
FOS 6.2.0 wireless features update
July 2019

Integrated Wireless 6.2
Key features

Visibility
• Enhanced Diagnostics & Logs - Deep state analysis
• Wireless Client Health Dashboard
• WiFi Location Maps
• Wireless Fabric Security Rating checks

Functionality
• API and SNMP on FAP
• WPA3/OWE support
• Suppress Phishing SSID
• Airtime Fairness
• …

Ease of Use & Certifications
• Customize certs from GUI
• VLAN Probe Tool
• WFA Voice Certification
• …

Integrated Wireless 6.2
Complete list of changes

• Enhanced Diagnostics & Logs
• VLAN probe tool
• WiFi Location Maps
• AirTime Fairness
• QoS – WMM to DSCP marking
• Show true noise floor
• New wireless Device Access List
• Report and Suppress Phishing SSID
• Wireless Fabric Security Rating checks
• Fabric Devices - FortiWLC integration
• Customize WiFi certificates through the GUI
• FortiAP Configuration mode
• FAP direct SNMP support
• FAP direct REST API
• FAP-C24JE - Feature Parity catchup
• Drop legacy management protocols
• Report scanned BLE to FortiPresence
• WFA Voice Enterprise certification
• WPA3 support & certification
• Wireless controller event log filtering

© Fortinet Inc. All Rights Reserved.


VISIBILITY

Enhanced Diagnostics & Logs
Background

• With wireless, issues can come from multiple layers
• We expanded our logging capability in several key areas
  • So syslog receivers and the Wireless Health dashboard can correlate key messages
  • And show the client connectivity experience
• Supported on any type of VAP (Tunnel, Bridge* & Mesh)
• New troubleshooting logs from the FAP are sent to the AC/FortiCloud for:
  • WiFi client association
  • WPA PSK 4-way handshake
  • RADIUS authentication
  • 802.11r FT roaming
  • OKC roaming
  • CMCC
  • Tunnel mode CWP
  • DHCP
  • DNS

* Also working in Local-Standalone
Enhanced Diagnostics & Logs
Sample PSK connection

Log sequence of a successful PSK connection (screenshot):
1- Probe
2- Authentication
3- Association
4- 4-way handshake
5- DHCP

Enhanced Diagnostics & Logs
DNS & PSK issue

Log examples (screenshots):
• Invalid PSK
• Failing DNS Requests


WiFi Location Maps

• Once an AP is deployed
  • It is very difficult to find its serial number (SN)
  • Requires diligent numbering/naming of the APs
• This new map allows the admin
  • To visually track where the APs are located in the building, world, …
  • To quickly get the key elements of each AP
• Any picture can be uploaded
  • Supported file types are PNG, JPEG, GIF


WiFi Location Maps

• Add new map
• Upload new map
• Map now part of the configuration
• FAP Positioning
  1. Unlock Map
  2. Click to place FAP
  3. Drag and drop on the map


WiFi Location Maps

• Mouse over view - Elements shown on mouse over:
  » AP name
  » AP serial #
  » AP Profile
  » AP Status
  » Firmware version
  » Per Radio (1 and 2):
    - Band
    - Channel
    - Clients count
    - TX power
    - Channel-Utilization (aka Duty-cycle)

• FAP status view
  » Per AP bubble view (drop down menu):
    - Clients Total
    - Clients (2.4GHz)
    - Clients (5.0GHz)
    - Channels (2.4GHz)
    - Channels (5.0GHz)
    - TX power (2.4GHz)
    - TX power (5.0GHz)
    - Channel-Utilization (2.4GHz)
    - Channel-Utilization (5.0GHz)


FortiAP Drill-down

• Managed FortiAP Drill-down view (screenshot): FortiAP Summary, FortiAP Health Summary, Radio-1 Health, Radio-2 Health
• Locate Managed FortiAP on Map view (screenshot): the managed FortiAP will blink on the map
• FortiAP details Drill-down view (screenshot)


FUNCTIONALITY
CONTROLLER

Report and Suppress Phishing SSID
Concept

• On top of the existing rogue AP detection
• A new option to detect phishing SSIDs is introduced
• The feature detects
  • The same SSID as defined on the FortiGate, but broadcast from an uncontrolled AP
    • This is considered a Fake SSID
  • SSIDs matching user-defined criteria
    • For example, any SSID containing the word Fortinet or FTNT
    • This is considered an Offending SSID

Phishing SSID = Fake SSID + Offending SSID

• At least one Radio must be set to “Monitor” Mode to de-associate stations


Report and Suppress Phishing SSID
Actions

• Wireless event log, generated every 15 minutes, with severity warning
• Automatic suppression of the phishing SSID
• Exceptions can be added to avoid unnecessary logs
  • The exception can be configured under “config wireless ap-status” from the CLI


Report and Suppress Phishing SSID
Configuration

• Global Wireless settings

config wireless-controller setting
    set phishing-ssid-detect enable
    set fake-ssid-action log
    config offending-ssid
        edit 1
            set ssid-pattern "academ*"
            set action log suppress
        next
        edit 2
            set ssid-pattern "Private"
            set action log
        next
    end
end

• Action: Log and/or Suppress
• Maximum of 128 offending patterns across all models
• Pattern cannot have more than one wildcard (*)
Report and Suppress Phishing SSID
Offending SSID - Logs

Log sequence (screenshot):
1- Offending AP detected (from Offending list)
2- User configured the AP as Rogue
3- AP reported as Offending

Report and Suppress Phishing SSID
Fake SSID - Logs

Log sequence (screenshot):
1- Rogue AP detected
2- Fake AP classification
3- Fake AP reporting
4- Fake AP automatically suppressed


Report and Suppress Phishing SSID
Fake SSID - debugs

• List Rogue APs

# diagnose wireless-controller wlac -c ap-rogue

CMWP AP: vf bssid ssid ch rate sec signal noise age sta mac wtp cnt ici band
...
UNNF AP: 0 70:4c:a5:43:44:b1 IOT 6 130 WPA2 Personal -40 -95 6 00:00:00:00:00:00 2 /2 53->0 11AC_2G(wave2)
N PS223E3X17000086 IOT 6 130 WPA2 Personal -42 -95 164 10.0.28.2:5246-0 3
N PS221E3X17000080 IOT 6 130 WPA2 Personal -40 -95 6 10.0.28.4:5246-0 2
UNNF AP: 0 70:4c:a5:43:44:b9 IOT 128 130 WPA2 Personal -38 -95 6 00:00:00:00:00:00 1 /1 none 11AC(wave2)
N PS221E3X17000080 IOT 128 130 WPA2 Personal -38 -95 6 10.0.28.4:5246-1 2
UVNN AP: 0 0-70:4c:a5:43:7a:f8 IOT 6 130 WPA2 Personal -61 -95 6 00:00:00:00:00:00 2 /2 45->0 11AC_2G(wave2)
V PS223E3X17000086 IOT 6 130 WPA2 Personal -50 -95 164 10.0.28.2:5246-0 3
V PS221E3X17000080 IOT 6 130 WPA2 Personal -61 -95 6 10.0.28.4:5246-0 2
UVNN AP: 0 0-70:4c:a5:43:7b:00 IOT 64 130 WPA2 Personal -64 -95 7 00:00:00:00:00:00 2 /2 34->0 11AC(wave2)
V PS223E3X17000086 IOT 64 130 WPA2 Personal -61 -95 250 10.0.28.2:5246-1 3
V PS221E3X17000080 IOT 64 130 WPA2 Personal -64 -95 7 10.0.28.4:5246-1 2
UVNN AP: 0 0-70:4c:a5:43:7b:10 IOT 6 130 WPA2 Personal -31 -95 6 00:00:00:00:00:00 1 /1 none 11AC_2G(wave2)
V PS221E3X17000080 IOT 6 130 WPA2 Personal -31 -95 6 10.0.28.4:5246-0 2
UVNN AP: 0 0-70:4c:a5:43:7b:18 IOT 64 130 WPA2 Personal -43 -95 7 00:00:00:00:00:00 1 /1 none 11AC(wave2)
V PS221E3X17000080 IOT 64 130 WPA2 Personal -43 -95 7 10.0.28.4:5246-1 2

C - Configured (G:accept, B:rogue, S:suppress, U:unconfigured)


M - AC managed (V:vdom, C:AC, N:unmanaged)
W - On wire (Y:yes, N:no)
P - Phishing (F:fake, O:offending, N:no)
Total Rogue-AP:148 Rogue-AP-WTP(displayed):259 Rogue-AP-WTP(total):259
Total Entries: 148
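As an added example (not part of the Fortinet deck and not FortiOS code), the Python below parses the ap-rogue listing shown above and re-derives the Concept slide's rule locally, Phishing SSID = Fake SSID + Offending SSID: an AP this controller does not manage (M flag N) that broadcasts one of the FortiGate's own SSIDs is fake, and one whose SSID matches an offending-ssid pattern is offending. The sample text reuses three APs from the page's listing plus one constructed line (02:00:00:aa:bb:cc, SSID academy-guest). The pattern semantics used here (a wildcard-free pattern must match the SSID exactly, a single `*` matches any run of characters, case-sensitive) are an assumption, not documented FortiOS behaviour; the single-wildcard limit is the page's own rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Summary line of `diagnose wireless-controller wlac -c ap-rogue`.
# Column order per the page: CMWP AP: vf bssid ssid ch rate sec signal noise age ...
# Only the leading columns are needed; the "0-" prefix seen on some BSSIDs in the
# page's output is tolerated. Per-WTP detail lines start with "V"/"N" and are skipped.
AP_LINE = re.compile(
    r"^(?P<c>[GBSU])(?P<m>[VCN])(?P<w>[YN])(?P<p>[FON]) AP: (?P<vf>\d+) "
    r"(?:0-)?(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<ssid>\S+) (?P<ch>\d+)"
)


@dataclass
class RogueAP:
    configured: str  # C: G accept, B rogue, S suppress, U unconfigured
    managed: str     # M: V vdom, C AC, N unmanaged
    on_wire: str     # W: Y / N
    phishing: str    # P: F fake, O offending, N no (as reported by the controller)
    bssid: str
    ssid: str
    channel: int


def parse_ap_rogue(text: str) -> List[RogueAP]:
    """Extract one RogueAP per summary line of the ap-rogue listing."""
    aps = []
    for line in text.splitlines():
        m = AP_LINE.match(line.strip())
        if m:
            aps.append(RogueAP(m["c"], m["m"], m["w"], m["p"],
                               m["bssid"], m["ssid"], int(m["ch"])))
    return aps


def validate_pattern(pattern: str) -> str:
    """Page rule: an offending-ssid pattern cannot have more than one wildcard (*)."""
    if pattern.count("*") > 1:
        raise ValueError(f"pattern {pattern!r} has more than one wildcard")
    return pattern


def ssid_matches(pattern: str, ssid: str) -> bool:
    """ASSUMED semantics: no '*' means exact match; one '*' matches any run of characters."""
    validate_pattern(pattern)
    if "*" not in pattern:
        return ssid == pattern
    prefix, suffix = pattern.split("*")
    return (len(ssid) >= len(prefix) + len(suffix)
            and ssid.startswith(prefix) and ssid.endswith(suffix))


def classify(aps: List[RogueAP], local_ssids, offending_patterns) -> Dict[str, Optional[str]]:
    """Re-derive the Fake / Offending verdict for every AP this controller does not manage."""
    verdict = {}
    for ap in aps:
        if ap.managed != "N":
            continue  # our own (vdom/AC managed) APs are never phishing candidates
        if ap.ssid in local_ssids:
            verdict[ap.bssid] = "fake"        # our SSID name from an uncontrolled AP
        elif any(ssid_matches(p, ap.ssid) for p in offending_patterns):
            verdict[ap.bssid] = "offending"   # matches a user-defined offending pattern
        else:
            verdict[ap.bssid] = None
    return verdict


def phishing_counts(aps: List[RogueAP]) -> Dict[str, int]:
    """Count APs by the controller-reported P flag (F / O / N)."""
    counts = {"F": 0, "O": 0, "N": 0}
    for ap in aps:
        counts[ap.phishing] += 1
    return counts


# Three APs copied from the page's listing, plus one CONSTRUCTED line (02:00:00:aa:bb:cc)
# to exercise the offending-pattern path. "UNNF" = Unconfigured, uNmanaged, Not on wire, Fake.
SAMPLE = """\
UNNF AP: 0 70:4c:a5:43:44:b1 IOT 6 130 WPA2 Personal -40 -95 6 00:00:00:00:00:00 2 /2 53->0 11AC_2G(wave2)
N PS223E3X17000086 IOT 6 130 WPA2 Personal -42 -95 164 10.0.28.2:5246-0 3
N PS221E3X17000080 IOT 6 130 WPA2 Personal -40 -95 6 10.0.28.4:5246-0 2
UNNF AP: 0 70:4c:a5:43:44:b9 IOT 128 130 WPA2 Personal -38 -95 6 00:00:00:00:00:00 1 /1 none 11AC(wave2)
N PS221E3X17000080 IOT 128 130 WPA2 Personal -38 -95 6 10.0.28.4:5246-1 2
UVNN AP: 0 0-70:4c:a5:43:7a:f8 IOT 6 130 WPA2 Personal -61 -95 6 00:00:00:00:00:00 2 /2 45->0 11AC_2G(wave2)
V PS223E3X17000086 IOT 6 130 WPA2 Personal -50 -95 164 10.0.28.2:5246-0 3
UNNO AP: 0 02:00:00:aa:bb:cc academy-guest 11 65 WPA2 Personal -70 -95 9 00:00:00:00:00:00 1 /1 none 11AC_2G(wave2)
"""

if __name__ == "__main__":
    aps = parse_ap_rogue(SAMPLE)
    print(phishing_counts(aps))
    for bssid, why in classify(aps, {"IOT"}, ["academ*", "Private"]).items():
        print(bssid, why)
```

Run stand-alone it prints the F/O/N counts and, for the two unmanaged 70:4c:a5:43:44:xx APs broadcasting the controller's own "IOT" SSID, the verdict "fake", while the constructed academy-guest AP matches "academ*" and comes out "offending"; comparing this local verdict with the controller's P flag is a quick way to confirm the offending-ssid patterns behave as intended before enabling suppression.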



Drop legacy management protocols

• TELNET and HTTP are too vulnerable
• All Fortinet equipment now allows only secure management protocols such as
  • SSH
  • HTTPS
• Upon upgrade, for FAP administrative access (inside WTP Profiles)
  • If TELNET was enabled before the upgrade, SSH will automatically be enabled
  • If HTTP was enabled before the upgrade, HTTPS will automatically be enabled
• FAP 6.2 firmware is required for this to work properly


ATF - AirTime Fairness
Use case

• Enterprise deployment: air time repartition between SSIDs (pie chart of Staff, VoIP, Guest and IoT with 40%, 30%, 20% and 10% slices)

ATF - AirTime Fairness

• ATF Total Airtime (diagram)
  • Total air time is split into total usable air time, Wi-Fi interferences and non-Wi-Fi interferences
  • Total usable air time is split into data frames (total data air time), management frames (total mgmt air time) and control frames (total control air time)
  • What we care about: the data frame air time, shared between SSID 1, SSID 2 and SSID 3 according to each one's % Allowed


ATF - AirTime Fairness
What we do support

• ATF policy is applied only in the downlink direction
  • FAP transmitting frames to the clients
• ATF policy is limited to data frames
  • Other management and control frames are unaffected
• ATF is configured per-SSID / VAP
  • Each VAP is granted airtime according to the configured % allocation (default 20%)
• ATF is supported on both 2.4 & 5 GHz radios
• ATF can be applied on any type of VAP (Tunnel, Bridge & Mesh)
• ATF can be enabled/disabled per radio in the wtp-profile
• ATF drops the frames that exceed the configured airtime % allocation


ATF - AirTime Fairness
How to configure it

• SSID Level (ATF weight in %; default is 20%; if the sum of all weights is over 100%, the FAP will adapt them)

config wireless-controller vap
    edit "Corp"
        set atf-weight 80
    next
end

• Per Radio inside WTP Profile

config wireless-controller wtp-profile
    edit "LAB-S221E"
        config radio-1
            set airtime-fairness enable
        end
        config radio-2
            set airtime-fairness enable
        end
    next
end


SECURITY FABRIC

Wireless Fabric Security Rating

AL06.1 All discovered APs should be classified as rogue, accepted or suppressed.

Requires FortiGuard Security Rating Service

(Screenshot: Security Rating result for the wireless check)


EASE OF USE

VLAN probe tool
Concept - It’s not always the Wi-Fi!

• Wi-Fi has many complex layers of communication
  • Which can cause user issues
• Issues can come from the RF / wireless side
  • However, some are also not caused by Wi-Fi at all
• This tool helps to identify where an issue may be occurring in the data path/config, without the need to send an engineer to site
  • It performs a DHCP Discover on the specified VLAN
  • Making sure a station can properly connect


VLAN probe tool
Possible failures - It’s not always the Wi-Fi!

• Failures can occur everywhere (diagram: DHCP Server - FortiGate - FortiSwitch - FortiAP - Client, with the Staff, IoT and Guests VLANs carried over 802.1Q)
  • DHCP server
    • Misconfigured
    • Down
    • Out of leases
    • Failing due to relay helper
    • …
  • VLAN
    • Wrong VLAN on port
    • Missing VLAN on port / Trunk
    • …


VLAN probe tool
Concept - It’s not always the Wi-Fi!

• The FortiAP sends out a DHCP Discover on each specified VLAN (diagram: DHCP Server - FortiGate - FortiSwitch - FortiAP - Client, Staff/IoT/Guests VLANs over 802.1Q)
  • If a DHCP Offer is received, the VLAN will be marked as Discovered
  • If no DHCP Offer is received, the VLAN will be marked as Missing
• The DHCP server implementation-specific timeout mechanism is used to decide when to reuse an offered address (RFC-2131 – section 4.3.2)


VLAN probe tool
Start the probe

Parameters:
• action: Start to start probing, Stop to interrupt a probing, Clear to clear all probing scans
• wan-port: 0 All ports (depending on the FAP), 1 Port1 (eth0), 2 Port2 (eth1, if available)
• start-vid: Starting VLAN to probe
• end-vid: Ending VLAN to probe
• retries: Amount of DHCP probe retries (max 224)
• timeout: DHCP probe timeout (max 225 seconds)

• From Controller

# diagnose wireless-controller wlac -c vlan-probe-cmd
wlac -c vlan-probe-cmd wtp action(0:start 1:stop 2:clear) wan-port(0|1|2) [start-vid end-vid retries timeout]

# diagnose wireless-controller wlac -c vlan-probe-cmd PS221E3X17000090 0 0 1 4095 3 10
Sending VLAN probe command to PS221E3X17000090: action=start wan-port=1 vlan=[1,4095] retries=3 timeout=10
Sending VLAN probe command to PS221E3X17000090: action=start wan-port=2 vlan=[1,4095] retries=3 timeout=10

• From FAP

# cw_diag -c vlan-probe-cmd action(0:start 1:stop 2:clear) intf [start-vlan end-vlan retries timeout]

# cw_diag -c vlan-probe-cmd 0 eth0 2 300 3 10
VLAN probing: start intf [eth0] vlan range[2,300] retries[3] timeout[10] ...


VLAN probe tool
Probing report

• VLAN probing report can be obtained from the Controller with

# diagnose wireless-controller wlac -c vlan-probe-rpt <wtp> <wan_port>

# diagnose wireless-controller wlac -c vlan-probe-rpt PS221E3X17000090 0
VLAN probing status on eth0: Done
intf eth0 VLAN_ID=0100 gateway=10.100.0.1/24 probed_at=Wed Nov 14 10:53:46 2018
intf eth0 VLAN_ID=0101 gateway=10.199.100.62/28 probed_at=Wed Nov 14 10:53:46 2018
intf eth0 VLAN_ID=0102 gateway=10.199.100.78/28 probed_at=Wed Nov 14 10:53:47 2018
intf eth0 VLAN_ID=0200 gateway=10.200.0.1/24 probed_at=Wed Nov 14 10:53:47 2018
VLAN probing status on eth1: Done

• VLAN probing report can be obtained from the FAP with

# cw_diag -c vlan-probe-rpt
WTP VLAN probing status: Probing In Progress
VLAN probing report on intf[eth0] vlan range[100,300] retries[3] timeout[10]:
VLAN_ID=0100 gateway=10.100.0.1/24 age=18
VLAN_ID=0101 gateway=10.199.100.62/28 age=18
VLAN_ID=0102 gateway=10.199.100.78/28 age=18
VLAN_ID=0200 gateway=10.200.0.1/24 age=18
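Added example (not from the deck and not FortiOS code): a Python check that reads the vlan-probe-rpt output above in either flavour (controller "intf eth0 VLAN_ID=..." lines or FAP "VLAN_ID=... age=" lines), separates Discovered from Missing VLANs against a planned VLAN list, and additionally flags a VLAN whose answering gateway lies outside its planned subnet, which is what the "wrong VLAN on port / trunk" failure from the earlier slide looks like in a report. The PLAN dictionary, the VLAN 150 report line and the planned-but-silent VLAN 300 are constructed for the example; the other gateways are the page's own.

```python
import ipaddress
import re
from typing import Dict, Optional

# Matches both report flavours shown on the page:
#   controller: "intf eth0 VLAN_ID=0100 gateway=10.100.0.1/24 probed_at=..."
#   FAP:        "VLAN_ID=0100 gateway=10.100.0.1/24 age=18"
REPORT_LINE = re.compile(r"VLAN_ID=(?P<vid>\d+) gateway=(?P<gw>\d+\.\d+\.\d+\.\d+/\d+)")
# "VLAN probing status on eth0: Done"  /  "WTP VLAN probing status: Probing In Progress"
STATUS_LINE = re.compile(r"VLAN probing status(?: on \S+)?: (?P<status>.+)$")


def probe_status(text: str) -> Optional[str]:
    """Return the first probing status found; anything but 'Done' means the report is still partial."""
    for line in text.splitlines():
        m = STATUS_LINE.search(line)
        if m:
            return m["status"].strip()
    return None


def parse_report(text: str) -> Dict[int, str]:
    """Map VLAN id -> gateway/prefix for every VLAN that answered with a DHCP Offer."""
    found = {}
    for line in text.splitlines():
        m = REPORT_LINE.search(line)
        if m:
            found[int(m["vid"])] = m["gw"]
    return found


def compare(found: Dict[int, str], plan: Dict[int, str]) -> Dict[str, set]:
    """
    discovered: VLANs that answered (page: DHCP Offer received)
    missing:    planned VLANs with no answer (page: no DHCP Offer)
    mismatched: answered, but the offering gateway is not inside the planned subnet
    unexpected: answered although the VLAN is not in the plan at all
    """
    discovered = set(found)
    missing = set(plan) - discovered
    mismatched = {
        vid for vid, gw in found.items()
        if vid in plan
        and ipaddress.ip_interface(gw).ip not in ipaddress.ip_network(plan[vid])
    }
    unexpected = discovered - set(plan)
    return {"discovered": discovered, "missing": missing,
            "mismatched": mismatched, "unexpected": unexpected}


# Controller report copied from the page, plus one CONSTRUCTED line for VLAN 150 that
# answers with VLAN 100's gateway (the signature of a mis-tagged port or trunk).
SAMPLE_REPORT = """\
VLAN probing status on eth0: Done
intf eth0 VLAN_ID=0100 gateway=10.100.0.1/24 probed_at=Wed Nov 14 10:53:46 2018
intf eth0 VLAN_ID=0101 gateway=10.199.100.62/28 probed_at=Wed Nov 14 10:53:46 2018
intf eth0 VLAN_ID=0102 gateway=10.199.100.78/28 probed_at=Wed Nov 14 10:53:47 2018
intf eth0 VLAN_ID=0150 gateway=10.100.0.1/24 probed_at=Wed Nov 14 10:53:47 2018
intf eth0 VLAN_ID=0200 gateway=10.200.0.1/24 probed_at=Wed Nov 14 10:53:47 2018
"""

# CONSTRUCTED VLAN plan (VLAN id -> expected subnet); VLAN 300 is planned but never answers.
PLAN = {
    100: "10.100.0.0/24",
    101: "10.199.100.48/28",
    102: "10.199.100.64/28",
    150: "10.150.0.0/24",
    200: "10.200.0.0/24",
    300: "10.30.0.0/24",
}

if __name__ == "__main__":
    print("status:", probe_status(SAMPLE_REPORT))
    for name, vlans in compare(parse_report(SAMPLE_REPORT), PLAN).items():
        print(f"{name:10s} {sorted(vlans)}")
```

Check the status first: the FAP-side report on the page reads "Probing In Progress", so a VLAN absent from it is not yet Missing. Against the constructed plan the check reports VLAN 300 as missing (no DHCP Offer on the trunk) and VLAN 150 as mismatched (an Offer arrived, but from VLAN 100's subnet), both of which point at the switch/trunk side of the data path rather than at Wi-Fi.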
VLAN probe tool
Logs

• New Wireless Logs (screenshots)
  • Detected VLANs
  • Not detected VLANs
  • Probe started