Wireless Networking

New wireless networking features include:

FortiAP Management

How FortiAP units are managed by a FortiGate unit has changed in several ways.

Manually Selecting AP Profiles

AP profiles are no longer assigned automatically. Instead, a default or custom profile must be chosen when the connection to the FortiAP unit is configured.

The Background Scan option has also been replaced by Spectrum Analysis (for more information, see New Wireless Health Charts) and either 20MHz or 40MHz must be selected for Radio 1’s channel width.

You can choose to override some options set in the profile for a particular FortiAP unit. To do this, go to WiFi Controller > Managed Access Points > Managed FortiAPs and, under Wireless Settings, select Override Settings. This allows you to change WiFi radio settings, including SSIDs, TX power, and rogue AP scanning. This can also be configured in the CLI:


config wireless-controller wtp
    edit <name>
        set override-profile enable
    next
end



AP Scanning

AP scanning, including rogue AP detection, is now part of WIDS Profiles. It can be found by going to WiFi Controller > WiFi Network > WIDS Profiles. It can also be configured through the CLI:


config wireless-controller wids-profile
    edit 0
        set ap-scan {enable | disable}
        set ap-bgscan-period <interval>
        set ap-bgscan-intv <interval>
        set ap-bgscan-duration <interval>
        set ap-bgscan-idle <interval>
        set ap-bgscan-report-intv <interval>
        set ap-bgscan-disable-day <day>
        set ap-fgscan-report-intv <interval>
        set rogue-scan {enable | disable}
    next
end



Radio Settings Summary

The Radio Settings Summary table can be found by going to WiFi Controller > Managed Access Points > Managed FortiAPs and editing a FortiAP unit. The table shows information on the FortiAP unit's Radio 1 and 2 (if applicable), including settings, channels, and SSIDs.

CLI Console Access

The CLI console on a FortiGate unit can now be used to connect directly to a managed FortiAP unit that has login-enable set to enable. To access the FortiAP, use the command execute telnet <ip>, where <ip> is the IP address of the FortiAP.

Telnet must be used, as FortiAPs do not support SSH/HTTPS admin access.

The console can also now be accessed by going to WiFi Controller > Managed Access Points > Managed APs and selecting the option Connect to CLI. The console will appear in a pop-up window.

If login-enable is set to default or disable on the FortiAP unit, or the FortiAP is offline, this option will not appear.

Split Tunneling for Wireless Traffic

Split tunneling can now be used for wireless traffic, allowing you to optimize WiFi traffic flow by directing only corporate traffic back to the FortiGate unit's wireless controller, while local application traffic remains local. With split tunneling, a remote user associates with a single SSID, can get access to corporate resources (for example, a mail server) and local resources (for example, a local printer).

Split tunneling should only be used for SSIDs in tunnel mode.

  1. Enabling split tunneling for an SSID:

config wireless-controller vap
    edit <name>
        set split-tunneling enable
    next
end




  2. Setting the IP lists for split tunneling:

config wireless-controller {wtp-profile | wtp}
    edit <name>
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit <ID>
                set id <ID>
                set dest-ip <IP_address>
            next
        end
    next
end
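
To review where split tunneling is in effect on an existing unit, the two settings from the steps above can be read out of a configuration backup. The following Python script is an added example, not Fortinet code: the sample configuration, the SSID and profile names, and the function names are constructed for illustration, and the parser assumes the plain config/edit/set/next/end layout.

```python
import shlex

# Constructed sample in the layout of a FortiGate configuration backup.
SAMPLE = """
config wireless-controller vap
    edit "corp"
        set split-tunneling enable
    next
    edit "guest"
        set security captive-portal
    next
end
config wireless-controller wtp-profile
    edit "branch"
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.10.0 255.255.255.0
            next
        end
    next
end
"""

def parse(text):
    """Turn nested config/edit/set/next/end lines into nested dicts."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit") and len(tok) > 1:
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) > 1:
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def split_tunnel_inventory(cfg):
    """List SSIDs with split tunneling on and every configured ACL entry."""
    table = lambda t: cfg.get("wireless-controller " + t, {})
    ssids = [n for n, v in table("vap").items() if v.get("split-tunneling") == "enable"]
    acls = []
    for t in ("wtp-profile", "wtp"):
        for name, entry in table(t).items():
            for acl_id, acl in entry.get("split-tunneling-acl", {}).items():
                acls.append((t, name, acl_id, acl.get("dest-ip")))
    return ssids, acls

if __name__ == "__main__":
    print(split_tunnel_inventory(parse(SAMPLE)))
```

The ACL entries are reported from both wtp-profile and wtp because the list can be set at either level.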



Captive Portal for WiFi

Several changes have been made for captive portal security on wireless networks. Wireless captive portals can also use the new features for all captive portals described in Authentication.

New Configuration Options

The following options can now be configured for captive portals that use wireless interfaces:

  • Security exempt list names can be added to a captive portal. This option is only available when user groups are selected as part of the SSID configuration, rather than being a match for groups in the security policy.
  • URL redirection is available after the disclaimer/authentication screen.
  • Four types of portals are available: authentication, authentication with disclaimer, disclaimer only, or email collection. When the mode is email collection or disclaimer only, the options for setting user groups or having an external captive portal are not available.

config wireless-controller vap
    edit <name>
        set security captive-portal
        set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
        set security-exempt-list <name of list>
    next
end



WPA Personal Security + Captive Portal

A new option has also been added that uses WPA Personal security as well as a captive portal. This option also allows groups to be imported from the policy.

New Wireless Health Charts

Two new charts have been added to the Wireless Health Monitor showing spectrum analysis information on the sources of wireless interference.

In order for these widgets to appear, spectrum analysis must first be enabled. This is done by editing the AP profile used by your FortiAP units and selecting Spectrum Analysis for all applicable radios.

Spectrum analysis can also be enabled in the CLI.


config wireless-controller wtp-profile
    edit <name>
        config <radio>
            set spectrum-analysis enable
        end
    next
end





After spectrum analysis has been enabled, view the Top Wireless Interference widget found in the Wireless Health Monitor. A chart icon will appear in the Channel column. Selecting this icon will open the new WiFi charts: Spectrum Analysis and Top Wireless Interference.

The Spectrum Analysis chart shows WiFi signal interference as detected by a particular FortiAP.

The Top Wireless Interference chart shows SSIDs that are interfering with a particular FortiAP unit.

RADIUS Accounting

RADIUS accounting is now supported for wireless networks, allowing RADIUS accounting messages to be sent that contain a wireless user's name and IP address.

If an accounting server has been enabled for RADIUS, the wireless client information will be sent to it.

802.11ac and DARRP Support

802.11ac support has been added for FortiOS 5.2, allowing a FortiGate unit to manage FortiAP models 221C and 320C. Distributed Automatic Radio Resource Provisioning (DARRP) is also supported for 802.11ac radio.


config wireless-controller wtp-profile
    edit {fap221c | fap320c}
        config radio-2
            set darrp enable
        end
    next
end



Data Channel DTLS in Kernel

Data channel Datagram Transport Layer Security (DTLS) can now be enabled in kernel using the CLI.


config wireless-controller wtp-profile
    edit wtpprof
        set dtls-in-kernel enable
    next
end