Fortinet FortiAP: FortiGate Controller (Integrated or Cloud)

The FortiGate Integrated Wi-Fi Controller enables centralized management and monitoring of FortiAP access points directly from a FortiGate firewall. It delivers secure wireless access, supports automatic AP discovery, and simplifies policy enforcement with minimal infrastructure overhead.

• Step 1: Connect FortiAP to FortiGate Interface
  Ensure that each FortiAP is physically connected to a PoE-enabled FortiGate interface or a switch upstream from the FortiGate. Make sure the interface provides DHCP services or assign the FortiAP a static IP.
• Step 2: Enable CAPWAP on FortiGate Interface
  Navigate to Network > Interfaces in the FortiGate GUI. Edit the port to which APs are connected and enable CAPWAP under Administrative Access. This allows FortiGate to automatically discover and manage FortiAPs.
• Step 3: Authorize FortiAP Devices
  Go to WiFi & Switch Controller > Managed FortiAPs. Any detected FortiAPs will be displayed as unauthorized. Click Authorize to bring them under management.
• Step 4: Create FortiAP Profile
  Under WiFi & Switch Controller > FortiAP Profiles, create a new profile and configure parameters such as country code, radio channels, transmit power, and SSID settings. Assign this profile to the AP models you are deploying.
• Step 5: Define SSIDs and Security Settings
  In WiFi & Switch Controller > SSID, create your network SSIDs. Assign authentication modes such as WPA2-Enterprise or WPA2-PSK, and apply VLAN tagging for network segmentation as needed.
• Step 6: Assign Profiles and SSIDs to FortiAPs
  Return to the Managed FortiAPs section. Edit each FortiAP and apply the appropriate FortiAP Profile. Select radio interfaces (2.4GHz or 5GHz) and assign broadcast SSIDs as configured.
• Step 7: Configure Wireless Firewall Policies
  Go to Policy & Objects > IPv4 Policy and create policies that allow traffic from wireless SSIDs to the internal LAN or WAN. Implement web filtering, application control, and UTM profiles as required.
• Step 8: Monitor Wi-Fi Performance and Clients
  Navigate to WiFi & Switch Controller > Monitor to view connected APs, wireless clients, channel utilization, and health metrics. Use this to troubleshoot interference, capacity, or roaming issues.

The FortiGate Cloud-managed WLAN Controller delivers powerful, centralized control of FortiAP access points through the FortiGate Cloud portal. This approach provides easy remote management, monitoring, and agile deployment for distributed sites or organizations seeking streamlined wireless operations via the cloud.

• Step 1: Register for FortiGate Cloud
  Sign up for a FortiGate Cloud account and log in to the FortiGate Cloud portal. Register your FortiGate appliance if not already associated.
• Step 2: Add FortiAP to Inventory
  Locate the unique FortiCloud activation key on the FortiAP device label. In the Cloud portal, go to AP management, select Add Device, and enter the key to claim your FortiAP unit.
• Step 3: Connect FortiAP to the Network
  Physically connect the FortiAP to a PoE-enabled network port with Internet access. The unit will automatically attempt to reach the FortiGate Cloud for provisioning.
• Step 4: Create and Assign AP Network
  In FortiGate Cloud, create a logical AP Network that reflects your location or branch. Assign your newly registered FortiAP to this network group for simplified policy management.
• Step 5: Configure SSIDs and Security Settings
  Define wireless network names (SSIDs) and security settings (such as WPA2, WPA3, or enterprise authentication) within the AP Network configuration. Optionally, use VLAN tagging for segmentation of user groups or traffic types.
• Step 6: Deploy Policies and Review Status
  Apply wireless, security, and connectivity policies to your SSIDs and APs within the Cloud dashboard. Monitor deployment success, AP status, client connections, channel utilization, and health metrics from the cloud interface.
• Step 7: Ongoing Management and Optimization
  Use FortiGate Cloud’s tools for firmware updates, analytics, alerting, and reporting. Schedule periodic reviews of network performance and security events. Adjust settings such as channel allocation, power levels, and SSID assignments as needed.

Tip: FortiGate Cloud supports multi-site, multi-tenant deployments and enables zero-touch AP provisioning for remote or large-scale rollouts.

This step-by-step checklist streamlines the initial setup and successful deployment of FortiAP access points with a FortiGate Controller (either integrated or cloud-managed). Follow each step methodically to ensure reliable operation and secure wireless coverage.

• Step 1: Pre-Deployment Preparation
  - Confirm network switch ports deliver PoE (Power over Ethernet) and are configured to the appropriate VLAN.
  - Ensure DHCP is active on the AP-connected subnet, or note the static IP details to use for manual configuration.
  - Gather device serial numbers and FortiCloud keys (if using cloud management).
• Step 2: Connect the FortiAP
  - Plug the FortiAP into a PoE-capable port on your switch or FortiGate interface.
  - Wait for the device to power up (indicator LEDs will flash or light up steadily when ready).
• Step 3: Controller Discovery
  - By default, FortiAP will attempt automatic controller discovery. It can locate the FortiGate via Auto, Static IP, DHCP Option, DNS entry, or FortiCloud credentials.
  - If necessary, use the local GUI (default IP: 192.168.1.2) for manual configuration of discovery settings.
• Step 4: Authorize FortiAP on Controller
  - Log in to the FortiGate or FortiGate Cloud portal.
  - Navigate to WiFi & Switch Controller > Managed FortiAPs.
  - Authorize the discovered device so it moves from “unmanaged” to “managed” status.
• Step 5: Assign Profiles and Configure Radios
  - Apply a relevant FortiAP Profile to define the regulatory domain, radio channels, and transmit power.
  - Designate which SSIDs each radio will broadcast (2.4 GHz and/or 5 GHz).
• Step 6: Create and Assign SSIDs
  - Set up your wireless networks under WiFi & Switch Controller > SSID.
  - Specify authentication methods (WPA2, WPA3, captive portal, etc.) and assign VLAN IDs for segmentation.
• Step 7: Define Wireless Policies
  - Go to Policy & Objects > IPv4 Policy.
  - Create policies allowing wireless users access to internal resources or the Internet, applying appropriate security services and filtering.
• Step 8: Verify Operation and Monitor
  - Confirm SSIDs are available and clients can connect.
  - Use the Monitor dashboard to review connected APs, client statistics, signal quality, and potential issues.
  - Periodically check firmware versions and apply updates to both the FortiGate and FortiAP units as recommended.
• Step 9: Ongoing Management & Optimization
  - Adjust channel plans, radio power, or SSID settings for optimal coverage and performance.
  - Implement regular backups of configuration to facilitate rapid recovery or scaling.

Tip: For multi-site or remote deployments, leverage FortiGate Cloud for zero-touch provisioning and centralized monitoring.

Unlock enhanced capability and optimize deployment by leveraging the advanced features available with FortiAP and FortiGate Controllers. Use these configuration options to tailor wireless networks for robust security, performance, and seamless integration with existing infrastructure.

• Step 1: Configure Mesh Networking
  - Set up a wireless mesh to enable APs in locations without structured cabling to wirelessly backhaul to a root AP.
  - In the controller, create a mesh SSID and designate mesh root and leaf APs.
  - Assign the mesh SSID profile via the FortiGate to eligible APs.
  - Optionally configure mesh uplink priority and enable Ethernet bridge mode on leaf APs to support downstream wired clients.
  - Adjust the maximum mesh hop count as needed for topology scalability.
• Step 2: Set Data Channel Security
  - Choose the level of encryption for the data tunnel between AP and Controller:
  • Clear-text (high performance, suitable for trusted networks)
  • DTLS (for encrypted data over CAPWAP)
  • IPsec VPN (provides strong encryption and can leverage hardware acceleration where available)
  - Configure the dtls-policy per AP profile using the CLI as needed for security requirements.
• Step 3: Integrate with Third-Party Switches
  - FortiAPs may be powered and connected through any standards-compliant, PoE-enabled network switch.
  - Ensure proper VLAN tagging and routing so APs can discover and communicate with their FortiGate controller.
  - This allows seamless integration into existing network topologies using multi-vendor switching hardware.
• Step 4: Utilize Advanced SSID and Radio Features
  - Enable 802.11k/v/r assisted roaming features for faster client roaming and better load balancing.
  - Configure band steering, multicast enhancement, and IGMP snooping to optimize performance in high-density or multicast-rich environments.
  - Assign airtime fairness and Quality of Service (QoS) profiles for bandwidth-sensitive applications such as voice or video.
  - Manage Layer 3 firewall profiles and access controls directly at the wireless edge.
• Step 5: Backup & Restore Configurations
  - Regularly back up wireless and controller configurations to protect against accidental loss and to support rapid redeployment.
  - Use the GUI or CLI to save configuration files locally, to network storage, or to FortiCloud.
  - Restore configuration from backup files as required for disaster recovery or provisioning new sites.

Tip: Take advantage of platform-specific features, such as SNMP integration, phishing SSID detection, and role-based radio power tuning for custom deployments. Always validate firmware versions before deploying advanced features.