Intro into Fortinet WLAN configuration

Simple, secure, sensible – Koroush Saraf, Fortinet VP of Product Management, emphasized these words in his recent MFD3 presentations. While any vendor can claim their products share these attributes, it’s usually the complexity of the workflow that reveals the betrayal of one or all of these characteristics. In this Mobility Field Day demo, however, setting up a basic Fortinet WLAN SSID, applying security policies, and even setting up automation for quarantining an infected machine boiled down to just a few steps.

Step 1: Create your SSID.

In the Fortinet world, creating an SSID creates a virtual interface. At first this seems like a strange construct to be involved in a WLAN setup process, but later in the process the logic and flexibility of having this virtual interface become apparent.

To create your basic SSID, navigate to WiFi & Switch Controller, click on SSID, then click Add New. You can select whether this SSID will be a Tunnel, Bridge, or Mesh SSID, as well as configure parameters such as IP address, DHCP server options, default gateway, DNS servers, etc.

Keep in mind that, to avoid clutter, the GUI presents only the essential and most commonly used configuration options. Some more advanced configuration may not be visible in the GUI but is available via the CLI.

Step 2: Attach or create an AP Profile.

The FortiAP Profile is where things like radio bands, transmit power, channel and channel width, etc… are configured and controlled in a manner that can be applied to multiple APs.

To create a new AP profile, navigate to WiFi & Switch Controller, click on FortiAP Profiles, then click Add New.

To attach an already created AP profile to an AP, navigate to WiFi & Switch Controller, click Managed FortiAPs, select your AP, and apply the appropriate profile to it. This screen is also where you would configure AP-specific options that should not apply to all APs using the selected profile. Note that this assumes you have already set up your basic controller parameters so that APs can be automatically discovered. For more information, see the documentation cited at the end of this post.

Step 3: Create interface policies.

This step brings together the SSID virtual interface created earlier and the security policies that need to be applied to the SSID. The virtual interface allows for the straightforward application of security policies such as allowed/denied ports and protocols, along with UTM features and application restrictions.

For engineers who have configured FortiGate firewalls, this part of the process will feel the most familiar, since it leverages the same policy-creation process used to create traditional firewall rules.

Bonus step: Configuring an automation alert for compromised clients.

Now that you have your SSID and AP online, you can head over to Automation and quickly set up a workflow for what should happen when the FortiGate sees a compromised host. You can see from the screenshot below that not only can the host be quarantined automagically, but an email can be sent to inform those taking the calls from the angry virus-spreading-machine owners that these machines have been blocked. Note that this type of automation applies not just to WLAN clients; it is a feature that can be used globally for all detected endpoints.
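As an added example (not from the post, and not Fortinet’s own documentation), here is what the SSID, the interface policy, and the compromised-host automation look like in the FortiOS CLI the post mentions; the AP profile of step 2 is attached in the GUI as described above. The interface name, passphrase placeholder, e-mail address and the use of the default AV/IPS profiles are constructed for illustration, and the command syntax is assumed to follow FortiOS 6.x.

```fortios
# Step 1: the SSID. FortiOS creates a virtual interface named "staff-wifi"
# whose IP/DHCP settings are configured under "config system interface".
config wireless-controller vap
    edit "staff-wifi"
        set ssid "Staff-WiFi"
        set security wpa2-only-personal
        set passphrase "PLACEHOLDER-use-a-long-random-passphrase"
    next
end
# Step 3: one policy from the SSID interface to wan1, limited to web and
# DNS, with UTM inspection on. Traffic matching no policy is dropped.
config firewall policy
    edit 0
        set name "staff-wifi-to-internet"
        set srcintf "staff-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set nat enable
    next
end
# Bonus step: quarantine a host flagged as compromised (IoC trigger) and
# notify the helpdesk; this fires for any endpoint the FortiGate sees.
config system automation-action
    edit "quarantine-host"
        set action-type quarantine
    next
    edit "mail-helpdesk"
        set action-type email
        set email-to "helpdesk@example.com"
    next
end
config system automation-trigger
    edit "compromised-host"
        set event-type ioc
    next
end
config system automation-stitch
    edit "quarantine-compromised"
        set trigger "compromised-host"
        set action "quarantine-host" "mail-helpdesk"
    next
end
```

The automation stitch needs a FortiGuard IoC (Outbreak/Compromised Host) subscription and a configured mail server to actually fire and send mail.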

To see this demo in action, check out this MFD presentation in which Fortinet makes a compelling case for the idea that the lives of IT engineers shouldn’t be made so difficult all the time. Now if only all IT vendors thought this way…

And for even more Forti-content, check out these posts from fellow delegates:

Lee Badman: Clarity and Confusion - Fortinet and Arista at Mobility Field Day 3

Scott Lester: Forti What

Jim Palmer: A Story of Three Companies

Note: This post is based on the basic setup and topology given in the video presentation; for more advanced configuration information, please check out Fortinet’s documentation, which can be found here. Also, Fortinet has a pretty awesome demo site here which allows you to log in and look around in pretty much any Fortinet product you’d like to see.

Disclaimer: While Mobility Field Day, which is sponsored by the companies that present, was very generous to invite me to the fantastic MFD3 event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.

Published 9/30/2018

Solving 802.11ad challenges

The 802.11ad (60GHz) market has been interesting to watch, especially now that products utilizing the technology are becoming more prevalent. Using 802.11 in a frequency band whose propagation properties differ significantly from the traditional 802.11 bands of 2.4 and 5GHz means new engineering challenges to overcome.

The AP-387 point-to-point unit announced by Aruba earlier this year seeks to address these challenges in a few interesting ways. Rain fade is a primary concern when working with high frequencies such as 60GHz. In order to combat this, the AP-387 has two radios, a 60GHz and a 5GHz radio, with the unit aggregating the throughput of both radios.

Should a storm roll through, the unaffected 5GHz radio will sustain the link, and the access point’s programming will dynamically adjust the amount of traffic sent to the deteriorated 60GHz radio. Additionally, the physical design of the AP includes a lip that acts as an umbrella, keeping sheets of rain from coating the 60GHz antenna.


The other key and quite snazzy feature of this PTP unit is the self-aligning property of the 60GHz radio and its ability to dynamically scan and realign the link after heavy winds or vibrations. Inside the access point are two 60GHz antenna elements and a chipset that allows the radio to scan +/- 40 degrees horizontally and +/- 10 degrees vertically in order to acquire or realign the link.

With such a wide scanning angle and the ability to self-acquire the link, the need for precision in line-of-sight deployments is greatly reduced. I love the way Eric Johnson (Director of Product Management for Aruba) put it in his Mobility Field Day 3 presentation: “only minutes to deploy and hold my beer.”

The AP-387 has an extremely narrow (10 degree) beamwidth, meaning units could theoretically be placed ~5 meters apart and still use the same channel. PoE+ is recommended for the AP-387, but it will operate with the 60GHz radio backed off by 3 dB if 802.3af is used.

It’s important to note that there is a 500 meter distance limitation with these units. The product development reasoning behind the distance limitation is the size and cost of the high-gain antenna elements for the 60GHz radios. The current unit is rather small in comparison to other 60GHz products in this space, as you can see from the picture below.


If you are interested in learning more about this 802.11ad PTP solution, I highly recommend this post by

Aruba Powering Next Gen Mobility with Eric Johnson and Onno Harms from Stephen Foskett on Vimeo.


Disclaimer: While Mobility Field Day, which is sponsored by the companies that present, was very generous to invite me to the fantastic MFD3 event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.

Published 9/23/2018