Release Notes
FortiAP™ v4.0 MR2
20-420-123747-20100518
Release Notes FortiAP v4.0 MR2 – FortiAP-220A
Table of Contents
1 FortiAP v4.0 MR2
1.1 Summary of Enhancements Provided by v4.0 MR2
1.2 Product Operation
1.3 Connectivity Options
1.4 FortiAP Quick Start
1.5 Wireless LAN Controller Quick Start
1.6 Operation with External POE
1.7 How to configure DHCP option 138 on FortiGate
2 Special Notices
2.1 General
3 Upgrade Information
3.1 Upgrading the FortiGate
3.2 Upgrading the FortiAP
4 Fortinet Product Integration and Support
4.1 FortiGate Support
5 Expected Behaviors
6 Resolved Issues in FortiAP v4.0
6.1 Troubleshooting
6.2 Understanding Discovery Process
6.3 Connection Ports
6.4 FortiAP Clock
7 Image Checksums
Change Log
Trademarks
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.
Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com
The officially released FortiOS image that supports the FortiAP device is based on
FortiOS v4.0 MR2 – fg_4_thin_ap_openssl/build_tag_6322.
The build number for this image, as shown on the System > Status page and in the output of the
"get system status" CLI command, is 6322.
To confirm that you are running the proper build, check the "Branch point:" field in the output of the
"get system status" CLI command. It should read 106.
The FortiAP and FortiGate can be connected via the following methods.
Direct connection: In this method the FortiAP is directly connected to the FortiGate with no additional switches in the middle. This
configuration is common for locations where the number of FortiAPs matches the number of ‘internal’ ports available on the
FortiGate. In this configuration the FortiAP will request an IP address from the FortiGate, enter discovery mode, and should
quickly find the FortiGate WLC. See wirecloset deployment ‘1’ in figure below.
Switched connection: In this topology the FortiAP is connected to an Ethernet switch operating in L2 switching mode or L3 routing
mode. The only requirement in this topology is that there is a routable path between the FortiAP and FortiGate and that ports 5246 and
5247 are open. See Gateway deployment ‘2’ in figure below.
Connection over WAN: In this method of connectivity, the FortiGate controller can be placed off premises and the connectivity is
achieved over a VPN tunnel to a local FortiGate. In this method of connectivity it is best to configure each FortiAP with the static IP
address of the WLC. Each FortiAP can be configured with three WLC IP addresses for redundant failover. Please see Datacenter
remote management ‘3’ in figure below.
2. Once power is applied, the FortiAP goes through boot procedure and requests an IP address from the DHCP server.
3. If the IP address is retrieved successfully, the FortiAP enters discovery mode to locate a FortiGate wireless controller.
4. If this is the first time connecting the FortiAP to the controller, only the power light and Port 0 LED are lit. If the
FortiAP has been pre-provisioned in the controller, the Wireless LED is also lit.
5. Verify that the FortiAP has successfully connected to the controller. In FortiGate controller Web Config, go to
Wireless Controller > Configuration > Access Point. A successfully discovered unit displays a half-filled circle symbol.
For configuration please see Wireless LAN Controller Quick Start Section.
5) If all settings are correct, the configuration is automatically downloaded from the FortiGate unit to the FortiAP, and the
Wireless LED on the access point lights up and blinks with traffic activity.
2 Special Notices
2.1 General
The FortiAP-220A is pre-loaded with build106.
IMPORTANT!
• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to
be viewed properly.
Step 4) Upgrade the AP from the CLI. Use all to upgrade all APs, or type a specific serial number (SN).
exec wireless-controller reset-wtp <all | SN>
5 Expected Behaviors
1) Expected Behavior: The connection between FortiAP and the Wireless LAN controller may not be available for approximately 1 minute after
any configuration change.
Description: When a new configuration is pushed to the FortiAP, the access point will disconnect, commit the new configuration and
attempt to reconnect to the controller. During this time the connection to the FortiAP is not available. Depending on network
topology, this discovery and join process can take upwards of 1 minute and is normal.
2) Expected Behavior: FortiAP or FortiWiFi-thinAP will disconnect from the WLC if they receive a bad configuration from the WLC.
Description: If there is a mismatch between the configuration in the AP profile and the capability of the FortiAP, the FortiAP will disconnect
from the WLC. The WLC configuration must be corrected first, and then the FortiAP must be changed from discovered to admin state.
The condition described can be observed, for example, if the FortiAP-220A radio configurations are reversed from expected. On the
FortiAP-220A, Radio 1 is the 2.4GHz radio and Radio 2 is the 5GHz radio. Simply correct the radio configuration and the FortiAP will rejoin the
WLC. FortiWiFi-ThinAPs only have 1 radio; therefore ensure that the AP profile for these units has the 2nd radio disabled.
3) Expected Behavior: Do not exceed 7 Virtual APs per radio.
Description: If there are more VAPs configured than the radio allows, the system will choose any 7 at random. Therefore, for
deterministic behavior, please ensure that no more than seven VAPs are assigned to any radio at one time.
4) Expected Behavior: Air scanning is limited to each radio’s frequency band.
Description: Please note that the FortiAP-220A has two dedicated radios; Radio 1 is dedicated to the 2.4GHz band and Radio 2 to the 5GHz
band. Therefore, when in background or dedicated air monitor mode, each radio will scan its own band. If full scanning of the 2.4 and
5GHz ranges is needed, please configure both Radio 1 and Radio 2 in background scan or dedicated scan mode.
5) Expected Behavior: In Monitor mode the Rogue AP Map is only available if 3 or more FortiAPs pick up the signal from the rogue.
Description: The Rogue AP location map uses a triangulation technique based on received signal strength (RSSI). Naturally, the
triangulation algorithm needs 3 data points to be able to locate the Rogue AP. The availability of triangulation data is indicated by the
MAP icon for each row.
6) Expected Behavior: The Rogue AP map is only available if FortiAP coordinates have been given.
Description: The Rogue AP triangulation algorithm needs to know the location of each FortiAP using an X,Y coordinate system. Please
update these coordinates accurately for the triangulation map to function. Please note that the 0,0 origin is in the bottom left corner of the GUI.
7) Expected Behavior: Air monitor results may be delayed in Background scan mode.
Description: Background scan, as the name implies, only occurs when the FortiAP is idle. Therefore, if the AP is continuously
transmitting or receiving, it may not have time to perform a background scan. In this situation, the background scan results will not be
available until an idle time is found for scanning. If continuous scanning is necessary, please use dedicated scan mode.
8) Expected Behavior: Up to 4 VAPs can be configured for WEP encryption.
9) Expected Behavior: If a client is idle for longer than 5 minutes, it will be de-authenticated.
Description: The default idle timer for client inactivity is set to 300 seconds or 5 minutes. This idle timeout ensures that if a user’s PC
is not using the wireless system, or has become inoperative, the wireless system resources are reclaimed for other users. This timeout
value can be changed using the following CLI command.
10) Expected Behavior: Auto Channel mode selects the best idle channel. This channel may change over time.
Description: Auto-channel configuration should be the default selection. The FortiAP will scan all available channels and will
automatically select the least busy channel for self configuration. This results in optimum channel allocation for the location of that
AP. This setting should not be changed unless IT has a more specific channel assignment plan in mind.
11) Expected Behavior: TKIP configuration is not supported on 802.11n.
Description: If TKIP configuration is used with 802.11n configuration, the radio will remain in 802.11g or 802.11a mode and 802.11n
mode will be disabled. Please ensure that only AES is used if 802.11n high performance wireless is expected.
12) Expected Behavior: The refresh button will not poll each FortiAP for new data.
Description: The refresh button is intended to update the GUI screen if there is new data in the WLC, but it will not cause the WLC to
poll the FortiAPs for new data. The FortiAPs will update the WLC only when new data is available, and the reporting period cannot
be controlled by the GUI.
6.1 Troubleshooting
6.2 Understanding Discovery Process
The communication between FortiAP and the controller uses the CAPWAP protocol (RFC 5415). A FortiAP in operation sets up two
tunnels to the controller, one for control messages and one for data. When a FortiAP is connected to the network, it first identifies
the proper controller with which to establish the CAPWAP connections. This process is called Discovery.
Discovery Methods
FortiAP can use one of four methods to locate the controller.
1. Broadcast
FortiAP sends a Discovery Request message as a UDP broadcast to the network. The controller replies with a Discovery Response message in unicast. This method requires the AP and the controller to be in the same broadcast domain.
2. Multicast
FortiAP sends a Discovery Request message as multicast. The controller replies with a Discovery Response message in unicast. This method requires the AP and the controller to be in the same broadcast domain. The default destination address is 224.0.1.140. It can be changed through the CLI. The address must be the same on the controller and FortiAP.
To change the multicast address on the controller,
config wireless-controller global
set discovery-mc-addr 224.0.1.250
end
To change the multicast address on FortiAP,
cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"
3. Static IP
If FortiAP and the controller are not in the same subnet, broadcast and multicast packets cannot reach the controller. The admin can specify the controller’s static IP on FortiAP. FortiAP sends the Discovery Request message in unicast to the controller.
To specify the controller’s IP address on FortiAP,
cfg -a AC_IPADDR_1="192.168.0.1"
4. DHCP
With the previous method, the admin can explicitly specify the controller’s IP address on every FortiAP, but this is not convenient when a lot of FortiAPs are going to be deployed or when the controller’s IP address needs to be changed.
This method starts with FortiAP initiating a DHCP request. The admin can pre-configure the controller’s IP address on the DHCP server, so when the request is received by the DHCP server, the server will send the response with a specific option including the controller’s IP address. FortiAP will send the Discovery Request message to this address in a unicast packet.
The discovery method can be configured on FortiAP using the following command:
cfg -a AC_DISCOVERY_TYPE=1
0: Auto Mode
1: Static IP
2: DHCP
5: Broadcast
6: Multicast
By default, FortiAP starts the Discovery process in Auto mode (0). It uses all four methods in the order Static IP -> DHCP -> Multicast -> Broadcast. For each method, FortiAP sends Discovery Request messages and waits for the response. If no controller is discovered, FortiAP moves to the next method. When all methods have been attempted without locating any controller, FortiAP starts over again from Static IP and keeps trying until at least one controller is found.
If FortiAP and the controller are in the same broadcast domain, they can find each other automatically through the Broadcast method without any configuration. This is the easiest deployment scenario. If FortiAP and the controller are in different broadcast domains, the admin has to input the AC’s IP address either on FortiAP or on the proper DHCP server.
Join Request
At the controller side, once a Discovery Request message is received, the controller adds a new entry to the Access Point List. The serial number of the AP is displayed and the status of the new entry is set to ‘Discovery’. At this time, FortiAP is not connected to the controller yet. The admin has to manually change the status to ‘Enabled’ and assign an AP profile to the AP.
At the FortiAP side, the discovery process stops when at least one controller is located. FortiAP tries to set up the control channel to the controller. The control channel is a DTLS connection. It is established by exchanging the certificates and encryption key of FortiAP and the controller. FortiAP sends a Join Request to the controller through the control channel. If the corresponding AP entry is enabled, the controller allows FortiAP to connect by sending a Join Response message with the code that indicates the connection is successfully established.
For high availability installations it is possible that multiple controllers respond to the Discovery Request during the Discovery process. FortiAP calculates the priority of these controllers based on their load. The Join Request is sent to the controller with the least load. If the Join Request fails for any reason, for example, if the FortiAP is not enabled at the controller side, FortiAP removes this controller from its local list and sends another Join Request to the next best controller in the list. If FortiAP fails to establish a connection to all controllers, it starts the Discovery process again.
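The Auto-mode discovery order and the join fallback described above can be modelled in a few lines. This is an added example, not Fortinet code: the controller names, loads, serial numbers and the `max_rounds` bound are constructed assumptions, and the model shows that an AP left in ‘Discovery’ status is refused at join until an admin enables it.

```python
from dataclasses import dataclass, field

AUTO_ORDER = ("static", "dhcp", "multicast", "broadcast")  # AC_DISCOVERY_TYPE=0


@dataclass
class Controller:
    name: str
    load: int              # lower load is preferred for the Join Request
    reachable_by: set      # discovery methods that reach this controller
    ap_state: dict = field(default_factory=dict)  # AP serial -> status

    def on_discovery_request(self, serial):
        # A newly seen AP is only listed as 'Discovery'; it is not admitted.
        self.ap_state.setdefault(serial, "Discovery")

    def on_join_request(self, serial):
        # Join succeeds only once an admin has set the entry to 'Enabled'.
        return self.ap_state.get(serial) == "Enabled"


def discover(serial, controllers):
    """One Auto-mode pass: stop at the first method that finds a controller."""
    for method in AUTO_ORDER:
        found = [c for c in controllers if method in c.reachable_by]
        for c in found:
            c.on_discovery_request(serial)
        if found:
            return method, found
    return None, []


def join(serial, candidates):
    """Try the least-loaded controller first; drop each one that refuses."""
    tried = []
    for c in sorted(candidates, key=lambda c: c.load):
        tried.append(c.name)
        if c.on_join_request(serial):
            return c.name, tried
    return None, tried


def connect(serial, controllers, max_rounds=3):
    """Discovery then join; restart discovery when every join fails (bounded)."""
    log = []
    for _ in range(max_rounds):
        method, found = discover(serial, controllers)
        joined, tried = join(serial, found)
        log.append((method, tried, joined))
        if joined:
            break
    return log


def demo():
    sn = "FAP-SAMPLE-0001"  # constructed serial number, not a real unit
    wlc_a = Controller("wlc-a", 10, {"multicast", "broadcast"})
    wlc_b = Controller("wlc-b", 40, {"multicast", "broadcast"}, {sn: "Enabled"})
    return connect(sn, [wlc_a, wlc_b]), wlc_a.ap_state[sn]
```

In `demo()` the less loaded controller is tried first and refuses the AP because its entry is still ‘Discovery’, so the AP joins the controller where it was pre-enabled.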
After the control channel between FortiAP and the controller is established, the data channel is also created to transmit wireless data packets. Every 30 seconds, a keep-alive message is exchanged between FortiAP and the controller using
7 Image Checksums
The MD5 checksums for the firmware images are contained in a file in the download directory on the Fortinet Customer Support
website (https://support.fortinet.com).