAN. Do not
add the segmented VLANs to the NAC port setting because they are part of global LAN configuration and do
not offer Layer 3 services, such as DHCP server.

LAN Edge 7.0 Study Guide 232

FortiSwitch

DO NOT REPRINT
© FORTINET

Before a device matches a NAC policy, it is placed in the onboarding VLAN. You can view the list of devices
placed in the onboarding VLAN by running the diagnose switch-controller mac-device nac
onboarding command on the FortiGate CLI.

You can also view the list of devices that have matched a NAC policy, and their location on the network, by
running the diagnose switch-controller mac-device nac known command. FortiSwitch
synchronizes the MAC address table of its managed switches every five seconds. If the MAC address of the
NAC device is not listed in the MAC address table for the last 900 seconds (15 minutes), the device is
considered inactive and is placed back in the onboarding VLAN.

LAN Edge 7.0 Study Guide 233

FortiSwitch

DO NOT REPRINT
© FORTINET

This slide shows the steps performed on the traffic received from FortiSwitch on ports configured as NAC
mode.

Implementing policies for controlling devices and user access to your networks for resource, role, device and
location-based access, and enforce security compliance with security and patch management policies, among
other controls.

The NAC policy is defined based on any significant field with the user device list entry. Devices within the list
may have NAC policy applied and are using the IoT device identification database or LLDP from FortiSwitch.

LAN Edge 7.0 Study Guide 234

FortiSwitch

DO NOT REPRINT
© FORTINET

In this section, you will learn about troubleshooting communication issues between FortiGate and FortiSwitch.

LAN Edge 7.0 Study Guide 235

FortiSwitch

DO NOT REPRINT
© FORTINET

When troubleshooting managed switches, start by running the execute switch-controller get-
conn-status command on the FortiGate CLI. The command provides you with key information for all
managed switches, such as their current status, management IP address, firmware version, as well as the last
time the switches successfully connected to (or joined) FortiGate. Under normal operation, a switch join time
should remain the same because it is the first time the switches joined FortiGate. However, a switch join time
that is frequently updated may indicate connectivity issues between the switch and FortiGate.

The output also provides you with two pieces of information that you will likely need to troubleshoot further:
stack name and switch ID. Because FortiGate supports management of multiple switch stacks, and given that
each stack can have multiple switches, knowing the stack name and the switch ID of a problematic switch
allows you to filter the output when running some troubleshooting commands. This is particularly useful when
dealing with large FortiSwitch deployments because reviewing the output of all managed switches can be
overwhelming. Note that all stack names start with FortiSwitch-Stack- followed by the FortiLink interface
the stack is connected to. In the example shown on this slide, the FortiLink interface is fortilink.

LAN Edge 7.0 Study Guide 236

FortiSwitch

DO NOT REPRINT
© FORTINET

If you add the switch ID to the execute switch-controller get-conn-status command, you get
further details about the switch, including the status summary of all of its ports and aggregate interfaces (or
trunks).

LAN Edge 7.0 Study Guide 237

FortiSwitch

DO NOT REPRINT
© FORTINET

The next step in troubleshooting a switch is to obtain the physical connection details of the stack. This is
especially helpful when troubleshooting instability issues caused by incorrect physical connections.

You can get the current physical topology of a stack by running the execute switch-controller get-
physical-conn command. The command can display the output in standard format or dot format. The
standard format is more suited for small deployments, because the output for these cases is usually easier to
read. The standard output organizes the switches per tier (or level), and indicates the ports used for each
connection between switches, and between switches and FortiGate devices. For example, the standard
format output shown on this slide corresponds to a two-switch stack. The switch that is directly connected to
FortiGate is classified as tier 1.

In addition, the output also includes the names of the trunks automatically configured through auto-ISL. In
auto-ISL, the trunk names contain a portion of the adjacent switch serial number.

LAN Edge 7.0 Study Guide 238

FortiSwitch

DO NOT REPRINT
© FORTINET

For large deployments, you may want to use the dot format output instead. The output can be loaded into an
image editor that supports graphviz format, such as GVedit, so the output is displayed as a graph.
Alternatively, you can upload the output into a graphviz converter website such as www.webgraphviz.com,
to generate the graph.

In the example shown on the slide, the dot output has been loaded into GVEdit. GVEdit then generates a
graph depicting the physical topology of the stack.

LAN Edge 7.0 Study Guide 239

FortiSwitch

DO NOT REPRINT
© FORTINET

Each time you change the FortiSwitch configuration on FortiGate, the change is saved in the FortiGate
configuration first, and then FortiGate pushes the configuration change to FortiSwitch through HTTPS and
using the FortiSwitch REST API. FortiSwitch then saves the changes locally. The command execute
switch-controller get-sync-status shows the status of the configuration synchronization between
FortiGate and FortiSwitch.

The command also displays the MAC address synchronization and HTTP firmware upgrade status. FortiGate
frequently polls the MAC address table from all managed switches to get the physical address listed on each
port. This information is then used by FortiGate to provide visibility, control, and ultimately security of the
network. In addition, FortiGate supports two methods for pushing firmware image files to managed switches:
CAPWAP and HTTPS. The upgrade status information displayed by the execute switch-controller
get-sync-status command is for the HTTPS method only.

LAN Edge 7.0 Study Guide 240

FortiSwitch

DO NOT REPRINT
© FORTINET

To verify that all the configuration needed for switch management is in place, you can run the execute
switch-controller diagnose-connection command. FortiGate checks that the following settings are
present:

• The FortiLink interface has the fortilink setting enabled

• There is a DHCP server scope for the FortiLink interface
• The NTP server is enabled on the FortiLink interface

The command also provides the latest NTP status information, as well as the FortiGate high availability (HA)
mode in use.

LAN Edge 7.0 Study Guide 241

FortiSwitch

DO NOT REPRINT
© FORTINET

When you specify a switch, the execute switch-controller diagnose-connection command also
includes in the output the following connectivity checks between FortiGate and the switch:

• FortiLink and CAPWAP connection status, including the last keepalive (or heartbeat) received
• The results of FortiGate sending pings to the switch

Note that this command also displays the output for the configuration check, which is described on the
previous slide.

LAN Edge 7.0 Study Guide 242

FortiSwitch

DO NOT REPRINT
© FORTINET

The command shown on this slide lists specific port information, such as its status, speed, MTU, as well as
multiple input and output counters. The output has been cut to include the information for port1 only.

LAN Edge 7.0 Study Guide 243

FortiSwitch

FortiSwitch

DO NOT REPRINT
© FORTINET

You can enable debug of the fortilinkd process for monitoring and troubleshooting the discovery of
FortiSwitch devices.

When a new FortiSwitch is discovered, the debug output shows the FortiSwitch serial number as well as the
FortiGate port where the FortiLink frames that triggered the switch discovery were received.

In addition, because the FortiLink discovery frames include the switch port information, FortiGate reads this
information from the frames to build the switch faceplate image shown on the GUI.

LAN Edge 7.0 Study Guide 247

FortiSwitch

DO NOT REPRINT
© FORTINET

After you authorize a switch and it comes online, the switch starts sending FortiLink heartbeats to FortiGate
every 3 seconds. FortiGate then acknowledges the heartbeats by sending a reply to the switch. The debug
output for the fortlinkd process also shows these heartbeats.

LAN Edge 7.0 Study Guide 248

FortiSwitch

DO NOT REPRINT
© FORTINET

To troubleshoot or monitor the configuration changes applied by FortiGate to the switches, you can enable
debug for the FortiLink configuration daemon.

In the example shown on this slide, the administrator sets the native VLAN for port2 on the switch to
Students. The Students VLAN uses VLAN ID 10. Because the change is made on FortiGate, it triggers a
configuration push to the managed switch. FortiGate first logs in to the managed switch REST API through
HTTPS, and then applies the configuration changes required for port2. After it finishes applying the changes,
FortiGate logs out of the switch.

LAN Edge 7.0 Study Guide 249

FortiSwitch

DO NOT REPRINT
© FORTINET

By default, all managed switches send notification-level logs, including information-level logs, to FortiGate so
they can be displayed on the FortiGate GUI. You can set a different log severity level either globally or for
each FortiSwitch.

LAN Edge 7.0 Study Guide 250

FortiSwitch

DO NOT REPRINT
© FORTINET

This slide shows an example of FortiSwitch-related logs available on the FortiGate GUI. FortiSwitch logs are
available as events logs on the FortiGate GUI. Because the event logs page also includes logs for other
system-related events, the logs in this example are filtered to display only the logs for the managed
FortiSwitch using the serial number.

Port Security

DO NOT REPRINT
© FORTINET

In this section, you will learn about 802.1X.

LAN Edge 7.0 Study Guide 255

Port Security

DO NOT REPRINT
© FORTINET

802.1X is a standard that is designed to provide authentication services to network devices that want to join a
wired or wireless network. The 802.1X standard defines an authentication protocol called EAP. It also defines
how EAP is encapsulated over the LAN (the EAPOL protocol) and over RADIUS.

802.1X involves the following three parties:

• The client, also known as the supplicant, is the device that wants to join the network. Its network stack
must support 802.1X.
• The authenticator is a network device, such as a wireless access point or a switch, that acts as the broker
in the authentication process. The authenticator allows or denies network access to the supplicant based
on the response received from the authentication server.
• The authentication server is a host that supports the RADIUS and EAP protocols, such as
FortiAuthenticator, that verifies the client credentials. The client credentials can be a username and
password, or a digital certificate. The authentication server also grants the supplicant with a level of
network access based on the existing network policies.

The client is not allowed to access the network until the client credentials are validated and authorized. Using
802.1X authentication, the client provides their credentials to the authenticator, which then passes on the
information to the authentication server for verification. If the authentication server determines that the
credentials are valid, the client device is granted access to the network.

Note that the authenticator does not need to store the client credentials or have knowledge of the
authentication method (for example, PEAP or EAP-TLS). The authentication messages are tunneled from the
client to the authentication server over the RADIUS protocol.

LAN Edge 7.0 Study Guide 256

Port Security

DO NOT REPRINT
© FORTINET

When a client (laptop) connects to a LAN switch that requires 802.1X authentication, the client sends its
credentials to the authenticator (FortiSwitch) using EAP over LAN (EAPOL) frames. The authenticator then
forwards the EAP messages to the authentication server (FortiAuthenticator), which is a RADIUS server that
supports EAP.

Before the client is authenticated, any non-EAPOL traffic sent by the client is blocked by the authenticator.
The client authentication process is as follows:

1. The client sends an EAPOL-Start frame to initiate the EAP authentication.

2. The authenticator replies with an EAP-Request/Identity message to request identification. All EAP
messages exchanged between the client and the authenticator are encapsulated into EAPOL frames.
3. The client responds with an EAP-Response/Identity message that contains the client identity (usually the
username).
4. The authenticator forwards the EAP-Response/Identity message to the authentication server in a RADIUS
Access-Request packet. All EAP messages exchanged between the authenticator and the authentication
server are encapsulated into RADIUS packets.
5. The authentication server replies with a RADIUS Access-Challenge packet containing an EAP-Request
message indicating the authentication method to use by the supplicant.
6. If the supplicant agrees on the requested EAP method, it responds with an EAP-Response message.
7. The client and the authentication server exchange multiple EAP-Request and EAP-Response messages
for credentials verification.
8. The authentication process finishes when the authentication server sends to the client an EAP-Success
message encapsulated into a RADIUS Access-Accept message.
9. At this point, any non-EAPOL traffic, such as IP traffic, is allowed by the authenticator.

DO NOT REPRINT
© FORTINET

FortiAuthenticator supports EAP-TLS, EAP-TTLS, and PEAP. Although on its GUI, FortiAuthenticator displays
EAP-TLS, EAP-TTLS, PEAP, and EAP-GTC, note that PEAP and EAP-GTC refer to PEAPv0/EAP-
MSCHAPv2 and PEAPv1/EAP-GTC, respectively.

In all these methods, a TLS session is established first, and a digital certificate is used for authenticating the
server. The way clients are authenticated varies from one method to another.

LAN Edge 7.0 Study Guide 265

Port Security

DO NOT REPRINT
© FORTINET

In this section, you will learn about 802.1X authentication on FortiSwitch.

LAN Edge 7.0 Study Guide 266

Port Security

DO NOT REPRINT
© FORTINET

To configure 802.1X port authentication on FortiSwitch, you must first create a security policy. When you
configure a security policy, you must select Port-based or MAC-based as the Security mode. Port-based is
preferred when you expect a single host per port to authenticate, even though there may be multiple hosts
connecting to the same port. Under this scenario, FortiSwitch authenticates a single host, and opens the port
to other devices behind the port. A use case for this scenario could be an AP. After the AP authenticates
against the switch, any of its connected devices can access the network despite using a different MAC
address from the one used by the AP during authentication. In addition, all devices will be granted the same
access level assigned to the AP during authentication. However, if you want to authenticate each device
behind a port, and optionally, grant each device with a different access level based on the credentials
provided, then MAC-based is required. Security-wise, MAC-based is also preferred because all hosts (or
MAC addresses) behind the port must authenticate for accessing the network. Performance-wise, port-based
is better because only a single host is required to authenticate.

In cases where a device does not support 802.1X, you can configure the security profile to place that device in
the VLAN selected as Guest VLAN. Alternatively, you can enable MAC authentication bypass to allow
network access to a non-802.1X device, provided the device MAC address is authorized on the authentication
server. You can also place devices that try to authenticate through 802.1X, but fail, in the VLAN selected as
Authentication fail VLAN.

You can disable EAP pass-through if the FortiSwitch role is to authenticate users against its local users
database, or if the authentication server does not support EAP. The authentication process is only performed
by FortiSwitch. FortiGate only pushes the settings to route EAP to the authentication server. As an 802.1X
authentication server, FortiSwitch supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5. Finally, if you
enable Override RADIUS timeout, the switch overrides the local reauthentication timer with the session-
timeout attribute value received from the RADIUS server.

LAN Edge 7.0 Study Guide 267

Port Security

DO NOT REPRINT
© FORTINET

After creating the security policies, you define which policy is applied to a FortiSwitch port. 802.1X
authentication is enabled only on ports that have a security policy assigned to them.

LAN Edge 7.0 Study Guide 268

Port Security

DO NOT REPRINT
© FORTINET

There are four 802.1X settings that can be configured either globally or per switch on the FortiGate CLI:

• link-down-auth: By default, FortiSwitch clears the 8021.X authentication information for a device after
the port the device is connected to bounces, which results in the device having to authenticate again.
However, you can configure FortiSwitch to skip reauthentication if the port bounces.
• reauth-period: FortiSwitch requests authenticated devices to reauthenticate every hour by default. This
option allows you to adjust this timer if needed.
• max-reauth-attempt: Defines how many times FortiSwitch tries to authenticate a device after the first
failed authentication attempt.
• tx-period: Sets the amount of time between 802.1X reauthentication attempts.

LAN Edge 7.0 Study Guide 273

Port Security

DO NOT REPRINT
© FORTINET

On FortiAuthenticator, you enable machine authentication by enabling Windows AD computer

authentication in the Authentication factors section of the matching RADIUS policy.

After you enable machine authentication, you can override the user group that is returned by
FortiAuthenticator for clients that have done either machine-only or user-only authentication. Because the
user group that is returned by FortiAuthenticator is commonly used by the authenticator, such as FortiSwitch,
to determine the VLAN for the device, this enables you to control the level of network access granted to the
device based on the returned user group. Usually, you want to grant full access to devices that have
performed both machine authentication and user authentication, and limited access to devices that have done
machine authentication only or user authentication only.

LAN Edge 7.0 Study Guide 274

Port Security

DO NOT REPRINT
© FORTINET

The list of returned attributes, which can include a user group, are configured in the RADIUS response
section of the matching RADIUS policy. The following are examples of controlling network access on devices
based on their authentication status:
• Devices that do both machine authentication and user authentication are assigned their normal user
groups, and therefore, granted full network access.
• Devices that do only machine authentication can be assigned a user group that grants limited network
access. FortiAuthenticator does not return the configured (or normal) user group as a RADIUS attribute.
Instead, it offers you the option to return additional RADIUS attributes, including a different user group,
which can have limited access to the network.

LAN Edge 7.0 Study Guide 275

Port Security

DO NOT REPRINT
© FORTINET

To limit access for unauthenticated users, you can configure additional attributes to return based on custom
use cases. Devices that do only user authentication can be assigned the normal user group, which provides
full network access, or with a different user group that grants limited access.

LAN Edge 7.0 Study Guide 276

Port Security

DO NOT REPRINT
© FORTINET

Create a guest VLAN and a failed authorization VLAN to dynamically assign them to hosts when they attempt
to access the network.

Unauthenticated hosts will be assigned to the Guest VLAN after the 802.1X authentication times out.

In addition, hosts that fail to authenticate (for example, compatible host with incorrect credentials), will be
assigned to the Authentication fail VLAN.

Each VLAN may provide DHCP service to allocate IP addresses to hosts.

LAN Edge 7.0 Study Guide 277

Port Security

DO NOT REPRINT
© FORTINET

MAC authentication bypass (MAB) allows access to devices that do not support 802.1X authentication. When
MAB is enabled in the security policy, and the 802.1X authentication times out, FortiSwitch performs the
authentication on behalf of the connected device. For this purpose, FortiSwitch sends a RADIUS Access-
Request, using the MAC address of the device as the username, and the encrypted MAC address of the
device as the password. FortiAuthenticator can be configured with a list of MAC addresses that are allowed to
access the network without 802.1X authentication. If the MAC address of the device is included in this list, the
device is authorized.

LAN Edge 7.0 Study Guide 278

Port Security

DO NOT REPRINT
© FORTINET

This packet capture shows the RADIUS Access-Request when MAB is used. It includes the FortiSwitch ID,
client MAC address (as the username), encrypted client MAC address (as the password), and the client MAC
address (as the Calling-Station-ID).

LAN Edge 7.0 Study Guide 279

Port Security

DO NOT REPRINT
© FORTINET

In FortiSwitch, you enable MAC authentication bypass for each security policy.

LAN Edge 7.0 Study Guide 280

Port Security

DO NOT REPRINT
© FORTINET

To have FortiAuthenticator work with MAB, you must add the MAC address of every supplicant on the
FortiAuthenticator MAC Devices page. After that, you must create one or more MAC groups on the User
Groups page, and then add the MAC devices to their respective MAC groups.

The next step is to enable MAC authentication bypass (MAB) in the Authentication type section of the
matching RADIUS policy. Then, in the Identity source section, select the MAB groups that are part of the
Authorized groups or the Blocked groups.

Finally, it is recommended that you enable the Require Call-Check attribute for MAC-based
authentication. Because MAB uses the device MAC address as the username and password, enabling this
option instructs FortiAuthenticator to also check that the RADIUS Access-Request received from the NAS
includes the Service-Type attribute, and it is set to Call-Check. By performing this additional verification,
FortiAuthenticator prevents processing non-MAB requests, which may also contain the device MAC address
in a RADIUS attribute, as MAB requests. Enabling Require Call-Check attribute for MAC-based
authentication does not require additional configuration on FortiSwitch. FortiSwitch always includes the
Service-Type attribute set to Call-Check in all its MAB requests.

LAN Edge 7.0 Study Guide 281

Port Security

DO NOT REPRINT
© FORTINET

This slide shows the authentication process when 802.1X is combined with MAB. When a physical device is
connected to an 802.1X port, FortiSwitch waits for the EAPOL-Start packet.

If FortiSwitch receives an EAPOL-Start packet from the connected device, the 802.1X authentication starts.
FortiSwitch checks the credentials against a RADIUS server, with the following results:

• If the credentials are invalid, and Authentication fail VLAN is enabled, traffic from the device is allowed
and assigned to the authentication fail VLAN.
• If the credentials are invalid, and Authentication fail VLAN is disabled, traffic from the device is blocked.
• If the credentials are valid, traffic from the device is allowed and assigned to the respective user VLAN.

If FortiSwitch does not receive EAPOL-Start packets after a certain amount of time, the 802.1X authentication
times out. After that, the source MAC address of the device is checked, with the following results:

• If MAC bypass is disabled, the traffic is assigned to the guest VLAN (or blocked, if Guest VLAN is
disabled).
• If MAC bypass is enabled, but the source MAC address is not in the MAB table, the traffic is assigned to
the guest VLAN (or blocked, if Guest VLAN is disabled).
• If MAC bypass is enabled, and the source MAC address is in the MAB table, the traffic is allowed and
assigned to the respective user VLAN.

LAN Edge 7.0 Study Guide 282

Port Security

DO NOT REPRINT
© FORTINET

In this section, you will learn how to quarantine MAC addresses with FortiGate and FortiSwitch.

LAN Edge 7.0 Study Guide 283

Port Security

DO NOT REPRINT
© FORTINET

To quarantine a MAC address, FortiSwitch and FortiGate work together to isolate a device. Isolation means
that a quarantined device can communicate only with FortiGate. If the device tries to communicate with any
other host on the network, the communication is blocked. To isolate a quarantined device, FortiSwitch
forwards all its traffic to FortiGate. The traffic can be any of the following destinations:

• FortiGate local: The destination is a FortiGate interface.

• Intra-VLAN: The destination is a device in the same VLAN.
• Inter-VLAN: The destination is a device in a different VLAN or network that is reached through FortiGate.

For the FortiGate local traffic, the communication is allowed if FortiGate is configured to allow the connection.
For example, a quarantined device can ping a FortiGate interface if ping access is enabled on that interface.
For other traffic, the communication is blocked by FortiGate.

You can quarantine devices by MAC address, either manually or automatically. MAC address quarantine
works as follows:

1. FortiGate monitors the device activity based on the traffic and security logs generated for the device.
2. If FortiGate determines that the device must be quarantined, either because an automated rule has been
triggered, or because of user intervention, FortiGate adds the device MAC address to its local quarantine
list.
3. FortiGate applies the quarantine-related configuration for the quarantined device to FortiSwitch using the
FortiSwitch REST API.
4. The pushed configuration instructs FortiSwitch to block the traffic from the quarantined MAC address.

To enable MAC address quarantine on the FortiGate CLI, run the commands shown on this slide.

LAN Edge 7.0 Study Guide 284

Port Security

DO NOT REPRINT
© FORTINET

FortiGate supports two MAC address quarantine modes: by VLAN and by redirect. In both modes, FortiGate
blocks the traffic from the quarantined MAC address provided the correct configuration is in place.

In by VLAN mode, FortiGate moves the quarantined MAC address to the quarantine VLAN. If you are using
the default quarantine VLAN as your quarantine VLAN, the inter-VLAN traffic from the device is automatically
blocked because the quarantine VLAN does not have any firewall policies configured. Note that the device
can still get an IP address through DHCP because the quarantine VLAN has the DHCP server enabled by
default. However, this would require the device to restart its DHCP client, which typically requires user
intervention. This could make it difficult for an administrator to perform remediation on the device.

In by redirect mode, FortiGate keeps the device in its current VLAN, and adds the device MAC address to the
QuarantinedDevices firewall address group. The device IP address does not change, which is useful for
performing remediation. However, to block the inter-VLAN traffic, you must configure a firewall policy to
explicitly block the traffic from the QuarantinedDevices address group.

In both modes, the intra-VLAN traffic is dropped automatically by FortiGate because the destination MAC
address of the traffic does not match the FortiGate interface. The destination MAC address of the traffic is the
MAC address of the target device located in the same VLAN. In addition, communication between the
quarantined devices and FortiGate is allowed. You can also configure additional firewall policies to explicitly
allow quarantined devices to access limited network resources, such as servers with Windows updates and
other security-related software updates, which are required for remediation.

To change the MAC address quarantine mode on the FortiGate CLI, run the commands shown on this slide.

LAN Edge 7.0 Study Guide 285

Port Security

DO NOT REPRINT
© FORTINET

In by redirect mode, FortiGate quarantines a device by creating a firewall address object that contains the
quarantined device MAC address. FortiGate then adds the firewall address object to the
QuarantinedDevices address group.

However, FortiGate does not add a firewall policy to block the inter-VLAN traffic from the
QuarantinedDevices address group. For this reason, the administrator must manually create a firewall policy
like the one shown on this slide. Like with any firewall policy, the administrator must also make sure that the
policy is placed in the correct position in the firewall policy list, so that the quarantined traffic matches the
block policy instead of the regular firewall policies that are used for production traffic.

LAN Edge 7.0 Study Guide 286

Port Security

DO NOT REPRINT
© FORTINET

If you are using by VLAN mode, then you might want use the default quarantine VLAN as your quarantine
VLAN. The quarantine VLAN gets created when the first switch is discovered by FortiGate, provided the
quarantine feature is enabled under config user quarantine.

The quarantine VLAN is assigned with VLAN ID 4093, and configured with the subnet 169.254.12.0/24
by default. In addition, the interface has DHCP Server enabled to assign IP addresses to quarantined
devices. By default, this VLAN is part of the allowed VLANs on a managed FortiSwitch, which is needed for
the quarantine feature to work. Moreover, to isolate quarantined devices from each other, access VLAN is
enabled on the quarantine VLAN by default. The access VLAN option is only visible on the FortiGate GUI,
and not on the FortiManager GUI.

In addition, the quarantine VLAN has captive portal enabled for device remediation. Part of the role of
quarantining devices is to challenge connectivity with the captive portal, which can be configured to present
custom messaging to the organization.

LAN Edge 7.0 Study Guide 287

Port Security

DO NOT REPRINT
© FORTINET

To manually quarantine a MAC address on the FortiGate GUI, browse to FortiSwitch Ports on the WiFi &
Switch Controller page, click the device listed in the Device Information column, and then select
Quarantine Host.

LAN Edge 7.0 Study Guide 288

Port Security

DO NOT REPRINT
© FORTINET

When FortiGate is a member of a Security Fabric group, the Security Fabric can quarantine devices
automatically using automation stitches.

In addition to requiring a FortiAnalyzer device to configure the Security Fabric, you also need a valid threat
detection services license on FortiAnalyzer. The license enables FortiAnalyzer to use IOCs to detect
compromised devices on the network. IOCs are events or characteristics collected about a device that
indicate, with high confidence, that the device has been compromised.

After FortiAnalyzer determines that the device has been compromised, you can configure the Security Fabric
to perform the following actions:

• IP ban: Traffic from the compromised device IP is blocked on FortiGate, but intra-VLAN traffic is still
allowed.
• Access layer quarantine: Inter-VLAN and intra-VLAN traffic from the compromised device MAC address is
blocked using FortiGate and FortiSwitch.
• Quarantine FortiClient: All traffic from the compromised device is blocked on the device itself provided the
device has FortiClient installed.
• VMware NSX security tag: An endpoint in VMware NSX environment that is compromised to be blocked
based on the security tag.
• FortiNAC quarantine: The PC is quarantined and its MAC address is disabled in the configured FortiNAC.

LAN Edge 7.0 Study Guide 289

Port Security

DO NOT REPRINT
© FORTINET

Known and unknown threat information is easily and efficiently shared among all elements and locations
within the Security Fabric. User-defined automation on FortiGate to quarantine compromised devices can be
strengthened with IOC services on FortiAnalyzer. This slide shows how compromised devices are
quarantined automatically, using IOC and the Security Fabric:

1. A device attempts to access content that is a security risk, such as malicious websites.
2. FortiGate blocks access to the site based on the firewall policy defined with the web filter profile.
3. FortiGate sends a log record to FortiAnalyzer regarding the violation committed.
4. FortiAnalyzer processes the logs using IOC services.
5. FortiAnalyzer makes a security risk verdict and sends it back to FortiGate.
6. User-defined automation takes action to quarantine the compromised device and place it in isolation.

LAN Edge 7.0 Study Guide 290

Port Security

DO NOT REPRINT
© FORTINET

Compromised devices are identified by FortiAnalyzer using threat detection services. IOC verdicts are sent to
the root FortiGate of the Security Fabric group, in case there is an automation stitch configured for
compromised devices.

You can create the automation stitch only on the root FortiGate, and then select which of the FortiGate
devices in the Security Fabric the stitch will be applied to when triggered.

After the stitch is triggered, there are many actions available. From the actions shown on the slide, the
following can block the traffic from the device: Access Layer Quarantine, FortiNAC Quarantine, IP Ban,
FortiClient Quarantine, and VMware NSX Security Tag.

LAN Edge 7.0 Study Guide 291

Port Security

DO NOT REPRINT
© FORTINET

On the FortiGate GUI, you can view the compromised devices by IOC verdict by accessing the
Compromised Hosts by Verdict widget available on the dashboard.

You can also display the compromised devices on the FortiAnalyzer GUI by accessing the Compromised
Hosts section on the FortiView pane. On this page, you can click Ack to acknowledge the event. After you
acknowledge an event, the event is removed from both the Compromised Hosts page on FortiAnalyzer, and
the Compromised Hosts by Verdict widget on FortiGate.

LAN Edge 7.0 Study Guide 292

Port Security

DO NOT REPRINT
© FORTINET

You can view the list of quarantined devices on the FortiGate GUI by accessing the Quarantine widget
available on the dashboard. Alternatively, you can display them on the FortiGate CLI by running the
commands shown on the slide. Note that the list of quarantined IP addresses (IP ban action) and the list of
quarantined MAC addresses (access layer quarantine action) are obtained using different CLI commands.

LAN Edge 7.0 Study Guide 293

Port Security

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure port authentication on
FortiSwitch and FortiAuthenticator.

LAN Edge 7.0 Study Guide 294

Integrated Wireless

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to configure and use integrated wireless features on FortiOS using
FortiManager.

LAN Edge 7.0 Study Guide 295

Integrated Wireless

DO NOT REPRINT
© FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide.

LAN Edge 7.0 Study Guide 296

Integrated Wireless

DO NOT REPRINT
© FORTINET

In this section, you will learn how to provision and update FortiAPs centrally using FortiManager.

LAN Edge 7.0 Study Guide 297

Integrated Wireless

DO NOT REPRINT
© FORTINET

You can provision many aspects of wireless configuration on FortiGate using FortiManager. It is important to
note that it is still FortiGate that supports the AP wireless network. All the required configuration for AP
discovery and CAPWAP configuration must be in place.

FortiManager can provision the majority of settings required to publish a wireless network and configure the
APs. FortiManager uses profiles to control AP configuration, SSID configuration, and other profiles to control
other wireless-related functions. These profiles are stored on FortiManager and can be applied to multiple
FortiGate wireless controllers and APs.

LAN Edge 7.0 Study Guide 298

Integrated Wireless

DO NOT REPRINT
© FORTINET

Before starting to install and configure APs, you may need to perform some prerequisite configuration.

By default, some FortiGate devices do not show the Wi-Fi controller option in the menu. If you don’t see the
option on the main configuration menu, you can enable it using the System Visibility option in the System
menu.

You can also configure this option using FortiManager. It is not possible to use a provisioning template, but a
CLI configuration can be enabled for the wireless controller. This can be found by clicking:

Device Manager > Device & Groups > Device > CLI Configuration > system > settings > gui-wireless-
controller.

If you plan to broadcast completely open wireless networks (networks without any form of encryption or
authentication), you will also need to enable the Wireless Open Security option under Additional Features.
If you do not enable this feature, the open network options will not be shown.

LAN Edge 7.0 Study Guide 299

Integrated Wireless

DO NOT REPRINT
© FORTINET

When configuring wireless AP radio settings, it is important to know what regulatory domain you are operating
in. By default, the wireless controller uses the North American regulations that govern channel usage and
transmission power. If you are operating APs in any other part of the world, you will need to change the
country code before creating any AP profiles or adding any APs.

The country code can be configure on the controller CLI using the following commands:

# config wireless-controller setting

(setting) # set country GB
(setting) # end

To see a full list of country codes, use the help option.

FortiManager can configure individual controllers with a country code using the CLI Configurations option for
individual devices. By default, the CLI Configurations option is not visible until you it enable it through
Display Options, either at the ADOM level or by customizing. Many aspects of the wireless controller can be
configured here.

It is not possible to apply the country code setting as part of a provisioning template. Only a small set of CLI
configuration settings are available in a template, and there are no wireless controller settings included.

LAN Edge 7.0 Study Guide 300

Integrated Wireless

DO NOT REPRINT
© FORTINET

Before an AP can be managed by FortiGate, the AP and controller have to discover each other. The process
is initiated by the AP during its start-up process. The AP will use multiple methods to try and determine the IP
address of the local controller to connect to, or, if intending to use the cloud, the cloud-based host. By default,
the FortiAP discovery method is set to auto, which means the AP will cycle through the discovery methods in
the sequence shown on this slide, to locate a wireless controller. For every discovery type, FortiAP sends out
discovery requests and sets a configurable timeout of between 2 and 180 seconds. The default setting is 5
seconds.

If the FortiAP times out and fails to connect to the controller, it will switch to the next discovery type and repeat
the process until the last discovery method fails. This will lead to the SULKING state. After approximately 30
seconds, FortiAP will enter the AC_IP_DISCVER state. After the AC IP is found, it will enter the IDLE state,
and will eventually enter the DISCOVERY state, then repeat the process.You can use static IP or DNS
hostname methods when the AP is not deployed on the same subnet as the wireless controller, and cannot be
reached by the multicast or broadcast method. You must make this configuration change on FortiAP devices
manually, before deploying them. You can configure a static IP or DNS on a FortiAP using the GUI or CLI.
You can also use the serial port on FortiAP to make this configuration change.

By default, FortiAP uses DHCP option 138 to receive the wireless controller’s IP address. You need to convert
the IP address of the wireless controller into hexadecimal. Convert each octet value separately, from left to
right, and concatenate them. For example, 192.168.0.1 converts to C0A80001. If option 138 is used for
some other purpose on your network, you can use a different option number, if you configure the AP units to
match. The AP unit sends a multicast discovery request and the controller replies with a unicast discovery
response message to the AP. The AP and the controller do not need to be in the same broadcast domain if
multicast routing is correctly configured. The default multicast destination address is 224.0.1.140. You can
change it using the CLI, but you must make the changes to both the controller and AP.

LAN Edge 7.0 Study Guide 301

Integrated Wireless

DO NOT REPRINT
© FORTINET

CAPWAP is the network protocol that is used to provision and manage FortiAPs using FortiGate. CAPWAP
allows an AC to manage a collection of wireless APs. In the Fortinet Integrated Wireless Solution, CAPWAP
enables you to manage configuration, manage the device, and push firmware upgrades to FortiAPs.

CAPWAP uses UDP port 5246 as the control channel and 5247 as the data channel.

CAPWAP-enabled devices can, optionally, create a secure data channel to the controller using DTLS
encryption or IPsec. Using IPsec will benefit FortiGate devices that can offload CAPWAP to hardware,
resulting in greatly increased performance. DTLS encrypted CAPWAP cannot be offloaded. Where APs are
located in a LAN, data plane encryption is not usually required, however if an AP is remotely based across a
public WAN link data plane encryption is strongly recommended. Enabling encryption can impact throughput,
particularly when using DTLS, which requires encryption/decryption in the CPU. IPsec performance can be far
greater if FortiGate can offload to an NP.

CAPWAP provides direct administrator access to a FortiGate interface, so it must be enabled on the interface
that the FortiAPs will be connecting to.

The CAPWAP discovery process:

1. FortiAP sends a discovery request.
2. FortiGate responds with a discovery response.
3. Both devices establish a secure DTLS session.
4. After FortiGate authorizes the FortiAP, the CAPWAP discovery and join phase takes place.
5. After the CAPWAP tunnel is established, FortiGate sends all required management and WLAN-
related configuration to FortiAP.

LAN Edge 7.0 Study Guide 302

Integrated Wireless

DO NOT REPRINT
© FORTINET

On FortiGate, choose an interface to which you will connect FortiAPs. You must enable CAPWAP access on
any interface that will connect FortiAPs, even if they have intervening switched or routed links. CAPWAP
access is now included as part of the Security Fabric Connection administrative access. Access has to be
configured on a per-device basis, access can not be assigned using a provisioning template.

If required, enable the DHCP server option to allow FortiGate to assign IP addresses to FortiAPs. It is also
possible to use other DHCP servers (such as Microsoft DHCP), but those servers must be configured to pass
DHCP options, when required.

LAN Edge 7.0 Study Guide 303

Integrated Wireless

DO NOT REPRINT
© FORTINET

After you have configured the appropriate discovery method on FortiGate (if configuration is required), and
you have enabled CAPWAP, you can turn the AP on, and it will begin trying to discover the controller.

After FortiGate receives a discovery from an AP, you must authorize FortiAP to establish a CAPWAP tunnel
between an AP and FortiGate. This indicates to the controller that it is now responsible for the management of
the AP. When you authorize a FortiAP, it uses the default FortiAP profile that is determined by AP model and
applies a default configuration based on the AP hardware.

When the ADOM managing FortiGate is in Central Management mode, it is possible to authorize the AP
directly from FortiManager. The user requires the Read-Write JSON API access right configuring in their
account details before they can authorize APs using FortiManager.

If the ADOM is in Per-device Management mode, the APs have to be authorized from FortiGate before they
become visible in FortiManager

After a CAPWAP tunnel is established between the two devices, you will see a green check mark beside the
listed FortiAP. The green check mark indicates that FortiAP can communicate with FortiGate and has
received the initial configuration.

LAN Edge 7.0 Study Guide 304

Integrated Wireless

DO NOT REPRINT
© FORTINET

FortiManager allows you to preauthorize FortiAPs that will be added to your network. You must add all
FortiAPs manually, one-by-one, to FortiManager using the AP serial number and specifying the name (which
can be the serial number) and AP profile.

After the preauthorized FortiAPs come online and are discovered by FortiGate, FortiManager/FortiGate
authorizes the FortiAPs automatically. FortiGate will establish a CAPWAP tunnel to the FortiAP devices and
push the configuration to them, based on the assigned AP profile.

LAN Edge 7.0 Study Guide 305

Integrated Wireless

DO NOT REPRINT
© FORTINET

After an AP is authorized, you can perform various tasks using the FortiGate GUI. On the Managed FortiAPs
page, you can:

• Change the status of an AP (authorized to de-authorized)

• Perform an AP firmware upgrade
• Change the assigned AP profile
• Restart FortiAP
• Show the AP on a map
• View the spectrum and client information.

The table is updated approximately every three minutes. As a result, changes in an AP may not be displayed
immediately.

LAN Edge 7.0 Study Guide 306

Integrated Wireless

DO NOT REPRINT
© FORTINET

Before continuing with the AP setup process, it is a good idea to confirm the current recommended firmware
version for use with the release of FortiOS installed on FortiGate. The Fortinet support website contains up-to-
date copies of the firmware for APs and a compatibility matrix, which allows you to select the appropriate
version of FortiAP firmware for use with FortiGate. Ensure that you review the release notes for the version of
firmware you’re planning to install because it may include important information relating to the upgrade.

FortiManager maintains a repository of the AP and switch firmware versions. You can update the APs directly
from FortiManager, either individually or in groups of APs of the same type. You can find the list of supported
APs by clicking FortiGuard > Firmware Images and selecting FortiAP from the Product tab. FortiManager
does not automatically download all the firmware versions; it downloads only when an update is requested or
if you click the Download icon next to the AP. You can also change the AP firmware version that is used by
clicking Change.

LAN Edge 7.0 Study Guide 307

Integrated Wireless

DO NOT REPRINT
© FORTINET

You update APs managed in per-device or central configuration mode in the same way. You can update
single APs or multiple APs that are the same model number. When you upgrade, FortiManager shows a
choice of AP firmware images with the latest image listed at the top. Select the image you require and then
click Upgrade Now to start the upgrade. The upgrade process will display a real-time progress report, which
you can close if required, and you can also monitor the process from System Settings > Task Manager. If
the AP is remotely located, you can download the upgrade image directly from FortiGuard instead of the
FortiManager server.

LAN Edge 7.0 Study Guide 308

Integrated Wireless

DO NOT REPRINT
© FORTINET

You can group FortiAPs in FortiManager. APs of the same type and APs that are connected to the same
controller can be part of the same group but can be members of only one group.

You can use groups to organize APs geographically. For example, all the FortiAP U431F APs located in the
canteen can be organized in a group. Grouping APs by location can help with the monitoring and
troubleshooting of issues.

In wireless networks, many issues are related to the physical location of the APs and clients. You can use
groups to help focus on geographical sets of APs.

LAN Edge 7.0 Study Guide 309

Integrated Wireless

DO NOT REPRINT
© FORTINET

In this section, you will learn how to configure FortiAP radio settings using FortiManager.

LAN Edge 7.0 Study Guide 310

Integrated Wireless

DO NOT REPRINT
© FORTINET

To view and manage FortiAP profiles in FortiManager, click AP Manager > WiFi Profiles > AP Profile. The
layout you see depends on the ADOM mode, In Central Management mode, only the profiles available on
FortiManager are shown. You have the option to import a profile from a managed FortiGate. In Per-device
Management mode, you can view profiles stored on each FortiGate. Changes in profiles are synchronized.

Not all profiles are displayed. By default, only those profiles that are compatible with the installed FortiAPs are
displayed. In Central Management mode, you can view a full list of support AP profiles by selecting View all
Profiles.

When an AP is assigned a profile, that profile controls the management and radio settings used for the
channel setting, channel widths, transmission power levels, and wireless networks broadcast.
Because there are many types of APs, there are many types of hardware in use. Each type of hardware may
require slightly different configuration settings, which requires that each type of AP has its own default profile
to define the scope of the settings allowed.

You can create multiple profiles by creating new ones or cloning existing ones. You can have multiple profiles
for the same AP type, but each profile may specify slightly different configuration settings. When APs are no
longer using a profile, you can delete any unused profile.

LAN Edge 7.0 Study Guide 311

Integrated Wireless

DO NOT REPRINT
© FORTINET

AP profiles control the various configuration options for APs and their radios.

Because different AP models have different capabilities, one profile type cannot control all AP models. Each
profile has different options depending on the capability, type, and number of the radios.

The AP profile is where you decide which channels and power levels the AP will use when it is assigned the
AP profile.

You also control which wireless networks broadcast on which wireless interfaces. For example, it is possible
to broadcast a network only on the 5 GHz interface by configuring it only on radio interface 2.

Other profiles, such as the WIDS profile, may also be referenced by the AP profile.

Changes to a profile will apply to all APs that are assigned that profile. The changes are applied as part of the
device settings that can be applied to a FortiGate device from FortiManager.

LAN Edge 7.0 Study Guide 312

Integrated Wireless

DO NOT REPRINT
© FORTINET

FortiGate automatically assigns a default AP profile to an AP when it is discovered and authorized. The profile
is assigned based on the AP model detected during discovery.

FortiManager does not automatically assign a profile. You can define the profile by configuring it or by pre-
authorizing the AP. After you apply a profile, because device settings are not automatically applied, you will
need to apply them through the install wizard.

Both FortiGate and FortiManager have a set of default profiles based on the model of the AP. These are
contained and updated as part of FortiOS. ADOM Central Management mode uses profiles located on
FortiManager. Per-device Management mode uses profiles located on FortiGate.

After a CAPWAP tunnel is established between FortiGate and an AP, FortiGate uses the CAPWAP control
channel to push all AP profile parameters to the AP. You will likely want to assign an AP profile that is different
from the default, because you will have specific channel settings or AP settings you will want to deploy. It is
important to note that you can assign an AP profile to one or multiple APs, but you cannot assign multiple
profiles to a single AP. All APs that use the same AP profile receive the same configurations from FortiGate.

For more flexibility and granularity, you can override the AP profile configuration on a per-AP basis. You must
assign an AP profile to an AP, but you can modify the settings on an individual AP basis using the GUI on
FortiManager, or using the CLI and GUI on FortiGate.

LAN Edge 7.0 Study Guide 313

Integrated Wireless

DO NOT REPRINT
© FORTINET

An essential part of the profile configuration is the setting of the wireless radio channels. You define the
channels that the AP can use by selecting the correct country code and required channel width. By default, 40
MHz channels are recommended for the 5 GHz range, and 20 MHz channels for the 2.4 GHz range.

After you select the channel width and country code, the legally allowed radio channels that the AP can use
are indicated by the selected checkboxes. You will see that some of the 5 GHz channels have an asterisk (*).
The asterisk indicates channels that are subject to DFS regulations.

The use of DFS channels is a design decision. In some countries, the use of certain DFS channels is
regulated, so you should be familiar with any local requirements. Many low-cost wireless clients are not DFS
certified. As a result, they are not able to see APs configured for DFS channels. APs using DFS channels can
also suffer from DFS events, causing them to change channels. This can cause issues for networks that
support latency-sensitive applications, such as voice over IP (VOIP).

FortiAP automatic channel selection (ACS) is used when either no channels, or multiple channels are
selected. The AP will perform a channel quality assessment on AP startup. It will assess the number of APs in
each channel, measure the noise level and channel utilization, and then choose the channel with the least. It
will perform a second check somewhere between 2 and 15 minutes later and change channel if a better
channel is available. After that point, no further selection process takes place.

The optional distributed radio resource provisioning mechanism (DARRP) can manage initial channel
allocation and ongoing channel optimization. It is an enhanced method of channel selection that uses the
central information stored on FortiGate. It is optional and has to be enabled.

If a single channel is selected, the APs configured with that profile will use the channel selected.

LAN Edge 7.0 Study Guide 314

Integrated Wireless

DO NOT REPRINT
© FORTINET

The easiest method for allocating channels to APs is to use the distributed automatic radio resource
provisioning mechanism (DARRP). This automated function runs on FortiGate and collects information from
the RF environment to enable efficient planning of channels. It will then automatically assign channels to the
interfaces, based on the channels allowed in the profile. Other than setting the allowed channels in the AP
profile, it requires little management and runs automatically. It works well for small to medium-sized wireless
networks.

When using DARRP, the AP selects the best channel available to use based on the scan results of
BSSID/Received Signal Strength Indicator (RSSI) to AC. To prevent interference between APs, DARRP
measures utilization and interference on the available channels and selects the clearest channel at each AP.
DARRP uses AP background scan results as input, scans occur every 600 seconds and can be overridden
and adjusted by configuring the ap-bgscan-period timer in the appropriate FortiManager WIDS profile in AP
Manager > WiFi Profiles > WIDS Profile.

The data from the scans is used in the DARRP calculation. A large number of APs results in a complex
calculation that will consume resources. If the calculation determines that there are more suitable channels to
use, FortiGate performs a channel change. By default, the DARRP calculation runs every 86400 seconds (or
24 hours) and will run for a variable amount of time, depending on the number of APs. You can configure the
darrp-optimize timer to reduce the interval as part of the Device Manager > Devices & Groups > Device >
CLI Configurations > wireless-controller > setting on FortiManager.

Note that DARRP doesn’t do a continuous spectrum analysis, so it may not detect intermittent interference
sources such as microwave ovens.

LAN Edge 7.0 Study Guide 315

Integrated Wireless

DO NOT REPRINT
© FORTINET

In more extensive networks with many APs, the DARRP process can consume significant resources when
planning channels. After the calculation is complete, FortiGate will change the AP channels. Both of these
processes can be disruptive. The computation takes resources on the controller, and a complex RF
environment can generate multiple channel changes, which can be disruptive to client connectivity.

You can enable scheduling to control when the DARRP calculation occurs. You can configure a firewall
schedule to limit the time during which the DARRP calculation and subsequent channel changes are made. A
common practice is to schedule these activities to occur overnight, when the network is quieter.

You can use the default schedule, or, you can create a custom schedule. When limiting calculations to a small
number of hours, you must ensure that the darrp-optimize timer is adjusted to allow at least one calculation
attempt inside the period defined.

You can deploy firewall schedules from FortiManager as part of Policy & Objects > Object Configurations
> Firewall Objects > Schedules. You can use FortiManager to enable DARRP scheduling under Device
Manager > Devices & Groups > Device > CLI Configurations > wireless-controller > setting. DARRP
scheduling is enabled on a per-controller basis; you cannot enable it as part of a provisioning template.

LAN Edge 7.0 Study Guide 316

Integrated Wireless

DO NOT REPRINT
© FORTINET

The DAARP process is usually the most efficient method for managing the AP channels. However, on
occasion, it is necessary to control the channel configuration more precisely. You can set channels on each
individual AP or override them manually.

Assigning channels manually may be necessary if parts of the radio spectrum are suffering continued
interference, or if a site survey is performed. Typically, surveys will specify channel settings and power levels
after a full passive or active scan. Sometimes, implementing the survey design recommendations instead of
using DARRP is required.

APs still require an AP profile, which defines the majority of the AP settings. You can configure individual APs
through the AP manager by selecting an AP in turn and editing its configuration. You will notice that not all AP
settings can be overridden. For example, it is not possible to override the AP Mode or Client Load
Balancing settings; the AP profile sets these. You can selectively enable override on the radios and then
select the channel required. Note that you should choose only the channel required. Any change that you
make is not applied until the Device Settings are applied using the Install Wizard.

After you override an AP, you will see a message in the AP Profile column of the Managed APs table that
indicates that you have applied manual settings. If you change the profile, the override will persist until the
changes are reverted manually.

LAN Edge 7.0 Study Guide 317

Integrated Wireless

DO NOT REPRINT
© FORTINET

It is crucial to ensure that the transmission power of your AP radios is optimized. A physical site survey is the
best way to perform power measurements in each of the locations that require wireless coverage. However,
this is not often practical for cost or other reasons. A simulated survey can provide suggested power settings
based on a predictive design, which simulates the RF propagation through the building where you are
installing the APs. If you are deploying your network using power settings and channels defined by a site
survey, you can use the TX Power Control in manual mode to set the transmission power as a percentage.
The percentage is based on the maximum transmission power that is allowed in the regulatory domain for the
AP. The maximum allowable transmission power for 2.4 GHz radios might be 20 dB, so 70% power would
equal approximately 14 dBm. Be aware that setting the power too high or too low in many 2.4 GHz
environments will cause significant issues. Automatic power control will use signal strength measurements
made between the APs that FortiGate is supporting. Every 30 seconds, the wireless controller will measure
the signal strength of any other APs connected to FortiGate. Other APs not connected, not broadcasting an
SSID, or advertising an infrastructure mode network, will not be used in the calculation. The wireless
controller is only interested in its own APs, not any neighboring ones. If the detected signal strength of the
measured FortiGate managed AP is above or below a target of -70 dBm, the controller will adjust the
transmission power of that AP. By default, the range of adjustment is between 10 and 17 dBm. This range of
adjustment is sufficient for the majority of 2.4 GHz networks. Because 5 GHz networks are configurable with a
greater number of channels, the chance of overlap is less. Therefore, depending on the number of channels
configured, it is possible to increase the maximum transmission power and still avoid co-channel interference.
For the majority of installations, automatic transmission power control is recommended and can be configured
using an AP profile or by override. You must be careful setting the power level on 5 GHz radios. Some
channels have different power level settings, so setting a profile that is too high for some channels will cause
the profile to fail installation.

LAN Edge 7.0 Study Guide 318

Integrated Wireless

DO NOT REPRINT
© FORTINET

CAPWAP tunnel overhead can increase packet size which can result in fragmentation. Fragmentation occurs
when an IP packet is larger than the allowed MTU size. Fragmentation can cause issues such as data loss,
latency, decreased throughput, and, in some cases the inability to manage FortiAPs. One of the solutions to
this problem is to control the packet size on the managed APs. You can decrease the MTU size for CAPWAP
tunnels by modifying the uplink and downlink tunnel MTU size in the AP profile configuration on the CLI. You
can also override this setting for a specific AP.

The tcp-mss-adjust option is set by default. It causes FortiAP to limit the maximum segment size (MSS) of
TCP packets sent by wireless clients. FortiAP does this by adding a reduced MSS value to the SYN packets
sent by FortiAP when negotiating with a wireless client to establish a session. This results in the wireless
client sending packets that are smaller than the tun-mtu-uplink setting, so that when the CAPWAP headers
are added, the CAPWAP packets have an MTU that matches the tun-mtu-uplink size. To enable, enter the
required maximum byte size that the link will support before fragmentation. Start with a default value of 1500
and, if fragmentation is still an issue, reduce this value.

The icmp-unreachable option affects all traffic (UDP and TCP) between wireless clients and FortiAP. This
option causes FortiAP to drop packets that have the Don't Fragment bit set in their IP header and that are
large enough to cause fragmentation and then send an ICMP packet—type 3 ICMP Destination unreachable
with code 4 Fragmentation Needed and Don't Fragment was Set back to the wireless controller. This
should cause the wireless client to send smaller TCP and UDP packets.

In a LAN environment, fragmentation is not likely to be an issue because of the nature of the infrastructure.
However, remotely based APs could suffer fragmentation where different WAN link configurations are used in
between the AP and FortiGate.

LAN Edge 7.0 Study Guide 319

Integrated Wireless

DO NOT REPRINT
© FORTINET

In this section, you will learn how to configure and broadcast SSID from a FortiGate using FortiManager.

LAN Edge 7.0 Study Guide 320

Integrated Wireless

DO NOT REPRINT
© FORTINET

You can configure three types of SSIDs on FortiGate: tunnel mode, bridge mode, and wireless mesh.

By default, tunnel mode SSID is selected when you define an SSID on FortiGate. In this mode, all traffic within
CAPWAP DTLS or non-DTLS tunnels is sent to FortiGate before it is allowed on the LAN or internet.

There are two main advantages to using this mode:

• Traffic is subject to firewall policies and security threat scanning. Traffic must go through a security
profiles inspection and firewall policies examination before it is placed on the egress interface. This
ensures that all security threats are addressed before a device is given access to internal or external
resources.
• Traffic is processed at the session level. This gives FortiGate complete visibility of user and device
activities on the network. FortiGate can track and log user activities, and control access at the user level.

In local bridge mode SSID, wireless traffic is bridged directly to the local LAN that the AP is connected to. This
mode is useful when deploying APs at remote locations that connect to a wireless controller over a WAN link.
To ensure all traffic is scanned for security threats, consider deploying compatible APs in this type of
deployment.

tunneled back to the controller.

If you need to add additional subnets to the list, it has to be configured using a CLI configuration on an
individual AP (or wtp). To do this, navigate to Device Manager > Devices & Groups > CLI Configurations.
If the CLI Configurations option is not available, enable it from Display Options.

In CLI Configurations, navigate to wireless-controller > wtp and edit the AP requiring changes to the ACL.
At the bottom of the options, you will find the split-tunneling-acl table where subnets can be added for this
individual AP. This setting has to be applied to individual controllers and then installed using the Install
Wizard.

LAN Edge 7.0 Study Guide 324

Integrated Wireless

DO NOT REPRINT
© FORTINET

In local bridge mode SSID, wireless traffic is bridged directly to the local LAN that the AP is connected to. This
mode is useful when deploying APs at remote locations, that connect to a wireless controller over a WAN link.
To ensure all traffic is scanned for security threats, consider deploying compatible APs in this type of
deployment.

Local traffic is switched at FortiSwitch, but CAPWAP control traffic still goes to the wireless controller.

LAN Edge 7.0 Study Guide 325

Integrated Wireless

DO NOT REPRINT
© FORTINET

If a bridge mode SSID is configured for a managed FortiAP model which supports security profiles, you can
add a security profile group to the wireless controller. This configuration allows you to apply the following
security profile features to the traffic over the bridge SSID:
• Antivirus (including botnet protection)
• Intrusion prevention
• Application control
• Web filter

This is supported only in bridge mode. Tunneled SSID traffic will be inspected by FortiGate, as usual.

Integrated Wireless

DO NOT REPRINT
© FORTINET

There are differences in how wireless networks are published when using the two ADOM management
modes.

In Per-device Management mode, you manage each FortiGate individually. Profiles are unique to each
FortiGate but stored centrally on FortiManager. When you create an SSID profile in Per-device Management
mode, you are creating for a specific FortiGate, and FortiManager knows this.

When you create profiles for a controller and when you install the device settings, FortiManager will
automatically push them all to FortiGate regardless of whether they are used or not.

When you want to broadcast an SSID, you need to configure the AP profile that is being used by the APs that
are to transmit it. You can broadcast SSIDs on a per-interface basis; each interface has an SSIDs option that
can you can set to one of three modes:

Tunnel: Any tunnel mode SSID profiles installed on FortiGate will broadcast.
Bridge: Any bridge mode SSID profiles installed on FortiGate will broadcast.
Manual: You can select a mix of SSIDs to broadcast.

Where you have the same model of AP broadcasting different combinations of SSID, you will need to clone or
create separate AP profiles.

To make the profile changes active, they need to be installed on FortiGate using the Install Device Settings
option in the Install Wizard.

LAN Edge 7.0 Study Guide 330

Integrated Wireless

DO NOT REPRINT
© FORTINET

When you create profiles in Central Management mode, you are creating profiles that you can apply to
multiple controllers. They are stored on FortiManager, but FortiManager will not know which FortiGate will
need which profiles. As a result, by default, no profiles are pushed to FortiGate when using the Tunnel or
Bridge options.

The profiles are pushed when you make a specific link between an AP and an SSID. You do this by defining a
manual SSID mapping in an AP Profile. The Tunnel and Bridge options will still work for any SSID profiles
that are already on FortiGate, but these options will not cause all the profiles that exist on FortiManager to be
pushed. In a sizeable FortiManager installation, a large number of SSID profiles can exist. Automatically
pushing all of these profiles to each FortiGate, would not be desirable.

Older versions of FortiOS use a slightly different SSID assignment mechanism. Auto would automatically
assign all tunnel mode SSID profiles, while Manual would allow a manual selection.

LAN Edge 7.0 Study Guide 331

Integrated Wireless

DO NOT REPRINT
© FORTINET

The creation of tunnel mode SSID profiles is the same for both modes of management; however the interface
for creating profiles differs slightly.

After you create the SSID profile, you cannot change the traffic mode or interface name. To do this, you will
need to delete and recreate the profile.

Tunnel SSID is treated as a separate virtual interface on FortiGate. Because of this, you must configure the IP
address, mask, and an appropriate firewall policy, before clients can connect to the tunnel SSID and pass
traffic.

You may want to consider adding administrative access services, depending on your requirements.

Clients attaching to a tunnelled SSID will require an IP address. This can be supplied by enabling the onboard
DHCP server and either enabling a local scope or enabling DHCP relay to another third-party server.

Integrated Wireless

DO NOT REPRINT
© FORTINET

It is important to note that, depending on the settings configured, FortiManager will hide or display applicable
settings on the GUI automatically.

For example, if WPA2 Personal security mode is selected, FortiGate will not display the option to configure
authentication and show only the options for pre-shared keys.

This also applies to options such as local or RADIUS authentication, multiple pre-shared keys, and so on, that
are available only for the WPA2 personal option.

Some elements of additional configuration, for example, the RADIUS server entry shown on the slide, are
directly configurable for the interface. The additional configurations set up here will be applied when the profile
is applied to the controller using the Install Wizard. If you configure a RADIUS server entry here, as part of an
SSID configuration, it will not be removed if the SSID profile is subsequently removed. It will remain
configured at FortiGate.

The RADIUS server can also be configured as a separate item as part of a CLI configuration. This is defined
by configuring an entry using Device Manager > Device & Groups > Device > CLI Configurations > user >
radius.

LAN Edge 7.0 Study Guide 336

Integrated Wireless

DO NOT REPRINT
© FORTINET

As an extension of the original PSK standard, it is possible to enable multiple PSKs (MPSK) for a wireless
network. MPSK allows the use of multiple security keys to allow access to the same wireless network.
Traditionally, pre-shared key networks would only allow one key. It often meant that these keys became well
known and, as a result, the administrator could lose control over who had access to the network.

Enabling MPSK allows the wireless controller to dynamically assign a VLAN to each group based on its key
and, if configured, based on the MAC address.

MPSK can make key management more straightforward because all users and devices have unique
credentials. If a user leaves, a device is lost, or if a key becomes well-known, you can change the multiple
pre-shared key for that one user or device without having to change all devices that connect to that network. It
is also possible to limit the number of times each MPSK is used, which can now limit the number of devices
that can use that key to connect to the network.

The number of PSKs allowed depends on the specification of FortiGate.

You can generate the keys for each user connecting or import the keys from a CSV file.

The MPSK can be configured centrally from FortiManager using an SSID profile but is available only on
wireless networks that allow WPA2-PSK authentication.

LAN Edge 7.0 Study Guide 337

Integrated Wireless

The captive portal is used as a landing page after a user connects to a network. This is mostly used for guest
access and networks that require a disclaimer. You can also authenticate your users on a captive portal page
that requests the user’s name and password. Until the user authenticates successfully, the authentication
page is returned in response to any HTTP request. After successful authentication, the user accesses the
requested URL and can access other web resources, as permitted by security policies. Optionally,
the captive portal itself can allow web access to only the members of a specified user group.

LAN Edge 7.0 Study Guide 338

Integrated Wireless

In this section, you will learn how to configure some additional, optional wireless network features using
FortiManager.

LAN Edge 7.0 Study Guide 339

Integrated Wireless

The option to add dynamic VLANs to SSID is available on FortiGate in both tunnel and bridge mode. You can
apply a dynamic VLAN to SSIDs in which WPA2 Enterprise or WPA3 Enterprise have been selected in the
Security Mode drop-down list, and RADIUS Server has been enabled in the Authentication field.

The RADIUS server is responsible for sending all the required attributes after a successful authentication. The
RADIUS server must send the following attributes to FortiGate:

• IETF 64 set it to VLAN: This attribute tells FortiGate that VLAN information is attached to the RADIUS
response.
• IETF 65 set it to IEEE 802: This attribute tells FortiGate that the IEEE 802 attribute is attached to the
RADIUS response.
• IETF 81 set it to VLAN ID: This attribute tells FortiGate to attach the user to the specified VLAN ID
interface.

The RADIUS server can then pass back the following optional attributes as part of the RADIUS accept
response.

• Fortinet-Group-Name attribute
• Filter-ID
• Tunnel-Type
• Tunnel-Medium-Type
• Tunnel-Pvt-Group-ID

You must configure all the VLANs on FortiGate along with corresponding firewall polices either directly or by
using FortiManager.

Integrated Wireless

NAC policies contain the device, user patterns, FortiClient EMS tag to check on a device, before the VLAN.
Like firewall policies, NAC policies are checked from top to bottom until a policy that matches all the defined
patterns is found.

After the device or user is detected and a NAC policy is matched, FortiGate assigns the device the VLAN
selected in the Assign VLAN drop-down list in the Wireless Controller Action section. Note that if changes
are made on the NAC policy, all previously matched NAC devices will be deleted and re-evaluated through
the list of NAC policies.

LAN Edge 7.0 Study Guide 350

Integrated Wireless

When a wireless device is connecting to an SSID that has a NAC profile enabled, the VLAN ID to assign this
device depends on the previous status of the connecting device. To avoid assigning a new IP address by
multiple DHCP servers, if the device was connected to the same SSID and got disconnected for less than 10
minutes, it would be assigned the same VLAN it had prior to disconnecting, given the condition that no
changes were made to the matched NAC policy.

Connected devices undergo a re-evaluation process every 120 seconds to determine the VLAN ID for each
device. As long the NAC policy exists on the same virtual domain (VDOM), the NAC policy must remain active
and device patterns must match the connected device. This is, of course, as long the SSID in question still
has a NAC profile enabled and is pointing to the same onboard VLAN.

LAN Edge 7.0 Study Guide 351

Integrated Wireless

You can see the list of matched devices on the FortiGate GUI and CLI. By navigating to NAC Policies, you
can switch the view to display devices that matched NAC policies for both FortiSwitch and FortiAP. Note that
if the device hostname has been detected by FortiGate, the GUI will display the device hostname instead of
its MAC address.

Other CLI commands, such as wlac_hlp -c sta-nac, display the information about the device that
matched the wireless NAC policies in particular. You can also use wlac_hlp -c nacprof to display
configured wireless NAC profiles each with its onboarding VLAN reference.

LAN Edge 7.0 Study Guide 352

Integrated Wireless

This slide shows the steps performed on the traffic received from FortiAP on SSID configured as NAC
wireless network.

The NAC policy is defined based on any significant field with the user device list entry. Devices within the list
may have a NAC policy applied and are using the IoT device identification database.

LAN Edge 7.0 Study Guide 353

Integrated Wireless

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure and use FortiManager to
centrally configure the integrated wireless features of FortiGate.

LAN Edge 7.0 Study Guide 354

Guest Access

In this lesson, you will learn how to configure and use integrated wireless features on FortiOS and
FortiAuthenticator to deploy a captive portal guest network.

LAN Edge 7.0 Study Guide 355

Guest Access

After completing this lesson, you should be able to achieve the objectives shown on this slide.

LAN Edge 7.0 Study Guide 356

Guest Access

In this section, you will learn about managing guest access using FortiGate.

LAN Edge 7.0 Study Guide 357

Guest Access

FortiGate provides multiple ways to securely manage guest access for wireless networks. You can deploy a
completely separate wireless network using the existing hardware. FortiGate uses virtual AP (VAP) to deploy
multiple SSIDs that are completely isolated from each other. This allows you to have complete control over
the traffic, including the ability to assign firewall policies, security profiles, and so on.

FortiGate also has a local captive portal that you can use as a landing page for guests before they are allowed
to access the network or local resources. To manage secure guest access, FortiGate offers local guest
management tools that you can use to temporarily create and distribute guest accounts. Alternatively, you can
redirect guests to an external captive portal server for authentication, disclaimer, and so on. FortiGate will
allow access to resources only after it receives a valid response from the external server.

LAN Edge 7.0 Study Guide 358

Guest Access

You can use an IP address or an FQDN to point to the captive portal server. If HTTPs is being enforced, the
portal address needs to be an FQDN, and match the CN on the certificate that is being used on FortiGate.

LAN Edge 7.0 Study Guide 364

Guest Access

Create a firewall policy from the guest interface to the internet. If you are using a guest user group, make sure
you assign it to the firewall policy as the Source User Group. When you do this, FortiGate allows access to
the internet only for authenticated users who are part of that group.

Do not enable the Exempt from Captive Portal option on this firewall policy; otherwise, all the traffic to the
internet will be allowed without the users being presented with a captive portal page.

LAN Edge 7.0 Study Guide 365

When FortiGate redirects a user to the external captive server, it adds the parameters shown on this slide to
the HTTPS request. You can easily decode the information that FortiGate provides to the external captive
portal server. The first part of the redirected URL includes the external server’s address, followed by the
address of the FortiGate interface address that has the captive portal enabled on it. The magic parameter is
the session ID that is used to track the request information.

LAN Edge 7.0 Study Guide 369

Guest Access

This slide contains a list of all the parameters that are sent to the external captive portal from a wireless
network on FortiGate.

LAN Edge 7.0 Study Guide 370

Guest Access

In this section, you will learn about the guest portal options available on FortiAuthenticator.

LAN Edge 7.0 Study Guide 371

Guest Access

The guest portal on FortiAuthenticator extends the functionality of the captive portal available on FortiGate.
The FortiAuthenticator captive portal is available through only one URL; however, portal match is based on
the mapping rules and RADIUS client profile, which makes this type of configuration very flexible and
scalable. You can configure multiple guest portals on FortiAuthenticator that can serve users connecting to
different FortiGate devices or networks. FortiAuthenticator uses HTTP POST parameters that are sent by
FortiGate in the captive portal request, along with RADIUS client configurations, to map incoming captive
portal requests to their respective guest portals. You can define mapping rules based on the subnet address,
AP MAC address, SSID, AP location, and so on. All these parameters are sent by FortiGate to
FortiAuthenticator using HTTP POST.

The guest portal offers pre-login and post-login services for users who are authenticating using
FortiAuthenticator. As the name suggests, pre-login services are available to users without authentication, and
post-login services are offered after successful authentication. Pre-login services include creating guest
accounts with the option to validate by email or SMS, a social login option, form-based information gathering,
disclaimer, password reset, and so on.

Guest Access

On the same configuration page, you can also select what post-login services users will have access to. Post-
login services will be available only to users after they authenticate. Profile options will allow users to view or
edit their account information, such as name, email, phone number, and so on. You can also give users the
ability to change their password. Token Registration options allow users to self-provision or request a new
token from the administrator. The Smart Connect option allows users to download a smart connect profile for
their networks. The Device Tracking and Management option allows administrators to assign all guest
devices to a device group. Users must register all their devices before they are allowed to access the network.

LAN Edge 7.0 Study Guide 376

Guest Access

Before you can enable captive portal, you must create a RADIUS client. You do this on the Clients page. The
RADIUS client is necessary so that FortiAuthenticator can accept RADIUS authentication requests from
FortiGate. (FortiGate becomes registered as an authentication client.)

You will also need to create a RADIUS policy and assign the RADIUS client to that policy. The policy defines
the way that FortiAuthenticator processes RADIUS communications with the client, including Authentication
type, Identity source, Authentication factors, and so on.

Note that self-registered guest users will be added to the local FortiAuthenticator database. Make sure that
the RADIUS profile is configured to use a realm that allows the processing of local user authentication.

LAN Edge 7.0 Study Guide 377

Guest Access

Guest Access

Within the Authentication type option, you can also define the type of authentication (user or device) as well
as whether you want to use it for account login and/or social login.

The social user login option allows users to authenticate using third-party SSO services such as Facebook,
LinkedIn, and so on. You must configure social login profiles to use this method. Account login means that
user credentials will be provided by FortiAuthenticator’s internal database or remote authentication server.

You configure the back-end authentication details on the Identity sources page. If you have enabled social
users as an authentication type, you will select the social platforms that will be available for user
authentication. The options are Facebook, Google, Twitter, Linkedin, Phone number, and Email. For each
option, other than phone number and email, you will need to configured a remote OAUTH server.

In the Local/Remote Users section, you will select the desired username format and realms. Each selected
realm can be filtered down to the group level.

LAN Edge 7.0 Study Guide 382

Guest Access

You define authentication requirements, such as mandatory two-factor authentication, password-only

authentication, and so on, on the Authentication factors page. The RADIUS response page provides a
summary of the RADIUS response for each authentication result.

LAN Edge 7.0 Study Guide 383

Guest Access

FortiAuthenticator allows administrator and user accounts that have sponsor permission to sponsor guest
accounts for their visitors. Sponsor accounts are temporary accounts that are created by an administrator or
user for visitors. Local users can log in to FortiAuthenticator and sponsor one or more guest accounts. There
are three creation modes: Express, From CSV file, and Manual Input.

Express mode bulk creates multiple users and their login details automatically. Users must define the account
expiry date and time before they can create a guest account. You can also select the number of guest
account, and the sponsor and groups assigned to them. When you create the accounts, FortiAuthenticator will
display the login information in a table. You can choose to send this information to guests directly using SMS
or email. Alternatively, you can print or export the login information to a CSV file.

From CSV file creation mode allows administrators to create one or more guest accounts using parameters
from a CSV file. Format each line of the CSV with the following values:

<first name>, <last name>, <email>, <mobile>, <group>

Manual Input mode requests the administrator or users to manually fill in the information for their guests,
such as name, address, phone number, and so on. They must also manually define the username and
password when using this mode.

LAN Edge 7.0 Study Guide 384

Guest Access

Enhanced Wireless

Compromised wireless hosts are treated in the same way as compromised wired hosts; FortiAnalyzer
identifies them using threat detection services, and then sends the IOC verdict to the root FortiGate of the
Security Fabric group.

If an automation stitch is configured for compromised hosts, then that can be also be implemented.

The IOC verdict assigned to a compromised host triggers the actions specified in the automation stitch.
Access Layer Quarantine is a Layer 2 action that places the host machine in isolation.

You can configure automation stitches at each FortiGate or apply a device configuration if a FortiManager
manages FortiGate. You apply the setting on a per-device basis, it cannot be applied using a template.

LAN Edge 7.0 Study Guide 396

Enhanced Wireless

The quarantine process for wireless clients is very similar to wired clients; however the configuration is slightly
different.

LAN Edge 7.0 Study Guide 402

Enhanced Wireless

There are two ways to configure a FortiAP to detect rogue APs:

• As a dedicated monitor (can assign one or both radios)

• In idle periods during AP operation, referred to as a background scanning

You can also use one radio of an AP for scanning and reserve the other radio for normal AP use. However,
this will limit you to using only one frequency―2.4 GHz or 5 GHz―because you can use only one band per
radio. When a rogue AP is connected, an attacker tries to use it for unauthorized access. FortiOS
automatically detects and lists the rouge AP in the Rogue APs widget. You can suppress it to avoid security
threats.

LAN Edge 7.0 Study Guide 403

Enhanced Wireless

How does rogue AP detection on FortiOS work? It uses a radio to listen for and detect other APs. If your
FortiAP is not using all of its radios, you can dedicate one of them to monitoring for rogue APs. Otherwise, you
can configure the AP to run a background scan when a radio is idle.

If you do not use a dedicated AP or a radio for scanning, you can configure the AP to run a background scan
when a radio is idle or at a defined threshold.

A background scan is opportunistic. During idle periods, FortiAP briefly switches the radio from acting as an
AP, to monitoring. By default, a scan period starts every 600 seconds, and each second a different channel is
monitored for 20 ms until all channels in the radio frequency have been checked. If the radio is dual-band
capable, it will not switch to the other frequency.

Enhanced Wireless

You can configure phishing SSID detection centrally on a per-controller basis using a CLI Configuration. By
default, fake SSIDs are detected and logged only, and no offending SSIDs are defined.

You can add offending SSIDs to the offending-ssid table with the option to log, or, to log and suppress.
Wildcards are supported, in the example shown on this slide, a ssid-pattern of FTNT* is specified. Any
SSIDs that broadcast a wireless network SSID beginning with FTNT are classified as an offending SSID.

You should then enable Phishing-ssid-detect to detect offending SSIDs.

After you import a FortiGate device into the inventory, you can add the FortiGate device into a controller
group.
Controller groups allow the grouping of controllers together, typically based on geographical location. Where
multiple controllers exist in a single location, it could make sense to organize them into a single group.
Controller groups are used for simple monitoring and administration purposes and are non-hierarchical; this
means that there are no subgroups. There is no limitation to what type of controllers can be in a group, but a
controller can belong to only one group.

When you add a controller to a group, it is immediately taken out of any other group that it is a member of. To
make a controller a member of a group, edit it in the device inventory where you will find the menu option
allowing you to select an existing group.

LAN Edge 7.0 Study Guide 415

Enhanced Wireless

You can also group APs. APs groups are used for monitoring as well as for notification purposes. It is possible
to use notifications to inform select administrators about problems with groups of APs. For example, all APs
on a particular campus can be grouped together and then assigned to a notification profile. When a set of
criteria is met, an email notification can be sent to a distribution group containing administrators responsible
for the campus.

AP groups are hierarchical; each group can have multiple subgroups. Groups can be built dynamically based
on a set of rules, for example, all APs of a particular type that are installed on a specific controller can be
placed into a dynamic group. This avoids the need to maintain the group membership manually; any new APs
that match the rules are automatically added to the group when installed. You can also build groups manually.
Edit an AP in the inventory, and you’ll see an option to make it a member of a group or groups. An AP can be
a member of multiple groups; typically, groups also represent geographical locations. However, subgroups will
give the ability to further organize APs, for instance, into floors and rooms of a building.

Currently, AP groups are used for monitoring and notification purposes only. Device administration groups are
currently supported only on FortiWLC-based networks.

LAN Edge 7.0 Study Guide 416

Enhanced Wireless

One of the main benefits of using FortiWLM is the ability to visualize the wireless network. You can import
maps and floor plans and then use them to display useful information about your network in the form of heat
maps for monitoring purposes or RF planning using the RF Planner function.

You can import maps and plans at multiple levels. At the topmost level, it is possible to display groups of
buildings on a campus. Organizations can have numerous campuses; each campus can have a metro map
associated with it that shows the location of buildings and landmarks. Each building can then have multiple
floors associated with it; each floor can have its own floor plan, which can be used to place APs on or for use
with the RF Planner function.

Maps and plans should be in the PNG, JPEG, BMP, or GIF format and no more than 2 MB in size. Floor
plans should be scaled and cropped to exclude as much white space around the plan as possible. When you
import the file, you are asked for the dimensions. For instance, if the floor is 60 meters by 40 meters, you
enter these dimensions. Network Manager will then scale the imported plan to 60 by 40 meters; however, if
there is white space around the floorplan, this will cause the RF simulation to be incorrect because this white
space is counted as part of the dimensions.

If you use FortiPlanner to plan your wireless networks, you can export the plans in a ZIP format and import
directly into FortiWLM.

LAN Edge 7.0 Study Guide 417

Enhanced Wireless

You can configure FortiWLM to send notification emails warning about issues with wireless network. To do
this, you will need to define an email server.

You can define both primary and secondary servers. Servers are to support SMTP using TLS, SSL, or there
is also the option to use no security.

Once the email server is set up, it can be referenced in a notification profile.

LAN Edge 7.0 Study Guide 418

Enhanced Wireless

The lower the signal strength, the lower the ability of the radio to use higher modulation rates. The lower those
rates, the lower the connection performance of the client. Low signal scenarios can occur for a number of
reasons. Most commonly, someone is trying use the wireless network from a location that was never
designed to support wireless devices. As a result, they are simply standing too far away from the AP. At that
point, the user must choose to either move to a location that is designed to be supported by the wireless
network or, if the location warrants it, install a new AP to improve the signal strength.

Low signal strength may also indicate that an AP has stopped running. The network is designed with overlap
to allow for RF redundancy. In the event of an AP failure, there is usually another AP within range, even if it
has a much lower signal strength. The result is that the client will associate with that other AP, but will appear
as a low signal strength client.

In a more complex RF environment, a client might maintain a connection to the original AP. After the client
moves to another location, they remain stuck to the original AP and are known as a sticky clients. In these
types of design scenarios, low signal strength stations can be a fact of life. It may not be possible to eliminate
low signal strength stations completely, but it is possible to monitor the number of devices that are poorly
connected.

LAN Edge 7.0 Study Guide 423

Enhanced Wireless

The transmit and receive link rates show the data rates that are being used by the AP, which is the TX or
transmit rate, and client, which is the RX or receive rate. Both are closely linked to signal strength—they often
go hand in hand, but are also impacted by other factors. The AP keeps a record of the link rates used when
transmitting to and from each associated client. The ultimate aim for all wireless implementations is to ensure
that the link rates are as high as possible for clients. A high link rate means that both the signal strength and
the signal quality are good. Because it is possible to measure the upstream link rate directly, this is a great
way to check if the client is suffering from RF issues.

The higher the link rates, the faster data is transferred, and the less air time is used for transmissions. This not
only ensures high performance for the client, but also allows maximum opportunity for other clients to transmit
as well, improving their overall performance. The link rates are calculated by the wireless chipset, based on
signal strength, the SnR, and the retry and loss rate of frames. A client might have very good signal strength
but a low link rate, which could indicate that the noise floor is higher than is optimal because the SnR is
potentially quite small. This prevents the client from using the upper link rates regardless of how strong the
signal is. The frame retry and loss rates will also cause a lower connection rate. If either the client or the AP
radio is struggling to send frames because, for example, there are a large number of collisions because of
stations on neighboring APs, the radio can reduce its link rate to attempt to make transmissions more reliable.

Lower link rates may also indicate that the wireless client might be an older client and, as such, might only
support older wireless standards where the link rates are a lot lower. For maximum efficiency, it is often
worthwhile to ensure that these older clients are replaced as soon as possible with newer-standard clients that
support more efficient link rates. Finally, upstream link rates can be reduced when a client enters power save
mode. Many handheld devices will aggressively reduce link rates when they are not transmitting data because
this can save significant amounts of battery power. However, this does make the client appear as if it is having
a poor experience because the signal strength is often strong. Lower link rates are relevant in this scenario
when you can see that the client is transmitting data. The radio should be trying to attain the highest link rates
possible, and the fact that it isn’t indicates that the client might have an RF issue.
LAN Edge 7.0 Study Guide 424
Enhanced Wireless

Channel utilization is the primary indicator of capacity around an interface. When enabled, the AP constantly
monitors the amount of wireless traffic it can decode in the channel and provides a measure. It is not only
accounting for traffic transmitted by its own clients, it is also is accounting for other wireless traffic on the
channel, which could be coming from neighboring APs and wireless clients not associated with your wireless
network. The neighboring APs and wireless clients still use capacity, even though they are not part of your
network, and your network cannot transmit data while those other transmissions are occurring.

The higher the channel utilization, which is measured in percent, the less the spare airtime that is available.
Channel utilization is the most important indicator of wireless capacity.

In the Interfering SSIDs widget, you can click a radio to reveal a table of interfaces. You can sort these tables
to highlight radios that are interfering the most.

The widgets can quickly show essential information that you can use to diagnose potential causes of poor
performance and connection reliability. You can also convert them into monitors.

LAN Edge 7.0 Study Guide 428

Enhanced Wireless

Starting at FortiGate, the Managed FortiAPs table also contains useful information about the status of
connected APs.

Found under Wi-Fi & Switch Controller > Managed FortiAPs, it provides three different views.

AP View is the default view and groups radio interfaces together under an AP.

The Radio option is more useful for assessing load because it allows you to easily sort the radios to highlight
interfaces that are in trouble. Note that you can add useful columns, such as Channel Utilization, to a view.

LAN Edge 7.0 Study Guide 429

Enhanced Wireless

When you right-click an AP, you get the option to select View More Details. You can see a more detailed
summary of the individual AP details and can perform basic actions on the AP, such as upgrade, restart, or
de-authorize. It is also possible to edit the configuration directly, which will override the profile settings.

You will see color-coded health indicators in the upper-right corner, which will give you an immediate
indication as to the status of the AP and its radios. The colors indicate the severity of the issue, using the
colors red, green, and yellow to indicate the severity.

The table shows the configuration and the status of the radios by default. The Clients tab shows all the clients
that are associated with the AP. You can also drill down into the individual clients, if required. The logs view
filters the wireless events just for this AP. Double-clicking on each event will shows the event details.

The CLI access option allows direct access to the APs CLI, if required. If the AP is capable and is configured
for dedicated operation, then you will be able to enable spectrum analysis. Not all APs are capable of
spectrum analysis—refer to the release notes for more information. The spectrum analysis view shows the
real-time view of the wireless spectrum, together with any detected interferers.

LAN Edge 7.0 Study Guide 430

Enhanced Wireless

The WiFi Clients table provides detailed information about clients that are currently connected.

Again, you can add additional columns to provide useful information about a client’s connection state, such as
the signal strength the AP is receiving from the station, the downstream link rate, the channel configuration,
and so on.

Again, you can sort and filter to highlight clients that are in trouble.

LAN Edge 7.0 Study Guide 431

Enhanced Wireless

Select a station in the client list. Then, right-click and select Diagnostics and Tools to open diagnostics
about a station.

From here, you can perform basic actions, such as quarantine or disassociate workstation. The health icons
are color-coded and will give an immediate indication of any issues, such as poor signal strength or SnR.

There is an option to display a graph which, by default, will show bandwidth but can also show SnR. The
graphing is limited to approximately 10 minutes of data.

If you select the Logs tab is possible to see a logical log of a station connection events. This log is useful for
quickly diagnosing common connectivity issues, such as incorrect passwords or pre-shared keys, because
the association and authentication steps the wireless client performs are listed in the log. You can see details
of each log event by clicking the Details button. This can show further information about any failures.

Filter the log and export its contents into a text file for a more detailed analysis.

LAN Edge 7.0 Study Guide 432

Enhanced Wireless

The Events table provides a whole-controller historical view of the wireless network. You can use this to
identify events that affect both clients and APs over time.

Adding additional columns and filtering allows you to focus in on wireless clients or APs that are misbehaving.

LAN Edge 7.0 Study Guide 433

Enhanced Wireless

When FortiManager is installed in the network, you can use it to perform basic monitoring of the status of APs
and clients. The main benefit of using FortiManager is that you can get an overall view of the APs installed on
the network without having to go to each FortiGate in turn. However, the amount of information available on
FortiManager, specifically about the status of radios, is less than what is being available on FortiGate.

The Managed APs view is mostly used for configuration, rebooting, upgrading, or assigning profiles.
However, you can also see useful metrics here. The total number of managed APs is shown, together with a
count of the APs that are offline and online. Clicking on the rogue AP count icon will take you to a complete list
of the rogue APs detected by all of the APs on the network. Likewise, clicking the client's connected icon will
take you to a table that shows all clients connected to all of the APs managed by FortiManager.

You can also group APs for display and monitoring purposes. These groups are used inside FortiManager
only. Groups to organize the displays so you can drill down and monitor APs in a more organized way. APs
can belong to multiple groups, but the groups are specific to a controller and an AP type.

LAN Edge 7.0 Study Guide 434

Enhanced Wireless

FortiManager also includes the ability to perform a centralized spectrum analysis. Some FortiAPs can operate
their wireless chipset in two modes. The first mode is normal mode, which supports wireless client
connectivity, and the second put the radio into spectrum analysis mode. Refer to the AP datasheet to see if an
AP is capable of spectrum analysis. To put the radio into spectrum analysis mode, you will need to configure
both radios of an AP as dedicated sensors. The best way to do this is to create and assign an AP profile.
Once done, you will be able to right-click an AP and select View Spectrum Analysis.

By default, the 2.4 GHz range is selected for analysis, although you can choose 5 GHz as well. When
selecting 5 GHz, you will need to choose a range of channels to scan. There are three useful pieces of
information displayed.

The first two graphs cover signal interference—all the power of the interfering signal. This is usually a
measure of how close the interference source is. The smaller the negative number, the more powerful the
signal is. You can see the instantaneous value as well as a plot of the signal strength over the last 60
seconds.

You also see two events-based tables. The Station Activity Log shows more events specific to that
particular workstation, and Events shows the frequency of these events occurring over time. Large numbers
of events occurring inside a particular time frame might indicate that the station is struggling with some
element of connectivity. In other words, the more circles you have, the more issues there might be potentially.
Like other views, it is possible to vary the time frame over which this data is displayed. This can be very useful
when you are investigating historical issues, because you can review import historical metrics going.

LAN Edge 7.0 Study Guide 441

Enhanced Wireless

On initial inspection, the heatmap function can be misleading. Many wireless professionals are familiar with
predictive planning tools, such as FortiPlanner and Ekahau site survey. These tools allow the import of floor
plans, the drawing of walls, and the prediction and display of signal strength based on complex algorithms.
One of the measures that you can visualize using the FortiWLM heatmap, is signal strength. The FortiWLM
heatmap will display the estimated receive signal strength of the associated workstations, and then plot it onto
the floor plan. However, this is not a measure of the actual signal strength in different places on the floor. It is
simply a color-coded estimate. The FortiWLM heatmap cannot perform any of the complex predictive signal
planning that accounts for signal absorption by walls. It performs a basic calculation of radio power and
distance, based on the floor plan's scale and size. It is possible to visualize the following heatmap types:

Number of Stations: This shows the relative number of stations across all the APs on the floor, which is very
useful for identifying overloaded APs.

Channel Utilization: This shows the relative channel utilization across the APs on the floor, which is very
useful for identifying overloaded APs, or potential channel conflict issues.

Loss: This is a visual indication of the loss rate for each of the APs.

Throughput: This is a visual indication of the throughput and at each AP, which is very useful for identifying
areas of the network that are overloaded.

The benefit of heatmaps is realized when you import all of your building's floorplans. You can quickly review
large numbers of APs by browsing each floor and looking for red colors. It makes the identification of problem
areas quick and easy.

LAN Edge 7.0 Study Guide 442

Enhanced Wireless

FortiWLM can also send notifications. These notifications are entirely self-contained and unique to FortiWLM
and require access to an email server.

There are two elements to notifications. The Notification Profile is effectively an email group, a comma-
separated list of the email addresses. These profiles define groups of users, usually with different
responsibilities inside the network. The Notification Filter will define the events that trigger the email sent.

The notification filter is highly flexible. It is possible to send a notification based on alarm severity, or you can
drill down and select individual alarms. It is possible to specify individual controllers, APs, or groups of APs.

When you have enterprise networks with large numbers of network administrators responsible for different
campuses, it is possible to send relevant emails to the administrators who are managing the other parts of the
system.

LAN Edge 7.0 Study Guide 443

Enhanced Wireless

Finally, the key to using monitoring tools properly is understanding what a good and bad metrics are. You can
then use the tools to identify parts of the network that are in trouble. Regular monitoring is essential, and you
should aim to keep your wireless metrics within the ranges shown on this slide.

The lower the channel noise, the better. Signal strength is measured in negative decibels—the greater the
negative number, the weaker the signal. For noise, a signal weaker than -92 is considered optimal. A signal in
the high -80s is acceptable. A signal in the low -80s or -70s indicates significant interference that you should
investigate using a spectrum analyzer.

The wireless network is designed and specified with a target signal strength for clients. You should make sure
that the majority of your clients have that minimum signal strength or greater. It is not unusual to have a small
number of weaker stations. For example, wireless devices enter and leave buildings, which can cause small
numbers of low signal strength clients to appear and disappear. Generally, you should see signal strengths of
-64 or stronger, with a good SnR of at least 15, but preferably 25 or more. Newer, higher speed standards
generally require a higher signal strength and a greater SnR, but these numbers provide a good baseline and
allow most wireless connections to work.

Finally, the ultimate indicator of health is the link rates that the client and AP use to communicate with each
other. Before you can make a judgment on the link rate, you first need to understand the specifications of the
wireless client to identify the maximum link rate you can use. Often, devices will be equipped with one or twop
stream 2.4 GHz-capable and 5 GHz-capable clients. Analysis of the link rates being used may show that,
rather than connecting near the theoretical maximums of 433 Mbps (for a one stream 802.11ac client) or 866
Mbps (for a two stream client), which you might expect, they are connecting closer to 65 Mbps. Often, this is
simply a result of the clients connecting to the 2.4 GHz radio rather than a more suitable 5 GHz radio. Equally,
link rates will be reduced if the underlying metrics (loss, retry, signal strength, and noise) are impacted.

LAN Edge 7.0 Study Guide 444

Enhanced Wireless

In this section, you will learn about some of the best practices that you can adopt when deploying a wireless
network.

LAN Edge 7.0 Study Guide 445

Enhanced Wireless

A big source of issues with a wireless network can be incorrect channel settings.

Regardless of whether channels are set manually, or by an automated system such as Radio Resource
Provisioning, it is possible to reach a scenario where AP radios have channel or power settings that cause
CCI.

Automated systems can change channels to adapt to changes in local RF conditions, such as a new moving
in and installing their own wireless network. This can cause your APs to attempt to recalculate their channel
settings.

Or, in the case of 5 GHz dynamic frequency selection (DFS) channels, a radar signal is detected which can
cause APs to change channels.

However it happens, APs that are close together should avoid being on the same channel. It is important to
make sure that your AP population is configured in the best way possible, in accordance with conditions.

Enhanced Wireless

AP handoff is a load balancing method that is used by FortiGate to increase wireless performance and use
the resources on APs more efficiently. AP handoff is a way of load balancing wireless clients among managed
APs on FortiGate. AP handoff works in two ways:

1. If the number of clients exceeds the maximum number of clients configured for an AP, the client with the
lowest RSSI value will be forced to join another AP.
• The RSSI value must meet the signal strength on the nearby AP.
2. If the number of clients is already at the defined threshold, new clients will be redirected to join the least
busy nearby AP.
• The least busy nearby AP will respond to the client’s join request.

Handoff-sta-thresh defines the value after which the handoff protocol is initiated for new client. FortiGate will
instruct the least busy nearby AP to respond to the join request for any new client that tried to connect to an
overloaded AP, as long as the configured RSSI value condition is met. You must enable the AP handoff
feature on all radios on an AP. The handoff-rssi value threshold defined in the AP profile is used when
handed off client tries to connect to the second AP. The client`s signal strength must be equal to or more than
the defined RSSI value on the AP. Signal strength is determined based on the RSSI value—a higher RSSI
value means better signal strength.

The best practice is to monitor the client load across the APs. If you see a regular imbalance between APs
relatively close together, enabling AP handoff can help balance the load between APs. It is typically a high-
density environment that suffers imbalances because of the large numbers of clients and the necessary
proximity of APs. Be aware that some clients, particularly low-cost and simple IoT type devices, do not
respond well to being load balanced and refuse to be directed to another AP. This can cause a connectivity
issue, and load balancing may need to be avoided for these types of clients.

LAN Edge 7.0 Study Guide 450

Enhanced Wireless

Frequency handoff is a band steering technique that FortiGate uses to encourage clients to use the 5 GHz
frequency instead of the 2.4 GHz.

Clients that support the 5 GHz frequency benefit from faster speeds and decreased interference. This also
benefits clients that do not support 5 GHz, because there will be less interference on 2.4 GHz because of the
reduced number of clients.

FortiGate continuously probes the clients to identify if they can operate on the 5 GHz frequency. FortiGate
maintains a table to track which clients support both frequencies, and records the RSSI value, along with the
other information for each frequency.

When a client tries to connect, FortiGate checks whether it can support 5 GHz and, if so, how good the
signals are. If a client supports the 5 GHz frequency and the signal is strong enough to connect, FortiGate will
ignore the client’s requests to join the network on 2.4 GHz until the request times out. The client will then
automatically try to join the same network using 5 GHz. FortiGate will instruct the AP to respond to the join
request and allow the client to connect.

LAN Edge 7.0 Study Guide 451

Enhanced Wireless

Signal strength is one of the major factors in wireless performance. Clients with poor signal strength to and
from the AP will likely have poor performance. They will also cause poor performance for other clients
connected to the same AP because of the excessive amount of airtime they will take to transmit and receive
their data.

The wireless client is in control of the AP selection process in a Fortinet integrated and cloud network.
Because of the quirks of RF, and the possible poor quality of the wireless client hardware or drivers, it is
possible for wireless clients to make poor decisions when connecting to APs. A client may choose to connect
to an AP farther away when there may be a closer, more suitable AP to connect to, for example. This results
in a connection that has poor signal strength and poor link rates, resulting in performance issues. The
AP/controller does have limited control in how a client connects. Part of the client’s connection process
involves a probe request and a probe response process that occurs during the initial association. This can
give the AP the opportunity to not respond to a probe request from a client that is too far away. If the client
does not get a probe response from an AP, it should carry on looking for other suitable APs to connect to. The
AP can measure the signal strength of the client’s probe request. If it decides the signal is too weak, then it
can choose to not respond with a probe response frame. The signal strength the AP uses is defined by the
probe response threshold and is measured in dBm.

The probe response threshold applies only when the client is attempting to connect to an AP. If the client is
already connected and starts moving away from the AP, resulting in the signal strength dropping below the
threshold, then it will not be forcibly disconnected by the AP/controller. However, if the connection drops for
any other reason, the client will need to probe to reconnect. At that point, the client will be below the threshold
and will not get a probe response.

LAN Edge 7.0 Study Guide 452

Enhanced Wireless

The probe response threshold is applicable to the VAP/SSID. You can configure it only on the CLI. By default,
the threshold is -80 dBm. This requires that any probe request frame that comes to any of the wireless radios
that are broadcasting the SSID should be measured at -80 or stronger, before the AP will respond. -80 allows
for clients with a relatively weak signal strength to make the connection. While this may be acceptable for
some networks, performance in high-density networks could suffer substantially if these slow clients are
allowed to connect and exchange small amounts of data across low-speed links, using large amounts of
airtime. Most wireless networks should be designed with a target signal strength in mind for their clients,
which is usually around -64. It is a good practice to monitor clients that are connecting to the network, and
monitor the signal strength. If you have large numbers of clients that are connecting with poor signal strength,
it could indicate the following:

• Clients are trying to connect from an area that does not have wireless coverage. In this case, you will need
to investigate whether additional coverage is required. Perhaps a new part the building has opened and
now requires wireless service. In this case, you would need to consider deploying more APs.
• Clients are connecting to a suboptimal AP. Variations in radio frequency caused by multipath and
reflections can make an AP look more attractive to the client than they should. Wireless client quality can
also be a big factor in AP selection. Poorly designed, engineered, or tested drivers can make poor AP radio
selection decisions in an enterprise environment.

If you find that large numbers of clients are connecting at poor signal strength without any other obvious
issues, you can reduce the probe response threshold for the VAP/SSID. Reduce it in increments, and monitor
the effect. Always remember that decibels are logarithmic. Small changes in decibel count can mean quite
large changes in signal strength, so choose an increment of around 5 dB. After you change the probe
response threshold, spend more time monitoring the client connections, and reduce the threshold, if required.

LAN Edge 7.0 Study Guide 453

Enhanced Wireless

By default, multicast traffic is sent at a lower wireless transmission rate. If a lot of multicast traffic is being
passed by the network, then this can needlessly consume airtime.

Converting multicast traffic to unicast traffic might well increase the amount of traffic sent because each
multicast message will be converted to a unicast message for each wireless client connected to the wireless
SSID. However, because the unicast traffic is transmitted at a much higher wireless data rate, the net effect
on wireless performance is positive because each frame will be consuming much less airtime.

The effect on the network will obviously be dependent on the amount of multicast traffic that is generated on
your network; however, enabling conversion by default will likely have little negative effect.

LAN Edge 7.0 Study Guide 454

Enhanced Wireless

All wireless standards are designed to be backwards compatible. This means that even the newest wireless
standards have to accommodate the wireless connection that was originally specified as part of a standard
that is a more than 20 years old.

The original 802.11b standards mandated that management frames should be sent out at the lowest MCS
connection rate, which, for 802.11b, was 1 Mbps. This means that modern networks have to also transmit
management frames at this low MCS rate, even when the vast majority of, or perhaps all, clients support
newer standards. This results in large amounts of wasted airtime.

Disabling 802.11b rates means that the management frames are now transmitted at a minimum of 6 Mbps,
improving airtime efficiency. This comes at the cost of no longer supporting extremely old 802.11b clients, and
removing those legacy rates from the network. This also has the side effect of preventing clients from
connecting from an extreme range. Even the latest wireless clients will revert to the old 802.11b rates when
trying to connect to an AP that is far away. Prohibiting these rates also stops excessive airtime use by clients
that are too far away to make the best use of the wireless network.

If you choose to disable these rates, you should be aware that clients will no longer be able to connect, and
the receive range of your APs will also be less. However, if your network is designed correctly, clients that
require wireless coverage will have signal strength high enough to allow a good connection. So, it should not
be necessary for your clients to revert to the legacy rates.

LAN Edge 7.0 Study Guide 455

Enhanced Wireless

It is also possible to support data rates in a more granular way. If required, it is possible to customize the
individual rates for each SSID/VAP broadcast. For example, you can configure a corporate SSID/VAP that is
used to support known client types can to support only higher data rates in both the 2.4 and 5 GHz frequency
ranges. Because the client specification is known, it should be easy to select appropriate data rates to
optimize wireless performance. A guest SSID/VAP may have a wide variety of different wireless clients
connecting to it, therefore it may be better to leave the SSID supporting the default data rates.

Adjusting the data rates appropriately will prevent clients from sticking to an AP after the initial association;
that is, when the client roams, the updated link rates will ensure that the client moves to a more suitable AP
more quickly because of the increase in supported rates. It will also provide a significant barrier to clients that
are connecting with poor signal strength during the association process. It will not be possible for clients with
poor signal strength to meet the requirements for associating with APs that have a higher basic link rate
requirement.

Rates are configurable on the CLI only, and on a per-VAP basis. It is possible to configure rates separately for
2.4 GHz 802.11bg, and 8021.11n. For 5 GHz it is possible to configure separately for 802/11a, 802.11n, and
802.11ac.

When specifying a/b/g rates, you must set at least one basic rate. The lowest basic rate that is advertised by
an AP is the rate at which management traffic is broadcast. Once the basic rates have been defined, then you
can also define the optional, or supported rates, the clients can use if they meet the signal strength
requirements.

When configuring 802.11n and 802.11ac rates, you need to specify only the required supported rates.

LAN Edge 7.0 Study Guide 456

Enhanced Wireless

While it is possible to alter the supported rates for 802.11n and 802.11ac, there is currently no best practice
that suggests it is necessary to do so.

When using the legacy wireless standards in a congested or high-density environment, you can improve
airtime efficiency by eliminating the low-rate connections. Allowing low rate connections also creates the
possibility of clients sticking, or connecting inappropriately to APs.

You can change the supported rates on the CLI only, on a per-VAP/SSID basis. This allows for different
wireless networks to be broadcast from the same AP, but with different supported rates.

Disabling rates will restore the default settings on the VAP. To revert to default rates using the CLI, use the
following commands:

# config wireless-controller vap

# edit <vap>
# unset rates-11bg
# unset rates-11a
# end

LAN Edge 7.0 Study Guide 457

Enhanced Wireless

The fnbamd real-time debug shows that the issue is with OCSP request. The issue, in this case, is that
FortiGate is configured with the wrong OCSP URL.

The LDAP lookup of the UPN string in the certificate is valid, and it finds one valid user with that UPN.

LAN Edge 7.0 Study Guide 475

Solutions

The fnbamd debug shows you that the OCSP response timed out, which basically means that FortiGate was
unable to connect to OSCP, which is FortiAuthenticator.

LAN Edge 7.0 Study Guide 476

Solutions

To fix the issue, change the OCSP server IP address to 10.0.1.150:2560. You must also specify a port
number for the configuration to work properly.

LAN Edge 7.0 Study Guide 477

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiGate 7.6 Administrator Study Guide
100% (1)
FortiGate 7.6 Administrator Study Guide
558 pages
Fortinet FortiClient EMS Study Guide
No ratings yet
Fortinet FortiClient EMS Study Guide
348 pages
Fortinet FortiClient EMS Lab Guide For FortiClient EMS 7.0
No ratings yet
Fortinet FortiClient EMS Lab Guide For FortiClient EMS 7.0
110 pages
FortiAuthenticator Study Guide
No ratings yet
FortiAuthenticator Study Guide
480 pages
FortiSwitch Study Guide For Fortiswitch 7.4
No ratings yet
FortiSwitch Study Guide For Fortiswitch 7.4
462 pages
Fortinet Fortimanager Study Guide For Fortimanager 72
100% (1)
Fortinet Fortimanager Study Guide For Fortimanager 72
372 pages
LAB 04 Firewall Authentication
No ratings yet
LAB 04 Firewall Authentication
17 pages
(FCSS Cloud) - Public Cloud Security Architect FortiOS 7.6 - Study Guide
100% (2)
(FCSS Cloud) - Public Cloud Security Architect FortiOS 7.6 - Study Guide
237 pages
(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide
100% (2)
(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide
555 pages
Mastering WebFiltering in FortiGate Firewall Configuration 1717349652
No ratings yet
Mastering WebFiltering in FortiGate Firewall Configuration 1717349652
96 pages
(FCSS SASE) - FortiSASE Administrator FortiSASE 24 - Study Guide
100% (1)
(FCSS SASE) - FortiSASE Administrator FortiSASE 24 - Study Guide
171 pages
FortiNAC-7.2 F-FortiGate Endpoint Management Integration Guide
No ratings yet
FortiNAC-7.2 F-FortiGate Endpoint Management Integration Guide
42 pages
NSE7 - OT Security FortiOS 7.2 - Study Guide
100% (2)
NSE7 - OT Security FortiOS 7.2 - Study Guide
317 pages
(Fcss NW) - Sd-Wan Fortios 7.2 - Study Guide
No ratings yet
(Fcss NW) - Sd-Wan Fortios 7.2 - Study Guide
381 pages
(FCSS NW) - Enterprise Firewall Administrator FortiOS 7.4 - Study Guide
100% (1)
(FCSS NW) - Enterprise Firewall Administrator FortiOS 7.4 - Study Guide
384 pages
Enterprise Firewall 7.2 Lab Guide-Online U
No ratings yet
Enterprise Firewall 7.2 Lab Guide-Online U
158 pages
FortiGate Authentication
No ratings yet
FortiGate Authentication
77 pages
81-Active Authentication AD
No ratings yet
81-Active Authentication AD
9 pages
Secure Access 6.4 Study Guide-Online-Desbloqueado
No ratings yet
Secure Access 6.4 Study Guide-Online-Desbloqueado
446 pages
FortiAnalyzer-7 4 1-Administration - Guide
No ratings yet
FortiAnalyzer-7 4 1-Administration - Guide
425 pages
Fortinet Fortigate Infrastructure Lab Guide For Fortios 72
100% (1)
Fortinet Fortigate Infrastructure Lab Guide For Fortios 72
126 pages
FortiGate 7.4 Administrator Study Guide-Online v2 Español
No ratings yet
FortiGate 7.4 Administrator Study Guide-Online v2 Español
818 pages
NSE-8 Certification Public-Handbook
No ratings yet
NSE-8 Certification Public-Handbook
19 pages
FortiOS 7.4.3 Administration Guide
No ratings yet
FortiOS 7.4.3 Administration Guide
3,620 pages
(FCP Sec Ops - NSE5) - FortiAnalyzer Analyst 7.2 - Study Guide
No ratings yet
(FCP Sec Ops - NSE5) - FortiAnalyzer Analyst 7.2 - Study Guide
209 pages
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
100% (3)
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
216 pages
(FCP Sec Ops - NSE5) - FortiEDR 5.0 - Study Guide
100% (1)
(FCP Sec Ops - NSE5) - FortiEDR 5.0 - Study Guide
257 pages
FortiGate Security 7.0 Study Guide-Online H
No ratings yet
FortiGate Security 7.0 Study Guide-Online H
628 pages
NSE7 - Enterprise Firewall FortiOS 7.0 - Study Guide
100% (1)
NSE7 - Enterprise Firewall FortiOS 7.0 - Study Guide
528 pages
Firewall 1737069466
No ratings yet
Firewall 1737069466
76 pages
(FCSS ZT - NSE7) - Zero Trust Access FortiOS 7.2 - Study Guide
100% (1)
(FCSS ZT - NSE7) - Zero Trust Access FortiOS 7.2 - Study Guide
192 pages
FortiOS 7.4 AWS Administration Guide
100% (1)
FortiOS 7.4 AWS Administration Guide
221 pages
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
100% (1)
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
247 pages
(FCSS Cloud - NSE7) - Public Cloud Security Fortigate 7.2 - Study Guide
No ratings yet
(FCSS Cloud - NSE7) - Public Cloud Security Fortigate 7.2 - Study Guide
194 pages
FortiGate Infrastructure 7.2 Study Guide-Online
No ratings yet
FortiGate Infrastructure 7.2 Study Guide-Online
388 pages
Fortinet Network Security Support Engineer Study Guide For Fortios 72
No ratings yet
Fortinet Network Security Support Engineer Study Guide For Fortios 72
536 pages
FortiOS 7.0.1 Administration Guide
No ratings yet
FortiOS 7.0.1 Administration Guide
2,150 pages
(FCSS Sec Ops) - Security Operations Analyst FortiAnalyzer 7.4 - Study Guide
No ratings yet
(FCSS Sec Ops) - Security Operations Analyst FortiAnalyzer 7.4 - Study Guide
158 pages
Ebin - Pub Fortinet Enterprise Firewall Study Guide For Fortios 72
No ratings yet
Ebin - Pub Fortinet Enterprise Firewall Study Guide For Fortios 72
390 pages
NSE7 - Enterprise Firewall FortiOS 6.4 - Study Guide
100% (1)
NSE7 - Enterprise Firewall FortiOS 6.4 - Study Guide
533 pages
FortiGate 7.4 Operator Lesson Scripts
100% (1)
FortiGate 7.4 Operator Lesson Scripts
33 pages
Fortinet Advanced Analytics Lab Guide For Fortisiem 63
No ratings yet
Fortinet Advanced Analytics Lab Guide For Fortisiem 63
224 pages
FortiGate Security 7.0 Study Guide - FortiGate - Security - 7.0 - Study - Guide-Online
No ratings yet
FortiGate Security 7.0 Study Guide - FortiGate - Security - 7.0 - Study - Guide-Online
42 pages
Fortinet Fortiedr Lab Guide For Fortiedr 50
No ratings yet
Fortinet Fortiedr Lab Guide For Fortiedr 50
104 pages
B Fortinet Fortisoar Administrator Study Guide For Fortisoar 73
No ratings yet
B Fortinet Fortisoar Administrator Study Guide For Fortisoar 73
310 pages
Fortinet NSE4 FGT 7.2 - 2023.06.22 194Q v2.0
100% (1)
Fortinet NSE4 FGT 7.2 - 2023.06.22 194Q v2.0
106 pages
NSE7 - SD-WAN FortiOS 6.4.5 - Study Guide
No ratings yet
NSE7 - SD-WAN FortiOS 6.4.5 - Study Guide
229 pages
LAB 02 Firewall Policies and NAT
100% (1)
LAB 02 Firewall Policies and NAT
23 pages
LAB 06 Certificate Operations
100% (1)
LAB 06 Certificate Operations
15 pages
FortiGate Infrastructure 6.2 Study Guide-Online
No ratings yet
FortiGate Infrastructure 6.2 Study Guide-Online
414 pages
Fortigate Security Study Guide: Do Not Reprint © Fortinet
No ratings yet
Fortigate Security Study Guide: Do Not Reprint © Fortinet
459 pages
NSE7 - Advanced Analytics FortiSIEM 6.3 - Study Guide
No ratings yet
NSE7 - Advanced Analytics FortiSIEM 6.3 - Study Guide
476 pages
FortiAuthenticator Student Guide-Online
67% (3)
FortiAuthenticator Student Guide-Online
455 pages
Do Not Reprint © Fortinet: Fortimanager Lab Guide
No ratings yet
Do Not Reprint © Fortinet: Fortimanager Lab Guide
182 pages
Rtu560 CMR02
0% (1)
Rtu560 CMR02
4 pages
FortiGate Infrastructure 7.2 Lab Guide-Online
No ratings yet
FortiGate Infrastructure 7.2 Lab Guide-Online
123 pages
LAB 7 - High Availability (HA)
100% (1)
LAB 7 - High Availability (HA)
17 pages
Secure Access 6.0 Study Guide-Online PDF
No ratings yet
Secure Access 6.0 Study Guide-Online PDF
428 pages
FortiNAC Demo Walkthrough
No ratings yet
FortiNAC Demo Walkthrough
13 pages
FortiAnalizer NSE5
No ratings yet
FortiAnalizer NSE5
32 pages
Fortinac Admin Operation 83 PDF
No ratings yet
Fortinac Admin Operation 83 PDF
2,020 pages
Nse8 811
No ratings yet
Nse8 811
62 pages
LAB 01 System and Network Settings
No ratings yet
LAB 01 System and Network Settings
22 pages
Customizing in SAP S/4HANA Asset Management
No ratings yet
Customizing in SAP S/4HANA Asset Management
20 pages
Fortinac™: Data Sheet
No ratings yet
Fortinac™: Data Sheet
12 pages
LAB 5 - Firewall Authentication
No ratings yet
LAB 5 - Firewall Authentication
12 pages
Fortigate Troubleshooting Tips: Windows Ad Sso
No ratings yet
Fortigate Troubleshooting Tips: Windows Ad Sso
8 pages
NSE 8 Certification Public Handbook 2017
No ratings yet
NSE 8 Certification Public Handbook 2017
26 pages
NSE Partner Guide 102015
No ratings yet
NSE Partner Guide 102015
13 pages
NSE 8 Immersion: Course Description
No ratings yet
NSE 8 Immersion: Course Description
2 pages
Ibm Spectrum Protect (TSM) Training
100% (1)
Ibm Spectrum Protect (TSM) Training
38 pages
Parts of A Computer System Unit (Components)
No ratings yet
Parts of A Computer System Unit (Components)
31 pages
99 FTMK Academic Handbook Ug Terkini
No ratings yet
99 FTMK Academic Handbook Ug Terkini
183 pages
GIGABYTE GeForce 210 Video Card Manual - 3
100% (1)
GIGABYTE GeForce 210 Video Card Manual - 3
32 pages
Applying Artificial Intelligence at Scale in Semiconductor Manufacturing - McKinsey
No ratings yet
Applying Artificial Intelligence at Scale in Semiconductor Manufacturing - McKinsey
25 pages
Simatic S7-1200 Simatic S7-200 To Simatic S7-1200 Software Conversion Tool V11
No ratings yet
Simatic S7-1200 Simatic S7-200 To Simatic S7-1200 Software Conversion Tool V11
36 pages
The C Character Set
No ratings yet
The C Character Set
6 pages
Microsoft Case Study
No ratings yet
Microsoft Case Study
19 pages
Introduction To Computer Security
No ratings yet
Introduction To Computer Security
38 pages
Maya Render Log
No ratings yet
Maya Render Log
102 pages
Chfi Notes
No ratings yet
Chfi Notes
6 pages
User Manual: M-Bus Master / Modbus Slave - Converter
No ratings yet
User Manual: M-Bus Master / Modbus Slave - Converter
43 pages
It100-4 1
No ratings yet
It100-4 1
62 pages
Lab Report 1 - CPU Scheduling - 202353080023
No ratings yet
Lab Report 1 - CPU Scheduling - 202353080023
11 pages
Microsoft Word, Excel, Powerpoint & Adobe PDF Files On Your Smartphone or Pda
No ratings yet
Microsoft Word, Excel, Powerpoint & Adobe PDF Files On Your Smartphone or Pda
2 pages
Oliver
No ratings yet
Oliver
29 pages
Interface Description For Dynamic Library of CDM6240 Cash Dispenser PDF
No ratings yet
Interface Description For Dynamic Library of CDM6240 Cash Dispenser PDF
51 pages
Ueit601 - Artificial Intelligence
No ratings yet
Ueit601 - Artificial Intelligence
2 pages
CNC DDCS
No ratings yet
CNC DDCS
2 pages
21CS44 - Operating Systems - Module-2
No ratings yet
21CS44 - Operating Systems - Module-2
44 pages
AKLABETH
No ratings yet
AKLABETH
22 pages
Face Recognition in Image Processing
No ratings yet
Face Recognition in Image Processing
7 pages
JARKOM - Setting Modem Yang Digunakan Untuk Layanan Internet Pascabayar (Telkom Speedy)
No ratings yet
JARKOM - Setting Modem Yang Digunakan Untuk Layanan Internet Pascabayar (Telkom Speedy)
14 pages
Sagar Inplant Report Final
No ratings yet
Sagar Inplant Report Final
16 pages
Electronic Assignment Coversheet: Student Number
No ratings yet
Electronic Assignment Coversheet: Student Number
12 pages
Temperature Monitor Using Bluetooth Module and An NTC Thermistor
No ratings yet
Temperature Monitor Using Bluetooth Module and An NTC Thermistor
11 pages
HVCCTV
No ratings yet
HVCCTV
4 pages
Business Plan
No ratings yet
Business Plan
2 pages