FortiOS 6.2 Wireless Best Practices

Wireless

The following section contains a list of best practices for wireless network configurations with regard to encryption and authentication, geographic location, network planning, power usage, client load balancing, local bridging, SSIDs, and the use of static IPs.

Encryption and authentication

It is best practice to always enable the strongest user authentication and encryption method that your client supports. Fortinet recommends the following security, in order of strongest to weakest:

* WPA2 - Enterprise 802.1x/EAP - Personal pre-shared key (8-63 characters)
* WPA - Enterprise 802.1x/EAP - Personal pre-shared key (8-63 characters)
* WEP128 - 26 Hexadecimal digit key
* WEP64 - 10 Hexadecimal digit key
* None - Open system

Geographic location

Ensure that the FortiGate wireless controller is configured for your geographic location. This ensures that the available radio channels and radio power are in compliance with the regulations in your region.

The maximum allowed transmitter power and permitted radio channels for Wi-Fi networks depend on the region in which the network is located. By default, the WiFi controller is configured for the United States. If you are located in any other region, you need to set your location before you begin configuring wireless networks.

The location setting can only be changed from the CLI. To change the country to France, for example, enter the following:
    config wireless-controller setting
        set country FR
    end

To see the list of country codes, enter a question mark ("?") in place of the country code.

Using an incorrect geographic location is a common error that can lead to unpredictable results on the client side.

Network planning

It is recommended that you perform a proper site survey prior to positioning the wireless access point. In order to evaluate the coverage area environment, the following criteria must be taken into account:

* Size of coverage area
* Bandwidth required
* Client wireless capabilities

After completing an RF site survey, you'll have a good idea of the number and location of access points needed to provide users with adequate coverage and performance.

However, prior to installing the access points, be sure to determine the RF channel(s) you plan to use. This will ensure that users can roam throughout the facility with substantial performance.

To avoid co-channel interference, adjacent Wi-Fi APs must be configured to use non-overlapping channels. Otherwise, performance will degrade because of interference between access points.

It is recommended to statically configure the non-overlapping channels on every access point, using one Custom AP profile per AP (or group of APs). If static configuration cannot be used, the FortiOS Wi-Fi Controller includes the Automatic Radio Resource Provisioning (ARRP) feature.

Lowering the power level to reduce RF interference

Relevant Product(s): FortiAP

Reducing power reduces unwanted coverage and potential interference to other WLANs. Areas of unwanted coverage are a potential security risk. If possible, reduce the transmitter power of your wireless access point so that the signal is not available beyond the areas where it is needed. Auto Tx Power Control can be enabled to automatically adjust the transmit power.
In cases where customers complain about slow wireless traffic through a FortiAP, it might be necessary to try to reduce the possibility of RF interference. It is best practice not to locate FortiAPs near steel beams or other interfering materials. You can try using a wireless sniffer tool to collect the wireless packets and then analyze the extent of air interference.

A common mistake is spacing FortiAPs based upon the 5GHz radio frequency. The 2.4GHz signal travels further.

You have two options when confronted with slow wireless traffic through a FortiAP:

Option #1: Reducing transmit power

Perform a speed test and record the results. Set one of the radios on a FortiAP to be in dedicated Monitoring mode. Then observe how many APs are detected. If the number of APs is too high (i.e., greater than 20), try reducing the transmit power in the WTP profile for the FortiAPs until the number of detected APs has dropped significantly. Repeat the speed test.

Option #2: Ensuring that VAPs are distributed over the available channels

No built-in tools are available to measure RF interference directly. However, FortiOS 5.0 does allow for automatic power adjustment, which should minimize the occurrence of RF interference.

Wireless client load balancing

Wireless load balancing allows your wireless network to more efficiently distribute wireless traffic among wireless access points and available frequency bands. FortiGate wireless controllers support the following types of client load balancing:

* Access Point Hand-off - The wireless controller signals a client to switch to another access point.
* Frequency Hand-off - The wireless controller monitors the usage of 2.4GHz and 5GHz bands, and signals clients to switch to the lesser-used frequency.
Local bridging

Whenever possible, use local bridging to offload the CAPWAP tunnel. Note that in this case, Wi-Fi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN. The VLAN ID can only be configured from the CLI:

    config wireless-controller vap
        edit "vaplocalbridge"
            set vdom "root"
            set ssid "testvaplocalbridge"
            set local-bridging enable
            set vlanid 40    --> only available in CLI
        next
    end

Advertising SSIDs

* It is highly recommended to advertise the SSID. It makes it easier for customers and wireless clients. Also, if you 'hide' the SSID (known as 'network cloaking'), then clients will always look for it when they're outside the coverage area, searching for known SSIDs and in effect leaking the SSID anyway. Refer to RFC 3370 (http://tools.ietf.org/html/rfc3770). Furthermore, many of the latest Broadcom drivers do not support hidden SSID for WPA2.
* For security reasons, you might want to prevent direct communication between your wireless clients. In this case, enable Block Intra-SSID Traffic (in the SSID configuration).
* In a network with multiple wireless controllers, you need to change the mesh SSID so that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID. Fortinet also recommends that you create a new preshared key instead of using the default.

Using static IPs in a CAPWAP configuration

In a large FortiAP deployment with more than 20 FortiAPs connecting to a FortiGate Wireless Controller (AC), it is recommended to use static IPs on the access points instead of DHCP, setting the AC IP statically and the AC discovery type to static (Type 1), instead of learning it through broadcast, multicast, or DHCP.
This makes management of the APs easier since you know the exact IP of each access point. Troubleshooting also becomes easier as the debug of the AC controller won't continuously attempt the different discovery methods in sequence (broadcast > multicast > static).

Posted June 14, 2019 (https://www.fortinetguru.com/2019/06/fortios-6-2-wireless-best-practices/) by Mike (Michael Pruett, CISSP) in Administration Guides, FortiOS 6.2.
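The encryption ranking and the SSID recommendations above can be checked mechanically against an exported configuration. The following Python audit is an added example, not code from the original page or from Fortinet; the `security`, `broadcast-ssid` and `intra-vap-privacy` settings are FortiOS CLI keywords that do not appear on the page, their mapping to the page's tiers and to Block Intra-SSID Traffic is an assumption, and the sample configuration is constructed.

```python
# Added example: audit FortiOS VAP definitions against the page's recommendations.
# `security`, `broadcast-ssid` and `intra-vap-privacy` are FortiOS CLI settings not
# shown on the page; mapping them to the page's tiers and options is an assumption.
SECURITY_RANK = {  # lower is stronger, following the page's strongest-to-weakest list
    "wpa2-only-enterprise": 0, "wpa2-only-personal": 1,
    "wpa-enterprise": 2, "wpa-only-enterprise": 2,
    "wpa-personal": 3, "wpa-only-personal": 3,
    "wep128": 4, "wep64": 5, "open": 6,
}

# Constructed sample configuration, not taken from a real device.
SAMPLE = """
config wireless-controller vap
    edit "corp"
        set security wpa2-only-enterprise
        set intra-vap-privacy enable
    next
    edit "legacy-scanners"
        set security wep128
        set broadcast-ssid disable
    next
    edit "guest"
        set security open
    next
end
"""

def parse_vaps(text):
    """Return {vap_name: {setting: value}} for every entry in the VAP table."""
    vaps, name, depth = {}, None, 0  # depth 1 = VAP table, >1 = nested sub-table
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config ") and (depth or line == "config wireless-controller vap"):
            depth += 1
        elif line == "end" and depth:
            depth -= 1
            name = name if depth else None
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            vaps[name] = {}
        elif depth == 1 and line == "next":
            name = None
        elif depth == 1 and name and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                vaps[name][parts[1]] = parts[2].strip('"')
    return vaps

def audit(text):
    """Return {vap_name: [finding codes]}; an empty list means nothing to report."""
    report = {}
    for name, cfg in parse_vaps(text).items():
        rank = SECURITY_RANK.get(cfg.get("security"))
        checks = [
            (rank is None, "REVIEW_SECURITY_MODE"),  # unset or unranked mode
            (rank is not None and rank >= 4, "WEP_OR_OPEN"),
            (rank in (2, 3), "ALLOWS_WPA1"),
            (cfg.get("broadcast-ssid") == "disable", "HIDDEN_SSID"),
            (cfg.get("intra-vap-privacy") != "enable", "INTRA_SSID_TRAFFIC_ALLOWED"),
        ]
        report[name] = [code for hit, code in checks if hit]
    return report
```

`audit(SAMPLE)` returns one list of finding codes per SSID. `INTRA_SSID_TRAFFIC_ALLOWED` corresponds to the page's optional client-isolation advice, and `REVIEW_SECURITY_MODE` covers any mode the page's list does not rank.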
One response to “FortiOS 6.2 Wireless Best Practices”

rai, March 31, 2021 at 9:15 PM (https://www.fortinetguru.com/2019/06/fortios-6-2-wireless-best-practices/#comment-224228)

[illegible] videos and articles are amazing. They have definitely helped me not only in my home lab but at my company [illegible]. Keep up the good work!