FortiAPs collect and report usage information about applications accessed by wireless clients in specific networks. The application data available in FortiEdge Cloud provides greater visibility and risk assessment capability over the networks that are managed by FortiEdge Cloud. The FortiAPs collect and report the application usage information at the configured time interval.

• Application Detection – Enable FortiAP to collect and report data about applications that are accessed by wireless clients for this SSID.

• Application Report Interval – Configure the time interval for the FortiAP to collect and send the application usage data. The valid range is 30 – 864000 seconds and the default is 120 seconds.
  Note: Currently, you cannot set the interval to less than 120 seconds.

Provides a layer of security for wireless management frames by ensuring that traffic comes from legitimate sources. Network attackers and malicious entities are unable to disrupt legitimate wireless connections by sending spoofed clear text wireless management frames.

• Disable - Disables the usage of 802.11w management protection frames.

• Optional - Allows wireless clients that do not support 802.11w along with those that support 802.11w to associate with the SSID.

• Required - Allows only those wireless clients to associate with the SSID that support 802.11w and prevents clients that do not support 802.11w from associating.

• PMF Association Comeback Timeout (seconds) - Specifies the time which an associated client must wait before the association can be tried again when first denied. The valid range is 1 -20 seconds with a default value of 1 second.

• PMF SA Query Retry Timeout (milliseconds) - Specifies the amount of time the controller waits for a response from the wireless client for the query process. If there is no response from the client, it is dis-associated. The supported values are 100, 200, 300, 400, and 500 milliseconds with a default value of 200 milliseconds

Note: Any change in the PMF configuration requires the controller to delete and then add the SSID. This disrupts existing connections.

This feature allows faster roaming for Wi-Fi clients by enabling swift BSS transitions between APs. This minimizes delay caused due to a client transitioning from one BSS to another in a multi-AP deployment.

• Mobility Domain ID – This parameter acts as a network identifier. The clients attempt 802.11r enabled roaming only when the same mobility domain ID is configured for both the networks. The valid range is 1 to 65535 and the default is 1000.
• R0 Key Lifetime – This parameter indicates the duration after which the R0 key in the FortiAP expires. For WPA/WPA2 PSK authentication methods, the R0 key is derived from the PSK and for enterprise, it is derived after the EAP handshake with the RADIUS server is complete. The valid range is 1 to 65535 minutes and the default is 480 minutes.

• Radio Measurements (802.11k) - 802.11k network assisted roaming allows a potential roaming wireless client to collect from its current AP the list of compatible neighbour APs. This saves the wireless client from performing full scan on both bands. The wireless client selects and moves to the optimal neighbour AP from the list. The 802.11k also provides support for Radio Resource Management (RRM) such as APs querying the associated wireless clients for beacon reports and perceived RSSI used to prepare the compatible neighbour AP list for wireless clients.

• BSS Transition Management (802.11v) - 802.11v network assisted roaming allows the wireless network to send requests to associated clients, recommending better APs to associate with while roaming. This is beneficial for both load balancing and in guiding clients with poor connectivity.
  The BSS Transition feature allows the roaming client to initiate a BSS transition query to the associated AP for a candidate list of other APs it can re-associate with, the associated AP responds with a BSS transition request containing the requested AP list. The AP can also send an unsolicited BSS transition request to the client. The client can accept the request and re-associate with the suggested APs or it can reject the request and continue its association with the current AP.

Note: The Voice Enterprise (802.11kv) configuration is not available with release 24.1. If you were using the 802.11kv setting in the previous release, then in the current version both 802.11k and 802.11v will be enabled.

Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
Airtime Fairness is configured per SSID, each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.

• Applicable only on downlink traffic.

• Applicable only on data, management and control functions are excluded.

• Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.

• Applicable on all authentication modes.

Airtime Fairness is supported with FOS 6.2.0 and on all FortiAP-S and FortiAP-W2 models.
Note: Enable ATF processing on desired radios in AP Platform Profile.

Suppresses the transmission of specific broadcast traffic to secure the wireless network and optimize airtime usage. When the received broadcast traffic exceeds the threshold, the interface discards it until the broadcast traffic drops below a specific threshold.
Since broadcast packets sent to wireless clients connected to a FortiAP occupy valuable airtime, unnecessary and potentially detrimental packets can impact network throughput.
By default, ARP Replies, ARPs For Known Clients, DHCP Uplink, DHCP Downlink, and DHCP Unicast broadcast suppression is enabled. The following methods are supported.

• ARP Poison - Suppress ARP poison attacks from malicious Wi-Fi clients. Prevent malicious WiFi clients from spoofing ARP packets.
• ARP Proxy - Suppress ARP request packets broadcast by the Ethernet downlink to known Wi-Fi clients. Instead, send ARP reply packets to the Ethernet uplink, as a proxy for Wi-Fi clients.
• ARP Replies - Suppress ARP reply packets broadcast by Wi-Fi clients. Instead, forward the ARP packets as unicast packets to the clients with target MAC addresses.
• ARPs For Known Clients - Suppress ARP request packets broadcast to known Wi-Fi clients. Instead, forward ARP packets as unicast packets to the known clients.
• ARPs For Unknown Clients - Suppress ARP request packets broadcast to unknown Wi-Fi clients.
• DHCP Uplink - Suppress DHCP discovery and request packets broadcast by Wi-Fi clients. Forward DHCP packets to the Ethernet uplink only. Prevent malicious Wi-Fi clients from acting as DHCP servers.
• DHCP Downlink - Suppress DHCP packets broadcast by the Ethernet downlink to Wi-Fi clients. Prevent malicious Wi-Fi clients from acting as DHCP servers.
• DHCP Unicast - Convert downlink broadcast DHCP messages to unicast messages.
• DHCP Starvation - Suppress DHCP starvation attacks from malicious Wi-Fi clients. Prevent malicious Wi-Fi clients from depleting the DHCP address pool.
• IPv6 - Suppress IPv6 broadcast packets. This is useful when the network is configured to support only IPv4.
• NetBIOS Name Services - Suppress NetBIOS name services packets with UDP port 137.
• NetBIOS Datagram - Suppress NetBIOS datagram services packets with UDP port 138.
• All Other Broadcast - Suppress broadcast packets not covered by any of the specific options.
• All Other Multicast - Suppress multicast packets not covered by any of the specific options.

To block intra-SSID network traffic.

Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
FortiEdge Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.

• Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.

• Tunnel Fallback Interval: The time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 0 to 65535 seconds; default is 7200 seconds.

DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
Note: This feature is supported with FOS 6.2.0 and above.

• Circuit ID: The AP information is inserted in the following formats:
  • Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
  • Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".

  Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".

• Remote ID: The MAC address of the client device is inserted in the following format:
  Style-1 - ASCII string composed of the client MAC address. For example,"00:12:F2:00:00:59".

This enhancement is set to improve the performance of applications using multicast traffic over a wireless network. Consider an example, where a media streaming application uses multicast packets, this can potentially compromise the media (audio/video) quality through packet loss and induced latency. With this release, you can convert the multicast packets into unicast and send them over the wireless medium. This ensures high reliability and performance due to the high data rates used for unicast packets.

• Multicast-to-Unicast Conversion - You can enable the conversion of multicast packets into unicast to improve performance.

• Multicast Enhance Disable Threshold - Configure the threshold to disable multicast to unicast conversion automatically, when the number of multicast listeners connected to the SSID exceed this threshold. The permissible range is 2 to 256 and the default value is 32.

• Multicast Rate - The data rate used for multicast packet transmissions over the wireless network. The permissible data rates are, default, 6 Mbps, 12 Mbps, and 24 Mbps. When Default is selected, the FortiAP decides the data rate.

The FortiAP snoops wireless IGMP packets and maintains a subscription list of all multicast groups joined by the wireless clients. This data is used to manage multicast packets for enhanced performance.