Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

Home FortiAP / FortiWiFi 7.4.2 FortiWiFi and FortiAP Configuration Guide
7.4.2
7.4.2
7.4.1
7.4.0
7.2.5
7.2.4
7.2.1
7.2.0
7.0.4
7.0.2
7.0.1
7.0.0
6.4.6
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.2
6.2.0
6.0.5
6.0.4
6.0.3
5.6.4
5.4.3

Configuring a FortiWiFi unit as a wireless client

Configuring a FortiWiFi unit as a wireless client

Tooltip

Wireless client configuration is only available on select FortiWiFi models. See FortiWiFi unit as a wireless client for the list of supported models.

For most models, the FortiWiFi unit cannot operate as an AP while also operating in client mode. However, select models such as the FortiWiFi 80F series can support AP and client mode concurrently.
Caution

Before setting up the FortiWiFi unit as a wireless client using the steps described below, make sure to remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members using the CLI or GUI.
To configure wireless client mode - GUI:

  1. Go to WiFi and Switch Controller > Local WiFi Radio and change the Mode to Wireless Client.

    Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.

  2. Click Add Network and enter the name of the SSID you want to use.
  3. On 8xF/6xF/40F models, you can select a Security mode; other models will default to WPA/WPA2 Personal.

  5. Enter a Passphrase if needed.

  6. Click OK to save the WiFi Network Connection Setting.

  7. From the Local WiFi Radio page, verify that the WiFi network is connected.

  8. Go to Policy & Object > Firewall Policy and click Create New to create a firewall policy.

  9. Enter the following policy information:

    Incoming Interface (srcintf)

    wifi

    Source Address (srcaddr)

    all
    Caution

    For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.

    For more information on the aplink interface, see Understanding FortiWiFi aplink interface.

  10. Configure remaining fields as needed, when you are finished, click OK.

To configure wireless client mode - CLI:

  1. Change the wireless mode to client.

    config system global
  set wireless-mode client
end

    Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.

  2. Set up a wifi-network entry under interface "wifi".

    config system interface
  edit "wifi"
    config wifi-networks
      edit 1
        set wifi-ssid "FOS_61F_psk"
        set wifi-passphrase *
      next
    end
  next
end

  3. Create a firewall policy from "internal" to "wifi".

    Caution

    For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.

    		 
    config firewall policy
  edit 1
    set name "lan"
    set srcintf "internal"
    set dstintf "wifi"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set nat enable
  next
end

  4. Connect a wired client to the internal ports of the FortiWiFi to verify that it can pass traffic to the Internet.

Controlled AP selection support in FortiWiFi client mode

Use the following CLI commands to provide a more controlled AP selection method (supported in FortiWiFi client mode).

Syntax:

config system interface

edit {name}

set wifi-ap-band {any | 5g-preferred | 5g-only}

next

end

Configuring a FortiWiFi unit to run in concurrent AP and wireless client mode

FortiWiFi 80F/81F-2R-XX models support concurrent AP and Client mode. When the FortiWiFi is configured to run in wireless client mode and the FortiWiFi local radio connects to a third-party SSID, the local radio can concurrently operate in AP mode to provide service to wireless clients.

To configure concurrent AP and wireless client mode - CLI:

  1. Configure the FortiWiFi unit to operate in client mode.

    config system global
  set wireless-mode client
end

  2. Connect to a third-party SSID, in this example FOS_101F_psk.

    config system interface
  edit "wifi"
      config wifi-networks
        edit 1
          set wifi-ssid "FOS_101F_psk"
          set wifi-passphrase *
        next
      end
  next
end
    Tooltip

    Optionally, you can configure the wireless client to use a static IP or DHCP by modifying the addressing mode of the WiFi interface:

    config system interface
  edit "wifi"
    set vdom "root"
    set mode static # For static IP. Use “set mode dhcp” for DHCP
    set ip 10.20.80.3 255.255.255.0 # For static IP only
    set allowaccess ping fabric
    set type wireless
    config wifi-networks
      edit 1
        set wifi-ssid "FOS_101F_psk"
        set wifi-passphrase *
      next
    end
  next
end

  3. Verify the connection between the local radio and the third-party SSID with diag wireless-controller wlsta cfg.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
STA intf        name: wlan17
              status: up
                  ip: 192.168.81.2
                 mac: d4:76:a0:18:e0:8f
        auto connect: yes
           auto save: no
             ap band: any
    wifi network cnt: 1
                   1: FOS_101F_psk, 8, 1
           connected: FOS_101F_ psk

  4. Verify the local radio status when working in AP mode with diag wireless-controller wlac -c wtp.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -c wtp FW81FP-WIFI0 | grep connection
connection state : Connected

    The FortiWiFi unit can now operate in both AP mode and client mode.

To configure VAP and SSID interfaces on the FortiWiFi local radio profile - CLI:

By default, the FortiWiFi local radio has a FWF-default profile; no other profiles can be applied to the local radio. You can modify the band, channel, and SSID selections in the FWF-default profile to apply to the local radio. Wireless clients that connect to the local radio are subject to the FortiWiFi firewall policies.

  1. Create a new VAP interface and select it in the FWF-default profile.

    config wireless-controller vap
  edit "wifi1"
    set ssid "FOS_lab_psk"
    set passphrase *
  next
end
config wireless-controller wtp-profile
  edit "FWF-default"
    config radio-1
      set vap-all manual
      set vaps "wifi1"
    end
    config radio-2
      set vap-all manual
      set vaps "wifi1"
    end
  next
end

    The local radio applies the profile setting when broadcasting SSIDs.

  2. Verify that these settings are applied with diag wireless-controller wlac -c wtp.

  3. Create a firewall policy from "wifi1" to the "aplink" interface to allow wireless clients to pass traffic from the unit.

    config firewall policy
  edit 1
    set name "wifi1"
    set uuid e0140546-1d0d-51ee-da6c-53fb724051ac
    set srcintf "wifi1"
    set dstintf "aplink"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set nat enable
  next
end

  4. Connect a wireless client through the local radio of the FortiWiFi and verify that it has the correct IP and can pass traffic to the Internet with diagnose wireless-controller wlac -d sta online.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -d sta online
   vf=0 mpId=0 wtp=1 rId=2 wlan=wifi1 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user= group= signal=-45 noise=-95 idle=0 bw=0 use=5 chan=108 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
Previous
Next

Configuring a FortiWiFi unit as a wireless client

Tooltip

Wireless client configuration is only available on select FortiWiFi models. See FortiWiFi unit as a wireless client for the list of supported models.

For most models, the FortiWiFi unit cannot operate as an AP while also operating in client mode. However, select models such as the FortiWiFi 80F series can support AP and client mode concurrently.
Caution

Before setting up the FortiWiFi unit as a wireless client using the steps described below, make sure to remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members using the CLI or GUI.
To configure wireless client mode - GUI:

  1. Go to WiFi and Switch Controller > Local WiFi Radio and change the Mode to Wireless Client.

    Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.

  2. Click Add Network and enter the name of the SSID you want to use.
  3. On 8xF/6xF/40F models, you can select a Security mode; other models will default to WPA/WPA2 Personal.

  5. Enter a Passphrase if needed.

  6. Click OK to save the WiFi Network Connection Setting.

  7. From the Local WiFi Radio page, verify that the WiFi network is connected.

  8. Go to Policy & Object > Firewall Policy and click Create New to create a firewall policy.

  9. Enter the following policy information:

    Incoming Interface (srcintf)

    wifi

    Source Address (srcaddr)

    all
    Caution

    For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.

    For more information on the aplink interface, see Understanding FortiWiFi aplink interface.

  10. Configure remaining fields as needed, when you are finished, click OK.

To configure wireless client mode - CLI:

  1. Change the wireless mode to client.

    config system global
  set wireless-mode client
end

    Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.

  2. Set up a wifi-network entry under interface "wifi".

    config system interface
  edit "wifi"
    config wifi-networks
      edit 1
        set wifi-ssid "FOS_61F_psk"
        set wifi-passphrase *
      next
    end
  next
end

  3. Create a firewall policy from "internal" to "wifi".

    Caution

    For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.

    		 
    config firewall policy
  edit 1
    set name "lan"
    set srcintf "internal"
    set dstintf "wifi"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set nat enable
  next
end

  4. Connect a wired client to the internal ports of the FortiWiFi to verify that it can pass traffic to the Internet.

Controlled AP selection support in FortiWiFi client mode

Use the following CLI commands to provide a more controlled AP selection method (supported in FortiWiFi client mode).

Syntax:

config system interface

edit {name}

set wifi-ap-band {any | 5g-preferred | 5g-only}

next

end

Configuring a FortiWiFi unit to run in concurrent AP and wireless client mode

FortiWiFi 80F/81F-2R-XX models support concurrent AP and Client mode. When the FortiWiFi is configured to run in wireless client mode and the FortiWiFi local radio connects to a third-party SSID, the local radio can concurrently operate in AP mode to provide service to wireless clients.

To configure concurrent AP and wireless client mode - CLI:

  1. Configure the FortiWiFi unit to operate in client mode.

    config system global
  set wireless-mode client
end

  2. Connect to a third-party SSID, in this example FOS_101F_psk.

    config system interface
  edit "wifi"
      config wifi-networks
        edit 1
          set wifi-ssid "FOS_101F_psk"
          set wifi-passphrase *
        next
      end
  next
end
    Tooltip

    Optionally, you can configure the wireless client to use a static IP or DHCP by modifying the addressing mode of the WiFi interface:

    config system interface
  edit "wifi"
    set vdom "root"
    set mode static # For static IP. Use “set mode dhcp” for DHCP
    set ip 10.20.80.3 255.255.255.0 # For static IP only
    set allowaccess ping fabric
    set type wireless
    config wifi-networks
      edit 1
        set wifi-ssid "FOS_101F_psk"
        set wifi-passphrase *
      next
    end
  next
end

  3. Verify the connection between the local radio and the third-party SSID with diag wireless-controller wlsta cfg.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
STA intf        name: wlan17
              status: up
                  ip: 192.168.81.2
                 mac: d4:76:a0:18:e0:8f
        auto connect: yes
           auto save: no
             ap band: any
    wifi network cnt: 1
                   1: FOS_101F_psk, 8, 1
           connected: FOS_101F_ psk

  4. Verify the local radio status when working in AP mode with diag wireless-controller wlac -c wtp.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -c wtp FW81FP-WIFI0 | grep connection
connection state : Connected

    The FortiWiFi unit can now operate in both AP mode and client mode.

To configure VAP and SSID interfaces on the FortiWiFi local radio profile - CLI:

By default, the FortiWiFi local radio has a FWF-default profile; no other profiles can be applied to the local radio. You can modify the band, channel, and SSID selections in the FWF-default profile to apply to the local radio. Wireless clients that connect to the local radio are subject to the FortiWiFi firewall policies.

  1. Create a new VAP interface and select it in the FWF-default profile.

    config wireless-controller vap
  edit "wifi1"
    set ssid "FOS_lab_psk"
    set passphrase *
  next
end
config wireless-controller wtp-profile
  edit "FWF-default"
    config radio-1
      set vap-all manual
      set vaps "wifi1"
    end
    config radio-2
      set vap-all manual
      set vaps "wifi1"
    end
  next
end

    The local radio applies the profile setting when broadcasting SSIDs.

  2. Verify that these settings are applied with diag wireless-controller wlac -c wtp.

  3. Create a firewall policy from "wifi1" to the "aplink" interface to allow wireless clients to pass traffic from the unit.

    config firewall policy
  edit 1
    set name "wifi1"
    set uuid e0140546-1d0d-51ee-da6c-53fb724051ac
    set srcintf "wifi1"
    set dstintf "aplink"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set nat enable
  next
end

  4. Connect a wireless client through the local radio of the FortiWiFi and verify that it has the correct IP and can pass traffic to the Internet with diagnose wireless-controller wlac -d sta online.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -d sta online
   vf=0 mpId=0 wtp=1 rId=2 wlan=wifi1 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user= group= signal=-45 noise=-95 idle=0 bw=0 use=5 chan=108 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
Previous
Next