Fortinet FortiAP: WLAN SSID and Network Segmentation

This section walks through the best practices for configuring SSIDs on Fortinet FortiAPs to achieve secure, scalable, and manageable wireless network deployments.

• Step 1: Plan Your SSID Architecture
  Define the use-cases for each SSID (e.g., internal, guest, IoT). Group users and devices based on access levels, applying the principle of least privilege. Each group should correspond to a distinct SSID and VLAN.
• Step 2: Use Consistent SSID Naming Conventions
  SSID names should be clearly descriptive and easily identifiable. Avoid using sensitive internal identifiers.
  Example:
  
  • Corp-Internal – for employees
  • Guest-WiFi – for visitors
  • IoT-Devices – for unmanaged network-connected devices
• Step 3: Configure SSID Broadcast Settings
  Choose whether the SSID should be visible to users or hidden to reduce unnecessary exposure. Hidden SSIDs slightly improve obscurity but may affect usability with some client devices.
• Step 4: Select the Right Security Mode
  Use the most secure authentication method available for each SSID type:
  • Corporate SSIDs: Use WPA2-Enterprise or WPA3-Enterprise with 802.1X authentication via RADIUS or FortiAuthenticator.
  • Guest SSIDs: Use WPA2-PSK or configure a captive portal with terms of use. Rotate passphrases regularly if using PSK.
  • IoT SSIDs: Use WPA2-PSK with strong, unique credentials per VLAN to isolate access.
• Step 5: Map the SSID to a VLAN
  Assign each SSID to its own VLAN to enable traffic segmentation and apply network policies independently. Ensure VLANs are trunked properly between FortiAPs, switches, and FortiGate interfaces.
• Step 6: Apply Additional Wireless Settings
  Fine-tune your SSID configuration:
  • Enable Band Steering for 5GHz optimization.
  • Limit client count per AP if needed for capacity control.
  • Enable Fast Roaming with 802.11r for real-time applications like VoIP.

Note: Each SSID configuration should consider both security and usability. Testing with different client device types is strongly recommended before production deployment.

This section provides a practical, step-by-step approach to implementing effective network segmentation with Fortinet FortiAP environments. Robust segmentation helps enhance security, simplify policy enforcement, and limit the possible impact of threats.

• Step 1: Define Network Segments and VLAN Strategy
  Begin by identifying different groups of users and devices that require logical or security separation (e.g., employees, guests, IoT, printers). Assign each group a unique VLAN ID.
  • Example: VLAN 10 – Corp-Internal, VLAN 20 – Guest, VLAN 30 – IoT.
• Step 2: Configure VLANs on Switching Infrastructure
  Create the necessary VLANs on your switches. Make sure trunk ports between switches and FortiAP uplinks are configured to allow all relevant VLANs.
  • Ensure APs and FortiGate are connected to trunk ports carrying SSID-mapped VLANs.
• Step 3: Create VLAN Interfaces on FortiGate
  On your FortiGate, create a VLAN interface for each segment and assign IP addresses and required DHCP scopes. This allows routing and policy enforcement for each VLAN.

      Example:
      - VLAN 10: 192.168.10.1/24
      - VLAN 20: 192.168.20.1/24
      

• Step 4: Map SSIDs to VLANs
  In the FortiGate Wireless Controller, assign each SSID to its designated VLAN. This ensures wireless clients are dynamically placed in the correct network segment based on the SSID they join.
• Step 5: Implement Firewall Policies for Inter-VLAN Traffic
  Craft granular firewall policies on FortiGate to control traffic between VLANs. Allow only the necessary flows and restrict or monitor all others. For example, block IoT to Corporate, but allow Corporate to Internet.
  • Use policy objects for ease of management and future scalability.
• Step 6: Enable Intra-SSID/Intra-VLAN Isolation as Needed
  Configure FortiAPs or FortiGate to prevent clients within the same SSID or VLAN from communicating directly if required, further reducing attack surfaces for high-risk segments.
• Step 7: Validate Segmentation and Monitor
  Test isolation between segments by attempting cross-segment communication. Utilize FortiGate logging and monitoring tools to ensure your segmentation is performing as intended and adjust policies as you identify network needs or threats.

Note: Good network segmentation balances security and operational simplicity. Regularly review and refine your segmentation model as network requirements and threats evolve.

This section outlines a step-by-step workflow for configuring FortiAP and FortiGate for secure, segmented wireless networks. Follow these steps for streamlined deployment:

• Step 1: Prepare and Connect Infrastructure
  Rack and cable your FortiAP units and ensure they're powered. Connect each AP’s uplink port to a switch port that is configured for trunk mode (carrying all relevant VLANs). Verify the FortiGate is reachable.
• Step 2: Configure VLANs on Switches and FortiGate
  Define all required VLANs on your network switches. In the FortiGate web interface, create matching VLAN interfaces, assign appropriate VLAN IDs, set unique IP addresses, and enable DHCP for each.

      Example VLAN interfaces on FortiGate:
      - VLAN 10: 192.168.10.1/24 (Employees)
      - VLAN 20: 192.168.20.1/24 (Guests)
      - VLAN 30: 192.168.30.1/24 (IoT)
      

• Step 3: Discover and Authorize FortiAPs
  Power up the FortiAPs and ensure they receive IP addresses (DHCP). In the FortiGate management GUI, navigate to WiFi & Switch Controller > Managed FortiAPs. Authorize each new AP detected to bring it under central management.
• Step 4: Create SSIDs and Assign to VLANs
  In WiFi & Switch Controller > SSIDs, create a unique SSID for each user group or segment. Map each SSID to the corresponding VLAN interface created earlier.
• Step 5: Assign SSIDs to FortiAP Profiles
  Configure FortiAP Profiles in WiFi & Switch Controller > FortiAP Profiles. Assign the newly created SSIDs to the desired profile and push the profile to the correct APs.
• Step 6: Create Firewall and Security Policies
  Go to Policy & Objects > IPv4 Policy on the FortiGate. Define granular firewall rules to govern traffic between VLANs, restrict unnecessary access, and apply security profiles such as web filter, antivirus, and IPS as needed.
• Step 7: Validate Connectivity and Segmentation
  Test wireless access by connecting to each SSID. Confirm client devices receive correct network/IP settings based on their SSID and VLAN. Attempt communication across VLANs to confirm policy enforcement and security segmentation.
• Step 8: Monitor and Maintain
  Use FortiGate’s monitoring and logging features to track activity and troubleshoot issues. Regularly review SSID associations, firmware versions, and wireless performance for continuous improvement.

Tip: Backup your FortiGate configuration after any major changes. Document all VLAN, SSID, and policy assignments for future reference and audits.

This section outlines practical, step-by-step examples for deploying FortiAP-based SSID and network segmentation according to common real-world scenarios. These templates offer guidance for meeting business, guest, and IoT connectivity needs.

• Step 1: Corporate/Employee Network
  Purpose: Provide secure wireless access to internal resources for employees.
  Key Configuration Points:
  • Create SSID Corp-Internal
  • Map to VLAN 10
  • Enable WPA2/WPA3-Enterprise authentication (802.1X)
  • Allow full LAN access; restrict Internet access only as necessary
  • Apply network security policies (firewall, AV, IPS)
• Step 2: Guest Access Network
  Purpose: Offer secure, Internet-only access for visitors without exposing internal resources.
  Key Configuration Points:
  • Create SSID Guest-WiFi
  • Map to VLAN 20
  • Use WPA2-PSK, WPA3-SAE, or captive portal with terms of use
  • Block access to LAN, allow only Internet
  • Enforce bandwidth and session limits if required
• Step 3: IoT Devices Segment
  Purpose: Provide tightly controlled wireless connectivity for smart devices and sensors.
  Key Configuration Points:
  • Create SSID IoT-Devices
  • Map to VLAN 30
  • Use a unique WPA2-PSK per VLAN for device isolation
  • Restrict outbound access to the minimum required (e.g., block LAN/guest, allow only updates or telemetry)
  • Enable client isolation to prevent device-to-device communication
• Step 4: Printers and Shared Devices
  Purpose: Allow employees to use network printers and shared equipment safely.
  Key Configuration Points:
  • Create SSID Printers
  • Map to VLAN 40
  • Restrict access to and from this VLAN except for approved employee VLANs
  • Monitor access logs for anomalies

Tip: Regularly review and refine use cases as business needs, compliance, and risks evolve. Test all access and segmentation scenarios before production roll-out.

This section provides a step-by-step diagnosis and troubleshooting guide for resolving common issues with FortiAPs, WLAN SSIDs, and network segmentation configurations in Fortinet environments.

• Step 1: SSID Not Visible/Broadcasting
  
  • Verify the SSID is enabled and broadcast is active within the Wireless Controller configuration.
  • Ensure access point profiles are assigned the correct SSIDs and are pushed successfully.
  • Check that the AP is within RF range and not facing interference.
• Step 2: FortiAP Not Connecting or Offline
  
  • Confirm the AP is powered and network cables are securely connected.
  • Check that the AP has received an IP address via DHCP on the management VLAN/interface.
  • Review switch trunk port settings for correct VLAN tagging.
  • Validate that the FortiAP is authorized in the controller.
  • Restart the AP if it does not appear after initial checks.
• Step 3: Wireless Client Fails to Connect
  
  • Ensure client credentials and SSID security settings (WPA2/WPA3, PSK, 802.1X) match those configured on the AP.
  • Update client Wi-Fi drivers and reboot if necessary.
  • For devices that repeatedly disconnect, check for power saving settings and roaming sensitivity issues.
• Step 4: Client Connects but Gets No IP Address
  
  • Verify DHCP is enabled and properly scoped for the target VLAN/interface.
  • Double-check switch trunking and VLAN configuration from AP to FortiGate.
  • Inspect if DHCP server/exclusions conflict with assigned ranges.
• Step 5: Network Segmentation or VLAN Routing Issues
  
  • Validate that SSIDs are mapped to correct VLANs in both AP and Wireless Controller.
  • Check firewall policies for intended isolation or allowed flows between VLANs.
  • Test inter-VLAN routing by pinging between clients on different segments. Adjust policies as necessary.
• Step 6: Performance or Stability Problems
  
  • Conduct a site RF survey and check AP logs for congestion or channel overlap.
  • Separate 2.4GHz and 5GHz SSIDs as needed to address device compatibility or interference.
  • Review client and AP firmware; update to recommended versions.
• Step 7: Advanced Troubleshooting (CLI & Tools)
  
  • Use controller/sniffer debug commands to trace client association attempts and AP/controller communication.
  • Leverage FortiGate and AP logs for failure messages or crash indicators.
  • Access the AP via Telnet/SSH and run troubleshooting commands if deeper inspection is needed.

Tip: Always document configuration changes and test after each troubleshooting step. Use FortiGate and FortiAP monitoring dashboards to review real-time statistics and logs for rapid issue identification.