Brave-Dumps.

com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Study Guide
FortiGate 7.6
 Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

2/5/2025
 Brave-Dumps.com
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 LAN Edge Overview 4

02 Authentication 33
03 Centralized Management 75
04 SD-Branch 117
05 Zero Trust LAN Access 160
06 Advanced Features 192
07 Quarantine and Monitoring 236
08 Guest Access 259
09 Monitoring and Troubleshooting 295
 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

LAN Edge Introduction

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn about LAN Edge and its main components.

LAN Edge 7.6 Architect Study Guide 4

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Understand LAN Edge
• Understand LAN Edge as a solution
• Understand the role of FortiGate in a LAN Edge solution
• Understand LAN Edge devices and protocol
• LAN Edge use case scenarios

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of LAN Edge, you will be able to understand and apply LAN
Edge concepts, recognize basic designs and components, and identify common use cases for LAN Edge
solutions.

LAN Edge 7.6 Architect Study Guide 5

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Overview

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn more about LAN Edge.

LAN Edge 7.6 Architect Study Guide 6

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
A Journey of Integration
• Separate wired and wireless
infrastructures
Traditional Network
• Rise of mobility and BYOD
• Advances in network technology Router
• Emergence of the LAN Edge concept
Firewall

Ethernet Switch

Wireless AP

Clients / IoT

© Fortinet Inc. All Rights Reserved. 4

In the early days of computer networking, wired and wireless networks were often managed as separate
infrastructures. Wired networks provided the backbone, while wireless networks were initially considered as
convenient for mobile users but a less secure option.

As mobile devices became more common and employees began to follow a bring your own device (BYOD) to
work trend, secure wireless connectivity became mandatory. These changes in the network users highlighted
the need for better integration between wired and wireless networks.

New solutions were developed to unify management, enhance security, and reduce the complexity and cost of
network operations by integrating wired and wireless networks.

Advances in network technology, such as improvements in Wi-Fi, software-defined networks (SDN), network
virtualization, and cloud-based management, provided the foundation for a new approach to network
management that integrates both wired and wireless connectivity at the edge of the network.

LAN Edge 7.6 Architect Study Guide 7

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
What Is LAN Edge?

Key characteristics:
• Unified management
• Enhanced security
• Seamless connectivity Secure Simple Intelligent
• Scalability and flexibility
Convergence of Adaptive and Adaptive and resilient
• Simplified deployment security and network integrated platform that networking through
access eliminates appliance, extensive data,
configuration, and allowing AI/ML to drive
licensing sprawl better outcomes and
user experiences

© Fortinet Inc. All Rights Reserved. 5

In response to a need for solution that integrates wired and wireless networks, Fortinet has developed a
unique approach to wired and wireless LAN edge technology.

The Fortinet LAN Edge solution is a security-driven approach to networking through convergence that is:

• Secure, through convergence of security and network access. This includes firewall capabilities, intrusion
prevention, and secure access controls, all managed as one entity.

• Simple, through an adaptive and integrated platform that eliminates appliance, configuration, and licensing
sprawl. Fortinet LAN Edge enables centralized management of both wired and wireless networks through a
single interface. This unified approach simplifies configuration, monitoring, and troubleshooting, reducing
the operational burden on IT teams.

• Intelligent, with adaptive and resilient networking through extensive data. This allows artificial intelligence
(AI) and machine learning (ML) to drive better outcomes and user experiences.

LAN Edge supports a wide range of network sizes and can adapt to changing requirements, whether
expanding coverage areas, increasing device densities, or implementing new services. Also, it’s easy to
deploy, thanks to its intuitive design and comprehensive support for various network topologies.

LAN Edge 7.6 Architect Study Guide 8

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Key Components of the Fortinet LAN Edge Solution
• Devices:
• FortiGate FortiGate
• FortiManager
• FortiAP
• FortiSwitch
• FortiAuthenticator FortiLink
FortiSwitch
• FortiExtender
• FortiAIOps
• Protocol:
• FortiLink

FortiAP

© Fortinet Inc. All Rights Reserved. 6

LAN Edge as a solution includes basic components to provide comprehensive network management and
security for both wired and wireless environments.

Devices:
• FortiGate: acts as the central hub, providing a single pane of glass for managing both security and network
functions.
• FortiSwitch: integrates seamlessly with FortiGate to enhance overall network security and management.
• FortiManager: provides centralized management for Fortinet devices deployed at the LAN edge.
• FortiAP: ensures scalability and flexibility through seamless integration, and provides security features to
wireless users.
• FortiSwitch: plays a critical role in the LAN Edge solution by providing advanced switching capabilities and
integrating with the Fortinet Security Fabric.
• FortiAuthenticator: enhances security in the LAN Edge solution by providing centralized authentication and
identity management.
• FortiExtender: provides reliable and secure 4G/5G connectivity for remote sites, branch offices, and
network edge deployments.
• FortiAIOps: is an AI-powered analytics and automation platform that enables proactive issue detection,
performance optimization, and streamlined troubleshooting.

Protocol:
• FortiLink: transforms FortiSwitch and FortiAP into extensions of FortiGate. This integration allows the entire
network to be managed as a single unit with a unified management system.

LAN Edge 7.6 Architect Study Guide 9

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Basic Designs for FortiGate as a Secure LAN Controller

• SD-Branch • Dedicated Controller

© Fortinet Inc. All Rights Reserved. 7

There are two primary design approaches for using a FortiGate as a secure LAN controller.

The software-defined branch (SD-Branch) design uses the main internet access FortiGate to directly control
secure LAN devices, which is ideal for branch and small-to-medium sized offices. In these types of
deployments, FortiSwitch devices are access layer models that provide power over ethernet (PoE) to FortiAPs
and connect directly to FortiGate.

The dedicated secure LAN controller or internal segmentation firewall (ISFW), also known as an overlay
design, is ideal for campus networks with many FortiAP devices and an existing switching network. In this
setup, FortiGate is dedicated to Wi-Fi traffic, acting as a Wi-Fi controller, traffic concentrator, and security
inspection point, but not as the primary internet uplink. FortiAP devices can tunnel to FortiGate through the
existing switch network or dedicated FortiSwitches can be deployed to support the FortiAP devices.

LAN Edge 7.6 Architect Study Guide 10

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Fortinet Security Fabric Network
Operations
Security
Operations

• Broad visibility and protection of the entire digital

attack surface to better manage risk
• Integrated solution that reduces management
complexity and shares threat intelligence Cloud
Security

• Automated self-healing networks with AI-driven Zero Trust

Access
security for fast and efficient operations
FortiGuard
Threat
Intelligence

Secure Open
Networking Ecosystem

© Fortinet Inc. All Rights Reserved. 8

The Fortinet Security Fabric is an integrated cybersecurity platform designed to provide broad, automated,
and integrated protection across the entire digital attack surface. It unifies Fortinet components, offering
comprehensive security and visibility.

Security Fabric key features include:

• Broad protection: covers the entire attack surface, including network, endpoints, applications, and cloud
environments.

• Integration: combines security and networking components into a cohesive system. It’s a solution that
reduces management complexity and shares threat intelligence.

• Automation: streamlines threat detection, response, and remediation, reducing manual effort and response
times.

LAN Edge 7.6 Architect Study Guide 11

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Components

© Fortinet Inc. All Rights Reserved. 9

In this section, you will learn about the core LAN Edge components and their role in its design.

LAN Edge 7.6 Architect Study Guide 12

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
LAN Edge—Operational Challenges

Too much data to monitor

!
High level of expertise required across
wireless, LAN, WAN / SD-WAN
!
Ops Team
! Time-consuming troubleshooting process
Vague and fragmented issues
require highly skilled and time-intensive
investigation and remediation
!
Triaging skillset varies by vertical and scenario

Unused or poorly utilized network resources

© Fortinet Inc. All Rights Reserved. 10

As part of an IT environment that is becoming increasingly complex, networking engineers must possess
expertise in WLAN, LAN, WAN, and cloud technologies. When users report vague complaints about slow
internet speeds, diagnosing the problem often involves gathering logs and debugging across multiple
devices—PCs, wireless equipment, routers, firewalls, cloud services, and Software-as-a-Service (SaaS)
platforms. This process can be time-consuming, due to the volume of data involved, making it challenging to
effectively triage issues at scale.

Ideally, these engineers not only troubleshoot, but also provide recommendations. They monitor numerous
data points, establish performance baselines, and identify optimal paths or solutions to enhance network
performance.

LAN Edge 7.6 Architect Study Guide 13

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
What Is FortiManager?
• Centralized management
• Configuration management
• Backup and recovery
• Automated workflows

FortiGate FortiManager

© Fortinet Inc. All Rights Reserved. 11

What can FortiManager do?

• Provision firewall policies across your network.

• Act as a central repository for configuration revision control and security audits.
• Provide central management of FortiSwitch.
• Act as a private FortiGuard Distribution Server (FDS) for your managed devices.
• Script and automate device provisioning, policy changes, and more, using JSON APIs.

Centralized management through FortiManager can help you to manage many deployment types with many
devices, and to reduce the cost of operation.

LAN Edge 7.6 Architect Study Guide 14

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiManager Role In LAN Edge
• Manage FortiSwitch
• Centralized management with templates
• FortiSwitch per-device management

• Manage FortiAP
• Centralized management of FortiAP devices
• Wi-Fi maps
• Wi-Fi profiles

© Fortinet Inc. All Rights Reserved. 12

FortiManager provides a unified solution for secure networking through one platform, one network, one
security system, and one unified single-pane manager.

FortiManager features ensure efficient management, enhanced security, and streamlined operations in the
Fortinet LAN Edge solution.

As a key component for managing the LAN Edge solution, FortiManager offers centralized management that
simplifies the deployment and configuration of FortiGate, FortiSwitch, and FortiAP devices.

FortiManager includes predefined FortiSwitch and FortiAP templates that streamline the deployment and
management of these devices. These templates are designed to simplify configuration, ensure consistency,
and reduce the time and effort required to set up and maintain these devices.

In summary, FortiManager enhances operational efficiency through automation and centralized control.

LAN Edge 7.6 Architect Study Guide 15

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Zero-Touch Deployment

Deploy Configure Run

Ship FortiSwitch, FortiAP, FortiGate sends a message Deployment server pushes

and FortiGate devices to the to the deployment server configuration to FortiGate,
site, plug all devices in, and FortiSwitch, and FortiAP
connect them to the internet

© Fortinet Inc. All Rights Reserved. 13

Deploying network devices can be challenging. Resource constraints, a lack of on-site IT staff, or insufficient
technical expertise can make complex device configurations and setups difficult. Manual configuration
processes are time-consuming and prone to errors, leading to operational delays.

Also, ensuring all branches adhere to organizational security policies and standards is difficult without
centralized control.

Zero-touch provisioning (ZTP), when integrated with FortiManager, is a solution that assists in automating the
deployment and configuration of Fortinet devices, significantly simplifying the process of bringing new devices
online. ZTP allows devices to be preconfigured before they are shipped to their deployment location, enabling
plug-and-play functionality upon connection to the network.

LAN Edge 7.6 Architect Study Guide 16

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate Role in LAN Edge
• Centralized security
• Device management
• Traffic management
• Policy enforcement
• Scalability and growth
• PoE support

© Fortinet Inc. All Rights Reserved. 14

FortiGate plays a critical role in LAN Edge design by centralizing security, managing network devices, and
ensuring consistent policy enforcement, enhancing the network's security, scalability, and efficiency.

FortiGate combines security enforcement, FortiAP and FortiSwitch management, and secure network fabric
traffic into a unified whole: security-driven networking. Security is enforced not only at the perimeter, but
extended out of the edge to the network, where the clients connect to FortiAP and Fortiswitch devices.

LAN Edge 7.6 Architect Study Guide 17

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate Is a Wireless Switch and Controller
• Every FortiGate has a built-in wireless/switch controller

1800F +
2048/4096 APs
196 FSWs
600F
512/1024 APs
96 FSWs
80F
48/96 APs
40F 24 FSWs
8/16 APs
8 FSWs

© Fortinet Inc. All Rights Reserved. 15

FortiGate is a fully capable Wi-Fi and switch controller, able to manage FortiAP and FortiSwitch devices to the
edge of the LAN as part of the Fortinet LAN Edge solution.

As a Wi-Fi and switch controller, FortiGate manages FortiAP and FortiSwitch devices through FortiLink,
extending the Fortinet Security Fabric throughout the LAN where end devices connect.

A single-pane-of-glass interface allows for the management of all LAN access ports through FortiSwitch and
FortiAP.

LAN Edge 7.6 Architect Study Guide 18

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiSwitch Role in LAN Edge

FortiGate

FortiLink
FortiSwitch

© Fortinet Inc. All Rights Reserved. 16

A managed FortiSwitch is an extension of a FortiGate device. In this way, FortiSwitch extends the visibility of
the Fortinet Security Fabric up to layer 2. Using FortiView physical and logical topology views, you can
visualize different security segments together with the stacked FortiSwitch and connected end devices.

The FortiSwitch devices, in combination with FortiGate, when managing the former using FortiLink, offer a
solution to tackle all access requirements in a seamless, smooth implementation.

The LAN Edge solution is built on the ground where FortiSwitch devices are managed and work in
combination with FortiGate devices using FortiLink.

LAN Edge 7.6 Architect Study Guide 19

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAP—Security-Driven WLAN Networking
• Secure
• Convergence of security and network access
• Flexible deployment and cost
• Scalable to support enterprises of all sizes
• Full line, from large to small secure access
appliances
• Flexible management options
• No additional license required to enable built-in
wireless controller
• Integration
• Integrates with FortiGate for centralized
management
• Scalability and flexibility
Wide range of deployment sizes, from small offices
to large campus environments

© Fortinet Inc. All Rights Reserved. 17

Wi-Fi is an important network medium in every type of business, from small to medium to large enterprises,
and in millions of homes.

Controller-managed wireless solutions that aren't integrated don't fit small and medsize businesses (SMB),
and pure cloud-managed solutions don't offer comprehensive security, which could expose users to the
growing number of cyberthreats.

Fortinet secure wireless LAN (WLAN) meets the needs of these different use cases without sacrificing
comprehensive security. It has several deployment models with an integrated wireless controller in FortiGate
and FortiLAN Cloud.

The Fortinet integrated wireless solution provides single-pane-of-glass management for security and access.
The integrated wireless solution includes the FortiGate network security platform, FortiAP devices, and
centralized management. FortiGate consolidates WLAN control, firewall, VPN gateway, a network intrusion
prevention system (IPS), data loss prevention (DLP), malware protection, web filtering, application control,
and endpoint control on a single device. FortiGate does not require any additional licenses to enable built-in
wireless controller functionality.

LAN Edge 7.6 Architect Study Guide 20

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
LAN Edge Topology With FortiAP and FortiSwitch
Security Fabric > Physical Topology

© Fortinet Inc. All Rights Reserved. 18

In the example shown on this slide, the Security Fabric physical topology view shows the FortiSwitch location
in the network, as well as its directly connected FortiAP device.

LAN Edge 7.6 Architect Study Guide 21

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator
• FortiAuthenticator is a user
authentication and identity manager
• Provides standards-based secure
authentication to a network
• Centralizes the management and storage of
user identity information
• FortiAuthenticator Serves as the gatekeeper
of the Fortinet Security Fabric to establish
identity at the entry points
• Some of the key features include:
• RADIUS and LDAP services
• Two-factor authentication
• Wired/wireless authentication using the 802.1X
standard
• Certificate management
• Captive portal
• Self-serve portal
• Fortinet Single Sign-On (FSSO)

© Fortinet Inc. All Rights Reserved. 19

FortiAuthenticator is a user authentication and identity management device. It provides standards-based,

secure authentication to network devices. FortiAuthenticator provides RADIUS, LDAP, 802.1X wireless
authentication, certificate management, and Fortinet Single Sign-On (FSSO).

FortiAuthenticator is compatible with FortiToken to provide two-factor authentication when using multiple
FortiGate and third-party devices. Together, FortiAuthenticator and FortiToken deliver cost-effective, scalable,
secure authentication to your entire network infrastructure.

FortiAuthenticator is a key component in the Fortinet LAN edge solution. FortiAuthenticator provides
authentication, which is used by FortiGate, or controllers, or both to assign appropriate access to clients.
Based on the configuration and roles defined on FortiGate, authentication rules can be enforced for wireless
and wired clients.

In a LAN Edge solution, FortiAuthenticator ensures that only authorized users and compliant devices can
access network resources.

LAN Edge 7.6 Architect Study Guide 22

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiExtender

© Fortinet Inc. All Rights Reserved. 20

FortiExtender is valuable component of the LAN Edge solution when implementing a secure branch scenario.
It provides reliable WAN connectivity using LTE/5G networks, which complements LAN Edge devices such as
FortiGate, FortiAP, and FortiSwitch.

By integrating with FortiGate, FortiExtender ensures continuous and secure internet connectivity, even in
areas where traditional wired connections may be unreliable or unavailable. FortiExtender supports the overall
security and performance of the branch network, while integrating in your existing FortiManager or FortiGate
dashboard for simple start up and provisioning.

You can take advantage of ZTP to simplify the deployment of FortiExtender devices.

LAN Edge 7.6 Architect Study Guide 23

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiLink Role in LAN Edge
Integrated security
• FortiSwitch integrated into FortiGate as an FortiGate NGFW
extension of the NGFW
• Firewall and switch ports equally secure
• Built-in NAC features to address IoT as well as
owned devices
FortiSwitch FortiLink
Simplicity
• Ease of deployment and management through
FortiGate interface
• Flexible architecture, scales as needs change
Lower cost of ownership
• Access management included with FortiOS—no
licenses required
FortiAP

© Fortinet Inc. All Rights Reserved. 21

FortiLink, also known as the switch controller function, allows FortiGate firewalls to remotely manage
FortiSwitch devices. FortiLink defines the management interface and remote management protocol between
FortiGate and FortiSwitch, enabling seamless control and integration.

This protocol integrates FortiSwitch devices with FortiGate, centralizing management and enhancing security.

FortiLink protocols enable FortiGate to manage the Fortinet network access layer. FortiLink drives the
simplicity, the automated provisioning of the access layer, and the visibility, because everything is centered
around FortiGate.

It provides for a flexible architecture that scales as your needs change, and it enables FortiGate to offer a high
level of security to the ports on the switch.

LAN Edge 7.6 Architect Study Guide 24

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AIOps

© Fortinet Inc. All Rights Reserved. 22

AIOps refers to the application of artificial intelligence (AI) and machine learning (ML) techniques to enhance
and automate IT operations.

AIOps is part of the solution that enables network engineers to monitor networks more comprehensively,
detect issues earlier, diagnose problems accurately, and proactively manage and optimize network
performance, ultimately enhancing operational efficiency and reducing downtime.

AI helps by:

• Processing event logs from all network devices across the deployment
• Predicting failure type based on trained ML models
• Reviewing status and configurations to quickly drive to root cause
• Providing client-level remediation to overcome the failure

LAN Edge 7.6 Architect Study Guide 25

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
The Solution—FortiAIOps

Monitoring AI
Troubleshooting FortiAIOps Insights

© Fortinet Inc. All Rights Reserved. 23

FortiAIOps is the merging of monitoring, troubleshooting, and AI insights inside a single platform.

FortiAIOps delivers a simple and easy way to oversee LAN Edge components, including: FortiAP, FortiSwitch,
FortiGate, and FortiExtender.

The FortiAIOps network monitoring functionality puts visibility and in-depth understanding at your fingertips. From
layer 1 diagnostic information to layer 7 application visibility, FortiAIOps covers Wi-Fi, Ethernet, SD-WAN, and
5G/LTE gateway technologies. Its built-in troubleshooting tools allow active testing of network components to find
faults and verify functionality.

LAN Edge 7.6 Architect Study Guide 26

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Use Cases

© Fortinet Inc. All Rights Reserved. 24

In this section, you will learn about the common use case scenarios for a LAN Edge solution.

LAN Edge 7.6 Architect Study Guide 27

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
LAN Edge Use Cases

CAMPUS SD-BRANCH OT

© Fortinet Inc. All Rights Reserved. 25

There are two main LAN Edge uses cases: campus and SD-Branch.

• Campus: It can be small offices up to large multi-building deployments.

• SD-Branch: It is an extension of SD-WAN including WAN, wired and wireless LAN, security, and network
access control.

Another application is in operational technology use cases, where FortiSwitch rugged models are used.

LAN Edge 7.6 Architect Study Guide 28

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Secure Campus Use Case

Core
FortiGate

Core FortiSwitch

Aggregation
FortiSwitch

Access
FortiSwitch

© Fortinet Inc. All Rights Reserved. 26

Campus use cases include a broad range of applications from small offices to networks that cover large
physical areas like universities, hospitals, corporate campuses, and government facilities.

In campus use cases, LAN Edge components connect numerous buildings, departments, and outdoor spaces
to support a wide array of users, devices, and applications. This includes wired and wireless connectivity
options to allow access to diverse devices and support user mobility.

Campus use cases must provide reliable, secure, and scalable connectivity.

In secure campuses use cases, a very commonly used physical design is a hierarchical design. In a
hierarchical design, there are two or three levels between the access switch and the core equipment, like
firewalls or routers. This type of design allows the network to grow and it minimizes the number of uplinks
required while providing reliability. By using a series of cascading, high-bandwidth fiber-optic connections
between switches, a hierarchical design can overcome the reach limitations found in designs where Ethernet
over copper links are used.

LAN Edge 7.6 Architect Study Guide 29

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Secure SD-Branch Use Case
• SD-WAN provides secure, business-
outcome-driven WAN
• Simplifies traditional WAN complexity
• Better cloud application performance
Device LAN WAN
• 5G/LTE wireless WAN Edge Edge Edge
• LAN Edge protects the access edge Corporate
Client Secure
SD-WAN
• Consolidation through convergence of
security and network access
User
• NAC protects the device edge Contractor
Mobile
BYOD NAC Wireless Switch

• Discovery, classification, and secure Guest

onboarding of IoT devices 5G /LTE

Wireless WAN
IoT

© Fortinet Inc. All Rights Reserved. 27

Secure SD-Branch secures the network edge at the branch. Remote locations need a defense that conforms
to the unique risks they face.

Secure SD-Branch enhances both security and network performance at the access layer by integrating WAN
and LAN environments. It automates discovery, classification, and security of IoT devices when they request
network access. It also automatically provides anomaly detection and remediation processes based on
defined business logic. Finally, it allows distributed organizations to rapidly scale their operations across new
offices and geographic locations.

Secure SD-Branch is extension of SD-WAN, including wired and wireless LAN, security, and network access
control.

• SD-WAN: Provides seamless WAN connectivity with enhanced cloud application performance through
local breakout, including 5G/LTE wireless WAN as a primary or backup

• LAN Edge: Provides comprehensive access protection, integrating wireless and switching for converged
network and security solutions

• NAC: Protects the device edge through device discovery, classification, and secure IoT onboarding
processes

Secure SD-Branch consolidates the network access layer within a secure platform that provides visibility and
security to the network and all devices that connect to it.

LAN Edge 7.6 Architect Study Guide 30

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
OT Solutions
• Lossless redundancy with PRP/HSR
• Precision Time Protocol (PTP)
transparent clock
• Media Redundancy Protocol (MRP)
redundancy
• PoE
• Compact form factor to fit in cabinets

© Fortinet Inc. All Rights Reserved. 28

Operational technology (OT) plays a crucial role in industrial sectors, such as manufacturing, energy, utilities,
transportation, and healthcare. This types of industry require specialized cybersecurity and management
solutions to ensure operational continuity, safety, and efficiency.

FortiSwitch rugged devices are increasingly utilized in OT environments due to their robust security features,
which are tailored for the industrial and critical infrastructure sectors.

These rugged models offer lossless redundancy with Parallel Redundancy Protocol/High-Availability
Seamless Redundancy (PRP/HSR) and flexible voltage options from 18-125 volts direct current (VDC),
among other features.

LAN Edge 7.6 Architect Study Guide 31

 LAN Edge Introduction
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Understand LAN Edge
 Understand LAN Edge as a solution
 Understand the role of FortiGate in a LAN Edge solution
 Understand LAN Edge devices and protocol
 LAN Edge use case scenarios

© Fortinet Inc. All Rights Reserved. 29

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to understand LAN Edge concepts,
recognize basic LAN Edge designs and components, and identify common use cases for LAN Edge solutions.

LAN Edge 7.6 Architect Study Guide 32

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Authentication

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn how to configure and troubleshoot LDAP and RADIUS authentication on
FortiGate. You will also review some FortiAuthenticator fundamentals.

LAN Edge 7.6 Architect Study Guide 33

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Integrate FortiAuthenticator with the Fortinet Security Fabric
• Understand LDAP bind flow
• Understand RADIUS query flow
• Configure and use a certificate authority (CA) in FortiAuthenticator
• Configure syslog single sign-on (SSO) on FortiAuthenticator
• Configure RADIUS SSO (RSSO) on FortiAuthenticator
• Create public key infrastructure (PKI) users on FortiGate

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in remote authentication and FortiAuthenticator, you will be able to understand
LDAP bind flow, RADIUS query flow, and the integration of FortiAuthenticator with FortiGate. Additionally, you
will also gain insight into syslog SSO and RSSO configuration.

LAN Edge 7.6 Architect Study Guide 34

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiAuthenticator

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about the fundamentals of FortiAuthenticator.

LAN Edge 7.6 Architect Study Guide 35

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Integrating FortiAuthenticator Into the Security Fabric

Management

Controller and security

Access

Clients

© Fortinet Inc. All Rights Reserved. 4

FortiAuthenticator is a key component for integrating the Security Fabric within a LAN Edge solution.

FortiAuthenticator enhances network security by providing centralized authentication, authorization, and

accounting (AAA) services. FortiAuthenticator integrates with LDAP/Active Directory for user synchronization
and acts as a RADIUS server to manage user policies, roles, and guest access. Additionally, through FSSO,
FortiAuthenticator provides user identity information to FortiGate, allowing it to apply relevant security policies
based on user roles and groups.

This allows the right users to access the right resources at the right time. Its multi-factor authentication (MFA)
capabilities greatly contribute to this objective.

Also, it’s the bridge that engages multiple devices at different levels like FortiSwitch, FortiAP, FortGate, and
diverse clients using different mediums. By integrating FortiAuthenticator with FortiSwitch, FortiAP, and
FortiGate, your organization ensures consistent authentication policies across all access points, whether
wired or wireless.

LAN Edge 7.6 Architect Study Guide 36

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator Key Differences
Feature Key differences compared to FortiGate
RADIUS RADIUS authentication and authorization server
RADIUS authentication and accounting proxy
Rule-based rewrite of RADIUS accounting packets for FSSO
Two-factor authentication Centralized two-factor authentication for users and tokens
FSSO Restrict number of devices per FSSO user
FSSO user/group/IP filtering to FortiGate
Kerberos FSSO (with NTLM fallback)
SAML service provider
SAML identity provider
Active Directory Rule-based auto-sync with Windows Active Directory
Reset Active Directory password
Wi-Fi/Hotspot Social authentication: Facebook, Twitter, LinkedIn
Google authentication
Guest/BYOD Certificate authority (SCEP, OCSP, endpoint auto-enrollment)

CA Certificate authority

© Fortinet Inc. All Rights Reserved. 5

FortiAuthenticator and FortiGate are both crucial components but they serve different roles, particularly when
it comes to authentication.

As a dedicated authentication device, FortiAuthenticator centralizes user authentication and authorization,

allowing for consistent policy enforcement across multiple devices and applications.

The list shown on this slide contains some of the key differences between FortiGate and FortiAuthenticator in
terms of RADIUS, two-factor authentication, FSSO, Active Directory, Wi-Fi authentication, and guest
management.

LAN Edge 7.6 Architect Study Guide 37

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
The CHAP and LDAP Dilemma
• If FortiGate uses LDAP for user authentication, neither CHAP, MS-CHAP, nor MS-
CHAPv2 can be used
• This might affect IPsec VPN and Protected Extensible Authentication Protocol (PEAP) wireless users

IPsec user
with CHAP

FortiGate LDAP
Users do not send the
password in cleartext,
but a one-way hash of ???
the password
Expecting password
Wireless user
with PEAP/MSCHAP2
in cleartext

© Fortinet Inc. All Rights Reserved. 6

Now, you will explore another benefit of adding FortiAuthenticator to your LAN Edge solution.

If FortiGate is configured to authenticate clients using a remote LDAP server, VPN and wireless clients using
CHAP schemes are not able to authenticate. That is the case for wireless clients using PEAP or Microsoft
Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2), or both, and IPsec VPN clients with
extended authentication (XAuth) and CHAP. The same applies for any other device or application using
CHAP, MS-CHAP, or MS-CHAPv2 for authenticating against a FortiGate device that uses an LDAP server as
the back end.

The reason is that during CHAP, MS-CHAP, and MS-CHAPv2 authentication, a client sends a one-way hash
of the password. However, the LDAP server, which is on the back end, is expecting the password itself.
FortiGate, which is acting as the LDAP client, does not have the client passwords, nor can it convert a hashed
password to a cleartext password.

LAN Edge 7.6 Architect Study Guide 38

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Solutions to the CHAP and LDAP Dilemma
• Use Password Authentication Protocol (PAP)
• Unsecure
• May not be supported by all applications or implementations
• Use RADIUS
• Use FortiAuthenticator to join the Windows domain
• Allows FortiAuthenticator to authenticate against Windows AD using Kerberos
• User authentication will use New Technology LAN Manager (NTLM)
FortiGate configured as Windows AD configured as an LDAP
a RADIUS client on server on FortiAuthenticator with
IPsec user FortiAuthenticator Windows AD authentication
with CHAP

FortiAuthenticator Windows AD
FortiGate

RADIUS NTLM

Wireless user User authentication happens over NTLM

with PEAP/MSCHAP2 with event ID 4776

© Fortinet Inc. All Rights Reserved. 7

Two possible methods that you can use to solve the CHAP and LDAP problem are:

• Use PAP: You must configure FortiGate to use PAP instead of CHAP when authenticating clients. This
approach is unsecure, because of the nature of PAP.
• Use RADIUS: Change your back-end server from LDAP to RADIUS.

If you are using Windows AD as your LDAP server, an alternative is to use FortiAuthenticator as an
authentication proxy. FortiAuthenticator would be located between FortiGate and the Windows server. You
must also configure FortiAuthenticator to log in to the Windows domain using the credentials of a Windows
administrator. This adds FortiAuthenticator as a trusted device on the Windows AD domain, allowing
FortiAuthenticator to proxy the password hash from the client to the Windows server, using NTLM.

LAN Edge 7.6 Architect Study Guide 39

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Remote Authentication Servers—LDAP
• You can configure FortiAuthenticator to connect to an existing LDAP server
Authentication > Remote Auth. Servers > LDAP

Select the server type

to apply LDAP scheme

Required for CHAP, MS-CHAP, and MS-CHAPv2

© Fortinet Inc. All Rights Reserved. 8

FortiAuthenticator can store the user database locally. It can also proxy authentication requests from a client
to a back-end authentication server.

Now, you will learn how to configure FortiAuthenticator to proxy authentication requests to a remote LDAP
server, which can be a Windows AD server.

You must configure the following settings: Name, Primary server name/IP, Base distinguished name, Bind
type and administrator Username and Password for regular bind type. Note that the Base distinguished
name sets the root node where LDAP starts searching for user accounts.

There are predefined LDAP templates you can select in the Server type section. They include default
attribute settings for well-known LDAP servers, such as Windows AD, OpenLDAP, and Novell eDirectory.

If you want FortiAuthenticator to relay CHAP, MS-CHAP, and MS-CHAPv2 authentication to a Windows AD
server, you must enable Windows Active Directory Domain Authentication and enter the credentials for a
Windows administrator. FortiAuthenticator logs in to the domain as a trusted device, allowing
FortiAuthenticator to proxy CHAP, MS-CHAP, and MS-CHAPv2 authentication, using NTLM.

LAN Edge 7.6 Architect Study Guide 40

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
RADIUS Remote Authentication Server
• You can configure FortiAuthenticator to connect to existing RADIUS servers
• If the local user database is not used, FortiAuthenticator proxies RADIUS authentication requests

Authentication > Remote Auth. Servers > RADIUS

Select RADIUS
scheme

© Fortinet Inc. All Rights Reserved. 9

FortiAuthenticator can act both as a RADIUS server and a RADIUS proxy. As a RADIUS server, it provides
comprehensive AAA service and seamless integration with Fortinet devices. As a RADIUS proxy, it enhances
security by forwarding authentication requests to remote RADIUS servers while applying local policies.

The slide shows is an example of the configuration required for FortiAuthenticator to proxy authentication
requests to a remote RADIUS server.

LAN Edge 7.6 Architect Study Guide 41

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Adding Users to FortiAuthenticator
• Local users
• Manually add users
• Import users from a CSV or FortiGate configuration file
• Remote users
• Remote LDAP users:
• Import into FortiAuthenticator through remote LDAP servers only
• Remote RADIUS users
• Can be created in FortiAuthenticator based on the remote RADIUS server
• Can be migrated to LDAP users, edited, and deleted
• Can be assigned user role or administrator role

© Fortinet Inc. All Rights Reserved. 10

There are two ways you can add local users to FortiAuthenticator:
• Manually add users.
• Import users from a CSV file or FortiGate configuration file.

Note that FortiAuthenticator includes a self-service portal where users can register themselves.

You add remote LDAP and RADIUS users to FortiAuthenticator in different ways:
• For remote LDAP users, you must import users into the FortiAuthenticator user database from their remote
LDAP servers.
• For remote RADIUS users, you can create them based on a remote RADIUS server. You can migrate
remote RADIUS users to LDAP users, as well as edit and delete them. You can also flag remote RADIUS
users with the user role or administrator role.

LAN Edge 7.6 Architect Study Guide 42

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
RADIUS Clients
• FortiAuthenticator accepts RADIUS authentication requests only from clients that have
been added as RADIUS clients
Authentication > RADIUS Service > Clients

© Fortinet Inc. All Rights Reserved. 11

FortiAuthenticator accepts RADIUS authentication requests only from approved RADIUS clients. This means
that for a device or application to send authentication requests to FortiAuthenticator, it must first be explicitly
configured and recognized as a trusted client within the FortiAuthenticator system. This way,
FortiAuthenticator ensures that only authorized devices can interact with its RADIUS service.

After you configure remote authentication servers or a local user database, you must allow FortiGate to make
authentication requests to FortiAuthenticator. This is done under RADIUS clients on the FortiAuthenticator.

LAN Edge 7.6 Architect Study Guide 43

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
RADIUS Policies
• You must assign your RADIUS client to a policy
• FortiAuthenticator follows the settings configured for the matching RADIUS policy

Authentication > RADIUS Service > Policies

© Fortinet Inc. All Rights Reserved. 12

After you configure a RADIUS client, you must assign it to one or more RADIUS policies. A RADIUS policy
contains the authentication settings that FortiAuthenticator follows when processing authentication requests
sent by your RADIUS client.

When FortiAuthenticator receives a RADIUS authentication request, it identifies the request attributes and
then finds a matching policy using a top-down approach. If there is no matching policy, FortiAuthenticator
rejects the RADIUS authentication request.

LAN Edge 7.6 Architect Study Guide 44

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Debug Logs on FortiAuthenticator
Debug logs are categorized based
on the service being used
https://<FortiAuthenticator_IP>/debug

Debug mode is enabled, allowing

you to send test authentication
requests

Debug logs can be useful

when troubleshooting issues
on FortiAuthenticator

© Fortinet Inc. All Rights Reserved. 13

Unlike FortiGate, FortiAuthenticator does not have real-time debug commands. Instead, you can access
extended logs for individual services. You can access the debug log page using the URL
https://<FortiAuthenticator_IP>/debug. You can use these logs to troubleshoot issues with
services running on FortiAuthenticator.

In the case of the debug logs for RADIUS authentication, you can enable debug mode, which allows
administrators to test RADIUS authentication using the credentials of a test user from the debug logs window.

LAN Edge 7.6 Architect Study Guide 45

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiAuthenticator as a CA

© Fortinet Inc. All Rights Reserved. 14

In this section, you will review how FortiAuthenticator can act as a CA.

LAN Edge 7.6 Architect Study Guide 46

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator as a CA
Certificate Management > Certificate Authorities > Local CAs
• FortiAuthenticator can act as:
• CA
• Root and/or intermediate
• Certificate revocation list (CRL)
• Simple Certificate Enrollment Protocol
(SCEP) registration authority (RA)
• Online Certificate Status Protocol
(OCSP) server

© Fortinet Inc. All Rights Reserved. 15

FortiAuthenticator can act as a self-signed or local CA for issuing and revoking digital certificates. This
functionality allows FortiAuthenticator to manage certificates internally, providing a trusted source for digital
certificates within the organization.

As a CA, the administrator can also import trusted CA certificates and certificate revocation lists.

FortiAuthenticator can also act as an OCSP server, for certificate revocation checks, and a SCEP RA, for
receiving certificate signing requests (CSR) and issuing certificates. This ensures that certificates are checked
for validity at the time of use, improving security and reducing the reliance on periodically updated CRLs.

LAN Edge 7.6 Architect Study Guide 47

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Generating Certificates
Certificate Management > End Entities
• FortiAuthenticator can generate the
following types of certificates:
• User certificates
• Clients/end users
• Used to identify users, services, and devices
• Allows download of private key (one time only)
• Local service certificates
• Server certificate
• Used to identify servers
• Applies to local services enabled on the
FortiAuthenticator only
• Cannot retrieve the private key

© Fortinet Inc. All Rights Reserved. 16

User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN
network resources. Mutual authentication, also known as two-way authentication, ensures that both the client
and the server verify each other's identity before establishing a secure connection, this helps to prevent
unauthorized access and allows communication only between trusted parties.

You can create a user certificate on FortiAuthenticator or import and sign a CSR. User certificates, external
service certificates, and device certificates are all fundamentally the same type of certificate, issued by a CA
to authenticate the identity of the holder and facilitate secure communications.

The ability of FortiAuthenticator that can create user certificates and import and sign CSRs helps to ensure
that all certificates are managed consistently and securely.

Note that End Entities certificates can be used only to verify client identity and cannot be used to sign other
certificates.

LAN Edge 7.6 Architect Study Guide 48

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator Signing Certificates
Certificate Management > End Entities > Users

Subject field

User Principal
Name (UPN)

Include the URL where the

CRL can be downloaded

Include the OCSP

server URL

© Fortinet Inc. All Rights Reserved. 17

After you create a CA certificate, FortiAuthenticator can start issuing certificates to users. This process
involves defining various attributes within each user certificate so the certificate can deliver appropriate
identification, validity, and revocation management.

In each user certificate, you can define the subject field, expiration date, UPN, URL where the CRL can be
downloaded, and the OCSP URL. The detailed configuration of those attributes allows accurate identification
and timely revocation checks.

LAN Edge 7.6 Architect Study Guide 49

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator as a SCEP RA
• Two types of enrollment:
• Automatic
• Administrator preapproves the CSR before it arrives
• Preapproval requires you to set a challenge password
• Challenge password is used by the requester when submitting the CSR
• Manual
• Requester submits the CSR first
• CSR remains on FortiAuthenticator as pending until the administrator approves it

© Fortinet Inc. All Rights Reserved. 18

FortiAuthenticator supports SCEP. This protocol simplifies the process of certificate issuance and
management, particularly in large-scale deployments where manual certificate handling can be time
consuming and prone to errors. When acting as a SCEP server, FortiAuthenticator can receive CSRs from
any device in your network enabling automated certificate enrollment and lifecycle management.

There are two types of SCEP enrollments:

• Automatic: Administrators preapprove the CSR before it arrives at the FortiAuthenticator SCEP server.
After it arrives, FortiAuthenticator replies with the signed certificate. This preapproval mechanism allows
FortiAuthenticator to efficiently handle incoming CSRs and promptly respond with signed certificates,
expediting the certificate issuance process.

• Manual: The manual process involves administrative oversight at each step. In the manual enrollment
process, the workflow requires that CSRs are submitted by the requesters before any certificate issuance
takes place. Once the CSRs are submitted, they remain in a pending state on FortiAuthenticator until an
administrator reviews and approves them. This option is suitable for high-security environments and allows
administrators to enforce compliance with security policies and verify the legitimacy of each certificate
request.

FortiAuthenticator support for SCEP enables efficient and secure certificate management through both
automatic and manual enrollment processes.

LAN Edge 7.6 Architect Study Guide 50

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Syslog SSO

© Fortinet Inc. All Rights Reserved. 19

In this section, you will learn about syslog SSO using FortiAuthenticator.

LAN Edge 7.6 Architect Study Guide 51

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Syslog SSO
• Username and IP address is parsed from syslog server by FortiAuthenticator
• Sent to FortiGate for Fortinet Single Sign-On (FSSO)

Filtered traffic flows

User logs in
User, IP address,
and group sent
through FSSO

Login Info collected Username and IP

RADIUS/AD Server address parsed
Syslog Server

© Fortinet Inc. All Rights Reserved. 20

Syslog SSO involves using syslog messages to monitor authentication events and correlate them with user
activities.

As part of its Security Fabric capabilities, FortiAuthenticator features syslog parsing capabilities with FSSO.
This allows FortiAuthenticator to parse user information from syslog messages and inject it into FSSO,
enabling FortiGate devices to enforce authentication policies based on real-time user data.

FortiAuthenticator can parse username and IP address information from a syslog feed provided by a third-
party device, and inject this information into FSSO for use in FortiGate authentication policies.

LAN Edge 7.6 Architect Study Guide 52

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Syslog Matching Rules—Configuration
Fortinet SSO Methods > SSO > General

Step 1

Step 2
Fortinet SSO Methods > SSO > Syslog Sources > Matching Rules

© Fortinet Inc. All Rights Reserved. 21

Syslog objects include sources and matching rules. Sources are the devices that send syslog messages,
which can be network switches, routers, firewalls or access points. Matching rules define how these
messages are parsed to extract user information. These rules determine how FortiAuthenticator processes
the syslog messages to obtain user identity data, such as usernames and IP addresses.

The correct configuration of these components ensures that FortiAuthenticator can accurately map user
activities to authentication policies.

FortiAuthenticator ignores messages coming from nonconfigured sources.

After you enable Syslog SSO, the next step is to create a matching rule for use by your syslog source.

LAN Edge 7.6 Architect Study Guide 53

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Syslog Matching Rules—Configuration (Contd)
Fortinet SSO Methods > SSO > Syslog Sources > Matching Rules

Strings representing the pattern to

match for extracting login information

© Fortinet Inc. All Rights Reserved. 22

There are preconfigured matching rules for some third-party syslog server formats, but you can create custom
matching rules to match the format of any syslog server feed.

In the Fields To Extract section, you can specify the string patterns that FortiAuthenticator uses to trigger
logon, update, and logoff messages. FortiAuthenticator uses these fields to extract the username and IP
address from the messages to convert them to FSSO events.

LAN Edge 7.6 Architect Study Guide 54

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Syslog Matching Rules—Preconfigured Rules
• Three preconfigured syslog matching rules:
• FortiNAC
• Aruba
• Cisco

Fortinet SSO Methods > SSO > Syslog Sources > Matching Rules

© Fortinet Inc. All Rights Reserved. 23

Three preconfigured matching rules for some third-party syslog server formats are:

• FortiNAC
• Aruba
• Cisco

LAN Edge 7.6 Architect Study Guide 55

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Syslog Sources—Configuration
Fortinet SSO Methods > SSO > Syslog Sources > Syslog Sources

Step 3

Syslog server
source IP address

Select matching rules to be

used to extract login information
from the syslog message or
create new matching rules

© Fortinet Inc. All Rights Reserved. 24

The next step is to create a syslog source. You must type values in the Name and IP address fields, and then
select a rule in the Matching rule field.

LAN Edge 7.6 Architect Study Guide 56

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Debug Logs
• Viewing debug logs from a specific service

• Debug logs can be helpful when troubleshooting

SSO-related issues
• Display information-level logs from the selected service
• View service logs that are relevant to the FSSO method that
is encountering issues
• Most recent logs are at the bottom

© Fortinet Inc. All Rights Reserved. 25

You can also view SSO-related logs that are specific to a single SSO source, such as RADIUS accounting or
the syslog feed. For example, you can view the RADIUS attributes that are sent in the accounting message,
or view the raw syslog feed that FortiAuthenticator is receiving.

LAN Edge 7.6 Architect Study Guide 57

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

RSSO

© Fortinet Inc. All Rights Reserved. 26

In this section, you will learn how to implement RSSO to be used with FortiAuthenticator and FortiGate.

LAN Edge 7.6 Architect Study Guide 58

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Deployment Considerations
• RADIUS environment must be configured to send accounting records
• For direct RADIUS to FortiGate RSSO:
• RADIUS server must be configured with appropriate group names and users added
• For RADIUS to FortiAuthenticator to FSSO:
• LDAP directory must be configured with appropriate group names and users added
• Three ways to deploy RSSO:
• FortiGate RSSO
• RSSO accounting messages directly to the FortiGate
• FortiAuthenticator RSSO to FortiGate RSSO
• RSSO accounting messages are sent to FortiAuthenticator, which then forwards the packets to FortiGate or a
third-party device
• FortiAuthenticator RSSO to FSSO
• RSSO accounting messages are converted to FSSO updates and distributed to all FortiGate devices
configured as FSSO clients on FortiAuthenticator

© Fortinet Inc. All Rights Reserved. 27

RSSO allows FortiGate to use RADIUS accounting messages for user authentication and authorization.

Consider the following important aspects before using RSSO:

• You must configure the RADIUS environment to send accounting records. How to configure every possible
RADIUS server is beyond the scope of this lesson.
• For direct RADIUS to FortiGate RSSO, you must configure the RADIUS server with appropriate group
names and users added to them.
• For RADIUS to FortiAuthenticator to FSSO, you must configure your LDAP directory with appropriate
group names and users added to them.

There are three different ways to deploy RSSO:

• FortiGate RSSO: RSSO accounting messages directly to FortiGate.

• FortiAuthenticator RSSO to FortiGate RSSO: RSSO accounting messages are sent to FortiAuthenticator,
which then forwards the packets to FortiGate or a third-party device.
• FortiAuthenticator RSSO to FSSO: RSSO accounting messages are converted to FSSO updates and
distributed to all FortiGate devices configured as FSSO clients on FortiAuthenticator.

Now, you will look at each of the three methods in more detail.

LAN Edge 7.6 Architect Study Guide 59

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate RSSO
• RADIUS accounting messages are sent directly to FortiGate
• FortiOS supports RADIUS start, stop, and interim update messages

Filtered traffic flows

User logs in

RADIUS start record sent

RADIUS

© Fortinet Inc. All Rights Reserved. 28

FortiOS supports the use of RADIUS update messages to authenticate and manage active users
transparently. These messages are sent by RADIUS clients to report user session details such as start time,
stop time, interim updates, and other relevant session information.

• RADIUS start message: sent when a user session begins, indicating the start of the session and providing
initial details such as the username, IP address, and session ID
• RADIUS stop message: sent when a user session ends, providing details about the session duration, data
usage, and reason for session termination
• RADIUS interim update message: sent periodically during an active session to provide updates on session
status, including data usage and session duration

You can configure FortiGate to receive and use these messages.

LAN Edge 7.6 Architect Study Guide 60

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate Configuration for RSSO
• Configure interface to receive RADIUS accounting records Network > Interfaces

• Configure RSSO agent

• Create user group with RADIUS Attribute Value
Security Fabric > External Connectors

Use the FortiGate CLI to configure

additional options for RSSO agent

config user radius

edit “RSSO Agent"
set rsso enable
set rsso-radius-response enable
set rsso-validate-request-secret enable
set rsso-secret ENC ****
set rsso-endpoint-attribute User-Name
set sso-attribute Class
User & Authentication > User Groups
RADIUS attribute User-Name

RADIUS attribute Class

© Fortinet Inc. All Rights Reserved. 29

You must perform a few configuration steps to enable RSSO on FortiGate. First, you must enable RADIUS
Accounting in the Administrative Access section on the FortiGate interface where you expect to receive
RSSO messages. Then, you must click Security Fabric > Fabric Connectors, define an RSSO agent, and
configure it with a unique name and RADIUS shared secret that matches the one configured on the RADIUS
accounting server. This enables a form of authentication between the RSSO agent (FortiGate) and the
RADIUS accounting server (or RSSO server). You also must create an RSSO user group locally on FortiGate.
In the RSSO user group, you must set the RADIUS Attribute Value, which is used for user group matching.
You can then use the RSSO user groups on a firewall policy to enable access for RSSO users.

RSSO user group matching works as follows:

1. When FortiGate receives the RADIUS accounting message, FortiGate checks the value for the attribute
set as sso-attribute in the RSSO agent configuration. In the example shown on this slide, the sso-
attribute is set to Class.
2. FortiGate checks its local RSSO user groups. If the value of the Class attribute contained in the
accounting message matches the value set as the RADIUS Attribute Value in the RSSO user group,
then FortiGate associates the RADIUS user with the RSSO user group. In the example shown on this
slide, the configured RADIUS Attribute Value is IT.

In addition, FortiGate extracts the username from the attribute set as rsso-endpoint-attribute. In the
example shown on this slide, the attribute is set to User-Name.

LAN Edge 7.6 Architect Study Guide 61

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator RSSO to FortiGate RSSO
• RADIUS accounting through FortiAuthenticator RADIUS accounting proxy to FortiGate

Filtered traffic flows

User logs in User, IP address,

and group sent
through RSSO

Active Directory server

RADIUS start record sent Group lookup
RADIUS

© Fortinet Inc. All Rights Reserved. 30

FortiAuthenticator supports the use of RADIUS start, stop, and interim update messages to authenticate and
manage active users transparently. It receives RADIUS accounting messages, performs lookups against the
LDAP server for group membership, and then forwards the RADIUS message to the FortiGate RSSO agent.
This is useful when group membership information is handled by Active Directory, or when the RADIUS
server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.

LAN Edge 7.6 Architect Study Guide 62

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator Configuration for RSSO
• Configure interface to receive RADIUS accounting start and stop messages
• Select Enable RADIUS Accounting SSO Clients
1 Network > Interfaces 2 Fortinet SSO Methods > SSO > General

Authentication > RADIUS Service > Services

For RADIUS SSO login

information
Change ports for RADIUS
accounting messages if
needed

© Fortinet Inc. All Rights Reserved. 31

Use the steps on this slide and the next to configure FortiAuthenticator when you want to implement a
FortiAuthenticator RSSO-to-FortiGate FSSO solution:

1. Enable RADIUS Accounting SSO on the interface that will receive RADIUS accounting start and stop
messages.
2. Turn on Enable RADIUS Accounting SSO clients.

When you enable RADIUS Accounting SSO, FortiAuthenticator starts to listen on UDP port 1813 by default
for incoming RADIUS accounting start and stop messages. The attributes on these messages are then used
by FortiAuthenticator to create SSO sessions that can be shared with registered FortiGate devices through
FSSO.

If you want FortiAuthenticator to track data and time usage for the RADIUS SSO users, then you must enable
RADIUS Accounting Monitor on the interface. When you enable this option, FortiAuthenticator starts to
listen by default on UDP port 1646 for incoming RADIUS accounting interim messages containing the user
data and time usage information.

Note that you can change the default ports for both RADIUS Accounting SSO and RADIUS Accounting
Monitor services if required. However, by design, FortiAuthenticator uses separate ports for each service.

LAN Edge 7.6 Architect Study Guide 63

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator Configuration for RSSO (Contd)
• Configure RADIUS server as RADIUS accounting proxy source
• Configure rule sets with required RADIUS attributes
• Add FortiGate as the RADIUS accounting proxy destination
3 Fortinet SSO Methods > Accounting Proxy > Sources

RADIUS server IP address

5 Fortinet SSO Methods > Accounting Proxy > Destination

4 Fortinet SSO Methods > Accounting Proxy > Rule Sets

FortiGate IP address

© Fortinet Inc. All Rights Reserved. 32

3. Configure the RADIUS server as a RADIUS accounting proxy source.

4. Configure rule sets with the required RADIUS attributes.

Select Add for a new attribute, and then click Browse to select the attribute. FortiAuthenticator uses the
RADIUS attribute set as Username to perform an LDAP search on the selected LDAP server, and to retrieve
group membership information. FortiAuthenticator then adds the attribute set as Attribute to the accounting
messages it forwards to FortiGate.

In the example shown on this slide, rule number 1 instructs FortiAuthenticator to add the attribute Class to
the accounting message forwarded to FortiGate. The Class attribute contains the user groups retrieved from
the LDAP server for the username set as User-Name attribute in the RADIUS accounting message received
by FortiAuthenticator.

5. Add FortiGate as the RADIUS accounting proxy destination.

This is the target for the translated accounting message. Usually, this is the FortiGate device you want to send
the accounting messages to, but it can be any RADIUS server configured to listen for accounting messages.
Make sure you assign the rule set and source correctly.

Note that the FortiGate configuration is the same as described on the slide titled FortiGate Configuration for
RSSO.

LAN Edge 7.6 Architect Study Guide 64

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator RSSO to FSSO
• RADIUS accounting through FortiAuthenticator to FortiGate
• FortiAuthenticator supports use of RADIUS start, stop, and update messages

Filtered traffic flows

User logs in User, IP address, and

group sent through FSSO

Active Directory Server

RADIUS Start Record sent Group lookup
RADIUS

© Fortinet Inc. All Rights Reserved. 33

FortiAuthenticator supports the use of RADIUS start, stop, and interim update messages to authenticate and
manage active users transparently. It receives RADIUS accounting messages, performs lookups against the
LDAP server for group membership, and then populates its FSSO cache with the correct information. This
information is then sent to FortiGate as an FSSO login. This is useful when group membership information is
handled by Active Directory, or when the RADIUS server is business-critical IT infrastructure, limiting the
changes that can be made to the server configuration.

LAN Edge 7.6 Architect Study Guide 65

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAuthenticator Configuration for RSSO to FSSO
• Configure interface to receive RADIUS accounting messages
• Select Enable RADIUS Accounting SSO clients
• Configure RADIUS Accounting SSO Client
Fortinet SSO Methods > SSO > General Fortinet SSO Methods > SSO > RADIUS Accounting Sources

Required attributes

© Fortinet Inc. All Rights Reserved. 34

You can convert RSSO messages to FSSO using FortiAuthenticator. This can be very useful in environments
that have multiple FortiGate devices deployed. FortiAuthenticator can distribute FSSO events to all FortiGate
devices that have been configured to receive FSSO updates in the network.

Use the following steps to configure FortiAuthenticator for FSSO:

1. Configure the interface to receive RADIUS accounting messages.

2. Select Enable RADIUS Accounting SSO Clients.
3. Configure the RADIUS Accounting SSO Client.

You must select the LDAP server from the drop-down field if you want to validate remote users using a back-
end LDAP server. FortiAuthenticator can retrieve group memberships from the LDAP server to verify that the
RSSO user account resides on the LDAP server. You can also categorize the user as External, which means
that the user account is not expected to be configured in the local or remote database. The RADIUS
Username attribute (default User-Name) and Client IPv4 attribute (default Framed-IP-Address) fields are
required. The User group attribute field is not required.

LAN Edge 7.6 Architect Study Guide 66

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate Configuration for FSSO
• Configure the FSSO agent
• Create user groups and add members/groups
• Configure authentication in firewall policies
Security Fabric > External Connectors

User & Authentication > User Groups

FortiAuthenticator IP address

© Fortinet Inc. All Rights Reserved. 35

You must configure FSSO on FortiGate to receive the FSSO updates from FortiAuthenticator. First, you
configure a Fortinet Single Sign-On Agent in External Connectors. Then, you can pull or create an FSSO
user group, and assign remote members to the group. You can then refer to the FSSO user group on a
firewall policy to provide network access to FSSO users.

LAN Edge 7.6 Architect Study Guide 67

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Monitor SSO Users
• FortiAuthenticator monitor shows user logged in through Radius Accounting source
Monitor > SSO > SSO Sessions

• FortiGate monitor confirms RSSO user has been authenticated as FSSO user on FortiGate
Dashboard > User & Devices > Firewall Users

FortiGate # diagnose debug authd fsso list

----FSSO logons----
IP: 10.0.1.10 User: STUDENT Groups:
CN=STUDENT,CN=USERS,DC=TRAININGAD,DC=TRAINING,DC=LAB+CN=SSLVPN,CN=USERS,DC=TRAININGAD,DC=TRAINING,DC=LAB+C
N=PKIGRP,CN=USERS,DC=TRAININGAD,DC=TRAINING,DC=LAB+CN=USERS,CN=BUILTIN,DC=TRAININGAD,DC=TRAINING,DC=LAB+CN
=DOMAIN USERS,CN=USERS,DC=TRAININGAD,DC=TRAINING,DC=LAB Workstation: 10.0.1.10 MemberOf: FSSO Group
CN=SSLVPN,CN=USERS,DC=TRAININGAD,DC=TRAINING,DC=LAB CN=PKIGRP,CN=USERS,DC=TRAININGAD,DC=TRAINING,DC=LAB
CN=USERS,CN=BUILTIN,DC=TRAININGAD,DC=TRAINING,DC=LAB CN=DOMAIN
USERS,CN=USERS,DC=TRAININGAD,DC=TRAINING,DC=LAB
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----

© Fortinet Inc. All Rights Reserved. 36

While the FortiAuthenticator Monitor page records that the user logged in through a Radius Accounting
source, you can confirm that the user was authenticated on FortiGate using the Fortinet Single Sign-On
method by looking at the Firewall Users widget.

You can also confirm this by running the diagnose debug authd fsso list command.

LAN Edge 7.6 Architect Study Guide 68

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiGate PKI Users

© Fortinet Inc. All Rights Reserved. 37

In this section, you will learn how to create PKI users on FortiGate.

LAN Edge 7.6 Architect Study Guide 69

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Local PKI Users
Name of the certificate for
config user peer the CA issuing the user
edit <user name> certificate (must be imported
into FortiGate first)
ca <CA_certificate_name>
subject <certificate_name_constraints>
cn <certificate_common_name>
Enable for two-factor
cn-type [string | email | FQDN | ipv4 | ipv6] authentication (certificate
two-factor [enable | disable] + password)

passwd [password_for_two_factor_authentication]
next
end Password for two-
factor authentication

© Fortinet Inc. All Rights Reserved. 38

You must use the CLI to create the first PKI user. After you create the first PKI user, and as long as there is at
least one PKI user, the menu option to create and administrate more PKI users will appear on the GUI.

This slide shows the CLI commands for creating a PKI user. One of the most important settings (ca) defines
the digital certificate of the CA that signed the end-entity certificate for this PKI user. This CA certificate must
have been installed previously on FortiGate.

You can combine certificate-based authentication with user credentials to offer two-factor authentication. After
you enable two-factor authentication for a PKI user, you must add the PKI user password.

LAN Edge 7.6 Architect Study Guide 70

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Authorizing PKI Users Using Principal Name
• FortiGate can use LDAP to validate the information in the certificate UPN field
• Authentication fails if no valid user has a UPN that matches the UPN in the certificate

© Fortinet Inc. All Rights Reserved. 39

On some occasions, the user certificate might include the UPN, which is a user attribute in Windows AD that
you can use to identify the user. You can configure FortiGate to use LDAP to validate this field against a
Windows AD server. The authentication fails if no valid user has a UPN that matches the user certificate.

LAN Edge 7.6 Architect Study Guide 71

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Authorizing PKI Users Using UPN
config user peer
edit “student” Enable UPN checking
set ldap-mode principal-name
ca CA_Cert_1
To match subject name on user certificate
subject student
cn trainingad.training.lab Certificate common name

cn-type string It can be string, email, FQDN, ipv4, ipv6

set ldap-server “Training-Lab

next
end Name of the LDAP server

© Fortinet Inc. All Rights Reserved. 40

To configure FortiGate to check the UPN in a user certificate, you must change the ldap-mode setting to
principal-name. Additionally, you must enter the name of the LDAP server previously configured on
FortiGate that will be used to validate the UPN.

LAN Edge 7.6 Architect Study Guide 72

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Group Filtering of PKI Users
FortiGate can authorize users based on the groups that the UPN owner belongs to

Both the peer user and the

LDAP server must be added
config user group as members of the user group
edit SSLVPN
set member “student” “Training-Lab”
config match
edit 1 The user whose UPN matches
the certificate UPN must
set server-name “Training-Lab” belong to this AD group

set group-name [email protected]

end
end

© Fortinet Inc. All Rights Reserved. 41

When you configure UPN validation for a PKI user, and the UPN belongs to a valid user, FortiGate queries the
LDAP for the user groups. You can use that information to authorize access only to users that belong to
specific groups.

LAN Edge 7.6 Architect Study Guide 73

 Authentication
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Integrate FortiAuthenticator with the Fortinet Security Fabric
 Understand LDAP bind flow
 Understand RADIUS query flow
 Configure and use a CA on FortiAuthenticator
 Configure syslog SSO on FortiAuthenticator
 Configure RSSO on FortiAuthenticator
 Create PKI users on FortiGate

© Fortinet Inc. All Rights Reserved. 42

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure LDAP and RADIUS,
FortiAuthenticatior as CA, syslog SSO and RSSO authentication on FortiAuthenticator.

LAN Edge 7.6 Architect Study Guide 74

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Centralized Management

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn about FortiSwitch, FortiExtender, and FortiAP management on FortiManager.

LAN Edge 7.6 Architect Study Guide 75

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Review FortiManager key features
• Describe FortiGate registration on FortiManager
• Explore FortiSwitch Manager
• Explore AP Manager
• Explore Extender Manager
• Describe the zero-touch provisioning (ZTP) solution

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in centralized management, you will be able to manage FortiGate using
FortiManager, configure the FortiLink interface to manage FortiSwitch, and enable a Security Fabric
connection to manage FortiAP.

LAN Edge 7.6 Architect Study Guide 76

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiManager Overview

© Fortinet Inc. All Rights Reserved. 3

In this section, you will review FortiManager basics.

LAN Edge 7.6 Architect Study Guide 77

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
What Is FortiManager?
• Single-pane-of-glass management
• Minimizes both initial costs and ongoing operating expenses for large deployments
• Helps maintain regulatory compliance
• Reduces WAN usage with local FortiGuard cache server
• Provides centralized device management for many Fortinet devices, including
FortiSwitch and FortiAP
• Automates mass device provisioning and maintains policies
• Provides logging and reporting

© Fortinet Inc. All Rights Reserved. 4

When should you use FortiManager in your network?

In large enterprises and managed security service providers (MSSPs), the size of the network introduces
challenges that smaller networks don’t have: mass provisioning; scheduling rollout of configuration changes;
and maintaining, tracking, and auditing many changes.

Centralized management through FortiManager can help you more easily manage many deployment types
with many devices, and to reduce the cost of operation.

What can FortiManager do?

• Provision firewall policies across your network.

• Act as a central repository for configuration revision control and security audits.
• Centrally manage FortiSwitch and FortiAP devices.
• Act as a private FortiGuard Distribution Server (FDS) for your managed devices.
• Script and automate device provisioning, policy changes, and more, with JSON APIs.

LAN Edge 7.6 Architect Study Guide 78

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Device Manager—Methods of FortiGate Registration
• Method 1: Device registration wizard
1. On FortiManager, use the device registration wizard to register FortiGate
2. If the FortiGate model is supported and the details are correct, FortiManager registers the device
• Method 2: Request from FortiGate device
1. On FortiGate, request registration by adding FortiManager
2. The FortiManager administrator accepts (or denies) the request
• During registration, FortiManager and FortiGate establish a secure tunnel on TCP port
541
• After FortiGate registration, managed FortiSwitch and FortiAP devices are shown on
FortiSwitch Manager and AP Manager

© Fortinet Inc. All Rights Reserved. 5

There are two ways you can register a FortiGate device using FortiManager.

The first method involves the FortiManager device registration wizard. If the FortiGate device is supported and
all the details of the device are correct, FortiManager registers the device. This method is the one used in the
lab, and you'll learn more about this method in this lesson.

The second method involves a request for registration from the FortiGate device. This happens after you add
FortiManager on the FortiGate GUI. Then, when the FortiManager administrator receives the registration
request, the request is accepted (though it can be denied).

During device registration, FortiManager and FortiGate create a secure tunnel on TCP port 541. The tunnel is
used for checking device status and configuration, as well as configuration installation.

After FortiGate is registered on FortiManager, any FortiSwitch or FortiAP devices that are managed by that
FortiGate device are displayed on the FortiSwitch Manager and AP Manager panes, respectively.

LAN Edge 7.6 Architect Study Guide 79

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Device Manager—Level Settings
• Device-level settings can be viewed or
configured for individual managed
devices

© Fortinet Inc. All Rights Reserved. 6

To configure the device-level settings of your FortiGate devices, select the device or VDOM in the Device
Manager. In the example shown on this slide, the FortiGate device named FortiGate is selected.

You can view and configure the device-level settings of a managed FortiGate on the toolbar at the top of the
dashboard. This enables you to view or configure interfaces, high availability (HA), DNS, and log settings, to
name a few. To configure or view routes, click Network > Static Route.

In the example shown on this slide, a new static route is created.

Most of the settings that you see in this example have a one-to-one correlation with the device configuration
that you would see if you logged in locally using the FortiGate GUI or CLI.

LAN Edge 7.6 Architect Study Guide 80

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Policy & Objects—Policy Packages
• Policy & Objects > Policy Packages
• Create firewall policies in policy packages
Expand the policy package name, and then click
Firewall Policy to view the policies it contains

Firewall policy-dependent objects

Showing policies for FortiGate_root policy package

© Fortinet Inc. All Rights Reserved. 7

If you want to edit the firewall policies and dependent objects on FortiManager, click Policy & Objects.

FortiManager organizes firewall policies in policy packages. You can then customize the policy packages for
each device or VDOM, or apply a single policy package for multiple devices that require the same set of
firewall policies.

LAN Edge 7.6 Architect Study Guide 81

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Device Manager—Install Wizard
• Installs settings on one or more FortiGate devices
• Two options on the Install Wizard
Install Device Settings (only) Install Policy Package & Device Settings
• Install only device settings for a select • Install a selected policy package
set of devices • Any device-specific settings for devices
• Policy and object changes are not associated with the package are also
installed installed

• Launch the Install Wizard from Device Manager

• Select Install Device Settings (only) or Install Policy Package & Device Settings

© Fortinet Inc. All Rights Reserved. 8

After you configure the FortiGate device-level settings and firewall policies on FortiManager, the changes do
not take immediate effect—you must install the changes on FortiGate by using the Install Wizard on Device
Manager.

During installation, you must choose between two different installation types. If you choose Install Device
Settings (only), the wizard installs only device-level configuration changes made from FortiManager. If you
have made changes to the device-level configuration and policies in the policy packages, you can choose
Install Policy Package & Device Settings, which installs policy package changes and any device-level
settings.

In the example shown on this slide, Install Policy Package & Device Settings is selected, meaning you
must also select a policy package to install in the Policy Package field.

LAN Edge 7.6 Architect Study Guide 82

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Switch Controller

© Fortinet Inc. All Rights Reserved. 9

In this section, you will learn how to enable the switch controller feature.

LAN Edge 7.6 Architect Study Guide 83

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Enabling the Switch Controller
• Supported by most FortiGate models
• To enable the switch controller on FortiGate (enabled by default on most models):
config system global
set switch-controller enable
end

• To enable the switch controller GUI on FortiGate (enabled by default):

config system settings
set gui-switch-controller enable
end

© Fortinet Inc. All Rights Reserved. 10

By default, the switch controller feature is enabled on most FortiGate models. On FortiGate VM models,
however, it is not enabled by default, but you can enable it by running the CLI commands shown on this slide.

After you enable the switch controller feature, the related switch controller settings appear on the GUI by
default. If the GUI settings are not shown, make sure gui-switch-controller is enabled in the system
settings.

LAN Edge 7.6 Architect Study Guide 84

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiLink Interface—FortiGate GUI
WIFI & Switch Controller > FortiLink Interface
FortiLink interface status
Add at least one LAG member
(no members by default)
LAG interface by default

FortiLink interface IP address

Useful when connecting two or more
switches (one uplink per switch)

Automatically authorize new

DHCP settings
devices

© Fortinet Inc. All Rights Reserved. 11

All FortiGate devices come with a factory default FortiLink interface in the root VDOM dedicated to
communication between the switch controller (FortiGate) and the managed switches. By default, the interface
is created as a link aggregation group (LAG) interface.

The FortiLink interface comes with no LAG members by default. Therefore, you must add at least one
member to the FortiLink LAG interface and assign an IP address to it. FortiGate then uses the configured IP
address and netmask to configure a DHCP scope for assigning IP addresses and other network parameters
to managed switches.

By default, you must authorize the switches discovered by FortiGate before being able to manage them.
Alternatively, you can enable Automatically authorize devices to automatically authorize discovered
switches.

In addition, FortiLink split interface is enabled by default. If a FortiLink interface has two or more members,
this option instructs FortiGate to keep only one FortiLink interface port member active. This behavior is useful
when you connect your FortiLink interface from one FortiGate device to two or more switches, and the
switches do not support a multichassis link aggregation group (MCLAG) or no MCLAG has yet been
configured. Under this scenario, you lose management to one or more switches if the FortiLink split interface
is disabled. You will learn more about FortiLink in another lesson.

LAN Edge 7.6 Architect Study Guide 85

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiLink Interface—FortiManager
Device Manager > Device & Groups > Managed FortiGate > Device > Network > Interfaces
FortiLink interface Add at least one LAG member
(no members by default)
LAG interface (varies among
FortiGate models)

FortiLink interface IP address

DHCP settings

© Fortinet Inc. All Rights Reserved. 12

You can also edit the FortiLink interface on FortiManager by accessing the device interface settings on
Device Manager.

The layout and options available on FortiManager are very similar to the ones displayed by the FortiGate GUI.
The option Automatically authorize devices you see on FortiGate is not available on FortiManager, but you
can use scripts or CLI-only objects to configure the setting.

LAN Edge 7.6 Architect Study Guide 86

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiSwitch Manager

© Fortinet Inc. All Rights Reserved. 13

In this section, you will learn about the FortiSwitch Manager pane, which enables you to manage FortiSwitch
devices on FortiManager.

LAN Edge 7.6 Architect Study Guide 87

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiSwitch Manager
• Enables management of FortiSwitch devices that are managed by authorized FortiGate
devices

• Two management modes:

• Central management (default)
• Useful for deploying multiple switches with the same configuration
• Per-device management
• Useful for deploying multiple switches with different configurations

© Fortinet Inc. All Rights Reserved. 14

FortiGate can act as a switch controller, which enables you to manage FortiSwitch devices from FortiGate
rather than having to individually access each FortiSwitch for management purposes.

On FortiManager, when you register a FortiGate device acting as a switch controller, the FortiSwitch devices
that are discovered by FortiGate are also used by FortiManager and displayed on the FortiSwitch Manager
pane.

FortiSwitch Manager enables you to centrally manage FortiSwitch devices discovered by all authorized
FortiGate devices on FortiManager. Instead of accessing each FortiGate device to manage its FortiSwitch
devices, you can manage all FortiSwitch devices controlled by all FortiGate devices from a single pane on
FortiManager. This can considerably reduce the operating expenses for your network, especially for large
networks that have tens or hundreds of switches deployed.

FortiSwitch Manager supports two management modes: central management and per-device management. In
central management mode (default mode), you maintain templates and assign them to FortiSwitch devices.
Central management mode is convenient for deploying multiple devices that use the same configuration. In
per-device management mode, you apply settings and profiles to individual FortiSwitch devices, which
enables you to deploy sites that use different configurations.

LAN Edge 7.6 Architect Study Guide 88

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiSwitch Manager—Central Management
FortiSwitch Template
• Default mode Site1-Core1 Core

• FortiSwitch devices are assigned Site1-Core2

Site2-Core1
Core
Core
with a template Site2-Core2 Core

• Ideal for deploying multiple Site1-Access1

Site2-Access1
Access
Access
switches with the same
configuration
• A change in the template affects all
switches using that template

© Fortinet Inc. All Rights Reserved. 15

Central management mode is the default mode used by FortiSwitch Manager. You first configure a template
and then assign it to one or more FortiSwitch devices that require the same deployment. You make
configuration changes on the template, instead of on the individual FortiSwitch devices. Changes made on a
single template result in a configuration change on multiple devices. For this reason, central management
mode is best suited for deployments that use the same configuration on all FortiSwitch devices.

A FortiSwitch template is specific to a FortiSwitch model and, therefore, different switch models require
different templates.

In the example shown on this slide, Site 1 and Site 2 have identical network topologies. FortiManager is
configured with two FortiSwitch templates: core and access. The core template is assigned to devices acting
as a core switch on Site 1 and Site 2, while the access template is applied to devices acting as access
switches. The result is that you can manage six switches across two sites with only two templates. If you need
to deploy more identical sites, you can continue to use the same existing templates, resulting in even greater
scalability.

LAN Edge 7.6 Architect Study Guide 89

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Central Management—Managed Switches
FortiSwitch Manager > Managed FortiSwitches > Managed FortiGate Status summary

Right-click for Switch information

Select the FortiGate device
controlling the switches more options

© Fortinet Inc. All Rights Reserved. 16

When you access the FortiSwitch Manager pane, the Managed FortiSwitches page opens by default. This
page displays a table containing all the switches discovered by all FortiGate devices registered on
FortiManager. For each authorized switch, the page displays its name, serial number, model (or platform), the
current status, the FortiLink interface used (on the controlling FortiGate), the controlling FortiGate and VDOM,
the IP address it is connected through, OS version, and join time. This is the same information that you would
see on the FortiGate GUI for a switch.

On the middle menu, click Managed FortiGate if you want to view all switches discovered by all FortiGate
devices. Otherwise, click the FortiGate device that controls the switches you want to view. The page lists all
discovered FortiSwitch devices, including those that have not been authorized. Each switch displays an icon
to the left of its name that reports its current status, which is obtained by FortiManager by polling FortiGate
REST API every three minutes. The different statuses mean:

• Online: The switch is authorized and the management link with FortiGate is up.
• Offline: The switch is authorized but the management link with FortiGate is down.
• Unauthorized: The switch has been discovered by FortiGate, but it has not been authorized.
• Unknown: The switch is authorized but its status cannot be determined. This is usually the case when the
controller (FortiGate) is also offline.

When you right-click a switch, a menu with additional management actions, such as switch authorization or
firmware upgrade, is displayed.

LAN Edge 7.6 Architect Study Guide 90

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Central Management—Managed Switches—Monitors
FortiSwitch Manager > Managed FortiGate

Port connected for FortiLink

Hover over connections or ports to get details interface interface

FortiGate information

Management connection
(FortiLink interface)
© Fortinet Inc. All Rights Reserved. 17

When you click the More tab on the Managed FortiGate page, you can click Topology to view the block-
style topology representation of the connected FortiSwitch devices. On the topology, you can hover over
connection links or ports to get more details.

Another monitor tool you can click on is Faceplates. Faceplates displays a diagram of the management
connection between FortiGate and its controlled FortiSwitch devices. It also displays the status of each port
on the managed switches. The FortiGate interface used for managing switches is called FortiLink. FortiLink is
also the name of one of the protocols used by FortiGate for switch management. The protocol operates over
the switch uplink connected to FortiGate, and between switches for switch discovery. You will learn more
about FortiLink in another lesson. On the diagram, the switch port connected to the FortiLink interface is
circled in black (port24 in the example shown on this slide).

Both monitor tools display some information about the FortiGate device controlling the switch. The information
includes the serial number, management IP address, and the VDOM and FortiLink interface names. In the
example of faceplates shown on this slide, the FortiLink interface name is fortilink and it belongs to the root
VDOM. Also note that the FortiGate management IP address refers to the IP address that FortiManager uses
to communicate with FortiGate through the secure tunnel on TCP port 541.

LAN Edge 7.6 Architect Study Guide 91

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Central Management—FortiSwitch Templates
FortiSwitch Manager > FortiSwitch Templates > FortiSwitch Template Select FortiSwitch model

Change switch port

configuration

VLANs and other switch

objects configuration

Select FortiGate and

FortiSwitch
© Fortinet Inc. All Rights Reserved. 18

The FortiSwitch Templates section is where you configure the templates, VLANs, and other switch object
configurations for FortiSwitch devices. You can create a new template from scratch by clicking FortiSwitch
Template on the left menu, then clicking Create New, and then selecting the FortiSwitch model the template
will be based on. After you select the FortiSwitch model, FortiManager automatically populates the template
with the ports available in the selected switch model. In addition, FortiManager assigns a default configuration
to each switch port, which you can then change to suit your needs.

Another way to create a template is by importing its settings from the current configuration on a switch. This
option is useful when you want to build your template from the existing configuration on a production switch,
and then apply that configuration to other switches that require the same setup. To import a template, click
Import, and then select the FortiGate device and the switch you want to import the template settings from.

Before you create the template, you may want to configure the objects used by the template:
• VLAN: A FortiSwitch VLAN is a FortiGate VLAN interface bound to the FortiLink interface. The VLANs can
then be selected as the native VLAN and allowed VLANs on a switch port.
• Security Profiles: FortiSwitch supports 802.1X authentication. You configure the 802.1X authentication
policy in a security profile, and then assign the security profile to a switch port in the template.
• LLDP Profiles: FortiSwitch supports Link Layer Discovery Protocol (LLDP) and its extension LLDP for
Media Endpoint Discovery (LLDP-MED). An LLDP profile enables you to configure the type-length-values
(TLV) to advertise on a port, as well as the LLDP-MED network policy used for auto VLAN configuration on
endpoints (usually phones).
• QoS Policy: FortiSwitch supports QoS policies, which enable you to classify and mark packets entering a
port for egress priority queuing purposes.
• Custom Command: Some FortiSwitch settings and diagnostic commands are available on the FortiSwitch
device only by creating custom commands.

LAN Edge 7.6 Architect Study Guide 92

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiSwitch Manager—Per-Device Management
FortiSwitch Device Settings
• Configuration is maintained on a Site1-Core1 Site1-Core1
per-device basis Site1-Core2 Site1-Core2
Site2-Core1 Site2-Core1
• Ideal for deploying switches with Site2-Core2 Site2-Core2
different configurations Site1-Access1 Site1-Access1

• A change in the switch configuration Site2-Access1 Site2-Access1

affects only that switch

© Fortinet Inc. All Rights Reserved. 19

Per-device management is the alternative mode available for FortiSwitch Manager. Unlike central
management mode, in which you configure templates, in per-device management mode you configure
FortiSwitch devices in the same way you would if you were configuring them on the FortiGate GUI.

The advantage of per-device management mode is that you can configure each switch differently. This makes
it an ideal option when you need to deploy switches that don’t necessarily require the same setup. In addition,
because FortiManager maintains separate device settings for each switch, any changes made on a switch
affect only that switch.

LAN Edge 7.6 Architect Study Guide 93

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiSwitch Manager—Per-Device Management (Contd)
• Clear the FortiSwitch option in ADOM settings to enable per-device management
System Settings > ADOMs > Your ADOM

Clear to enable per-device

management mode

© Fortinet Inc. All Rights Reserved. 20

Central management mode is the default FortiSwitch Manager mode in an ADOM. ADOMs enable you to
create groupings of devices for administrators to monitor and manage. The purpose of ADOMs is to divide
administration of devices by ADOM and to control (restrict) administrator access.

To enable per-device management, you edit the settings of the ADOM you manage your FortiSwitch devices
on, and you clear the FortiSwitch checkbox.

In the example shown on this slide, FortiSwitch has been cleared on the root ADOM.

LAN Edge 7.6 Architect Study Guide 94

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Per-Device Management—Managed Switches
FortiSwitch Manager > Managed FortiSwitches > Managed FortiGate

© Fortinet Inc. All Rights Reserved. 21

After you enable per-device management mode, you can click Ports Configuration to edit the port
configuration of a switch instead of assigning a template to it. Also, the template column is no longer shown as
part of the information displayed for a switch.

In addition, the FortiSwitch Manager pane shows a FortiSwitch profile tab. You can use this tab for CLI
Configurations, to access settings that are not available to configure directly within the FortiSwitch Manager.

The Ports Configuration page displays all the ports available on the switch.

LAN Edge 7.6 Architect Study Guide 95

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Per-Device Management—FortiSwitch Profiles

FortiSwitch Manager > Managed FortiSwitches > VLAN

VLANs

CLI-only objects

© Fortinet Inc. All Rights Reserved. 22

The FortiSwitch Profiles section is where you can configure additional switch objects. When compared to
the FortiSwitch templates section, you find the same configuration objects plus NAC Policy.

Network access control (NAC) policies enable you to assign a VLAN and other settings to ports that connect
to devices matching a specific criterion such as the MAC address, OS, or type. The purpose is to
automatically configure a switch port with the correct settings based on the type of device connected.

In addition, you can configure additional CLI-only objects on the switch by clicking the CLI Configurations
option.

LAN Edge 7.6 Architect Study Guide 96

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

AP Manager

© Fortinet Inc. All Rights Reserved. 23

In this section, you will learn about the AP Manager pane, which enables you to manage FortiAP devices on
FortiManager.

LAN Edge 7.6 Architect Study Guide 97

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Manager
• Enables management of FortiAP devices that are managed by authorized FortiGate
devices

• Two management modes:

• Central management (default)
• A set of Wi-Fi profiles are maintained to manage all access points (AP)
• Per-device management
• Each FortiGate has its local set of Wi-Fi profiles

© Fortinet Inc. All Rights Reserved. 24

The AP Manager pane enables you to centrally manage FortiAP devices discovered by all authorized
FortiGate devices on FortiManager.

AP Manager is very similar to FortiSwitch Manager. For example, AP Manager supports two management
modes: central management and per-device management. In central management mode (default mode), you
maintain a set of shared Wi-Fi profiles and assign them to FortiAP devices, which makes it an ideal mode for
deploying multiple devices that use the same configuration. In per-device management mode, each FortiAP
has its own set of Wi-Fi profiles, which are not shared with other APs.

Because the information displayed and the options available in AP Manager are very similar to the ones in
FortiSwitch Manager, this lesson focuses on the differences.

LAN Edge 7.6 Architect Study Guide 98

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Manager—Central Management
• Default mode
• FortiAP devices are assigned with
Shared Wi-Fi profiles:
a shared Wi-Fi profile Outdoor
• Ideal for deploying multiple APs Indoor
AP-default
with the same configuration
• A change in the shared Wi-Fi profile AP AP
affects all APs using that profile FGT1 FGT2

• Different AP models require

different Wi-Fi profiles

Same AP model

© Fortinet Inc. All Rights Reserved. 25

Central management mode uses shared Wi-Fi profiles to deploy the configuration to controlled APs. Changes
made on a Wi-Fi profile result in a configuration change on multiple APs.

A Wi-Fi profile is specific to a FortiAP model and, therefore, different AP models require different Wi-Fi
profiles.

In the example shown on this slide, the two APs are the same model and are deployed with the same shared
Wi-Fi profile.

LAN Edge 7.6 Architect Study Guide 99

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Central Management—Managed APs
Status summary
AP Manager > Managed FortiAPs > Managed FortiGate

Select the FortiGate device Right-click for

controlling the APs more options Shared Wi-Fi
profile assigned
Wireless clients
connected

View rogue APs

© Fortinet Inc. All Rights Reserved. 26

The example on this slide shows the managed APs on the AP Manager pane when using the central
management mode.

It shows wireless-related information, such as SSIDs, Channel, Clients, and AP Profile. It also displays the
status for each AP, but, unlike FortiSwitch Manager, there is no Unknown status. The other statuses (Online,
Offline, Unauthorized) have the same meaning as in FortiSwitch Manager.

In addition, you can access the AP Manager pane to view Rogue APs as well as the number of wireless
clients connected (Client Connected).

When you right-click an AP, a menu with more management actions is displayed.

LAN Edge 7.6 Architect Study Guide 100

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Manager—Per-Device Management
• Each FortiGate maintains its own
set of Wi-Fi profiles - FGT1 Wi-Fi profiles: - FGT2 Wi-Fi profiles:
• Wi-Fi profiles are not shared with Conference room Lab
other FortiGate and FortiAP devices Test Gym
Office School
• Same settings in central
management are available
AP AP
FGT1 FGT2

© Fortinet Inc. All Rights Reserved. 27

Per-device management mode supports the same configuration options as in central management mode. The
only difference is that in per-device management mode, FortiManager maintains a set of Wi-Fi profiles for
each wireless controller (FortiGate), instead of having a set of profiles that are shared among all APs
controlled by all FortiGate devices.

In the example shown on this slide, FortiManager maintains three different Wi-Fi profiles for each FortiGate
device, and one of those profiles is applied to the controlling AP.

LAN Edge 7.6 Architect Study Guide 101

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Manager—Per-Device Management (Contd)
• Clear the FortiAP checkbox in ADOM settings to enable per-device management
System Settings > All ADOMs > Your ADOM

Clear to enable per-device

management mode

© Fortinet Inc. All Rights Reserved. 28

To enable per-device management, edit the settings of the ADOM you manage your FortiAP devices on, and
clear the FortiAP checkbox.

LAN Edge 7.6 Architect Study Guide 102

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Per-Device Management—Managed APs
AP Manager > Managed FortiAPs > Managed FortiGate

Select the FortiGate device

to edit the Wi-Fi profile on

© Fortinet Inc. All Rights Reserved. 29

In per-device management mode, all tabs look the same as in central management mode. The difference is
the addition of the menu options like the Operation Profiles tab. Click this tab to edit the FortiAP Profiles on
the selected FortiGate device.

The example on this slide shows only one FortiGate device. When there are multiple FortiGate devices, you
see a set of Wi-Fi profiles for each managed FortiGate.

LAN Edge 7.6 Architect Study Guide 103

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Extender Manager

© Fortinet Inc. All Rights Reserved. 30

In this section, you will learn about the Extender Manager pane, which enables you to manage FortiExtender
devices on FortiManager.

LAN Edge 7.6 Architect Study Guide 104

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Extender Manager
• Extender Manager enables the centralized configuration, monitoring, and management
of multiple FortiExtender devices across distributed locations from a single FortiManager
interface

• Extender Manager assists on:

• Managed extenders
• Extender profiles
• Data plans

© Fortinet Inc. All Rights Reserved. 31

As explained previously, FortiExtenders are devices that play a role in LAN Edge that extends network
connectivity by providing 4G/5G LTE wireless WAN connections.

The Extender Manager module on FortiManager provides a centralized platform for managing and monitoring
FortiExtenders, simplifying tasks such as firmware updates.

Through the Extender Manager you can:

• Manage extenders: allows administrators to handle various aspects of FortiExtender devices, such as
device authorization, profile assignment and firmware upgrade
• Extender profiles: allow you to configure a FortiExtender device settings remotely. Create a SIM profile and
dataplan, link them to a profile template, and then assign the template to your device.
• Data plans: helps in tracking and controlling the cellular data consumption for each FortiExtender, ensuring
that the usage stays within the limits of the subscribed mobile plan.

LAN Edge 7.6 Architect Study Guide 105

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Managed Extenders

Extender profile

Select the FortiGate device

controlling the extenders Firmware upgrade

© Fortinet Inc. All Rights Reserved. 32

The example on this slide shows the managed FortiExtender in the Extender Manager pane. This page
displays a table containing all the FortiExtenders discovered by all FortiGate devices registered on
FortiManager. The page shows info such as Model, Serial number, and FortiExtender Profile. It also
displays the status for each FortiExtender.

When you right-click a FortiExtender, a menu with more management actions is displayed.

LAN Edge 7.6 Architect Study Guide 106

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Extender Profile and Data Plan

© Fortinet Inc. All Rights Reserved. 33

FortiExtender Profile is a configuration template used within FortiManager to standardize and simplify the
management of multiple FortiExtender devices.

To configure a FortiExtender template, you must first create a data plan, and then define the SIM settings.
These elements are then incorporated into the profile template that serves as a FortiExtender blueprint. Once
the template is fully configured, you can apply it to one or more FortiExtender devices.

The Data Plan profile allows you to configure details associated with each SIM card, such as the data limits,
this allows you to monitor and control data consumption, preventing overage charges and ensuring that
devices remain within budgeted usage limits.

LAN Edge 7.6 Architect Study Guide 107

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
SD-Branch Solution

SD-Branch
• SD-Branch secure business
outcome-driven WAN
• Simplifies traditional WAN complexity
• Better cloud application performance
• 5G/LTE Wireless WAN
• Secure Connectivity protecting the
access edge
• Consolidation through convergence
of security and network access

© Fortinet Inc. All Rights Reserved. 34

SD-Branch (software-defined branch) integrates SD-WAN technology with LAN and WAN infrastructures and
security functions across distributed branch locations.

The Fortinet SD-Branch solution extends the capabilities of SD-WAN by incorporating LAN components
combining its FortiGate NGFW with FortiSwitch, FortiAP, and FortiExtender devices to deliver a unified
network architecture for branch offices.

The SD-Branch solution is designed to provide secure, high-performance, and easy-to-manage networking for
distributed branch offices that require a 5G/LTE connection as a primary or backup connection.

LAN Edge 7.6 Architect Study Guide 108

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiExtender in the SD-Branch Solution
FortiExtender

• Up to two radios
• Ethernet WAN port
• Routing capabilities
• Multiple LAN ports

© Fortinet Inc. All Rights Reserved. 35

FortiExtender plays a vital role in the SD-Branch solution by providing reliable and flexible WAN connectivity
at the branch level. FortiExtender extends the network reach by using 4G/5G LTE technology, offering primary
or backup connectivity to ensure continuous access to critical network services. In the event of a failure in the
primary wired connection, FortiExtender can seamlessly switch to the LTE network, maintaining business
operations without interruption.

Additionally, FortiExtender improves its performance by working alongside with FortiGate, FortiSwitch, and
FortiAP, allowing centralized management and policy enforcement through FortiManager.

LAN Edge 7.6 Architect Study Guide 109

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Zero-Touch Provisioning (ZTP)

© Fortinet Inc. All Rights Reserved. 36

In this section, you will learn about the ZTP solution available on FortiManager, which enables you to
configure your FortiGate and its connected devices without user intervention on the managed devices.

LAN Edge 7.6 Architect Study Guide 110

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
ZTP
• FortiGate downloads its configuration from FortiManager without user intervention
• Reduces human error
• Automates and speeds up device provisioning
• Operation
1. Administrator adds FortiGate device and applies configuration to device on FortiManager
2. FortiGate learns FortiManager IP or FQDN through DHCP
3. FortiGate contacts FortiManager
4. FortiManager identifies FortiGate by serial number (or pre-shared key)
5. FortiManager pushes configuration to FortiGate
6. FortiGate pushes configuration to connected devices (switches and APs)

DHCP
FGTXYZ
4
SN: FGTXYZ
2
1
3
6 5

© Fortinet Inc. All Rights Reserved. 37

ZTP enables you to provision devices without having to change their configuration onsite. The local technician
needs to make only the necessary network physical connections and power up the devices. This approach
reduces human error while speeding up deployments thanks to automation.

ZTP works as follows:

1. The administrator adds the FortiGate device on FortiManager and configures all of its settings. The
configured settings include the device settings, policy package, and the configuration for its connected
switches and APs.
2. When FortiGate is connected to the network, FortiGate retrieves the FortiManager IP address or FQDN
through DHCP options 240 or 241 respectively, provided the DHCP server in the local network has been
preconfigured with such options.
3. FortiGate contacts FortiManager using the network parameters provided by the DHCP server.
4. FortiManager checks the FortiGate serial number against its local database. If the serial number matches
a preconfigured device, then device registration is completed. Optionally, you can configure a pre-shared
key on both FortiManager and FortiGate for identifying the managed device.
5. FortiManager pushes the preconfigured device settings to FortiGate.
6. If there are connected devices, such as switches and APs, FortiGate also pushes the configuration
provided by FortiManager for those devices.

LAN Edge 7.6 Architect Study Guide 111

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
ZTP—Adding FortiGate on FortiManager
• Add the device in advance on Device Manager for ZTP
Device Manager > Device & Groups > Managed FortiGate > Add Device

Use pre-shared key if

SN is unknown

Device model suggested by

FortiManager if SN is used Synchronizes after
provisioning

© Fortinet Inc. All Rights Reserved. 38

The first step in achieving ZTP is to add the device to FortiManager before deploying it in the field.

When you add the device on FortiManager, you must select Add Model Device, and then type the device
details. Usually you want to match the device based on its serial number, but you could also use a pre-shared
key if the device serial number is unknown.

You must also indicate the device model. However, if you use a serial number for device matching, then
FortiManager suggests a device model based on the serial number.

After you add the device, its Config Status and Policy Package Status are shown as Unknown and
Modified, respectively. Both statuses change after the device downloads the settings from FortiManager
during provisioning.

After the device is added, you may want to configure its required settings and policies on the Device Manager
and Policy & Objects panes, respectively. Otherwise, FortiManager uses the device factory default
configuration.

LAN Edge 7.6 Architect Study Guide 112

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
ZTP—Configuring connected devices on FortiManager
• Add switches and APs on FortiSwitch Manager and AP Manager, respectively
FortiSwitch Manager > Managed FortiSwitches > Managed FortiGate > Create New

Devices are automatically authorized during

AP Manager > Managed FortiAPs > Managed FortiGate > Create New
provisioning and go online

© Fortinet Inc. All Rights Reserved. 39

You can use ZTP to provision FortiSwitch and FortiAP devices that are connected to FortiGate by adding the
devices to their FortiManager panes.

When you add the connected devices ahead of time on FortiManager, they do not appear as online. However,
after FortiGate downloads the configuration from FortiManager, which also includes the settings for its
connected switches and APs, the devices are automatically authorized and eventually appear online.

LAN Edge 7.6 Architect Study Guide 113

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
ZTP—Adding FortiManager on FortiGate
• FortiGate learns the FortiManager address through DHCP:
• Option 240: IP address
• Option 241: FQDN
• Alternatively, you can set the FortiManager address on the FortiGate GUI
Security Fabric > Fabric Connectors > Security Fabric Connectors > Central Management

FortiManager IP address or FQDN

• If a pre-shared key is used instead of a serial number, you must also run this command
on the CLI:
# execute central-mgmt register-device <fmg-sn> <psk-key>

© Fortinet Inc. All Rights Reserved. 40

FortiGate can obtain the FortiManager address through DHCP options 240 and 241. If the local DHCP server
is not configured with such options, you can manually set the FortiManager address on the GUI instead. Do
not configure the FortiManager address on the CLI because that does not initiate the secure tunnel between
FortiGate and FortiManager. This is a behavior by design.

If you have configured device matching based on pre-shared key instead of serial number, then you must also
run the CLI command shown on this slide. The command requires the user to provide the FortiManager serial
number and the configured pre-shared key.

LAN Edge 7.6 Architect Study Guide 114

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
ZTP—FortiManager Autoinstallation
• FortiGate automatically initiates the device configuration installation
Device Manager > Device & Groups > Managed FortiGate

Device gets in sync

• Installation completes

Click to see installation progress

• Connected switches and APs are shown as online after a few minutes

FortiSwitch Manager > Managed FortiGate

AP Manager > Managed FortiGate

Online

© Fortinet Inc. All Rights Reserved. 41

After FortiGate retrieves the FortiManager address, it contacts FortiManager to initiate the secure tunnel on
TCP port 541. After the tunnel is established and the device is identified, FortiManager automatically initiates
the device configuration installation and shows a notification on Device Manager. Click the notification button
to view the installation progress.

After a few seconds, the installation is completed, and the device is shown as in synchronized.

If you have configured connected devices, they are also shown as online in their respective FortiManager
panes. Just keep in mind that FortiManager may need a few minutes before displaying them as online
because the devices are rebooted upon authorization and FortiManager queries their status every three
minutes.

LAN Edge 7.6 Architect Study Guide 115

 Centralized Management
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Review FortiManager key features
 Describe FortiGate registration on FortiManager
 Explore FortiSwitch Manager
 Explore AP Manager
 Explore Extender Manager
 Describe the zero-touch provisioning solution

© Fortinet Inc. All Rights Reserved. 42

By mastering the objectives covered in this lesson, you learned how to use FortiManager to deploy
FortiSwitch and FortiAP devices. You also reviewed the topics of Extender Manager and zero touch
provisioning.

LAN Edge 7.6 Architect Study Guide 116

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

SD-Branch

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn about SD-Branch and its components, as well as FortiSwitch, FortiAP, and
FortiExtender configuration when managed by FortiGate and FortiManager.

LAN Edge 7.6 Architect Study Guide 117

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Review the SD-Branch solution
• Configure FortiSwitch VLANs, ports, and trunks
• Configure FortiAPs
• Configure SSIDs
• Review the FortiExtender LAN extension solution

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in SD-Branch and FortiExtender LAN extension as solutions, and configure
FortiAPs, SSIDs andFortiSwitch VLANs on FortiManager.

LAN Edge 7.6 Architect Study Guide 118

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

SD-Branch Overview

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about the SD-Branch solution and its components.

LAN Edge 7.6 Architect Study Guide 119

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
SD-Branch Overview

Visibility Security Scalability

Performance Management Automation

© Fortinet Inc. All Rights Reserved. 4

In an ever-changing IT environment, moving from a traditional LAN edge to SD-WAN and beyond represents
a shift in how networks are designed, managed, and secured. These new requirements and improvements
have triggered some key trends, such as:

• Accelerating digital transformation and becoming cloud-ready by investing in technologies like SD-WAN.
• Simplifying the management and deployment of new technologies, including network infrastructure.
• Enhancing visibility into network assets and the applications in use.
• Implementing robust security at the network's remote edges, allowing IT administrators to establish global
security policies.
• Reducing complexity in management and licensing to lower overall cost while enhancing performance.

With these trends in mind, and building on the foundation of SD-WAN, SD-branch extends the software-
defined approach to the entire branch network, integrating LAN, WAN management, security, and connectivity
into a unified platform.

SD-Branch, an extension of SD-WAN, provides a comprehensive solution encompassing wired, wireless,

Network Access Control (NAC), security, and WAN in a single operating system, FortiOS.

LAN Edge 7.6 Architect Study Guide 120

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
SD-Branch Architecture

Flexible and Scalable Networks Converged With Security

Choice of Management
FortiLAN Cloud FortiManager
and Deployment

Converged Accelerated
Enterprise Security

FortiExtender FortiAP FortiSwitch FortiNAC

AI Automation and FortiLink FortiMonitor FortiAIOps

FortiLink
Intelligence NAC

© Fortinet Inc. All Rights Reserved. 5

As previously mentioned, the core component of SD-Branch is SD-WAN. Combining SD-Branch and LAN
edge architectures creates a unified, software-defined environment that extends across the WAN and into the
LAN of branch offices. This integration allows organizations to manage both WAN and LAN from a single
platform.

SD-Branch architecture encompasses:

• WAN connectivity: provides intelligent and dynamic routing across multiple WAN links.
• Unified Threat Management: provides security functions, including firewalls, intrusion prevention systems
(IPS), and secure web gateways.
• Centralized Management: allows you to monitor and configure branch networks from a single platform.
• LAN and WLAN Integration: integrates both LAN and WLAN management with the same platform that
manages WAN connectivity.

Other features you must consider in SD-Branch architecture are:

•Zero Trust Network Access (ZTNA): SD-Branch solutions incorporate zero trust principles.
•Cloud Integration: SD-Branch evolved to provide seamless integration with cloud services.
•IoT Management: SD-Branch solutions provide visibility and control over IoT traffic.
•AI and Automation: The future of SD-WAN and SD-Branch will likely involve greater use of AI and machine
learning.

LAN Edge 7.6 Architect Study Guide 121

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
SD-Branch Core Product Components
FortiGate FortiAP FortiSwitch

NAC FortiExtender

© Fortinet Inc. All Rights Reserved. 6

In Fortinet SD-Branch architecture, the core SD-Branch components are: FortiGate, FortiAP, FortiSwitch,
NAC, and FortiExtender.

Here's how each of these components plays a critical role in building a secure and efficient SD-Branch
network:

• FortiGate (NGFW): provides NGFW capabilities and serves as the central hub of the SD-Branch
architecture.
• FortiAP: provides secure and high-performance wireless connectivity in a branch.
• FortiSwitch: provides secure and manageable LAN connectivity within the branch.
• NAC: enforces security policies for devices attempting to access the network and protects the device
edge by the discovery, classification, and secure onboarding of IoT devices.
• FortiExtender: extends the WAN by providing LTE or 5G connectivity as a primary or backup WAN link.

LAN Edge 7.6 Architect Study Guide 122

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Ports and VLANs

© Fortinet Inc. All Rights Reserved. 7

In this section, you will learn how to configure FortiSwitch ports and VLANs.

LAN Edge 7.6 Architect Study Guide 123

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Preconfigured VLANs
• FortiGate creates additional VLANs when the first switch is discovered
• default, quarantine, voice, video, rspan, onboarding, and nac_segment
• A DHCP scope is also configured for all VLANs except default and onboarding
• You can edit or delete VLANs
FortiSwitch Manager > Managed FortiSwitches > Managed FortiGate > VLAN

Predefined VLANs with

each assigned VLAN ID
© Fortinet Inc. All Rights Reserved. 8

When FortiGate discovers the first switch, it automatically applies configuration settings that are required for
switch management. These settings include the following VLANs:

• Default: This is the default native VLAN assigned to all switch ports.
• Quarantine: This is the default VLAN used for quarantined traffic. On FortiGate, you can quarantine a
device connected to a switch, upon which the device is placed in the quarantine VLAN.
• RSPAN: This is used for sending encapsulated mirrored traffic across the network.
• Voice: When using LLDP-MED, you can assign the switch port to this VLAN if the endpoint is detected as a
voice device.
• Video: This is the same as the voice VLAN, but used when the endpoint is detected as a video device.
• Onboarding: When NAC policies are enabled, this is the VLAN where devices that do not match any of the
configured NAC policies are placed. You will learn more about NAC policies in this lesson.
• NAC segment: This is used to prevent hosts from having to renew IP addresses when moving to another
VLAN.

In addition, a DHCP scope is configured for all the preconfigured VLANs except the default VLAN. The VLANs
are also assigned with the predefined VLAN IDs shown in the example on this slide. You can edit or delete
them as needed.

LAN Edge 7.6 Architect Study Guide 124

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Configuring VLANs
• VLANs on a managed FortiSwitch work in the same way as other FortiGate VLANs
• All the FortiOS interface settings (device detection, captive portal, and so on) are available for
FortiSwitch VLANs
VLAN must be bound
to FortiLink interface

FortiSwitch Manager > Managed FortiSwitches > Managed FortiGate > VLANs

© Fortinet Inc. All Rights Reserved. 9

When you manage a switch from FortiGate, the switch becomes an extension of FortiGate. You configure and
use FortiSwitch VLANs in the same way as FortiGate VLANs. Just keep in mind that a FortiSwitch VLAN must
be bound to the FortiLink interface. Otherwise, you won’t be able to select the VLAN when configuring the
VLAN settings on a switch port.

In addition, all interface settings usually available on FortiGate VLANs are available on FortiSwitch VLANs,
such as device detection, captive portal, and so on.

LAN Edge 7.6 Architect Study Guide 125

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Port Configuration
Managed FortiSwitches > More > Ports Configuration

Switch front view

Right-click a port to quickly

change some settings

Set Native VLAN

and Allowed VLANs

© Fortinet Inc. All Rights Reserved. 10

Ports Configuration on FortiSwitch manager displays all the ports available on the switch. On FortiSwitch
manager, you can view or edit the configuration of each port.

To edit the settings on a port, select the port and click Edit to display a new window showing the port settings
available. On this window, you can assign the Native VLAN, as well as the Allowed VLAN list for the port.
You will learn more about these VLANs in this lesson.

Additionally, right-clicking a port opens a context menu with various settings specific for that port. Moreover,
on the ports configuration page, FortiManager displays the switch front view, indicating the status of all ports
on the switch.

LAN Edge 7.6 Architect Study Guide 126

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Port VLAN Settings
VLAN Settings:
• Native VLAN
• Allowed VLAN
• Untagged VLAN

• Display PoE status:

• On FortiSwitch Manager > List > Topology > More > Faceplates

• On the FortiGate CLI

FortiGate # diagnose switch-controller switch-info poe detail
S224EPTF19006016 port1
VDOM: root
Managed Switch : S224EPTF19006016 0
…….
• Reset Power over Ethernet (PoE) on the FortiGate CLI
FortiGate # execute switch-controller switch-action poe reset S224EPTF19006016 port1
Toggling power on port1..........

© Fortinet Inc. All Rights Reserved. 11

FortiSwitch can process both tagged and untagged Ethernet frames. When you configure a port, you must
ensure that the port VLAN settings match the VLAN tagging required by the connected device for ingress and
egress traffic. Below are the VLAN settings that define how the port handles tagged and untagged traffic. Note
that the ingress and egress traffic refers to the traffic entering and leaving the switch port, respectively.

• Native VLAN: This is the default VLAN for untagged ingress traffic. Traffic from endpoints that do not tag
VLANs is placed in this VLAN. Egress traffic matching the native VLAN is also sent untagged.
• Allowed VLANs: Specifies the VLANs permitted on the port for both tagged and untagged ingress and
egress traffic. This setting is critical for inter-switch links (ISL) and FortiLink trunks, where multiple VLANs
may be tagged and transmitted. Adjust this setting for devices, like IP phones or servers, that use VLAN
tags.
• Untagged VLANs: Defines VLANs for which egress traffic is sent untagged. This setting is mainly used for
specific features, such as quarantine MAC or dynamic VLAN assignment. The untagged VLAN must be
part of the allowed VLAN list for it to be effective.

If you have PoE-powered devices connected to PoE-enabled switch ports, you can check the current PoE
status on the switch port from the faceplates section on the FortiSwitch manager. Hover over the port to view
the amount of power delivered by the port.

Alternatively, you can also display the PoE information on the FortiGate CLI by running the command shown
on the slide. Compared to FortiSwitch manager, the command displays more details about PoE, such as the
power class, voltage, current, and maximum power.

In case you want to reset the PoE delivery on a port, you can run a FortiGate CLI command like the one
shown on this slide.

LAN Edge 7.6 Architect Study Guide 127

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Configuring Trunks
FortiSwitch Manager > Managed FortiSwitches > Managed FortiGate > More > Ports Configuration

Select LAG members

© Fortinet Inc. All Rights Reserved. 12

In FortiSwitch, a trunk is a link aggregation group (LAG) interface. While other vendors use the term trunk to
describe interfaces that accept tagged Ethernet frames, FortiSwitch uses trunk to refer to a LAG interface.

When you connect two FortiSwitch devices together, or connect FortiSwitch to the FortiGate FortiLink
interface, the auto-ISL feature used by the Link Layer Discovery Protocol (LLDP) automatically forms a trunk.
Other devices connecting to FortiSwitch using a LAG require that you manually configure a trunk on
FortiSwitch. To manually configure a trunk on FortiSwitch manager, click Create New on the Ports
Configuration page to display a new window with the settings available for the trunk.

LAN Edge 7.6 Architect Study Guide 128

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Access VLANs
• Prevent intra-VLAN communication
• Devices can communicate only with FortiGate
• Can be used for isolating devices before authentication or detection is completed
• FortiGate CLI setting (enabled on the quarantine and onboarding VLANs by default):
config system interface
edit <vlan>
set switch-controller-access-vlan enable | disable
next
end
Client A Access VLAN
is enabled
192.168.1.1/24 port1
VLAN 10

192.168.1.254/24
port2 VLAN 10
192.168.1.2/24 VLAN 10

Client B

© Fortinet Inc. All Rights Reserved. 13

Access VLANs enable FortiSwitch to prevent direct communication among devices in the same VLAN.
Devices can communicate only with FortiGate. Traffic destined for other devices in the same VLAN is dropped
by FortiSwitch. Although other vendors use the term access VLAN when referring to the native or untagged
VLAN on a switch port, in FortiSwitch, access VLAN refers to a VLAN that restricts traffic to the
communication to the switch controller only.

You can use access VLANs to place devices in a temporary or onboarding VLAN before FortiGate
authenticates or identifies them, after which FortiGate moves the device to the corresponding production
VLAN. Another use case for access VLANs is to drop intra-VLAN traffic when client-to-client communication is
unnecessary. This could prevent the spread of malware by compromised hosts, reduce the amount of traffic in
the network, or prevent an attacker from gathering network information that can be later used to attack
vulnerable hosts in the same VLAN.

To enable access VLANs on a FortiSwitch VLAN, run the CLI commands shown on this slide. Note that an
access VLAN is enabled on the quarantine and onboarding VLANs by default.

In the network diagram shown on this slide, port1 and port2 on FortiSwitch are placed in VLAN 10, which is a
FortiSwitch VLAN configured on FortiGate with an access VLAN enabled. As a result, when client A sends
traffic destined to devices other than the VLAN 10 interface on FortiGate, FortiSwitch drops the traffic.

LAN Edge 7.6 Architect Study Guide 129

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Access VLANs—Allow Intra-VLAN Traffic
• Intra-VLAN communication through FortiGate can be allowed by configuring:
• Proxy ARP on FortiGate, for example:
config system proxy-arp
edit 1
set interface "VLAN 10"
set ip 192.168.1.1
set end-ip 192.168.1.253
next
end
• A firewall policy to allow traffic between the same VLAN interface Proxy ARP is enabled and
Client A Access VLAN firewall policy allows traffic
is enabled between same interfaces
192.168.1.1/24 port1
VLAN 10

192.168.1.254/24
port2 VLAN 10
192.168.1.2/24 VLAN 10

Client B

© Fortinet Inc. All Rights Reserved. 14

When access VLAN is enabled, you can still allow intra-VLAN traffic through FortiGate by configuring
FortiGate to perform proxy ARP for other hosts in the VLAN, and setting firewall policies to allow the intra-
VLAN traffic.

This slide shows an example of the proxy ARP configuration required on FortiGate, illustrated by the network
diagram. When client A sends ARP requests for resolving the MAC address of Client B, FortiGate responds
on behalf of Client B. As a result, when Client A communicates with Client B, packets from Client A to Client B
are sent through FortiGate, which is traffic that FortiSwitch allows. When traffic arrives at FortiGate, it is
forwarded to Client B because FortiGate has a firewall policy allowing the intra-VLAN traffic.

When you configure the firewall policy, you must select the same VLAN interface as the incoming interface
and the outgoing interface. You can also enable security profiles to perform inspection if required.

LAN Edge 7.6 Architect Study Guide 130

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Managing FortiAPs With FortiManager

© Fortinet Inc. All Rights Reserved. 15

In this section, you will learn how to provision and update FortiAPs centrally using FortiManager.

LAN Edge 7.6 Architect Study Guide 131

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Overview
• APs are still controlled by the FortiGate wireless controller
• APs still discover the FortiGate controller using the same methods
• Wireless controller must be enabled on FortiGate
• CAPWAP must be enabled on the ports connecting FortiAPs
• Other elements of configuration can be provisioned from FortiManager
• Device settings can control:
• Wireless country code
• CAPWAP and interface configuration
• AP profiles can control:
• AP radio configuration and AP hardware configuration
• SSID profiles can control wireless network configuration and availability
• Also deploy profiles that can provision WIDS, Bluetooth (BLE), QoS, and Bonjour
• Two modes of FortiManager central configuration:
• Central management
• Per-device management

© Fortinet Inc. All Rights Reserved. 16

You can provision many aspects of wireless configuration on FortiGate using FortiManager. It is important to
note that it is still FortiGate that supports the AP wireless network. All the required configuration for AP
discovery and CAPWAP configuration must be in place.

FortiManager can provision most of the settings required to publish a wireless network and configure the APs.
FortiManager uses profiles to control AP configuration, SSID configuration, and other profiles to control other
wireless-related functions. These profiles are stored on FortiManager and can be applied to multiple FortiGate
wireless controllers and APs.

LAN Edge 7.6 Architect Study Guide 132

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Discovery Methods and CAPWAP—Review
FortiAP devices cycle through the following six methods to locate and connect to FortiGate:
1. Static—You can configure FortiAP with a static controller IP address
2. DHCP—By default, FortiAP uses DHCP option 138 to get the controller IP address
3. DNS—FortiAP can discover the controller by using a hostname configured in the AC_HOSTNAME_1 parameter
4. FortiCloud—FortiAP uses the hostname apctrl1.fortinet.com for FortiCloud management
5. Multicast—FortiAP can discover the controller by using the multicast address 224.0.1.140
6. Broadcast—FortiAP broadcasts a discovery request to locate the controller

• FortiGate uses CAPWAP to manage centrally, through

an access controller (AC)
• Configuration and device management, firmware upgrades
• Two channels: control (UDP 5246) and data (UDP 5247)
• Data can be encrypted using DTLS or IPsec
• Must be enabled on the FortiGate interface that
connects to FortiAPs

© Fortinet Inc. All Rights Reserved. 17

FortiAPs must discover and connect to a FortiGate controller or a cloud-based host before they can be
managed. FortiAP initiates the discovery process during startup, and it uses multiple methods to locate the
controller IP address. By default, FortiAPs are set to auto-discovery, which cycles through different methods
with a default timeout of 5 seconds (adjustable between 2-180 seconds). If all discovery methods fail, the
FortiAP enters a state known as SULKING before moving to AC_IP_DISCOVER, eventually retrying the
discovery process.

In scenarios where FortiAP and the controller are not on the same subnet, you must configure a static IP
address or DNS using the GUI, CLI, or a serial port connection. FortiAPs typically use DHCP option 138 to
obtain the controller IP address, which you must convert to a hexadecimal format. If you use multicast, the
default destination address is 224.0.1.140, although you can modify this using CLI commands.

FortiGate manages FortiAPs using the CAPWAP protocol, which operates over UDP ports 5246 for control
and port 5247 for data. CAPWAP can use Datagram Transport Layer Security (DTLS) or IPsec for data
channel encryption. IPsec is recommended for remote APs across public WAN links, especially when
FortiGate can offload IPsec processing to hardware, enhancing performance. However, using DTLS may
reduce throughput because it requires CPU-based encryption. CAPWAP enables FortiGate to push
configuration, management instructions, and firmware updates to FortiAPs.

LAN Edge 7.6 Architect Study Guide 133

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Enabling CAPWAP Using FortiManager
• You must enable CAPWAP access on the interface FortiGate uses to connect FortiAPs
• It opens the required CAPWAP ports (5246 control, 5247 data)
• CAPWAP is enabled as part of the Security Fabric Connection access
• Enabled using Device Manager for FortiGate physical interfaces and VLANs
• Enabled on FortiSwitch VLANs using FortiSwitch Manager
• On either a FortiSwitch Profile or FortiSwitch Template

Device Manager > Device & Groups > Managed FortiGate > Network > Interfaces

© Fortinet Inc. All Rights Reserved. 18

On FortiGate, choose an interface to which you will connect FortiAPs. You must enable CAPWAP access on
any interface that will connect FortiAPs, even if they have intervening switched or routed links. CAPWAP
access is now included as part of the Security Fabric Connection administrative access. You must configure
access on a per-device basis—you cannot assign it using a provisioning template.

If required, enable the DHCP server option to allow FortiGate to assign IP addresses to FortiAPs. It is also
possible to use other DHCP servers (such as Microsoft DHCP), but you must configure those servers to pass
DHCP options, when required.

LAN Edge 7.6 Architect Study Guide 134

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Authorize APs Using FortiManager
• Authorize APs directly from FortiManager
• FortiManager user must have Read-Write JSON API Access
AP Manager > Managed FortiAPs > Managed FortiGate

System Settings > Administrators > Admin

You can perform

FortiManager user must have multiple actions on
Read-Write JSON API individual APs
Access

© Fortinet Inc. All Rights Reserved. 19

After configuring the discovery method on FortiGate and enabling CAPWAP, you can turn on the FortiAP,
which will start discovering the controller. After FortiGate receives a discovery request from a FortiAP, you
must authorize it to establish a CAPWAP tunnel, signaling that the controller will manage the AP.
Authorization applies a default FortiAP profile based on the AP model and hardware.

In central management mode, FortiManager can authorize APs directly if JSON API Access is set to Read-
Write. In per-device management mode, you must authorize APs from FortiGate before they become visible
on FortiManager. Once the CAPWAP tunnel is established, a green check mark indicates successful
communication and initial configuration.

FortiManager also allows for preauthorization of FortiAPs using serial numbers. Once FortiGate discovers
these APs, authorization occurs automatically, establishing a CAPWAP tunnel and applying the assigned
configuration.

You can manage authorized FortiAPs using the FortiGate GUI, where you can change their status, upgrade
firmware, change AP profiles, restart APs, map them, and view spectrum and client information. The
management table updates every 3 minutes, so changes may not appear immediately.

LAN Edge 7.6 Architect Study Guide 135

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Configuring AP Hardware Settings

© Fortinet Inc. All Rights Reserved. 20

In this section, you will learn how to configure FortiAP radio settings using FortiManager.

LAN Edge 7.6 Architect Study Guide 136

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Profiles
• Management settings
• AP password
• Administrative access to AP
• Radio settings
• Allowed radio channels
• Allowed radio power
• SSIDs that will be broadcast
• You can create as many profiles as you want

© Fortinet Inc. All Rights Reserved. 21

Profiles dictate management and radio settings, including channel settings, channel widths, transmission
power levels, and broadcast networks. Different AP models require specific profiles because of their varied
hardware and capabilities.

You can create multiple profiles by creating new ones or cloning existing ones. You can configure multiple
profiles for the same AP type with different settings, and you can delete unused profiles. Each profile
determines the channels, power levels, and wireless networks an AP will use. Changes to a profile are applied
to all APs assigned that profile through FortiManager.

LAN Edge 7.6 Architect Study Guide 137

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Profiles (Central Management)
• AP profiles are stored in and deployed from FortiManager
AP Manager > Operation Profiles > FortiAP Profiles

Local profiles can be imported

from FortiGate devices

Profiles stored on
FortiManager and can apply to
any AP on any controller

© Fortinet Inc. All Rights Reserved. 22

To view and manage FortiAP profiles on FortiManager, click AP Manager > Operation Profiles > FortiAP
Profile.
In central management mode, only profiles available on FortiManager are visible, with an option to import
from a managed FortiGate.

LAN Edge 7.6 Architect Study Guide 138

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Profiles (Per-Device Management)
• AP profiles are stored in and deployed from the local FortiGate device

AP Manager > Managed FortiAPs > Managed FortiGate > Operation Profiles > FortiAP Profiles

Profiles
Profilescreated
createdanand
apply
applied
toto
the
controller
single controller
only only

© Fortinet Inc. All Rights Reserved. 23

In per-device management mode, profiles stored on each FortiGate are visible and synchronized.

LAN Edge 7.6 Architect Study Guide 139

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Provisioning APs
AP Profile
• Using FortiManager
• Apply an AP profile
• To an individual or to multiple APs AP1 AP1
AP1
• A profile has to be assigned, either manually or by pre-authorizing
• Override settings on individual APs
• You must push Device Settings using the Install Wizard
• Using FortiGate
• Apply a profile to multiple APs on the controller
• Using the GUI or the CLI
AP has been pre-
• A default profile is automatically assigned authorized so it has an
• Override settings on individual APs AP Profile assigned

AP Manager > Managed FortiAPs > Managed FortiGate > Assign Profile

© Fortinet Inc. All Rights Reserved. 24

FortiGate automatically assigns a default AP profile to an AP when it is discovered and authorized. The profile
is assigned based on the AP model detected during discovery.

FortiManager does not automatically assign a profile. You can define the profile by configuring it or pre-
authorizing the AP. After you apply a profile, because device settings are not automatically applied, you must
apply them through the install wizard.

Both FortiGate and FortiManager have a set of default profiles based on the model of the AP. These are
contained and updated as part of FortiOS. ADOM Central Management mode uses profiles located on
FortiManager. Per-device Management mode uses profiles located on FortiGate.

After a CAPWAP tunnel is established between FortiGate and an AP, FortiGate uses the CAPWAP control
channel to push all AP profile parameters to the AP. You will likely want to assign an AP profile that is different
from the default, because you will have specific channel settings or AP settings to deploy. It is important to
note that you can assign an AP profile to one or multiple APs, but you cannot assign multiple profiles to a
single AP. All APs that use the same AP profile receive the same configurations from FortiGate.

For more flexibility and granularity, you can override the AP profile configuration on a per-AP basis. You must
assign an AP profile to an AP, but you can modify the settings on an individual AP basis using the GUI on
FortiManager, or using the CLI and GUI on FortiGate.

LAN Edge 7.6 Architect Study Guide 140

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Fragmentation of Packets in CAPWAP Tunnels
AP Manager > Operation Profiles > FortiAP Profiles >
• CAPWAP tunnel overhead increases Advanced Options
packet size, which can result in
fragmentation when APs are connected
over a WAN link
• Fragmentation can cause issues such as
data loss, latency, decreased throughput,
and even the inability to manage FortiAP
• Tunnel maximum transmission units
(MTU) can be reduced

© Fortinet Inc. All Rights Reserved. 25

CAPWAP tunnel overhead can increase packet size which can result in fragmentation. Fragmentation occurs
when an IP packet is larger than the allowed MTU size. Fragmentation can cause issues such as data loss,
latency, decreased throughput, and, in some cases, the inability to manage FortiAPs. One solution to this
problem is to control the packet size on the managed APs. You can decrease the MTU size for CAPWAP
tunnels by modifying the uplink and downlink tunnel MTU size in the AP profile configuration on the CLI. You
can also override this setting for a specific AP.

The tcp-mss-adjust option is set by default. It causes FortiAP to limit the maximum segment size (MSS) of
TCP packets sent by wireless clients. FortiAP does this by adding a reduced MSS value to the SYN packets
sent by FortiAP when negotiating with a wireless client to establish a session. This results in the wireless
client sending packets that are smaller than the tun-mtu-uplink setting, so that when the CAPWAP headers
are added, the CAPWAP packets have an MTU that matches the tun-mtu-uplink size. To enable this setting,
enter the required maximum byte size that the link will support before fragmentation. Start with a default value
of 1500 and, if fragmentation is still an issue, reduce this value.

The icmp-unreachable option affects all traffic (UDP and TCP) between wireless clients and FortiAP. This
option causes FortiAP to drop packets that have the Don't Fragment bit set in their IP header and that are
large enough to cause fragmentation and then send an ICMP packet—type 3 ICMP Destination unreachable
with code 4 Fragmentation Needed and Don't Fragment was Set back to the wireless controller. This
should cause the wireless client to send smaller TCP and UDP packets.

In a LAN environment, fragmentation is not likely to be an issue because of the nature of the infrastructure.
However, remotely based APs could suffer fragmentation where different WAN link configurations are used in
between the AP and FortiGate.

LAN Edge 7.6 Architect Study Guide 141

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Configuring SSIDs With FortiManager

© Fortinet Inc. All Rights Reserved. 26

In this section, you will learn how to configure and broadcast SSID from a FortiGate using FortiManager.

LAN Edge 7.6 Architect Study Guide 142

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
SSID Traffic Mode
• Tunnel mode
• Default SSID mode
• Wireless traffic is tunneled to FortiGate using CAPWAP data channel
• Dedicated subnet for wireless network
• Requires separate firewall policy for SSID subnet
• Bridge mode
• FortiAP forwards wireless traffic to its Ethernet interface directly
• Wireless and wired stations can share the same broadcast domain
• Wireless station traffic is untagged by default and should be assigned to a VLAN as a best practice
• Wireless mesh
• Backhaul SSID used by APs to create a mesh network

© Fortinet Inc. All Rights Reserved. 27

You can configure three types of SSIDs on FortiGate: tunnel mode, bridge mode, and wireless mesh.

By default, tunnel mode SSID is selected when you define an SSID on FortiGate. In this mode, all traffic within
CAPWAP DTLS or non-DTLS tunnels is sent to FortiGate before it is allowed on the LAN or internet.

There are two main advantages to using this mode:

• Traffic is subject to firewall policies and security threat scanning. Traffic must go through a security
profiles inspection and firewall policies examination before it is placed on the egress interface. This
ensures that all security threats are addressed before a device is given access to internal or external
resources.
• Traffic is processed at the session level. This gives FortiGate complete visibility of user and device
activities on the network. FortiGate can track and log user activities, and control access at the user level.

In local bridge mode SSID, wireless traffic is bridged directly to the local LAN that the AP is connected to. This
mode is useful when deploying APs at remote locations that connect to a wireless controller over a WAN link.
To ensure all traffic is scanned for security threats, consider deploying compatible APs in this type of
deployment.

Wireless mesh SSID is used strictly as a backhaul SSID to connect to the root AP in a mesh deployment.

LAN Edge 7.6 Architect Study Guide 143

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Tunnel Mode
• Pros
• Central place to enforce security Security
• Layer 3 traffic segmentation
• Cons
• FortiGate must be sized according to traffic
• If controller goes down, wireless network goes down
• Split Tunnel FortiSwitch FortiGate FortiAuthenticator
• When split tunneling is enabled, selected traffic is POE WLAN
sent to a local gateway, not FortiGate
• Enabled on a per-subnet basis
• Subnets need to be defined in an access control list
(ACL)
Access
Points

Data
Control
Internet/Auth

© Fortinet Inc. All Rights Reserved. 28

By default, tunnel mode SSID is selected when you define an SSID on FortiGate. In this mode, all traffic within
CAPWAP DTLS or non-DTLS tunnels is sent to FortiGate before it is allowed on the LAN or the internet.
There are two main advantages to using this mode:

• Traffic is subject to firewall policies and security threat scanning. Traffic must go through a security
profiles inspection and firewall policy examination before it is placed on the egress interface. This ensures
that all security threats are addressed before a device is given access to internal or external resources.
• Traffic is processed at the session level. This gives FortiGate complete visibility of user and device
activities on the network. FortiGate can track and log user activities, and control access at the user level.

In tunnel mode, all traffic from the SSID is sent to the FortiGate Wi-Fi controller. If you locate the AP in a
remote office, all the traffic is sent to FortiGate, even if it is destined for a remote office resource. The packets
sent to a local resource, such as an office printer, will hairpin, crossing the WAN link needlessly.

When you enable split tunneling on an SSID profile, you can configure a different egress point for the traffic.
You can split traffic; some traffic is sent to the local network, and some tunnels back to the managing
FortiGate. Split tunneling eliminates loading FortiGate with unnecessary traffic and allows direct access to
local private networks at the location of the FortiAP, even if the connection to the Wi-Fi controller goes down.

You can configure the subnets in an ACL. You then configure the ACL as the list of subnets that the SSID
tunnels to, or will bridge locally. You can also configure the AP to automatically add its own subnet to the ACL.

LAN Edge 7.6 Architect Study Guide 144

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Configuring Split Tunneling
AP Manager > SSID > Advanced Options

Enable split tunneling for an

SSID on the SSID profile

AP Manager > Operation Profiles > FortiAP Profiles > Advanced Options

Enable split-tunneling-acl-local-ap-subnet and the local AP

subnet is dynamically added to the list of subnets ACL

tunnel: Traffic matching the ACL list is tunneled back to controller

local: Traffic matching the ACL list is egressed locally

© Fortinet Inc. All Rights Reserved. 29

Split tunneling is enabled on a per-SSID basis. However, split tunneling ACLs must be defined on the FortiAP
profile or override settings on a per-AP basis.

The traffic is tunneled or bridged depending on the subnets configured in the split-tunneling-acl list. If the
split-tunneling-acl-local-ap-subnet option is enabled, the local subnet of the AP is dynamically added to the
list.

When split-tunneling-acl-path is set to local, traffic matching, the ACL remains local instead of
being tunneled.

If split-tunneling-acl-path is set to tunnel, split-tunnel-acl defines subnet(s) that are

tunneled back to the controller.

If you need to add additional subnets to the list, you must configure them using a CLI configuration on an
individual AP (or wtp). To do this, navigate to Device Manager > Devices & Groups > CLI Configurations.
If the CLI Configurations option is not available, enable it from Display Options.

In CLI Configurations, navigate to wireless-controller > wtp and edit the AP requiring changes to the ACL.
At the bottom of the options, you will find the split-tunneling-acl table where subnets can be added for this
individual AP. This setting has to be applied to individual controllers and then installed using the Install
Wizard.

LAN Edge 7.6 Architect Study Guide 145

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Bridge Mode
• Pros
• Both wired and wireless stations can
be in same subnet
Security
• Potential 1 Gbps or more (if using
link aggregation on supported APs)
LAN throughput per FortiAP FortiGate
NGFW/UTM
• Cons
• Security profiles are available only
with compatible APs
FortiSwitch FortiGate FortiAuthenticator
• Limited VLAN pooling options POE WLAN

• Supported profiles
WLAN controller
• Antivirus Access
• IPS Points

• App control
Data
• Web filter
Control
Internet/Auth

© Fortinet Inc. All Rights Reserved. 30

In local bridge mode SSID, wireless traffic is bridged directly to the local LAN that the AP is connected to. This
mode is useful when deploying APs at remote locations, that connect to a wireless controller over a WAN link.
To ensure all traffic is scanned for security threats, consider deploying compatible APs in this type of
deployment.

Local traffic is switched at FortiSwitch, but CAPWAP control traffic still goes to the wireless controller.

If a bridge mode SSID is configured for a managed FortiAP model that supports security profiles, you can add
a security profile group to the wireless controller. This configuration allows you to apply the following security
profile features to the traffic over the bridge SSID:
• Antivirus (including botnet protection)
• Intrusion prevention
• Application control
• Web filter

This is supported only in bridge mode. Tunneled SSID traffic will be inspected by FortiGate, as usual.

LAN Edge 7.6 Architect Study Guide 146

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Security Profiles Support—Bridge Mode Only
Device Manager > Devices & Groups > Managed FortiGate > AP Manger > SSIDs > Advanced Options
CLI Configurations > wireless-controller > utm-profile

Only web filter profile

can be enabled on SSID

Create a custom
Security profile group

© Fortinet Inc. All Rights Reserved. 31

You can create a security profile group and then apply it to an SSID. You can apply a web filter profile as a
standalone security profile to an SSID, but you must apply other security profiles can only be applied as part
of a security profile group which you can apply only to a bridge mode SSID.

The security profile group is created using a CLI configuration and is applied on individual controllers. You
cannot apply it using a template.

Once you install the new or updated security profile on the controller, you can configure it in an SSID profile.

Only supported FortiAP models get security profile updates from FortiGuard by a FortiGuard subscription.

LAN Edge 7.6 Architect Study Guide 147

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Configuring SSIDs With FortiManager
• SSIDs are defined using an SSID Profile AP Manager > Operation Profiles > FortiAP Profiles> Radio
> SSIDs
• In central management mode a single profile is
applied to multiple FortiGate devices
• In per-device management mode, profiles are
applied to individual FortiGate devices
• APs transmit new SSIDs when the new SSID
profile is associated with the AP profile
• Manual installs the SSID profile on the controller
and broadcasts the SSID
• Tunnel and Bridge automatically broadcast SSID
profiles that are already installed on the controller

SSIDs assigned manually

as a mix, all tunnel or all
bridged

© Fortinet Inc. All Rights Reserved. 32

Profiles are managed differently, depending on the management mode that you are using.

In central management mode, profiles are created and stored on FortiManager. An AP profile is distributed to
a controller when at least one of its supported APs is assigned the profile and the device settings are installed.
SSID profiles are delivered only when you select Manual in the SSID field.

If you create an SSID profile centrally and configure all the AP profiles to be tunnel or bridge, the SSID profile
is not delivered to FortiGate. FortiManager does not know which of the SSID profiles to distribute to which
FortiGate. Setting Tunnel or Bridge on the AP profile instructs the AP to broadcast any existing tunnel or
bridge SSID profile on the controller. A manual SSID explicitly tells FortiManager which SSID profile to
broadcast on the AP and, as a result, the required SSID profile is delivered to the controller.

Other profiles, such as the WIDS Profile, are distributed when referenced.

In per-device management mode, profiles are created and stored on FortiManager. You specify profiles on a
per-controller basis, and FortiManager automatically distributes all profiles, regardless of whether they are
used.

LAN Edge 7.6 Architect Study Guide 148

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Applying SSID—Per-Device Management Mode
AP Manager > SSIDs
• The AP profile controls which SSID profile
is distributed and broadcast
• All SSID profiles configured in
FortiManager are distributed and installed
• The AP Profile SSID setting controls what
is broadcast: WiFi & Switch Controller > SSIDs
• Tunnel: any tunnel mode SSID profiles
• Bridge: any bridge mode SSID profiles
• Manual: manually selected SSID profiles, can
be a mix
• Select on each radio
AP Manager > Operation Profiles > FortiAP Profiles
• Apply with the Install Wizard

© Fortinet Inc. All Rights Reserved. 33

There are differences in how wireless networks are published when using the two ADOM management
modes.

In per-device management mode, you manage each FortiGate individually. Profiles are unique to each
FortiGate but stored centrally on FortiManager. When you create an SSID profile in per-device management
mode, you are creating for a specific FortiGate, and FortiManager detects this.

FortiManager automatically pushes to FortiGate profiles you create for a controller and device settings you
install whether they are used or not.

When you want to broadcast an SSID, you must configure the AP profile that is being used by the APs that
are to transmit it. You can broadcast SSIDs on a per-interface basis; each interface has an SSIDs option that
you can set to one of three modes:

Tunnel: Any tunnel mode SSID profiles installed on FortiGate will broadcast.
Bridge: Any bridge mode SSID profiles installed on FortiGate will broadcast.
Manual: You can select a mix of SSIDs to broadcast.

Where you have the same model of AP broadcasting different combinations of SSID, you must clone or create
separate AP profiles.

To make the profile changes active, you must install them on FortiGate using the Install Device Settings
option in the Install Wizard.

LAN Edge 7.6 Architect Study Guide 149

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Applying SSID—Central Management Mode
• Only a Manual SSID setting will AP Manager > SSIDs
distribute an SSID profile to FortiGate
• The AP profile SSID setting controls what
is broadcast:
• Tunnel: any existing tunnel mode SSID
Bridge: any existing bridge mode SSID
AP Manager > Operation Profiles > FortiAP Profiles
Manual: manually select SSID profiles, can Multiple profiles
be a mix available

• Select on each radio

• Apply with the Install Wizard
Only one
Only manually
manually
assigned
assigned
WiFi & Switch Controller > SSIDs

© Fortinet Inc. All Rights Reserved. 34

When you create profiles in central management mode, you are creating profiles that you can apply to
multiple controllers. They are stored on FortiManager, but FortiManager does not detect which FortiGate
needs which profiles. As a result, by default, no profiles are pushed to FortiGate when using the Tunnel or
Bridge options.

The profiles are pushed when you make a specific link between an AP and an SSID. You do this by defining a
manual SSID mapping in an AP Profile. The Tunnel and Bridge options will still work for any SSID profiles
that are already on FortiGate, but these options do not cause all the profiles that exist on FortiManager to be
pushed. In a sizeable FortiManager installation, a large number of SSID profiles can exist. Automatically
pushing all of these profiles to each FortiGate would not be desirable.

Older versions of FortiOS use a slightly different SSID assignment mechanism. Auto automatically assigns all
tunnel mode SSID profiles, while Manual allows a manual selection.

LAN Edge 7.6 Architect Study Guide 150

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Configuring Bridge SSIDs
• Bridge mode has significantly fewer AP Manager > SSIDs
options
• No requirement for IP or policy because
traffic is egressed from the AP wired port
• Local standalone
• Authentication and traffic handled by FortiAP
• Ideal in a distributed network
• Can survive a controller outage
Control how clients are
treated when controller
is down or unreachable

© Fortinet Inc. All Rights Reserved. 35

Bridge modes SSID are significantly easier to configure because they simply bridge the wireless traffic to the
local Ethernet interface.

Additional options control what happens to the wireless connection if the FortiGate wireless controller
becomes unavailable. There are options to allow clients to connect and authenticate locally, in the event the
controller becomes unavailable.

The wireless controller, or the connection to it, might occasionally become unavailable, especially when
FortiAPs are deployed remotely or over a congested network. During such an outage, clients already
associated with a bridge mode FortiAP device can continue to have network access. Optionally, FortiAP can
also continue to authenticate users, if the SSID meets these conditions.

Authentication and traffic is handled by FortiAP, regardless of the connection status between FortiAP and
FortiGate. Authentication methods have expanded to include:
• Open
• Captive Portal with external authentication portal
• WPA/WPA2-Personal
• WPA/WPA2-Enterprise
• WPA3-Enterprise
• WPA3-SAE
• WPA3-SAE Transition
• WPA3-OWE

This assumes that the AP can reach the required captive portal or authentication server.

LAN Edge 7.6 Architect Study Guide 151

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
SSID Security Modes—Review
FortiManager and FortiGate wireless AP Manager > SSIDs
controller supports:
• WPA2
• Preshared keys (WPA2 personal or PSK)
• 802.1X (WPA2 enterprise RADIUS)
• WPA2 personal + captive portal
• WPA3
• Passphrase (WPA2 SAE or WPA3-personal)
• WPA3 SAE transition (passphrase and WPA2-
PSK)
• 802.1X (WPA3 enterprise RADIUS)
• Captive portal
• OSEN

© Fortinet Inc. All Rights Reserved. 36

When configuring the SSID profile, you must set up the security mode. Security modes are settings for client
authentication and traffic encryption between the wireless client and the AP. Remember, wireless is a shared
medium, so there are even more vectors of attack than for wired connections. The FortiGate wireless
controller supports multiple authentication methods:
• Username and password (WPA2/WPA3 enterprise or captive portal)
• Pre-shared keys (WPA2 personal)
• Simultaneous authentication of equals (WPA3 SAE)

Alternatively, if you need to provide guest access without authentication, you can use Captive Portal as the
Security Mode and Disclaimer Only as the Portal Type. Here is a complete list of supported formats:
• Captive portal: user authentication only and no connection encryption
• WPA2 personal: static pre-shared key-based authentication and AES connection encryption
• WPA2 personal with captive portal: key-based connection encryption and user authentication
• WPA2 enterprise: RADIUS-based user authentication and connection encryption
• WPA3 enterprise: Same as WPA2-Enterprise, supports 192-bit security mode, offering stronger
encryption than WPA2.
• WPA3 SAE, officially referred to as WPA3 personal
• WPA3 SAE transition
• Completely unencrypted and unauthenticated
• OSEN: secure on-boarding used for hotspot 2.0

WPA3 SAE transition mode is a temporary stepping stone that allows support of both WPA3-SAE and WPA2-
PSK on the same SSID. The older WPA standards (based on TKIP) are no longer supported. The open
network option will be available only if enabled in feature visibility.

LAN Edge 7.6 Architect Study Guide 152

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Multiple Pre-Shared Keys
• You can link multiple user profiles to a single SSID
• Number of maximum multiple pre-shared key allowed per SSID depends on the size of FortiGate
• WPA2-PSK only
• Enables the option to dynamically assign a VLAN
AP Manager > SSID > Edit

User1
SSID: Corp-Wi-Fi
Shared Key: H@ppc@t

User2
SSID: Corp-Wi-Fi
Shared Key:ChuckNOrr5 SSID: Corp-Wi-Fi Enable this option to
Authentication: WPA2-MPSK assign users a VLAN
User1: H@ppc@t
User2: ChuckNOrr5
User3 User3: RXYs!#gi2
SSID: Corp-Wi-Fi
Shared Key: RXYs!#gi2

Generate or import MPSK

keys from a CSV file

© Fortinet Inc. All Rights Reserved. 37

As an extension of the original PSK standard, it is possible to enable multiple PSKs (MPSK) for a wireless
network. MPSK allows the use of multiple security keys to allow access to the same wireless network.
Traditionally, pre-shared key networks would allow only one key. It often meant that these keys became well-
known and, as a result, the administrator could lose control over who had access to the network.

Enabling MPSK allows the wireless controller to dynamically assign a VLAN to each group based on its key
and, if configured, based on the MAC address.

MPSK can make key management more straightforward because all users and devices have unique
credentials. If a user leaves, a device is lost, or a key becomes well-known, you can change the MPSK for
that single user or device without having to change all devices that connect to that network. It is also possible
to limit the number of times each MPSK is used, which can now limit the number of devices that can use that
key to connect to the network.

The number of PSKs allowed depends on the specification of FortiGate.

You can generate the keys for each user connecting, or import the keys from a CSV file.

You can configure the MPSK centrally from FortiManager using an SSID profile, but this is available only on
wireless networks that allow WPA2-PSK authentication.

LAN Edge 7.6 Architect Study Guide 153

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Captive Portal
• Mostly used for guest network access
• Used as a landing page when accessing resources on a network
• Disclaimer
• Authentication page
• Terms of use
• And so on
• System grants user access only after the user accepts disclaimer or successfully
authenticates using captive portal
• Can be applied to tunnel and bridge mode SSIDs

© Fortinet Inc. All Rights Reserved. 38

The captive portal is used as a landing page after a user connects to a network. This is mostly used for guest
access and networks that require a disclaimer. You can also authenticate your users on a captive portal page
that requests the user’s name and password. Until the user authenticates successfully, the authentication
page is returned in response to any HTTP request. After successful authentication, the user accesses the
requested URL and can access other web resources, as permitted by security policies. Optionally,
the captive portal itself can allow web access to only the members of a specified user group.

LAN Edge 7.6 Architect Study Guide 154

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiExtender as LAN extension

© Fortinet Inc. All Rights Reserved. 39

In this section, you will learn about the FortiExtender LAN extension solution.

LAN Edge 7.6 Architect Study Guide 155

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiExtender LAN Extension
• New distributed network, new challenges

© Fortinet Inc. All Rights Reserved. 40

The new distributed network presents fresh challenges in the evolving IT landscape, including:

•Work-from-Anywhere: managing secure and reliable access for remote workers

•Securing Off-Net Users and Endpoints: protecting devices and users that operate outside the corporate
network
•Increased IT Complexity: rapid convergence of security and networking, adding layers of complexity
•Tool, System, and Vendor Proliferation: managing an expanding array of tools, systems, and vendors
•Security as a Service Implementation: deploying security services efficiently across the network

Networks are increasingly distributed and reliant on security at every edge.

FortiExtender LAN extension delivers a solution to these IT challenges by providing secure connectivity for
remote workforces, extending the corporate LAN to off-net users and endpoints.

LAN Edge 7.6 Architect Study Guide 156

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
LAN Extension: Extend Security

Residential
Data
Center

Small Business

Public
FortiExtender Cloud
L3 Network / Internet
FortiGate
Small Retail

SaaS
Applications
Bank ATM

© Fortinet Inc. All Rights Reserved. 41

LAN extension is a configuration mode on FortiGate that enables FortiExtender to create remote thin-edge
connectivity to FortiGate through a backhaul connection. This mode extends the LAN to remote branch
offices, offering a plug-and-play experience at these branches. Multiple branch locations connect to the
central FortiGate, with bandwidth usage monitored at the internet connection interface of the FortiExtender
Thin Edge.

Outcomes:
•Extended and Redundant Access: Provides reliable access to light branch networks without relying on
MPLS or DSL.
•Unified Security Policies: Ensures consistent security policies are enforced for both on-network and off-
network users.
•Cost-effective and Scalable Redundancy: Utilizes 5G, LTE, LAN Ethernet, or all three for scalable and
cost-effective network redundancy.

LAN Edge 7.6 Architect Study Guide 157

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
LAN Extension Network Topology
Remote
FortiExtender FortiGate FortiSwitch
Switch

LAN WAN WAN1

FortiLink

Layer 2 VxLAN
WAN2
over IPSec
Tunnel

AP

Server
Secure
Internet
Employees Access

© Fortinet Inc. All Rights Reserved. 42

Microbranches, which often need a lightweight solution for securely forwarding traffic, benefit from
FortiExtender. It acts as a powerful thin branch device, extending the LAN to a remote FortiGate through a
layer 2 VXLAN over an IPsec tunnel. The remote FortiGate serves as the DHCP server for these
microbranches and performs all next-generation firewall (NGFW) functions on the traffic before routing it to its
destination.

When FortiExtender is deployed at a remote location, it automatically detects the FortiGate AC and
establishes an IPsec tunnel back to the FortiGate. Through these IPsec tunnels, a VXLAN is created to
establish a layer 2 network connection between the FortiGate and the network behind the remote
FortiExtender.

Automatic data plane setup:

•Discovery and Authorization
•FortiGate discovers FortiExtender, which requires user authorization.
•A control plane (CAPWAP) connection is established between FortiGate and the remote
FortiExtender.
•Profile Assignment
•FortiGate assigns a default profile to FortiExtender based on its model (for example, the FEX-200
automatically receives the LAN-extension profile).
•A LAN extension interface is automatically created on FortiGate.
•Profile and Tunnel Setup
•The profile is pushed to FortiExtender.
•An IPSec tunnel is established, and a layer 2 VXLAN over the IPSec tunnel is set up to FortiGate.
•The LAN is now extended to remote sites, and FortiGate LAN assigns IP addresses to remote
endpoints connected to the FortiExtender Thin Edge.

LAN Edge 7.6 Architect Study Guide 158

 SD-Branch
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Review the SD-Branch solution
 Configure FortiSwitch VLANs, ports, and trunks
 Configure FortiAPs
 Configure SSIDs
 Review the FortiExtender LAN extension solution

© Fortinet Inc. All Rights Reserved. 43

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about SD-Branch and its components, as well
as FortiSwitch, FortiAP, and FortiExtender configuration when managed by FortiGate and FortiManager.

LAN Edge 7.6 Architect Study Guide 159

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Zero Trust LAN Access

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn how to configure port authentication on FortiSwitch and FortiAuthenticator.

To maintain an enterprise-level approach, most of the information, instructions, and references are based on
the FortiSwitch manager pane on FortiManager. In addition, the information displayed for FortiSwitch manager
is based on per-device management mode. The lesson refers to some features and settings on the FortiGate
CLI or GUI, only when these options cannot be easily configured on FortiManager.

LAN Edge 7.6 Architect Study Guide 160

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Explore 802.1X
• Explore Extensible Authentication Protocol (EAP) methods
• Create FortiSwitch security policies
• Monitor 802.1X clients
• Configure MAC address bypass

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring port authentication, you will be able to control network access for
devices connecting to FortiSwitch.

LAN Edge 7.6 Architect Study Guide 161

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

802.1X Overview

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about 802.1X.

LAN Edge 7.6 Architect Study Guide 162

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
802.1X Overview
• Provides device layer 2 authentication
• Defines the encapsulation of the EAP
• Authentication framework for transporting the client credentials (username/password or certificate)
• Involves three players:
• The supplicant (device that wants to connect)
• The authenticator (wireless access point or switch)
• The authentication server (host that supports RADIUS and EAP)

EAP over LAN (EAPOL) EAP over RADIUS

Supplicant Authenticator Authentication server

(Client) (FortiSwitch) (FortiAuthenticator)

© Fortinet Inc. All Rights Reserved. 4

802.1X is a standard that is designed to provide authentication services to network devices that want to join a
wired or wireless network. The 802.1X standard defines an authentication protocol called EAP. It also defines
how EAP is encapsulated over the LAN (the EAPOL protocol) and RADIUS.

802.1X involves the following three parties:

• The client, also known as the supplicant, is the device that wants to join the network. Its network stack
must support 802.1X.
• The authenticator is a network device, such as a wireless access point or a switch, that acts as the broker
in the authentication process. The authenticator allows or denies network access to the supplicant based
on the response received from the authentication server.
• The authentication server is a host that supports RADIUS and EAP, such as FortiAuthenticator, that
verifies the client credentials. The client credentials can be a username and password, or a digital
certificate. The authentication server also grants the supplicant with a level of network access based on the
existing network policies.

The client is not allowed to access the network until the client credentials are validated and authorized. Using
802.1X authentication, the client provides their credentials to the authenticator, which then passes on the
information to the authentication server for verification. If the authentication server determines that the
credentials are valid, the client device is granted access to the network.

Note that the authenticator does not need to store the client credentials or have knowledge of the
authentication method (for example, PEAP or EAP-TLS). The authentication messages are tunneled from the
client to the authentication server over RADIUS.

LAN Edge 7.6 Architect Study Guide 163

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
802.1X EAP Framework
Client Authenticator Authentication server
(Laptop) (FortiSwitch) (FortiAuthenticator)

Data Blocked!
EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity
RADIUS Access-Request
RADIUS Access-Challenge
EAP-Request/Auth

EAP-Response/Auth
RADIUS Access-Request
RADIUS Access-Accept
EAP-Success

Data
Allowed

© Fortinet Inc. All Rights Reserved. 5

When a client (laptop) connects to a LAN switch that requires 802.1X authentication, the client sends its
credentials to the authenticator (FortiSwitch) using EAP over LAN (EAPOL) frames. The authenticator then
forwards the EAP messages to the authentication server (FortiAuthenticator), which is a RADIUS server that
supports EAP.

Before the client is authenticated, any non-EAPOL traffic sent by the client is blocked by the authenticator.
The client authentication process is as follows:

1. The client sends an EAPOL-Start frame to initiate the EAP authentication.

2. The authenticator replies with an EAP-Request/Identity message to request identification. All EAP
messages exchanged between the client and the authenticator are encapsulated into EAPOL frames.
3. The client responds with an EAP-Response/Identity message that contains the client identity (usually the
username).
4. The authenticator forwards the EAP-Response/Identity message to the authentication server in a RADIUS
Access-Request packet. All EAP messages exchanged between the authenticator and the authentication
server are encapsulated into RADIUS packets.
5. The authentication server replies with a RADIUS Access-Challenge packet containing an EAP-Request
message indicating the authentication method to use by the supplicant.
6. If the supplicant agrees on the requested EAP method, it responds with an EAP-Response message.
7. The client and the authentication server exchange multiple EAP-Request and EAP-Response messages
for credentials verification.
8. The authentication process finishes when the authentication server sends to the client an EAP-Success
message encapsulated into a RADIUS Access-Accept message.
9. At this point, any non-EAPOL traffic, such as IP traffic, is allowed by the authenticator.

LAN Edge 7.6 Architect Study Guide 164

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
RADIUS Access-Request Packet

FortiSwitch ID

Username

Client MAC
address

© Fortinet Inc. All Rights Reserved. 6

The packet capture on this slide shows the RADIUS Access-Request that is sent from a layer 2 switch (acting
as an authenticator) to the authentication server. It contains the switch ID, username, and switch MAC
address.

LAN Edge 7.6 Architect Study Guide 165

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
EAP Methods—EAP-MD5
• Password-based authentication
• Similar to Challenge-Handshake Authentication Protocol (CHAP)
• Sends MD5 hash of the user credentials
• Client is authenticated, but not the server
• Vulnerable to dictionary attacks
• Not recommended, and not supported by FortiAuthenticator

© Fortinet Inc. All Rights Reserved. 7

EAP-Message Digest 5 (EAP-MD5) operates like CHAP. The authentication server sends an MD5 challenge
message, to which the client replies with an MD5 hash of its credentials.

As a result, EAP-MD5 can only authenticate clients, and does not offer a mechanism for authenticating
servers. EAP-MD5 is also known to be vulnerable to dictionary attacks.

This method is not recommended and is not supported by FortiAuthenticator.

LAN Edge 7.6 Architect Study Guide 166

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
EAP Methods—PEAP
• Password-based authentication
• Encapsulates EAP into a TLS tunnel
• A TLS session is established first
• X.509 certificate is used to authenticate the server
• Inside the TLS session, the two most used inner EAP methods are:
• Protected EAP version 0 (PEAPv0) and Microsoft CHAP version 2 (MS-CHAPv2)
• Authenticate the client using MS-CHAPv2
• PEAPv1/EAP-Generic Token Card (EAP-GTC)
• User authentication supports different identification types, including one-time passwords
• Very flexible, but not commonly supported

© Fortinet Inc. All Rights Reserved. 8

In Protected EAP (PEAP), a TLS tunnel is established first. During the TLS tunnel setup, the server is
authenticated using a digital certificate. After the TLS tunnel is established, the client and authentication
server can use any inner EAP method for authentication. However, the two most commonly used inner EAP
methods are:

• PEAPv0/MSCHAPv2: authenticates the client using MSCHAPv2.

• PEAPv1/EAP-GTC: sometimes referred to as simply EAP-GTC. Uses different identification mechanisms

(including one-time passwords) for authenticating clients, which makes it very flexible. FortiAuthenticator
supports it, but it is not commonly supported by other vendors.

LAN Edge 7.6 Architect Study Guide 167

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
EAP Methods—PEAP (Contd)

Supplicant and authentication

server accepted to use PEAP
to continue 802.1X
Supplicant request to use
PEAP in the initial EAP frames

© Fortinet Inc. All Rights Reserved. 9

The supplicant (client) starts the communication by sending an EAPOL frame that includes the identity as well
as the desired authentication type to use in the EAP protocol. This is shown in the example PEAP type on the
slide. The response from the authentication server challenges the supplicant and initiates the process of
selecting which EAP method to use, ensuring it is supported by all devices. You can see that the subsequent
frame includes the type of EAP frame—Protected EAP (EAP-PEAP)—which is the method that will be
used by all devices: the supplicant, the authenticator, and the authentication server.

LAN Edge 7.6 Architect Study Guide 168

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
EAP Methods—EAP-TLS
• Certificate-based authentication
• Standard, original wireless authentication protocol
• Can also be used in wired networks
• TLS is used for encryption and authentication
• Client and server require a X.509 certificate
• Widely supported among vendors

© Fortinet Inc. All Rights Reserved. 10

EAP-TLS is one of the most popular EAP methods for authenticating both wireless and wired devices. It is
also regarded as one of the most secure methods, primarily because it not only uses TLS to encrypt the
messages exchanged between the client and authentication servers, but also authenticates both parties using
digital certificates.

LAN Edge 7.6 Architect Study Guide 169

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
EAP Methods—EAP-TLS (Contd)

Supplicant uses TLS

EAP Supplicant receives
Server Hello and the
certificate to validate

© Fortinet Inc. All Rights Reserved. 11

When the supplicant uses TLS EAP (EAP-TLS), it starts validating the server certificate (the authentication
server) with a Client Hello frame after it establishes EAP communication with the authenticator. The
authentication server then responds with a Server Hello, along with the certificate for the client to validate. The
rest of the process follows the client-authenticated TLS handshake encapsulated within EAP frames. The
client follows by providing its certificate for validation and so on.

LAN Edge 7.6 Architect Study Guide 170

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
EAP Methods—EAP-TTLS
• Certificate or password-based authentication
• A TLS session is established first
• An X.509 certificate is used to authenticate the server
• Inside the TLS session, attribute-value pairs (AVP) are interchanged
• These AVPs authenticate the client using:
• Any inner EAP method
• A legacy authentication protocol, such as Password Authentication Protocol (PAP) or CHAP

© Fortinet Inc. All Rights Reserved. 12

Another method is EAP tunneled TLS (EAP-TTLS). With this method, AVPs authenticate clients using either
any inner EAP method or a legacy authentication protocol, such as PAP or CHAP.

LAN Edge 7.6 Architect Study Guide 171

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
EAP Methods Supported by FortiAuthenticator
EAP-TLS EAP-TTLS PEAP
Protocol TLS session that Establishes a TLS Establishes a TLS session, and
validates server session, and supports two versions:
and client exchanges AVPs • PEAPv0/EAP-MS-CHAPv2 (PEAP on
certificates GUI)
• PEAPv1/EAP-GTC (EAP-GTC on GUI)
Server certificate Required Required Required
Client certificate Required Optional Optional
Server authentication X.509 certificate X.509 certificate X.509 certificate
Client authentication X.509 certificate Various identification • MS-CHAPv2
types over AVPs • Various identification types over GTC

© Fortinet Inc. All Rights Reserved. 13

FortiAuthenticator supports EAP Transport Layer Security (EAP-TLS), EAP Tunneled Transport Layer
Security (EAP-TTLS), and PEAP. Although on its GUI, FortiAuthenticator displays EAP-TLS, EAP-TTLS,
PEAP, and EAP-GTC, note that PEAP and EAP-GTC refer to PEAPv0/EAP-MS-CHAPv2 and PEAPv1/EAP-
GTC, respectively.

In all these methods, a TLS session is established first, and a digital certificate is used for authenticating the
server. The way clients are authenticated varies from one method to another.

LAN Edge 7.6 Architect Study Guide 172

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

802.1X Authentication on FortiSwitch

© Fortinet Inc. All Rights Reserved. 14

In this section, you will learn about 802.1X authentication on FortiSwitch.

LAN Edge 7.6 Architect Study Guide 173

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiSwitch Security Policies
FortiSwitch Manager > Managed FortiSwitches > Managed
FortiGate > Port Policies > Security Policies Select MAC-based when you want
to authenticate multiple hosts
behind a port

VLAN for guest users with

restricted access

Authentication delay for guest

VLANs

VLAN with restricted access for

users who fail to authenticate

Enable MAC authentication bypass

(MAB) for non-802.1X devices
Disable to terminate EAP on
FortiSwitch (not FortiGate) to
Override local reauthentication timeout value authenticate against its local
(set to 60 mins by default) database users
© Fortinet Inc. All Rights Reserved. 15

To configure 802.1X port authentication on FortiSwitch, you must first create a security policy. When you
configure a security policy, you must select Port-based or MAC-based as the Security mode. Port-based is
preferred when you expect a single host per port to authenticate, even though there may be multiple hosts
connecting to the same port. Under this scenario, FortiSwitch authenticates a single host, and opens the port
to other devices behind the port. A use case for this scenario could be an access point (AP). After the AP
authenticates against the switch, any of its connected devices can access the network despite using a
different MAC address from the one used by the AP during authentication. In addition, all devices will be
granted the same access level assigned to the AP during authentication. However, if you want to authenticate
each device behind a port, and optionally, grant each device a different access level based on the credentials
provided, then MAC-based is required. Security-wise, MAC-based is also preferred because all hosts (or
MAC addresses) behind the port must authenticate for accessing the network. Performance-wise, port-based
is better because only a single host is required to authenticate.

In cases where a device does not support 802.1X, you can configure the security profile to place that device in
the VLAN selected as Guest VLAN. Alternatively, you can enable MAC authentication bypass to allow
network access to a non-802.1X device, provided the device MAC address is authorized on the authentication
server. You can also place devices that try to authenticate through 802.1X, but fail, in the VLAN selected as
Authentication fail VLAN.

You can disable EAP pass-through if the FortiSwitch role is to authenticate users against its local users
database, or if the authentication server does not support EAP. The authentication process is only performed
by FortiSwitch. FortiGate only pushes the settings to route EAP to the authentication server. As an 802.1X
authentication server, FortiSwitch supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5. Finally, if you
enable Override RADIUS timeout, the switch overrides the local reauthentication timer with the session-
timeout attribute value received from the RADIUS server.

LAN Edge 7.6 Architect Study Guide 174

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Assigning a Security Policy to a Port
FortiSwitch Manager > Managed FortiSwitches

Select Security Policy

© Fortinet Inc. All Rights Reserved. 16

After creating the security policies, you define which policy is applied to a FortiSwitch port. 802.1X
authentication is enabled only on ports that have a security policy assigned to them.

LAN Edge 7.6 Architect Study Guide 175

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiSwitch 802.1X Settings When link goes down:
set-unauth—(default) each device will
config switch-controller 802-1x-settings
set link-down-auth {set-unauth | no-action} need to reauthenticate
no-action—Reauthentication is not
set reauth-period <minutes>
set max-reauth-attempt <attempts> required
set tx-period <seconds>
How often the client needs to re-authenticate
end
(default is 60)
Time in between 802.1X Number of reattempts if 802.1X
reattempts (default is 30) authentication fails (default is 3)

config switch-controller managed-switch

edit <switch_id>
config 802-1x-settings
each switch
Enable to override values per switch
set local-override {disable | enable}
set link-down-auth {set-unauth | no-action}
set reauth-period <minutes>
set max-reauth-attempt <attempts>
set tx-period <seconds>
end
end

© Fortinet Inc. All Rights Reserved. 17

There are four 802.1X settings that you can configure either globally or per switch on the FortiGate CLI:

• link-down-auth: By default, FortiSwitch clears the 8021.X authentication information for a device after
the port the device is connected to bounces, which results in the device having to authenticate again.
However, you can configure FortiSwitch to skip reauthentication if the port bounces.
• reauth-period: FortiSwitch requests authenticated devices to reauthenticate every hour by default. This
option allows you to adjust this timer if needed.
• max-reauth-attempt: Defines how many times FortiSwitch tries to authenticate a device after the first
failed authentication attempt.
• tx-period: Sets the amount of time between 802.1X reauthentication attempts.

LAN Edge 7.6 Architect Study Guide 176

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Monitoring 802.1X Ports
FortiGate # diagnose switch-controller switch-info 802.1X
Managed Switch : S224EPTF19006016
802.1X security mode
port2 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
Authentication state
Dynamic Authorized Vlan : 0
Dynamic Allowed Vlan list:
Dynamic Untagged Vlan list:
EAP pass-through : Enable
EAP egress-frame-tagged : Enable VLAN-related settings
EAP auto-untagged-vlans : Enable
Allow MAC Move : Disable
Dynamic Access Control List : Disable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 10
Allowed Vlan list: 10,4093
Untagged Vlan list: 4093
Guest VLAN : Device MAC address
Auth-Fail Vlan :
AuthServer-Timeout Vlan :
EAP method Authentication state
Sessions info:
70:88:6b:8c:4b:0e Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=11 params:reAuth=3600

© Fortinet Inc. All Rights Reserved. 18

The FortiGate CLI command on this slide displays the 802.1X status for each switch port performing 802.1X
authentication. The output indicates the 802.1X security mode in use, whether the device has been authorized
or not, as well as the EAP method used for authentication. The output also shows important information, such
as the device MAC address, quarantine VLAN, native VLAN, allowed VLANs, guest VLAN, and authentication
fail VLAN.

LAN Edge 7.6 Architect Study Guide 177

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Active Directory Machine Authentication
• Active Directory (AD) machine authentication is performed by a Windows workstation,
even before the Windows login screen appears
• Commonly occurs on startup
• FortiAuthenticator supports machine authentication
• It caches authenticated devices based on MAC address, for a configurable period (480 mins by default)

Machine Machine
authentication authentication

Supplicant Authenticator Authentication server

(Windows workstation) (FortiSwitch) (FortiAuthenticator)

© Fortinet Inc. All Rights Reserved. 19

In Windows environments, there are two types of 802.1X authentication: AD machine authentication, and user
authentication.

AD machine authentication is performed by the Windows OS, which sends its computer object credentials
before the Windows login screen appears. Machine authentication typically occurs during startup or logout,
but not when Windows devices resume from sleep or hibernation. To ensure previously authenticated devices
continue to have access to the network after they resume from sleep or hibernation states, FortiAuthenticator
caches authenticated devices based on their MAC addresses, for a configurable period of time.

Machine authentication is supported only by Windows workstations in Windows AD environments.

LAN Edge 7.6 Architect Study Guide 178

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
User Authentication
• User authentication is performed when a user is logging in to the network
• FortiAuthenticator supports user authentication

User User User

authentication authentication authentication

User Workstation Authenticator Authentication server

(FortiAuthenticator)

© Fortinet Inc. All Rights Reserved. 20

User authentication is performed by a user when that user is logging in to the network.

This is the traditional type of 802.1X authentication that is not restricted to Windows workstations. It is
supported by almost all operating systems.

LAN Edge 7.6 Architect Study Guide 179

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Machine and User Authentication
• FortiAuthenticator also supports the use of both machine and user authentication
• You can limit access to the network based on machine credentials
• User authentication can occur after machine authentication
• You can grant further access to the network based on user credentials

Machine Machine
authentication authentication

User User User

authentication authentication authentication
User Windows workstation Authenticator Authentication server
(FortiAuthenticator)

© Fortinet Inc. All Rights Reserved. 21

Windows environments can combine machine and user authentication. In these cases, you can use
FortiAuthenticator to override the user group based on which type of authentication was used by each client.

For example, you can provide limited network access to clients (for example, only Active Directory servers)
that have done machine authentication, but have not done user authentication yet. After user authentication is
successful, you can then grant further access to the network, based on user credentials. In the meantime, you
can block access to users that have done user authentication, but have not done machine authentication
(which indicates that they are connecting from unauthorized devices).

LAN Edge 7.6 Architect Study Guide 180

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Machine Authentication With FortiAuthenticator
Authentication > RADIUS Service > Policies > Authentication factors

Enable machine authentication

• You can assign different groups based on whether the client is:
• Machine-only authenticated
• For example, provide limited access
• User-only authenticated
• For example, provide limited or full access
• Both machine and user authenticated
• For example, provide full access

© Fortinet Inc. All Rights Reserved. 22

On FortiAuthenticator, you enable machine authentication by enabling Windows AD computer

authentication in the Authentication factors section of the matching RADIUS policy.

After you enable machine authentication, you can override the user group that is returned by
FortiAuthenticator for clients that have done either machine-only or user-only authentication. Since the user
group returned by FortiAuthenticator is often used by the authenticator, such as FortiSwitch, to assign a VLAN
to the device, you can control the level of network access based on the returned user group. Usually, you
want to grant full access to devices that have performed both machine authentication and user authentication,
and limited access to devices that have done machine authentication or user authentication only.

LAN Edge 7.6 Architect Study Guide 181

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Machine Authentication—Return Attributes
• Configure RADIUS attributes to assign different groups and control network access

Authentication > RADIUS Service > Policies > RADIUS response

Machine-only
authentication
Configure additional
attributes to return a
user group in case 1

© Fortinet Inc. All Rights Reserved. 23

The list of returned attributes, which can include a user group, are configured in the RADIUS response
section of the matching RADIUS policy. The following are examples of controlling network access on devices
based on their authentication status:
• Devices that do both machine authentication and user authentication are assigned their normal user
groups, and therefore, granted full network access.
• Devices that do only machine authentication can be assigned a user group that grants limited network
access. FortiAuthenticator does not return the configured (or normal) user group as a RADIUS attribute.
Instead, it offers you the option to return additional RADIUS attributes, including a different user group,
which can have limited access to the network.

LAN Edge 7.6 Architect Study Guide 182

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Machine Authentication—Return Attributes (Contd)
• Return additional attributes using a custom use case for devices using only user
authentication
Authentication > RADIUS Service > Policies > RADIUS response

User-only
authentication

Machine and user

authentication Configure additional
attributes to return a
user group in case 2

© Fortinet Inc. All Rights Reserved. 24

To limit access for unauthenticated users, you can configure additional attributes to return based on custom
use cases. Devices that do only user authentication can be assigned the normal user group, which provides
full network access, or a different user group that grants limited access.

LAN Edge 7.6 Architect Study Guide 183

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
802.1X Guest VLAN and Unauthorized Hosts
• Compatible hosts to authenticate
• If successful, assign configured VLAN
• If unsuccessful, assign failed authentication VLAN
• Incompatible hosts to assign guest VLAN
FortiSwitch Manager > Managed FortiSwitches > Port Policies > Security Policies
Guest VLAN assigned without
authentication

Failed authentication VLAN

assigned if failed to authenticate
a specific number of times

© Fortinet Inc. All Rights Reserved. 25

Create a guest VLAN and a failed authorization VLAN to dynamically assign them to hosts when they attempt
to access the network.

Unauthenticated hosts are assigned to the Guest VLAN after the 802.1X authentication times out.

In addition, hosts that fail to authenticate (for example, compatible host with incorrect credentials), are
assigned to the Authentication fail VLAN.

Each VLAN may provide DHCP service to allocate IP addresses to hosts.

LAN Edge 7.6 Architect Study Guide 184

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
MAC Authentication Bypass
• FortiSwitch can authenticate devices that do not support 802.1X
• Supplicant MAC address is used for the username and password

Supplicant Authenticator Authenticator server

(Client) (FortiSwitch) (FortiAuthenticator)

EAP-Request/Identity
EAP-Request/Identity
802.1X timeout
EAP-Request/Identity

Frame
RADIUS Access-Request

RADIUS Access-Accept

© Fortinet Inc. All Rights Reserved. 26

MAC authentication bypass (MAB) allows access to devices that do not support 802.1X authentication. When
MAB is enabled in the security policy, and the 802.1X authentication times out, FortiSwitch performs the
authentication on behalf of the connected device. For this purpose, FortiSwitch sends a RADIUS Access-
Request, using the MAC address of the device as the username, and the encrypted MAC address of the
device as the password. You can configure FortiAuthenticator with a list of MAC addresses that are allowed to
access the network without 802.1X authentication. If the MAC address of the device is included in this list, the
device is authorized.

LAN Edge 7.6 Architect Study Guide 185

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Set Order of 802.1X and MAB Authentication Methods
• The sequence in which the
authentication methods 802.1x and
CLI Console
MAB are executed can now be
config switch-controller security-policy 802-1X
managed edit “Example-Policy“
set mac-auth-bypass enable
• This enables users to prioritize one set auth-order [ *mab-dot1x | do1x-mab | mab ]
method over the other based on their set auth-priority [ *legacy | dot1x-mab | mab-do1x ]
next
specific network security requirements end

• Auth priority:
• legacy - EAP 1X has a higher priority than
MAB with legacy
• dot1x-MAB - EAP 1X has a higher priority
than MAB
• MAB-dot1x - MAB has a higher priority than
EAP 1X

© Fortinet Inc. All Rights Reserved. 27

You may need to set the priority between MAB and EAP for 802.1X.

FortiOS offers flexibility in managing the authentication priority between MAB and EAP for 802.1X on
managed FortiSwitches. Previously, EAP 802.1X had absolute priority over MAB, meaning that devices
attempted EAP authentication first, with MAB as a fallback. This rigid order could be problematic in
environments where certain devices were not compatible with EAP. Now you can tailor the authentication
process to meet specific network security needs. You can choose to maintain the legacy priority, prioritize
EAP first, or prioritize MAB first, offering greater control over the authentication flow.

Additionally, FortiOS offers a MAB-only authentication mode, which is particularly useful in scenarios where
EAP is unnecessary or unsupported. By allowing managed FortiSwitches to skip EAP and rely solely on MAB,
this mode simplifies the authentication process for certain device types, like IoT devices or legacy equipment.
These changes provide more granular control over the authentication process, enabling you to better align
network access protocols with the capabilities and requirements of connected devices.

LAN Edge 7.6 Architect Study Guide 186

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
RADIUS Access-Request Sniffer for MAB

FortiSwitch ID

User-Name is the MAC

address of the client

User-Password is the encrypted

MAC address of the client

© Fortinet Inc. All Rights Reserved. 28

The packets captured on this slide show the RADIUS Access-Request when MAB is used. It includes the
FortiSwitch ID, client MAC address (as the username), encrypted client MAC address (as the password), and
the client MAC address (as the Calling-Station-ID).

LAN Edge 7.6 Architect Study Guide 187

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
MAB and FortiSwitch

FortiSwitch Manager > FortiSwitch Policies > Security Profiles

Enable MAC Authentication

Bypass

© Fortinet Inc. All Rights Reserved. 29

In FortiSwitch, you enable MAC Authentication Bypass for each security policy.

LAN Edge 7.6 Architect Study Guide 188

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
MAB and FortiAuthenticator
Authentication > User Management > MAC Devices Authentication > User Management > User Groups

Create a MAC user group with

the MAC device(s) as member(s)

Authentication > RADIUS Service > Policies > Authentication type

Add the MAC address of
supplicants

Authentication > RADIUS Service > Policies > Identity source

Enable MAB

Enable to ensure RADIUS Access-Request is for MAB

Selected Authorized groups and Blocked groups

© Fortinet Inc. All Rights Reserved. 30

To have FortiAuthenticator work with MAB, you must add the MAC address of every supplicant on the
FortiAuthenticator MAC Devices page. After that, you must create one or more MAC groups on the User
Groups page, and then add the MAC devices to their respective MAC groups.

The next step is to enable MAC authentication bypass (MAB) in the Authentication type section of the
matching RADIUS policy. Then, in the Identity source section, select the MAB groups that are part of the
Authorized groups or the Blocked groups.

Finally, it is recommended that you enable the Require Call-Check attribute for MAC-based
authentication. Since MAB uses the device MAC address as the username and password, enabling this
option instructs FortiAuthenticator to also check that the RADIUS Access-Request received from the network-
attached storage (NAS) includes the Service-Type attribute, and it is set to Call-Check. By performing this
additional verification, FortiAuthenticator prevents processing non-MAB requests, which may also contain the
device MAC address in a RADIUS attribute, as MAB requests. Enabling Require Call-Check attribute for
MAC-based authentication does not require additional configuration on FortiSwitch. FortiSwitch always
includes the Service-Type attribute set to Call-Check in all its MAB requests.

LAN Edge 7.6 Architect Study Guide 189

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
802.1X Port-Based Authentication
Start

Is an No 802.1X MAC No
802.1X authentication bypass
client? times out enabled
Yes Yes

Start 802.1X Use MAC

authentication bypass
Invalid Valid Valid MAC Invalid MAC
credentials credentials address address

Assign to Assign to Assign to

Assign to
auth. fail user VLAN guest VLAN
user VLAN
VLAN

Done Done Done Done

© Fortinet Inc. All Rights Reserved. 31

This slide shows the authentication process when 802.1X is combined with MAB. When a physical device is
connected to an 802.1X port, FortiSwitch waits for the EAPOL-Start packet.

If FortiSwitch receives an EAPOL-Start packet from the connected device, the 802.1X authentication starts.
FortiSwitch checks the credentials against a RADIUS server, with the following results:

• If the credentials are invalid, and Authentication fail VLAN is enabled, traffic from the device is allowed
and assigned to the authentication fail VLAN.
• If the credentials are invalid, and Authentication fail VLAN is disabled, traffic from the device is blocked.
• If the credentials are valid, traffic from the device is allowed and assigned to the respective user VLAN.

If FortiSwitch does not receive EAPOL-Start packets after a certain amount of time, the 802.1X authentication
times out. After that, the source MAC address of the device is checked, with the following results:

• If MAC bypass is disabled, the traffic is assigned to the guest VLAN (or blocked, if Guest VLAN is
disabled).
• If MAC bypass is enabled, but the source MAC address is not in the MAB table, the traffic is assigned to
the guest VLAN (or blocked, if Guest VLAN is disabled).
• If MAC bypass is enabled, and the source MAC address is in the MAB table, the traffic is allowed and
assigned to the respective user VLAN.

LAN Edge 7.6 Architect Study Guide 190

 Zero Trust LAN Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Explore 802.1X
 Explore EAP methods
 Create FortiSwitch security policies
 Monitor 802.1X clients
 Configure MAC address bypass

© Fortinet Inc. All Rights Reserved. 32

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure port authentication on
FortiSwitch and FortiAuthenticator.

LAN Edge 7.6 Architect Study Guide 191

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Advanced Features

FortiOS 7.6
Last Modified: 5 February 2025

In this lesson, you will learn about network access control (NAC), dynamic VLANs, and best practices for both
wired and wireless networks.

LAN Edge 7.6 Architect Study Guide 192

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Describe FortiLink NAC
• Discuss dynamic VLANs and VLAN pooling
• Configure WIDS and detect rogue APs
• Explore best practices for wired and wireless networks

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in these advanced features, you will be able to implement solutions that result
in a robust and secure LAN Edge network.

LAN Edge 7.6 Architect Study Guide 193

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

FortiLink NAC

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about FortiLink NAC and its application to devices connected to the network
through FortiSwitch devices.

LAN Edge 7.6 Architect Study Guide 194

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiLink NAC

Simplicity Visibility Security

• Easy deployment, no design • Automatic discovery of endpoints • Dynamic policy application

changes, no overlay and devices
• Enable devices on ports
• Defaults are ready to go • FortiGuard IoT service available or entire network

© Fortinet Inc. All Rights Reserved. 4

FortiLink NAC is a solution that combines security and networking to simplify secure device onboarding for
LAN environments. FortiLink NAC uses the FortiLink protocol to extend firewall policies across FortiSwitch
devices and FortiAP access points (AP). FortiLink NAC is a rules-based system that automates device
onboarding by placing devices in an onboarding VLAN until their security posture is verified.

The system allows you to configure rules based on device properties, such as a MAC address, ensuring
proper VLAN assignment. It also provides specific functionalities for managing Internet of Things (IoT) devices
through the Fortinet regularly updated IoT service, addressing challenges with emerging device types.

LAN Edge 7.6 Architect Study Guide 195

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Matched NAC Devices on FortiGate
• Dashboard widget
• Under Assets & Identities
• Easy to locate device
• Search and filter options

Dashboard > Assets & Identities > Matched Devices

© Fortinet Inc. All Rights Reserved. 5

The Matched NAC Devices dashboard widget in FortiOS provides a clear view of devices connected through
FortiSwitch, making it easier for you to track network assets and user identities.

It consolidates asset and identity information, helping to ensure that all connected devices are properly
identified and managed, which is essential for maintaining network security and visibility.

Additionally, the widget simplifies the process of locating devices across the network. It groups devices based
on their connections and provides detailed information, such as MAC addresses, IP addresses, and device
types. This feature allows administrators to quickly identify specific devices, ensuring they can address any
potential issues or security concerns in real time.

To further enhance usability, the search and filter options within the widget allow users to quickly pinpoint
devices based on customizable criteria. This makes it easier to manage large networks, where manually
locating devices can be time-consuming. With these tools, network administrators gain better control and
oversight of their FortiLink network infrastructure

LAN Edge 7.6 Architect Study Guide 196

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Device Detection + FortiGuard Services
• Detect any device and its vulnerabilities
• Attack surface security rating
• Iot detection
• OT security service
• Vulnerabilities
WiFi & Switch Controller > FortiSwitch Ports

© Fortinet Inc. All Rights Reserved. 6

FortiLink device detection, combined with FortiGuard Services, enables comprehensive device identification
and vulnerability detection. It allows FortiGate to automatically detect any device connected to the network
and analyze its potential security risks. By identifying device types and their associated vulnerabilities,
administrators can take proactive steps to secure the network.

If FortiGate cannot detect a device locally, it sends the unknown device's data to the FortiGuard servers,
which then provide additional information about the device. This requires FortiGate to have a FortiGuard
license and be connected to a FortiGuard server.

With the FortiGuard Attack Surface Security Service and IoT Detection, FortiGate assesses the security
posture of connected devices, especially IoT devices, which often have weak security settings. This feature
helps you to monitor and control the growing attack surface created by numerous IoT endpoints, by detecting
and identifying connected IoT devices and assessing their vulnerabilities.

You can configure NAC policies to detect IoT devices with different levels of vulnerabilities and dynamically
assign these devices to a quarantine VLAN. This ensures that devices with identified security risks are
isolated and mitigated.

LAN Edge 7.6 Architect Study Guide 197

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiLink NAC Policies—NAC With FortiGate and
FortiSwitch
• Automatic discovery of endpoints and devices
• Dynamic policy assignment based on device status
• ZTNA tags
• Vulnerabilities
• FortiVoice tags
• Leverages FortiGuard OT/IoT security services to identify any
device and its vulnerabilities
WiFi & Switch Controller > NAC Policies

© Fortinet Inc. All Rights Reserved. 7

NAC policies combined with the FortiLink protocol in FortiGate, help to discover devices and assign
appropriate policies based on their security status. This helps you to make sure the detected devices receive
correct network permissions and restrictions. NAC uses device or user information, such as the device type or
OS, to assign traffic to a specific VLAN or apply port settings. You can activate NAC on all FortiSwitch ports,
or specific ones. Initially, devices connect to an onboarding VLAN with restrictive security, where device
identification occurs. Once a device matches a NAC policy, actions like VLAN reassignment or security policy
application are taken.

FortiLink NAC supports policies that are defined based on various device attributes, such as manufacturer,
operating system, user groups, and security factors like vulnerabilities or zero trust network access (ZTNA)
and FortiVoice tags. These rules help classify devices, and based on this classification, devices are assigned
to specific VLANs. The VLAN assignment is handled through VLAN subinterfaces, which are created on the
physical interfaces that manage the network traffic for these assigned VLANs, enabling control of network
segmentation and security. This feature allows the network to automatically assign devices to specific VLANs
based on user credentials, device type, or other attributes, ensuring users or devices are placed in the correct
network segment.

Because of the frequent introduction of new devices, IoT devices present a unique challenge in the network,
particularly when applying NAC policies to those new devices. To address this challenge, you can take
advantage of the FortiGuard OT/IoT service for FortiGate, which maintains a regularly updated list of devices.
This service is integrated with FortiLink NAC, allowing for more effective and up-to-date enforcement of NAC
rules, ensuring optimal functionality in managing and securing IoT devices on the network.

LAN Edge 7.6 Architect Study Guide 198

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Virtual Patching
WiFi & Switch Controller > NAC Policies
•Isolate and protect vulnerable devices
•Dynamic policy assignment based on
device vulnerability status
•FortiLink NAC isolates device in
separate VLAN segment
•IPS virtual patching dynamically applied
to protect device
WiFi & Switch Controller > NAC Policies

© Fortinet Inc. All Rights Reserved. 8

Virtual patching is designed to isolate and protect vulnerable devices within the network. Virtual patching
provides immediate defense against security gaps, offering protection while administrators work on
permanent solutions, and includes signatures for specific OT systems developed in collaboration with
vendors.

In order to use this feature you must have a valid Attack Surface Security Rating Service license

When a device is detected as vulnerable, FortiLink NAC can automatically isolate it by placing the device in a
separate VLAN through VLAN segmentation, limiting its interaction with the rest of the network and reducing
the potential for exploitation.

IPS virtual patching can be applied dynamically to protect vulnerable devices by addressing security gaps
before a permanent fix or patch is available.

LAN Edge 7.6 Architect Study Guide 199

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Dynamic Port Policies
• Dynamically change port properties depending WiFi & Switch Controller > FortiSwitch Port Policies >
on device detected Dynamic Port Policy

• VLAN policy
• LLDP profile
• QoS policy
• 802.1X policy

• Very useful for networking devices

• Wireless APs
• IP phones
• Routers and firewalls

© Fortinet Inc. All Rights Reserved. 9

Dynamic port policies allow you to define rules that automatically adjust port configurations based on the type
of device detected.

This feature enables the automatic application of various policies, such as VLAN assignments, Link Layer
Discovery Protocol (LLDP) profiles, quality-of-service (QoS) settings, and 802.1X policies based on the device
detected.

After setting up FortiLink policy configurations on FortiSwitch, you can add dynamic port policy rules. When a
device matches the specified criteria, the switch controller automatically adjusts the port settings accordingly.
These policies are especially valuable for devices like wireless APs, IP phones, routers, and firewalls,
simplifying network management by dynamically assigning optimal configurations and reducing the risk of
configuration errors.

LAN Edge 7.6 Architect Study Guide 200

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Dynamic VLANs

© Fortinet Inc. All Rights Reserved. 10

In this section, you will learn how to configure dynamic VLAN and VLAN pooling features using FortiManager.

LAN Edge 7.6 Architect Study Guide 201

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Dynamic VLANs—Enterprise RADIUS Authentication
• The dynamic VLAN option is available when using enterprise security mode with
RADIUS authentication
• RADIUS server must send the following attributes:
• IETF 64 (tunnel type)—Set this to VLAN
• IETF 65 (tunnel medium type)—Set this to IEEE 802
• IETF 81 (tunnel private group ID)—Set this to the VLAN ID
• The RADIUS server can also send additional attributes, either standard or
vendor-specific, such as Fortinet-Group-Name
AP Manager > SSID

Dynamic VLAN becomes

available when using enterprise
security with RADIUS

© Fortinet Inc. All Rights Reserved. 11

The option to add dynamic VLANs to the SSID is available on FortiGate in both tunnel and bridge mode. You
can apply a dynamic VLAN to SSIDs in which WPA2 Enterprise or WPA3 Enterprise are selected in the
Security Mode field, and RADIUS Server is enabled in the Authentication field.

The RADIUS server sends all the required attributes after a successful authentication. The RADIUS server
must send the following attributes to FortiGate:

• IETF 64 set to VLAN: This attribute tells FortiGate that VLAN information is attached to the RADIUS
response.
• IETF 65 set to IEEE 802: This attribute tells FortiGate that the IEEE 802 attribute is attached to the
RADIUS response.
• IETF 81 set to VLAN ID: This attribute tells FortiGate to attach the user to the specified VLAN ID interface.

The RADIUS server then passes back the following optional attributes as part of the RADIUS accept
response.

• Fortinet-Group-Name
• Tunnel-Type
• Tunnel-Medium-Type
• Tunnel-Pvt-Group-ID

You must configure all the VLANs on FortiGate along with corresponding firewall polices either directly or by
using FortiManager.

LAN Edge 7.6 Architect Study Guide 202

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Dynamic VLANs—MAC RADIUS Authentication
• It is also possible to dynamically assign a AP Manager > SSID
VLAN and firewall group on non-
enterprise wireless networks
• The following RADIUS attributes are
added by FortiGate during RADIUS MAC
authentication:
• Called Station Identifier
• NAS IPv4 Address
• NAS Identifier
• NAS Port Type
• The RADIUS server can then return:
• Fortinet-Group-Name
• Filter-ID
• Tunnel-Type
• Tunnel-Medium-Type
• Tunnel-Pvt-Group-ID

© Fortinet Inc. All Rights Reserved. 12

It is also possible to add dynamic VLANs to a non-enterprise network. Traditionally, open or pre-shared key
networks did not allow for the dynamic allocation of VLANs. But, MAC filtering using RADIUS, now makes it
possible to pass back the following attributes to the RADIUS server when authenticating clients using their
MAC addresses:
• Called Station Identifier
• NAS IPv4 Address
• NAS Identifier
• NAS Port Type

This allows the RADIUS server to authenticate a device using its MAC address and a pre-shared key,
resulting in two factors of authentication. The RADIUS server then passes back the following optional
attributes as part of the MAC authentication RADIUS response:
• Fortinet-Group-Name
• Tunnel-Type
• Tunnel-Medium-Type
• Tunnel-Pvt-Group-ID

This allows the client to be assigned a VLAN and a Fortinet group name attribute to allow dynamic VLANs and
dynamic firewall policies.

LAN Edge 7.6 Architect Study Guide 203

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
IoT Device Segregation
Many internet of things (IoT) devices are difficult to control because of limited wireless
authentication support
RADIUS MAC authentication now allows:
• A single pre-shared key network to support multiple device types
• Maximizes wireless network efficiency
• Two-factor authentication: PSK or MPSK and MAC address
• Optional application of firewall polices based on MAC address
• Optional VLAN assignment based on MAC address
• Ability to optionally park other clients and apply default VLAN and firewall policy

© Fortinet Inc. All Rights Reserved. 13

Many simple IoT devices can’t support a full WPA2 enterprise supplicant. Many smart plugs, thermostats and
other wireless devices connect to a wireless network using a pre-shared key. While this level of security may
be sufficient for small home-based networks, in enterprise environments with many devices, using only a
single pre-shared key can be a significant issue to manage and troubleshoot IoT devices.

In an attempt to control IoT devices, enterprises often publish multiple pre-shared key wireless networks,
assigning each of them their own VLAN. Doing this can cause significant management overhead and potential
wireless performance issues, because of the number of networks being broadcast.

RADIUS MAC authentication allows you to control the access of IoT devices. FortiGate sends and receives
RADIUS attributes to allow the dynamic allocation of both a VLAN and a firewall policy using a suitably
configured RADIUS server. In addition to MAC authentication, you can add a second factor in the form of a
pre-shared key or, if multiple pre-shared keys are enabled, a choice of key. This enables connection
encryption and a second factor of identity.

It is now possible to publish a single, pre-shared key-based network that serves multiple purposes. It could
allow printers and IoT devices to be connected and controlled, assigning them to their own VLANs and firewall
policies, while still allowing normal pre-shared clients, such as guests, to connect and gain access.

LAN Edge 7.6 Architect Study Guide 204

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
VLAN Pooling
• Allows the assignment of VLANs to AP Manager > SSID

wireless clients using a pool

Dynamic VLAN
• Pools are defined using tag numbers Assignment must be
disabled
• There are three VLAN pooling methods:
• Managed AP Group
• Assign VLAN from pools based on AP location
• Round Robin
• VLAN with least number of clients is assigned
to new connections
• Hash
• FortiOS assigns a VLAN based on a hash of
the current number of SSID clients and the
number of entries in the VLAN pool

• VLAN pooling load balancing is available

for tunnel mode only
Enable pooling by
specifying load balance Add the VLAN tags to
method be used in the pool

© Fortinet Inc. All Rights Reserved. 14

VLAN pooling is a mechanism that allows a single SSID to egress traffic into multiple VLANs. This feature is
useful in large deployments and can break down the broadcast domain, rather than putting all wireless clients
into a single subnet. Large broadcast domains can potentially cause performance problems in a wireless
network, and traditionally /24 subnets are used to control the size of the domain. However, this can limit the
number of clients that can connect to an SSID if it supports only one VLAN. With VLAN pooling, you can
assign multiple VLANs to a single SSID, removing any client limit and preserving an efficient IP network.

VLANs are added to each SSID profile using a tag number. The VLANs are automatically created when the
SSID profile is assigned to a controller. There are two options available in the VLAN pooling configuration that
provide load balancing options for wireless clients: round robin and hash.

The Managed AP Group load balance method assigns VLANs from pools based on AP location. When you
enable the Round Robin option, the least busy VLAN is assigned to new clients. When you enable the Hash
option, a VLAN is assigned based on the hash value of the current number of clients connected to the SSID
and the number of VLANs available in the pool.

VLAN pooling load balancing is available for SSIDs operating in tunnel mode.

LAN Edge 7.6 Architect Study Guide 205

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

WIDS and Rogue AP Management

© Fortinet Inc. All Rights Reserved. 15

In this section, you will learn how to implement a wireless intrusion detection system (WIDS), and configure it
to detect and manage rogue access points (AP) and SSIDs.

LAN Edge 7.6 Architect Study Guide 206

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Wireless Threats
• A wireless intrusion attempt
• Bad actors use exploits to bypass security and access your wireless network
• Rogue AP types:
• True rogue—Malicious AP placed to compromise security
• Wired rogue AP—Connected to your network, installed inside your perimeter.
• Rogue AP—Placed inside your perimeter, but not connected to your infrastructure
• Uncontrolled APs—Placed inside your perimeter, may be connected to the infrastructure but
not for malicious purposes
• Interferer AP—An AP that is adjacent to your airspace
• Neighboring APs causing interference because of poor channel configuration

© Fortinet Inc. All Rights Reserved. 16

Bad actors are increasingly targeting wireless networks. The inability to fully control where a wireless signal
propagates makes it attractive to hackers to attack a network directly, or indirectly by setting honeypots to trap
unsuspecting end users.

Wireless threats can be broadly categorized as security threats, where malicious actors attempt to gain
unauthorized access to data on a network or on end-user wireless devices, such as credentials or personal
information. Additionally, these threats can also pose performance and reliability issues by creating radio
frequency (RF) problems in the airspace surrounding APs.

There are three primary types of threats:

• A wireless intrusion attempt: A bad actor uses various methods and known exploits to defeat and bypass the
security of a wireless network, or to deny access to the wireless network.

• The rogue AP: A bad actor places an AP either inside or adjacent to your airspace. The classification
depends on their purpose. A true rogue AP provides either unauthorized access to your network using a
backdoor SSID known to the attacker, or access to client data by attempting to attract legitimate clients to a
phishing SSID. Another type of rogue AP is an uncontrolled device.

• The interferer AP: The wireless spectrum is unlicensed and available for free use by anyone. This means
that legitimate users can install their own wireless APs to create personal networks. While these neighboring
networks are not a direct security threat, a poorly configured access point can significantly disrupt your own
network's performance.

LAN Edge 7.6 Architect Study Guide 207

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
WIDS
• The FortiGate WIDS monitors wireless AP Manager > Protection Profiles > WIDS Profiles
traffic for a wide range of security threats
by detecting and reporting on possible
intrusion attempts
• The WIDS function can also detect and
neutralize rogue APs
• Defined by WIDS profile
• Assigned to individual radios as part of
the AP profile

© Fortinet Inc. All Rights Reserved. 17

Using a WIDS profile, you can configure the detection of wireless intrusion, rogue APs, and phishing SSIDs.
Use the AP profile to assign the WIDS profile to an AP radio. Use FortiManager to centrally configure WIDS
profiles and deploy them to multiple APs and FortiGate devices as part of the FortiAP profile.

You can configure the detection of specific threats in the profile to allow the detection of a wide range of Wi-Fi-
specific security threats by monitoring and reporting on possible intrusion attempts, such as:

• Weak WEP IV encryption used to crack WEP keys

• Null SSID probe responses that cause wireless cards and devices to stop responding
• Deauthentication broadcasts that are denial of service (DoS) attacks that cause all clients to disconnect from
the AP
• Invalid MAC organizationally unique identifiers (OUI)
• Various management, Extensible Authentication Protocol (EAP), authentication, and beacon floods

Some WIDS profile options have configurable thresholds and intervals. You usually do not need to alter their
default values.

You can enable rogue AP detection in the FortiAP profile and select the method for enabling it.

LAN Edge 7.6 Architect Study Guide 208

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Rogue AP Detection
• FortiAP can scan for other • Manager > Managed FortiGate > More > View Rogue APs
AP
available APs in two ways:
• In idle periods during AP operation
• As a dedicated monitor
• If an attacker tries to use a rogue
AP for unauthorized access
• FortiOS can automatically detect it
and list it in the View Rogue APs
monitor
• Using a WIDS profile, you can
suppress a rogue AP to avoid security
threats (dedicated monitor mode)
• Monitor rogue APs:
• Centrally using AP Manager from
FortiManager
• On FortiGate using the Rogue APs
dashboard widget

© Fortinet Inc. All Rights Reserved. 18

There are two ways to configure a FortiAP to detect rogue APs:

• As a dedicated monitor (assign one or both radios)

• In idle periods during AP operation, referred to as background scanning

You can also use one radio of an AP for scanning and reserve the other radio for normal AP use. However,
this will limit you to using only one frequency―2.4 GHz or 5 GHz―because you can use only one band per
radio. When a rogue AP is connected, an attacker tries to use it for unauthorized access. FortiOS
automatically detects and lists the rogue AP in the Rogue APs widget. You can suppress it to avoid security
threats.

LAN Edge 7.6 Architect Study Guide 209

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Background Scanning
• Scans only during idle intervals, between AP work
• Can cause packet loss
• Scans only radio frequency band
• Slower rogue discovery
• Automatic if DARRP is enabled

AP serves clients and performs

background scan for rogue APs

FortiAP
Rogue AP

© Fortinet Inc. All Rights Reserved. 19

How does rogue AP detection on FortiOS work? It uses a radio to listen for and detect other APs. If your
FortiAP is not using all of its radios, you can dedicate one of them to monitoring for rogue APs. Otherwise, you
can configure the AP to run a background scan when a radio is idle.

A background scan is opportunistic. During idle periods, FortiAP briefly switches the radio from acting as an
AP, to monitoring. By default, a scan period starts every 600 seconds, and each second a different channel is
monitored for 20 ms until all channels in the radio frequency have been checked. If the radio is dual-band
capable, it will not switch to the other frequency.

During heavy AP traffic, it is possible for background spectrum analysis scanning to cause lost packets when
the radio switches to monitoring. This technique, which offers poor rogue AP detection, is enabled by default
when using distributed automatic radio resource provisioning (DARRP).

LAN Edge 7.6 Architect Study Guide 210

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Dedicated Monitor
• Performs continuous foreground scans
• Allows you to suppress rogue APs by sending deauthentication frames
• Can’t serve clients
• Faster rogue discovery

FortiAP
Rogue AP

Dedicated AP or radio continuously monitors

the environment for rogue APs

© Fortinet Inc. All Rights Reserved. 20

You should use one AP in your network as a dedicated monitor AP, because it can reduce the load on other
APs, and saves them from switching to AP and monitoring mode.

Dedicated monitor radios are reserved for scanning and suppression, if enabled. They will not broadcast
SSIDs, and will not allow any wireless clients to join them. This is the technique required to actively suppress
rogue APs.

If you are going to use a dedicated monitor AP for a normal coverage solution, you should allow one
dedicated monitor AP for four normal client connection APs. This allows for adequate rogue detection
coverage because rogue detection requires detection of only the management frames of APs. Management
frames are typically transmitted at lower link rates, which allows the signal of a potential rogue AP to
propagate further, requiring fewer rogue detection APs to cover a network.

LAN Edge 7.6 Architect Study Guide 211

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
On-Wire Rogue AP Detection
• Other APs in your AP coverage area are not always rogues
• Neighbor interference
• On-wire detection mechanism constantly compares wireless and wired client traffic to
identify if an unknown AP has joined your network
• Must be at least one Wi-Fi client connected to the suspect AP and continuously sending traffic
• If FortiGate and FortiAP see the MAC address of the wireless client on the wired network, then the
rogue AP that the client is connected to must be on-wire
• Can block either exact MAC address only or similar (adjacent)
• MAC address adjacency is configurable
• MAC address spoofing and NAT on the rogue AP can make on-wire rogue detection more difficult
• False positives are a possibility in MAC adjacency

© Fortinet Inc. All Rights Reserved. 21

Another useful technique for rogue AP detection is on-wire detection. When you enable on-wire detection,
FortiOS compares MAC addresses in wireless and wired traffic—in both Wi-Fi frames from clients, and from
the APs. If FortiOS and FortiAP see the wireless client's MAC address on the wired network, then the rogue
AP that the client is connected to must be on-wire. This normally requires the rogue AP to be a layer 2 bridged
AP, instead of a layer 3 wireless router. Otherwise, the wireless controller will see only the wireless router's
Ethernet MAC address and not the wireless client's MAC address. Two rogue detection methods are used by
the on-wire scan:

• Exact MAC address match: If the same MAC address is seen in frames on the wired LAN and on the Wi-Fi
network, this means that the wireless client is connected to the LAN. In your FortiOS configuration, if you
did not authorize the AP that the client is using, then FortiOS will treat that AP as an on-wire rogue.
• MAC adjacency: If an AP is a wireless router, it applies network address translation (NAT) to Wi-Fi
packets. This can make rogue detection more difficult, because the frames in wired and wireless traffic
won’t have the same MAC address. However, an AP’s Wi-Fi interface MAC address is usually similar to its
wired MAC address. So, the MAC adjacency rogue detection method matches LAN and Wi-Fi network
MAC addresses that have close hexadecimal numbers. By default, the MAC adjacency value is 7.

You can change MAC adjacency value setting using this CLI command: set rogue-scan-mac-
adjacency {integer}.The integer value 0 to 31 represents the maximum numerical difference between
an AP’s Ethernet and wireless MAC values, to match for rogue detection. The default value is 7.

If an AP is found through on-wire detection, it will appear on the AP monitor with a green check mark in its On
Wire column.

Note that because of the nature of the MAC adjacency method, there is a possibility of false positives.

LAN Edge 7.6 Architect Study Guide 212

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Suppressing Rogue APs
• Check your regional laws and regulations before enabling suppression
• Uses monitoring radio
• Requires a dedicated monitoring radio
• Actively interferes with the connectivity of clients and rogue APs
• Uses on-wire detection
• When suppression is activated:
• Wireless controller sends deauthentication messages to rogue APs clients, mimicking rogue AP
• Also sends deauthentication messages to the rogue AP, mimicking its clients

FortiAP
AP sends
Create new AP Group Rogue AP
deauthentication
frames
Dedicated Monitor

© Fortinet Inc. All Rights Reserved. 22

After you detect a rogue AP, you will usually want to actively prevent your users from connecting to it. You can
use your FortiAP radios to suppress rogue APs.

Before enabling the rogue suppression feature, verify that rogue suppression is compliant with the applicable
laws and regulations of your region.

Because rogue suppression is an active process, it requires that you dedicate one FortiAP radio to the
process it. You can’t use rogue suppression with a background scan.

How does rogue suppression work? While pretending to be the rogue AP, the FortiGate Wi-Fi controller uses
the dedicated monitoring radio on a nearby AP. It sends deauthentication messages to the rogue AP clients.
This makes it difficult for the clients to maintain a connection with the rogue AP because FortiOS also mimics
the rogue AP clients, sending deauthentication messages to the rogue AP.

Note that suppression of rogue APs is becoming increasingly more difficult, because new wireless security
standards are beginning to mandate management frame protection (802.11w). This requires that clients
authenticate management frames as being legitimate, preventing spoofing attacks. Because rogue
suppression is a form of spoofing attack, an AP that the client is not connected to is trying to send
deauthentication frames and, as a result, 802.11w prevents the client from taking notice of the dedicated
monitoring AP.

LAN Edge 7.6 Architect Study Guide 213

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Rogue AP Monitor
• The Rogue APs monitor lists all the discovered APs
• You can mark them as Accepted or Rogue
• This is only a designation to help you track APs in your environment
• You must configure suppression to actively block users from these APs
AP Manager > Managed FortiAPs > Managed FortiGate > Rogue APs

On-wire indicates
detection by MAC
address on the
wired network

Select the AP
to mark it as Select to suppress
rogue or a rogue AP
accepted

© Fortinet Inc. All Rights Reserved. 23

When FortiGate detects a new, unauthorized AP that AP is listed in the Rogue APs dashboard widget on
FortiGate and the View Rogue APs table.

You can sort and filter this list. Sorting by Signal Interference is especially useful because it sorts the APs
with the strongest detected signal to the top of the list.

In the example shown on this slide, not only is the unauthorized AP in your air space, indicated by the signal
strength being relatively strong, but it is also connected to your wired infrastructure, and it is also broadcasting
a fake AP. You might be using equipment from different wireless vendors in your network to broadcast your
corporate network, in which case, FortiGate will detect it as a rogue AP and fake SSID. If this is the case, then
you may need to mark this equipment as accepted. On the other hand, the AP could also be a bad actor
attempting to perform a man-in-the-middle attack. Either way, the suspect devices should be investigated and
appropriately classified.

You can mark APs as either Accepted or Rogue, which helps you to track which APs are authorized by you,
or not. By default, when you mark an AP as a rogue, it does not affect anyone’s ability to use these APs. For
that, you need to configure suppression.

When you mark an AP as Accepted, it removes that AP from the default rogue AP list. This usually indicates
that the AP is not a threat to network security, but the presence of that AP will need to be considered as a
source of interference. If that AP is on the same channel, co-channel interference (CCI) or adjacent channel
interference could be a problem. You may need to alter your network channel configuration, if interference of
high channel utilization becomes an issue.

LAN Edge 7.6 Architect Study Guide 214

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Phishing and Fake SSIDs
• In addition to detecting rogues APs, it is also possible to detect APs broadcasting
illegitimate SSIDs
• If your wireless network is broadcasting the official SSID of Fortinet:
• A rogue AP that also broadcasts a Fortinet SSID is considered a Fake SSID
• A rogue AP that broadcasts FTNT or F0rtinet is considered an Offending SSID
• Criteria for defining an offending SSID is user definable
• Phishing SSIDs can be suppressed
• Log events for fake or offending SSIDs are generated every 15 minutes
• SSIDs can be exempted
• Configurable centrally using FortiManager or FortiGate CLI only

© Fortinet Inc. All Rights Reserved. 24

As well as detecting rogue APs, it is also possible to look for networks that might have been set up to perform
phishing operations. Bad actors often attempt to attract connections from legitimate clients, by broadcasting
an SSID that is the same as, or very similar to, the official network SSID.

You can configure the FortiAP devices to detect duplicate SSIDs and classify them as fake. You can then log,
and optionally suppress, these fake SSIDs.

As well as looking for identical matches in the SSID, it is also possible to look for user-defined SSIDs. This
can be useful to detect SSIDs that do not quite match the broadcast SSID, but may seek to look official
enough for clients to attempt to connect. These SSIDs are classified as offending. You can choose to log and
suppress them. Up to 128 offending SSIDs can be defined on all controller models, and it is possible to use a
single wildcard match.

You can suppress phishing SSIDs in the same way as rogue APs. However, ensure that the suppression
operation complies with the applicable laws and regulations in your region.

Any fake or offending SSIDs that are detected are logged every 15 minutes until they are classified.

LAN Edge 7.6 Architect Study Guide 215

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Phishing and Fake SSID Detection
Device Manager > Device & Groups > Managed FortiGate > CLI Configurations
> wireless-controller > setting

Log and/or suppress fake SSIDs

Enable offending SSID detection

Define SSID patterns for offending SSIDs

Configure up to 128 offending SSIDs

© Fortinet Inc. All Rights Reserved. 25

You can configure phishing SSID detection centrally on a per-controller basis using a CLI Configuration. By
default, fake SSIDs are detected and logged only, and no offending SSIDs are defined.

You can add offending SSIDs to the offending-ssid table with the option to log them, or log and suppress
them. Wildcards are supported; in the example shown on this slide, a ssid-pattern of FTNT* is specified. Any
SSIDs that broadcast a wireless network SSID beginning with FTNT are classified as an offending SSID.

You should then enable Phishing-ssid-detect to detect offending SSIDs.

The FortiGate GUI does not support the configuration of offending SSID detection. You can enable it using the
CLI.

LAN Edge 7.6 Architect Study Guide 216

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Wired Networking Best Practices

© Fortinet Inc. All Rights Reserved. 26

In this section, you will learn about some of the best practices that you can adopt when deploying a wired
network.

LAN Edge 7.6 Architect Study Guide 217

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Network Design Principles

Network design planning

• Oversubscription
• Redundancy and resiliency
• QoS
• Future-proofing

© Fortinet Inc. All Rights Reserved. 27

Designing a network involves balancing various elements to optimize performance, reliability, and scalability.
Network design should account for current and future traffic demands to avoid becoming obsolete as more
devices connect to the network. Technologies like multigigabit Ethernet (2.5 GbE, 5 GbE) add complexity to
planning, as the network must be capable of supporting high data rates across multiple access technologies.

Fundamental network design principles:

• Oversubscription
• Redundancy and resiliency
• QoS
• Future-proofing

LAN Edge 7.6 Architect Study Guide 218

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Oversubscription
Core firewalls

Links: 8x 100GbE
(4 per switch)
Core FortiSwitch
Oversubscription
from 5:1 to 1:1

Links: 4x 25GbE per

access layer.
Aggregation Oversubscription
FortiSwitch from 10:1 to 1:1
(depending on
number of switches)

Main building Building #5

Access

© Fortinet Inc. All Rights Reserved. 28

One fundamental principle is oversubscription, where the upstream bandwidth is designed to handle less than
the combined maximum bandwidth of all connected devices. This helps prevent over-provisioning while
ensuring that bottlenecks don't affect performance.

Historically, networks had high oversubscription ratios (for example, 20:1 at the access layer), but with higher
bandwidth demands, networks are evolving toward lower ratios.

The bandwidth ratios between the access, aggregation, and core layers are crucial. As modern networks
introduce more powerful hardware, the oversubscription ratio drops. This ensures that even if one switch or
link fails, the network continues to function effectively.

LAN Edge 7.6 Architect Study Guide 219

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Redundancy and Resiliency

HA
Full mesh
With traffic load balancing

MCLAG
Redundant links

© Fortinet Inc. All Rights Reserved. 29

Network design must incorporate redundancy and resiliency to prevent single points of failure. Redundant
links and switches ensure that if one component fails, traffic is automatically rerouted to maintain uptime.
Multichassis link aggregation (MCLAG) and fast convergence mechanisms, like the FortiGate Clustering
Protocol (FGCP), help minimize downtime.

For example, in the access layer, FortiSwitch devices should be dual-homed for redundancy, meaning they
connect to two switches. The design must distribute uplinks across multiple switches to reduce the impact of a
failure. If one aggregation switch fails, uplinks to the core ensure that the remaining links maintain the required
performance level.

LAN Edge 7.6 Architect Study Guide 220

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Quality of Service

© Fortinet Inc. All Rights Reserved. 30

QoS plays a crucial role in prioritizing network traffic, especially during congestion or outages. Modern
networks can often rely less on QoS within the main offices, as increased bandwidth reduces bottlenecks.
However, when extending to the cloud or remote locations, prioritizing critical applications like voice and video
conferencing becomes important.

FortiSwitch devices offer QoS configurations to ensure that high-priority traffic receives preference. These
switches also support queue management to minimize packet loss during congestion, ensuring that voice and
video traffic is impacted less than lower-priority flows.

LAN Edge 7.6 Architect Study Guide 221

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Future-Proofing

© Fortinet Inc. All Rights Reserved. 31

And finally, you need to look to the future requirements of your company. Bandwidth demands are growing by
as much as 50% per year, and a network must be future-proofed to avoid frequent upgrades to its
infrastructure.

As part of your design considerations, you must anticipate the need for increased wired capacity and cloud-
based traffic. Using network solutions like FortiSwitch can assist you in ensuring that adding new devices is
simple and that infrastructure upgrades require minimal reconfiguration.

Also, integrating the Security Fabric into network management provides enhanced visibility, helping you plan
for future demands. Implementing FortiGate clustering and core switches supporting 100 GbE links into your
network design offers capacity and redundancy, allowing the network to grow.

Advances in multigigabit Ethernet and cloud traffic management require networks that are highly scalable and
efficient.

LAN Edge 7.6 Architect Study Guide 222

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Wireless Networking Best Practices

© Fortinet Inc. All Rights Reserved. 32

In this section, you will learn about some of the best practices that you can adopt when deploying a wireless
network.

LAN Edge 7.6 Architect Study Guide 223

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Access Point Channelization
Adjacent APs on
Problem: same channel
overlap = higher
Inappropriate channel settings can cause co- retry/loss as
channel interference (CCI) transmission
between APs and
• Channel configuration can change clients collide

• Local environment can change

• Must regularly review to ensure that plan is still
suitable
• Dual-band APs are increasingly hard to
configure successfully APs with same
channel are
further apart,
reducing the CCI
and potential for
collisions

© Fortinet Inc. All Rights Reserved. 33

A big source of issues with a wireless network can be incorrect channel settings.

Regardless of whether channels are set manually, or by an automated system such as DARRP, it is possible
to reach a scenario where AP radios have channel or power settings that cause CCI.

Automated systems can change channels to adapt to changes in local RF conditions, such as a new business
moving in and installing its own wireless network. This can cause your APs to attempt to recalculate their
channel settings.

Or, in the case of 5 GHz dynamic frequency selection (DFS) channels, a radar signal is detected which can
cause APs to change channels.

However it happens, APs that are close together should avoid being on the same channel. It is important to
make sure that your AP population is configured in the best way possible, in accordance with conditions.

Note that it can be difficult in modern networks to balance the needs of 5 GHz clients with older 2.4 GHz
clients. Newer 5 GHz standards can mean that APs need to be much close together to ensure the best
performance. This can make 2.4 GHz clients very difficult to deploy from the same sets of APs, because 2.4
GHz signals tend to propagate farther.

This can be too difficult to accommodate by, for instance, turning down the transmission power. So, in many
modern networks, it is now common practice to turn off select 2.4 GHz radios, or assign them to another task,
such as dedicated rogue detection.

LAN Edge 7.6 Architect Study Guide 224

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AP Channelization (Contd)
• Review the channel map and identify adjacent
APs that are on the same channel
• Especially for 2.4 GHz APs
• Remember to account for APs on the floors above
and below
• Review the adjacent APs
• In the Top Wireless Interference table in the Wi-Fi
Health Monitor
• Sort the table to show the strongest interfering
neighbours on the same channel
Dashboard > WiFi > Interfering SSIDs
• The AP CLI using: These are neighboring
APs outside of your
cw_diag -c his-chutil network that you will
cw_diag -c all-chutil likely not be able to
change
• Identify the APs that are strongest
• -80 dBm or stronger are likely to cause an issue

© Fortinet Inc. All Rights Reserved. 34

When reviewing the AP channels, the Wi-Fi map is very useful. It allows you to view the channel settings for
each AP, instantly seeing which AP interfaces could be interfering with each other. It is possible to view each
frequency individually. You should pay particular attention to the 2.4 GHz interfaces, because these are the
ones that usually experience issues.

The Top Wireless Interference table, when sorted, also shows the APs that are potentially interfering. You
can sort to highlight the strongest interfering radios. Some of these radios may well be your own, in which
case, you might be able to do something about them. However, it is also equally likely that radios from
surrounding wireless networks have a signal strength strong enough to cause a potential issue for you. You
may have to consider changing your AP channels to avoid any highly used neighboring networks.

As a guideline, you should consider that radios in the same channel that are stronger than -80 might cause
issues.

LAN Edge 7.6 Architect Study Guide 225

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Access Point Channelization (Contd)
Solution:
• For APs in your network:
FortiGate > WiFI & Switch Controller > Managed FortiAPs
• Review the power settings for the interfering radios
and, if required, reduce by overriding the radio
• If already at a low setting (minimum of 10 dB),
override the channel setting with a more suitable
channel
• If you cannot select a more suitable channel,
consider disabling the radio by adding the AP to a
new profile with the interface disabled
• For APs outside your network:
• Third-party APs that are outside your control are
difficult to deal with
• Often the only solution is to configure your AP radio to
avoid the interfering radio, or accept the loss in
performance

© Fortinet Inc. All Rights Reserved. 35

If you identify AP radios in your own network that are interfering with each other, then the first thing to do is
review the power settings in use. By default, the automatic power management algorithm will automatically
vary the power between 10 and 17 decibels. If the radio is already at the minimum 10 decibels, then it is
inadvisable to reduce that further because it will begin to have a significant impact on any connected clients.

Rather than reduce the power any further, you should investigate setting the radio to another channel. In the
2.4 GHz range, this can be difficult because of the limited number of channels available (1,6,11).

Ultimately, if you cannot reduce the power or change the channel, one of the final things to consider is to
disable the radio interface. This will allow other radio interfaces that were previously being interfered with to
increase their power and provide service.

If you identify APs outside the network, it is likely that they are outside of your control and, as such, it would
be difficult to reduce their power or change the channel. As a result, the only potential option for your radios
that are being interfered with is to change the channel to avoid CCI.

Note that the amount of CCI is very much dependent on the amount of wireless traffic being transmitted. If the
neighboring network is small and under used, then the amount of disruption that it could potentially cause to
your network may be acceptable.

To change individual radios, you can override them by configuring each AP in Managed FortiAPs or by
overriding them in FortiManager.

LAN Edge 7.6 Architect Study Guide 226

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Excessive SSID Broadcast
• Each SSID that an AP broadcast requires
Number of APs Number of SSIDs
an amount of management traffic on same Channel
1 2 3 4 5 6 7 8 9 10
(frames) 1 3% 6% 10% 13% 16% 19% 23% 26% 29% 32%

2
• These frames carry no data—they simply 6% 13% 19% 26% 32% 39% 45% 52% 58% 64%

3
allow the network to operate 10% 19% 29% 39% 48% 58% 68% 77% 87% 97%

4 13% 26% 39% 52% 64% 77% 90% 100% 100% 100%
• All frames use airtime 5 16% 32% 48% 64% 81% 97% 100% 100% 100% 100%

• All APs within range and on the same 6 19% 39% 58% 77% 97% 100% 100% 100% 100% 100%

channel use airtime 7 23% 45% 68% 90% 100% 100% 100% 100% 100% 100%

8 26% 52% 77% 100% 100% 100% 100% 100% 100% 100%
Best practice:
• Try to limit the number of SSIDs that you
advertise
• Ideally limit to five Aps, but be aware that
neighboring APs also contribute to
overhead

© Fortinet Inc. All Rights Reserved. 36

A key best practice to consider is reducing the number of wireless networks broadcast by your APs. This
applies to all types of wireless networks and vendors.

The temptation to broadcast multiple wireless networks for various purposes is common. However, each
wireless network broadcast from an AP generates wireless management traffic. This traffic consists of
management frames that do not carry any data but occupy airtime and wireless capacity. By default, these
management frames are usually broadcast at low data rates. As a result, broadcasting numerous virtual
access points (VAPs) or SSIDs can consume a significant amount of airtime and substantially increase the
number of management frames transmitted.

The table on this slide provides an approximate calculation of airtime used when multiple APs in a channel
broadcast several SSIDs.

For instance, if a single AP broadcasts ten networks or SSIDs, around 32% of the available airtime may be
consumed by sending and receiving management frames without any meaningful data exchange. This
calculation is based on an ideal scenario with minimal to no interference. In real-world conditions, additional
capacity could also be lost due to interference.

Note that it does not matter if it is your APs or a neighboring network's APs; the same overhead applies.
Management frames take airtime wherever they come from.

To minimize the effects, it is best practice to limit the number of broadcasting networks to five, but preferably
fewer. Note that various mechanisms, such as dynamic VLANs, can help limit the need to have multiple
wireless networks broadcast.

LAN Edge 7.6 Architect Study Guide 227

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Load Balancing AP Handoff
Problem: AP Manager > Operation Profiles > FortiAP Profiles

By default, client load is not managed

between APs; therefore, APs in close
proximity can become unbalanced,
resulting in performance issues
Solution:
• AP handoff
• If the number of clients exceeds the maximum
number of clients configured:
• FortiGate moves the client with the lowest
RSSI value to join another AP, or redirects new Device Manager > Device & Groups > Managed FortiGate >
CLI Configurations > wireless controller > wtp-profile
clients

Best practice:
• Monitor AP load and enable AP Handoff
if APs are regularly overloaded

© Fortinet Inc. All Rights Reserved. 37

AP handoff is a load balancing method FortiGate uses to enhance wireless performance and use AP
resources more efficiently. It balances wireless clients among managed APs on FortiGate. AP handoff
operates in two ways:

1. If the number of clients exceeds the maximum number of clients configured for an AP, the client with the
lowest received signal strength identifier (RSSI) value will be forced to join another AP.
• The RSSI value must meet the signal strength on the nearby AP.
2. If the number of clients is already at the defined threshold, new clients will be redirected to join the least
busy nearby AP.
• The least busy nearby AP will respond to the client’s join request.

The handoff-sta-thresh parameter defines the threshold value that triggers the handoff protocol for new
clients. When a new client attempts to connect to an overloaded AP, FortiGate directs the least busy nearby
AP to respond to the join request, provided that the configured RSSI value condition is satisfied.

To use this feature, enable AP handoff on all radios of the AP. The handoff-rssi threshold defined in the AP
profile applies when a handed-off client tries to connect to the second AP. The client's signal strength must be
equal to or greater than the defined RSSI value on the new AP. Signal strength is assessed based on the
RSSI value—higher RSSI values indicate better signal strength.

The best practice is to monitor the client load across the APs. If you notice a consistent imbalance between
nearby APs, enabling AP handoff can help distribute the load more evenly. This issue typically arises in high-
density environments, where many clients are near several APs.

LAN Edge 7.6 Architect Study Guide 228

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Load Balancing Frequency Handoff
Problem: AP Manager > Operation Profiles > FortiAP Profiles

Some dual-band clients connect to 2.4

GHz
Solution:
• Frequency handoff:
• Use band steering to encourage clients to use
the 5 GHz frequency instead of 2.4 GHz
Best practice:
• Monitor and enable if appropriate
• Older clients may benefit from handoff due to
poor wireless drivers
• New clients usually choose the correct band

© Fortinet Inc. All Rights Reserved. 38

Frequency handoff is a band steering technique that FortiGate uses to encourage clients to use the 5 GHz
frequency instead of the 2.4 GHz.

Clients that support the 5 GHz frequency benefit from faster speeds and decreased interference. This also
benefits clients that do not support 5 GHz, because there will be less interference on 2.4 GHz due to the
reduced number of clients.

FortiGate continuously probes the clients to identify if they can operate on the 5 GHz frequency. FortiGate
maintains a table to track which clients support both frequencies, and records the RSSI value, along with the
other information for each frequency.

When a client tries to connect, FortiGate checks whether it can support 5 GHz and, if so, how good the
signals are. If a client supports the 5 GHz frequency and the signal is strong enough to connect, FortiGate
ignores the client’s requests to join the network on 2.4 GHz until the request times out. The client will then
automatically try to join the same network using 5 GHz. FortiGate triggers the AP to respond to the join
request and allow the client to connect.

LAN Edge 7.6 Architect Study Guide 229

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Probe Response Threshold
Strong signal
• The AP responds to probe requests from measured
clients that have a receive signal strength AP responds to
above a certain level probe request
• Known as the probe response threshold
• AP measures the signal strength of client probing
• The default allows for a wide range of clients to
connect
• Can result in distant clients connecting Poor signal measured
inappropriately by AP when receiving
• Can result in excessive airtime usage because of low prove request frame
link rates
No probe response

© Fortinet Inc. All Rights Reserved. 39

Signal strength is one of the major factors of wireless nerwork performance. Clients with poor signal strength
to and from the AP will likely have poor performance. They also cause poor performance for other clients
connected to the same AP because of the excessive amount of airtime they require to transmit and receive
data.

In a Fortinet integrated and cloud network, the wireless client controls the AP selection process. Due to
differences in RF behavior and potential limitations in wireless client hardware or drivers, clients may not
connect reliably to APs. For example, a client might connect to an AP that is farther away instead of a closer,
more suitable AP. This can lead to weak signal strength and low link rates, which result in performance
issues.

While clients have the primary role in determining their connections, the AP/controller does have some
influence over the connection process. During the initial association, the client sends a probe request, and the
AP can either respond or not. If the AP determines the client is too far away, it won't reply to the probe
request. If the client does not receive a response from an AP, it continues searching for other suitable APs to
connect to.

The AP can also measure the signal strength of the client's probe request. If the signal is too weak, it can
doesn't send a probe response frame. The probe response threshold defines this response and is measured
in dBm.

The probe response threshold applies only when the client is attempting to connect to an AP. If the client is
already connected and starts moving away from the AP, resulting in the signal strength dropping below the
threshold, then the AP/controller doesn’t disconnect from it.

LAN Edge 7.6 Architect Study Guide 230

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Probe Response Threshold (Contd)
• Threshold is configurable
config wireless-controller vap
• On a per-VAP/SSID basis
edit <vap_name>
• On FortiGate using CLI, or using a FortiManager set probe-resp-suppression enable
SSID profile
set probe-resp-threshold <level_int>
• Configurable from -20 to -95 with default value of -80. end
Best practice:
• Monitor poorly connected clients
• Use the Wi-Fi Client monitor to view all connected Setting -70 will require clients to be have a
clients; sort and filter by signal strength detected signal strength of -70 or stronger before
the AP will respond to a probe
• If high numbers of low-signal-strength clients
AP Manager > SSIDs > Advanced
are connecting
• Investigate their physical location – should they area
have wireless access?
• Consider decreasing the threshold by 5 dB if clients
are connecting to an AP that is too far away

© Fortinet Inc. All Rights Reserved. 40

The probe response threshold applies to the VAP/SSID and can only be configured through the CLI. By
default, this threshold is set to -80 dBm. This means that any probe request frame received by any of the
wireless radios broadcasting the SSID must have a signal strength of -80 dBm or stronger for the AP to
respond. A threshold of -80 dBm allows clients with relatively weak signal strengths to connect, which may be
acceptable for some networks. However, in high-density environments, allowing slow clients to connect can
significantly degrade performance as they may exchange small amounts of data over low-speed links,
consuming a large amount of airtime.

Most wireless networks should be designed with a target signal strength for clients, typically around -64 dBm.
You should monitor the clients connecting to the network, paying close attention to their signal strength. If a
considerable number of clients are connecting with poor signal strength, it may indicate the following issues:

• Clients are attempting to connect from an area that lacks wireless coverage. In this situation, you should
investigate whether additional coverage is necessary. For example, if a new part of the building has
opened and now requires wireless service, you may need to consider deploying more APs.

• Clients might be connecting to a suboptimal AP. Variations in RF caused by multipath interference and
reflections can lead an AP to appear more appealing to the client than it is. Additionally, the quality of
wireless clients can significantly impact AP selection. Poorly designed, engineered, or tested drivers can
result in ineffective radio selection decisions in an enterprise environment.

If you notice that many clients are connecting with poor signal strength and there are no other obvious issues,
you can consider reducing the probe response threshold for the VAP or SSID. Adjust in small increments and
monitor the effects closely.

LAN Edge 7.6 Architect Study Guide 231

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Multicast to Unicast Conversion
• Multicast data is sent at a lower data config wireless-controller vap
rates over Wi-Fi edit <vap_name>
• Uses considerable air time set multicast-enhance enable
• Multicast to unicast causes stream to be end
sent to each client at high data rate
• Reduces air time usage
AP Manager > SSIDs > Advanced
• Configurable on a per SSID/VAP basis
• Configurable on FortiGate using CLI, or
using a FortiManager profile
Best practice:
• Enable by default

© Fortinet Inc. All Rights Reserved. 41

By default, multicast traffic is transmitted at a lower wireless transmission rate. If a significant amount of
multicast traffic is flowing through the network, it can unnecessarily consume airtime.

Converting multicast traffic to unicast traffic may increase the total amount of data transmitted, as each
multicast message is sent as a separate unicast message to every wireless client connected to the wireless
SSID. However, since unicast traffic is transmitted at a much higher wireless data rate, the overall impact on
wireless performance is positive. Each unicast frame consumes significantly less airtime.

The effect on the network will depend on the volume of multicast traffic generated. However, enabling
multicast-to-unicast conversion by default is unlikely to have any significant negative impact.

LAN Edge 7.6 Architect Study Guide 232

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Disable 802.11b Rates
• All wireless standards are designed to be Enabled in AP profiles and required to be set only on
backwards compatible the 2.4 GHz radio:
• Original 802.11b protocol still supported on config wireless-controller wtp-profile
2.4 GHz radios
edit <name_string>
• Management frames at lowest link rate, config radio-1
consuming maximum airtime set powersave-optimize no-11b-rate
• Disabling increases airtime, but: end
• Removes support for older clients
• Reduces the effective range of the AP
Device Manager > Device & Groups > Managed FortiGate > CLI
Best practice: Configurations > wireless-controller > wtp-profile > radio-1 (2)

• Consider enabling in high-density

environments where:
• Support for legacy 802.11b clients is not
required
• AP density is high enough to support good
connectivity in areas requiring coverage

© Fortinet Inc. All Rights Reserved. 42

All wireless standards are designed to be backwards compatible. This means that even the newest wireless
standards have to accommodate the wireless connection that was originally specified as part of a standard
that is a more than 20 years old.

The original 802.11b standards mandated that management frames should be sent out at the lowest
Modulation and Coding Scheme (MCS) Index connection rate, which, for 802.11b, was 1 Mbps. This means
that modern networks have to also transmit management frames at this low MCS rate, even when the vast
majority of, or perhaps all, clients support newer standards. This results in large amounts of wasted airtime.

Disabling 802.11b rates means that the management frames are now transmitted at a minimum of 6 Mbps,
improving airtime efficiency. This comes at the cost of no longer supporting extremely old 802.11b clients, and
removing those legacy rates from the network. This also has the side effect of preventing clients from
connecting from an extreme range. Even the latest wireless clients will revert to the old 802.11b rates when
trying to connect to an AP that is far away. Prohibiting these rates also stops excessive airtime use by clients
that are too far away to make the best use of the wireless network.

If you choose to disable these rates, you should be aware that clients will no longer be able to connect, and
the receive range of your APs will also be less. However, if your network is designed correctly, clients that
require wireless coverage will have signal strength high enough to allow a good connection. So, it should not
be necessary for your clients to revert to the legacy rates.

LAN Edge 7.6 Architect Study Guide 233

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Disable Lower Data Rates • When changing a/b/g rates use:
# config wireless-controller vap
• Disabling lower data rates for multiple # edit <vap_name>
standards can significantly reduce • For 802.11bg:
inappropriate client connections (vap_name) # set rates-11bg <Allowed data rates
for 802.11b/g>
• Clients that are far away will be unable to • For 802.11a:
negotiate a connection (vap_name) # set rates-11a <Allowed data rates
• They will need to choose an AP that is closer for 802.11a>
to them • Specify at least one basic rate, followed by
the required supported rates:
• Roaming clients will be unable to remain • The lowest speed basic rate is used for traffic
connected to an AP management
• To see all available rates use the ?
• Once they reach the lowest allowable rate • Pption802.11n/ac rates can be changed with:
they will have to roam to a more suitable AP
set rates-11n-ss12 or
• Data rates can be disabled on an set rates-11n-ss34
individual VAP or SSID for: • There are no basic rates; only required supported
• 802.11a/b/g rates need defining
• 802.11n/ac

© Fortinet Inc. All Rights Reserved. 43

It is also possible to support data rates in a more granular way. If required, you can customize the individual
rates for each SSID/VAP broadcast. For example, you can configure a corporate SSID/VAP that is used to
support specific client types to allow only higher data rates in both the 2.4 and 5 GHz frequency ranges. Since
the client specifications are known, it should be straightforward to select appropriate data rates to optimize
wireless performance. In contrast, guest SSID/VAP may have a wide variety of different wireless clients
connecting to it, so it may be better to keep this SSID supporting the default data rates.

Adjusting the data rates appropriately will prevent clients from staying connected to an AP after the initial
association. When clients roam, the updated link rates will ensure they connect to a more suitable AP more
quickly, due to the increased supported rates. This adjustment will also create a significant barrier for clients
attempting to connect with poor signal strength during the association process. Clients with poor signal
strength will not meet the requirements to associate with APs that have a higher basic link rate requirement.

Rates are configurable only through the CLI, and are set on a per-VAP basis. It is possible to configure rates
separately for 2.4 GHz 802.11bg, and 8021.11n. For the 5 GHz band you can configure separately for
802/11a, 802.11n, and 802.11ac.

When specifying rates for a/b/g, you must set at least one basic rate. The lowest basic rate advertised by an
AP is the rate at which management traffic is broadcast. Once the basic rates have been defined, you can
also specify optional, or supported rates, that clients can use if they meet the signal strength requirements.

When configuring rates for 802.11n and 802.11ac, you need to specify only the required supported rates.

LAN Edge 7.6 Architect Study Guide 234

 Advanced Features
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Describe FortiLink NAC
 Discuss dynamic VLANs and VLAN pooling
 Configure WIDS and detect rogue APs
 Explore best practices for wired and wireless networks

© Fortinet Inc. All Rights Reserved. 44

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about NAC, dynamic VLANs, and best
practices for wired and wireless networks.

LAN Edge 7.6 Architect Study Guide 235

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Quarantine and Monitor

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn how to configure and monitor users on FortiOS with FortiManager.

LAN Edge 7.6 Architect Study Guide 236

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Configure manual quarantine
• Implement quarantine using indicator of compromise (IOC) triggers
• Configure quarantine on FortiSwitch
• Configure quarantine on FortiAP
• Explore widgets that are useful for managing quarantined devices

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of how to configure manual quarantine settings, implement

quarantine based on IOC triggers, and enable quarantine functions on both FortiSwitch and FortiAP, you will
be able to effectively isolate compromised or unauthorized devices within a Fortinet environment.

LAN Edge 7.6 Architect Study Guide 237

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Quarantine

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn how to quarantine devices with FortiGate, FortiSwitch, and FortiAP.

LAN Edge 7.6 Architect Study Guide 238

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Layer 2 versus Layer 3 Quarantine

Feature Layer 2 Quarantine Layer 3 Quarantine

Layer Data Link (layer 2) Network (layer 3)
Based on MAC address or VLAN Based on IP address or routing/firewall
Isolation Type
assignment rules
Application Switches, NAC, 802.1X, MAB Firewalls, routers, access control lists

© Fortinet Inc. All Rights Reserved. 4

Layer 2 quarantine involves the use of switches to isolate noncompliant devices. As an example, if a device
fails 802.1x or MAC Authentication Bypass (MAB) checks, the switch can assign it to a quarantine VLAN. The
quarantine VLAN might grant access to remediation services like OS patches or antivirus updates, but prevent
broader network access.

Layer 3 quarantine uses firewalls or routers to control IP traffic from noncompliant devices. In this layer 3,
devices placed in a quarantine subnet have traffic restriction applied, allowing access to only remediation
servers or portals. Layer 3 provides broad network isolation and ensures that the device must pass
remediation before accessing other network segments.

These two methods are not mutually exclusive. They can be used in combination to deliver a robust
quarantine solution. In a Fortinet SD-Branch environment, both layer 2 and layer 3 quarantine mechanisms
can be used together. FortiSwitch devices may place devices that fail authentication checks into a quarantine
VLAN, while FortiGate firewalls enforce further restrictions at the network layer, limiting IP traffic to specific
subnets or remediation resources.

LAN Edge 7.6 Architect Study Guide 239

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
MAC Address Quarantine
• Quarantined devices are isolated (they can communicate only with FortiGate)
• If traffic is destined to FortiGate, the communication may be allowed
• Any other traffic is dropped
• Manual or automatic quarantine is supported
• FortiGate has a default quarantine VLAN named quarantine
• Traffic on the quarantine VLAN is blocked by default
• To enable MAC address quarantine on the FortiGate CLI (enabled by default):

config user quarantine

set quarantine enable
end

© Fortinet Inc. All Rights Reserved. 5

To quarantine a MAC address, FortiSwitch and FortiGate work together to isolate a device. Isolation means
that a quarantined device can communicate only with FortiGate. If the device tries to communicate with any
other host on the network, the communication is blocked. The traffic can have any of the following
destinations:

• FortiGate local: The destination is a FortiGate interface.

• Intra-VLAN: The destination is a device in the same VLAN.
• Inter-VLAN: The destination is a device in a different VLAN or network that is reached through FortiGate.

For the FortiGate local traffic, the communication is allowed if FortiGate is configured to allow the connection.
For example, a quarantined device can ping a FortiGate interface if ping access is enabled on that interface.
For other traffic, the communication is blocked by FortiGate.

You can quarantine devices by MAC address, either manually or automatically. MAC address quarantine
works as follows:

1. FortiGate monitors the device activity based on the traffic and security logs generated for the device.
2. If FortiGate determines that the device must be quarantined, either because an automated rule has been
triggered, or because of user intervention, FortiGate adds the device MAC address to its local quarantine
list.
3. FortiGate applies the quarantine-related configuration for the quarantined device to FortiSwitch using the
FortiSwitch REST API.
4. The pushed configuration instructs FortiSwitch to block the traffic from the quarantined MAC address.

To enable MAC address quarantine on the FortiGate CLI, run the commands shown on this slide.

LAN Edge 7.6 Architect Study Guide 240

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
MAC Address Quarantine (Contd)
• Two modes supported:
• By VLAN (default mode):
• Traffic from quarantined device is placed in the quarantine VLAN
• No additional configuration required to block the inter-VLAN traffic if using the default quarantine VLAN
• By redirect:
• Device is kept in the current VLAN
• A firewall policy is required to block the inter-VLAN traffic
• In both modes:
• Intra-VLAN traffic is blocked automatically by FortiGate
• Additional policies can be created to allow quarantined devices to access restricted network resources

• To change the quarantine mode on the FortiGate CLI:

config switch-controller global
set quarantine-mode by-vlan | by-redirect
end

© Fortinet Inc. All Rights Reserved. 6

FortiGate supports two MAC address quarantine modes: by VLAN and by redirect. In both modes, FortiGate
blocks the traffic from the quarantined MAC address, provided the correct configuration is in place.

In by VLAN mode, FortiGate moves the quarantined MAC address to the quarantine VLAN. If you are using
the default quarantine VLAN as your quarantine VLAN, the inter-VLAN traffic from the device is automatically
blocked because the quarantine VLAN does not have any firewall policies configured. Note that the device
can still get an IP address through DHCP because the quarantine VLAN has the DHCP server enabled by
default. However, this would require the device to restart its DHCP client, which typically requires user
intervention. This could make it difficult for an administrator to perform remediation on the device.

In by redirect mode, FortiGate keeps the device in its current VLAN, and adds the device MAC address to the
QuarantinedDevices firewall address group. The device IP address does not change, which is useful for
performing remediation. However, to block the inter-VLAN traffic, you must configure a firewall policy to
explicitly block the traffic from the QuarantinedDevices address group.

In both modes, the intra-VLAN traffic is dropped automatically by FortiGate, because the destination MAC
address of the traffic does not match the FortiGate interface. The destination MAC address of the traffic is the
MAC address of the target device located in the same VLAN. In addition, communication between the
quarantined devices and FortiGate is allowed. You can also configure additional firewall policies to explicitly
allow quarantined devices to access limited network resources, such as servers with Windows updates and
other security-related software update that are required for remediation.

To change the MAC address quarantine mode on the FortiGate CLI, run the commands shown on this slide.

LAN Edge 7.6 Architect Study Guide 241

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
By Redirect Mode Configuration
• FortiGate adds the device MAC address to the QuarantinedDevices address group
Policy & Objects > Firewall Objects > Addresses

QuarantinedDevices
address group

Quarantined
device

• Example of a firewall policy to block intra-VLAN traffic from the QuarantinedDevices address group group:
Policy & Objects > Policy Packages > Firewall Policy

Block traffic

QuarantinedDevices
address group

© Fortinet Inc. All Rights Reserved. 7

In by redirect mode, FortiGate quarantines a device by creating a firewall address object that contains the
quarantined device MAC address. FortiGate then adds the firewall address object to the
QuarantinedDevices address group.

However, FortiGate does not add a firewall policy to block the inter-VLAN traffic from the
QuarantinedDevices address group. For this reason, the administrator must manually create a firewall policy
like the one shown on this slide. Like with any firewall policy, the administrator must also make sure that the
policy is placed in the correct position in the firewall policy list, so that the quarantined traffic matches the
block policy instead of the regular firewall policies that are used for production traffic.

LAN Edge 7.6 Architect Study Guide 242

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Quarantine VLAN Interface
FortiSwitch Manager > Managed FortiSwitches > Managed FortiGate > VLAN

config user quarantine

By default, the quarantine set quarantine enable
VLAN is created if quarantine end
is enabled, and it is assigned
VLAN ID 4093

Quarantined subnet with

DHCP server enabled

Captive portal for remedial

actions

© Fortinet Inc. All Rights Reserved. 8

If you are using by VLAN mode, then you might want use the default quarantine VLAN as your quarantine
VLAN. The quarantine VLAN gets created when the first switch is discovered by FortiGate, provided the
quarantine feature is enabled under config user quarantine.

The quarantine VLAN is assigned with VLAN ID 4093 by default. In addition, the interface has DHCP Server
enabled to assign IP addresses to quarantined devices. By default, this VLAN is part of the allowed VLANs on
a managed FortiSwitch, which is needed for the quarantine feature to work. Moreover, to isolate quarantined
devices from each other, access VLAN is enabled on the quarantine VLAN by default. The access VLAN
option is only visible on the FortiGate GUI, and not on the FortiManager GUI.

In addition, the quarantine VLAN has captive portal enabled for device remediation. Part of the role of
quarantining devices is to challenge connectivity with the captive portal, which can be configured to present
custom messaging to the organization.

LAN Edge 7.6 Architect Study Guide 243

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Quarantine a MAC Address Manually—FortiSwitch Ports
WiFi & Switch Controller > FortiSwitch Ports

© Fortinet Inc. All Rights Reserved. 9

To manually quarantine a MAC address on the FortiGate GUI, browse to FortiSwitch Ports on the WiFi &
Switch Controller page, click the device listed in the Device Information column, and then select
Quarantine Host.

LAN Edge 7.6 Architect Study Guide 244

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Quarantine a MAC Address Manually—WiFi Clients
WiFi & Switch Controller > WiFi CLient

Check results through CLI

command

© Fortinet Inc. All Rights Reserved. 10

FortiGate offers the capability to quarantine wireless users connected through FortiAPs, enabling
administrators to isolate devices that exhibit suspicious behavior or violate network policies.

On the FortiGate GUI, click WiFi & Switch Controller > WiFi Clients. You will see a list of all wireless
devices currently connected to the network through FortiAP devices. Locate the device you want to quarantine
from the list of Wi-Fi clients. Each device entry provides details like IP address, MAC address, device name,
and signal strength, helping you identify the target device. Right-click the device entry to open a context menu.
Select Quarantine to immediately isolate the device from network access. Once quarantined, the device will
be prevented from communicating with other network devices, effectively restricting it from accessing critical
resources until further review.

LAN Edge 7.6 Architect Study Guide 245

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Manual Client Quarantine—WiFi Clients
• Another option is to quarantine wireless clients in the dashboard widget
• Quarantined hosts will be placed in the quarantined VLAN

Dashboard > WiFi > Clients By FortiAP

© Fortinet Inc. All Rights Reserved. 11

Another method that you can use to manage any hosts that are currently quarantined, or release hosts from
quarantine, is by using the Clients By FortiAP dashboard widget.

The Clients By FortiAP widget, located on the FortiGate GUI under Dashboard > WiFi, provides another
centralized view of all wireless clients connected through FortiAP devices.

Once a device is identified as a threat or exhibits suspicious behavior, FortiGate moves it to a dedicated
quarantine VLAN.

Clients By FortiPA is a useful widget for you to quickly identify and isolate risky devices, minimizing the
impact of security threats on the broader network.

LAN Edge 7.6 Architect Study Guide 246

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Automatic Quarantine

© Fortinet Inc. All Rights Reserved. 12

In this section, you will learn how wired and wireless clients are automatically quarantined on a FortiGate-
controlled network.

LAN Edge 7.6 Architect Study Guide 247

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Quarantine a Device Automatically
• Detection uses:
• Security Fabric (requires FortiAnalyzer with IOC license)
• Requires FortiAnalyzer
• Security events logs
• Automation stitch
• Traffic-based actions available:
• IP ban
• Block traffic from the device IP address on FortiGate (intra-VLAN traffic is still allowed)
• Access-layer quarantine
• Block inter-VLAN and intra-VLAN traffic from the device MAC address using FortiGate and FortiSwitch
• Quarantine FortiClient
• Block all traffic from the device on the device itself using FortiClient
• VMware NSX endpoint
• If an endpoint in VMware NSX environment is compromised, it will be blocked using the security tag
• FortiNAC quarantine

© Fortinet Inc. All Rights Reserved. 13

When FortiGate is a member of a Security Fabric group, the Security Fabric can quarantine devices
automatically using automation stitches.

In addition to requiring a FortiAnalyzer device to configure the Security Fabric, you also need a valid threat
detection services license on FortiAnalyzer. The license enables FortiAnalyzer to use IOCs to detect
compromised devices on the network. IOCs are events or characteristics collected about a device that
indicate, with high confidence, that the device has been compromised.

After FortiAnalyzer determines that the device has been compromised, you can configure the Security Fabric
to perform the following actions:

• IP ban: Traffic from the compromised device IP address is blocked on FortiGate, but intra-VLAN traffic is
still allowed.
• Access-layer quarantine: Inter-VLAN and intra-VLAN traffic from the compromised device MAC address is
blocked using FortiGate and FortiSwitch.
• Quarantine FortiClient: All traffic from the compromised device is blocked on the device itself, provided the
device has FortiClient installed.
• VMware NSX security tag: An endpoint in VMware NSX environment that is compromised to be blocked
based on the security tag.
• FortiNAC quarantine: The PC is quarantined and its MAC address is disabled on the configured FortiNAC
device.

LAN Edge 7.6 Architect Study Guide 248

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Automated Response
• The Security Fabric allows multiple
devices to share and leverage Security Fabric > Physical Topology
information
• If a device fails an IOC check, the entire
Fabric can react automatically
• How it works
• A device is detected as compromised by one
element of the Security Fabric
• Switches and APs can automatically
quarantine the device at the access layer

• Why it’s important

• Compromised Internet of Things (IoT) devices
are no longer a threat to the wider network
• Guest devices (if infected) will be dealt with
automatically

© Fortinet Inc. All Rights Reserved. 14

The Security Fabric allows you to detect and control compromised hosts, regardless of whether they are
connected wirelessly or through a wired connection.

If a device fails an IOC check, that device is considered to be compromised and the entire Fabric can respond
by placing the device in quarantine. Quarantining the device prevents it from becoming a threat to the wider
network.

Compromised IoT devices will be isolated. Any other types of devices, such as guest devices, will also be
isolated when they become compromised, but these devices will have the option to remediate themselves, if
required.

LAN Edge 7.6 Architect Study Guide 249

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Security Fabric Quarantine Automation

1
LAN stations trying to
access malicious site

4
FortiAnalyzer IOC
engine computing 2
logs Traffic detected
3 (or blocked)
Logs sent to by FortiGate
FortiAnalyzer

FortiAnalyzer FortiSwitch
5 FortiGate
(Detection Engine) 6
IOC detected by FortiAnalyzer
Event sent to FortiGate
Device quarantine
Access Layer

© Fortinet Inc. All Rights Reserved. 15

Known and unknown threat information is easily and efficiently shared among all elements and locations
within the Security Fabric. User-defined automation on FortiGate to quarantine compromised devices can be
strengthened with IOC services on FortiAnalyzer. This slide shows how compromised devices are
quarantined automatically, using IOC and the Security Fabric:

1. A device attempts to access content that is a security risk, such as a malicious website.
2. FortiGate blocks access to the site based on the firewall policy defined with the web filter profile.
3. FortiGate sends a log record to FortiAnalyzer regarding the violation committed.
4. FortiAnalyzer processes the logs using IOC services.
5. FortiAnalyzer makes a security risk verdict and sends it back to FortiGate.
6. User-defined automation takes action to quarantine the compromised device and place it in isolation.

LAN Edge 7.6 Architect Study Guide 250

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Security Fabric Automation Stitch
Security Fabric > Automation
Create the stitch on the root FortiGate
Trigger type
and apply on All FortiGates
Compromised Host
by IOC from
FortiAnalyzer
Actions to block
traffic from
compromised
devices

Select predefined Trigger and

Action

© Fortinet Inc. All Rights Reserved. 16

Compromised devices are identified by FortiAnalyzer using threat detection services. IOC verdicts are sent to
the root FortiGate of the Security Fabric group, in case there is an automation stitch configured for
compromised devices.

You can create the automation stitch only on the root FortiGate, and then select which of the FortiGate
devices in the Security Fabric the stitch will be applied to when triggered.

The IOC verdict assigned to a compromised host triggers the actions specified in the automation stitch.
Access Layer Quarantine is a layer 2 action that places the host machine in isolation.

After the stitch is triggered, there are many actions available. From the actions shown on the slide, the
following can block the traffic from the device: Access Layer Quarantine, FortiNAC Quarantine, and
FortiClient Quarantine.

LAN Edge 7.6 Architect Study Guide 251

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Security Fabric Automation Stitch—FortiManager
Device Manager > Device & Groups > Managed FortiGate > Security Fabric > Automation Stitch

© Fortinet Inc. All Rights Reserved. 17

FortiManager allows administrators to configure automation stitches on a per-device basis. Unlike some other
configurations, these stitches cannot be applied globally or through a template. This is because each
FortiGate device may need unique automation actions that align with its specific network and security policies.

LAN Edge 7.6 Architect Study Guide 252

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Integrated Wireless Quarantine
• Wireless clients can be quarantined AP Manager > SSIDs
automatically
• Works only with tunnel mode SSIDs
• Must be in a Security Fabric
• When quarantine is enabled on an SSID,
the required resources are automatically
created
• Quarantine soft switch
• Quarantine interface
• Default captive portal
• No quarantine firewall policy by default
• Can filter on a FortiGate level only
The replacement message
displayed when you attempt
to open a web page after
being quarantined
© Fortinet Inc. All Rights Reserved. 18

Note that it is currently possible to apply a quarantine to tunnel mode SSIDs only. For correct endpoint
analysis, the APs and FortiGate have to be in the Security Fabric together with FortiAnalyzer.

You can enable quarantine on the SSID. When quarantine is enabled, FortiGate automatically creates a soft
switch and interface, together with a captive portal. You create all of these features on FortiGate. FortiSwitch
is not required. By default, there are no policies to allow quarantined devices access to the internet. Note that
security automation can occur at only the FortiGate level, and not at the AP level.

After they are configured, wireless clients can be automatically quarantined using the same Security Fabric
automation stitches as those used for wired clients. Quarantined clients are placed in their own isolated VLAN
and then presented with a captive portal informing them that they are now isolated. You can configure this
captive portal in the same way as any other captive portal, to give users information about how to remediate
their device.

LAN Edge 7.6 Architect Study Guide 253

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Integrated Wireless Quarantine (Contd)
Network > Interfaces

Required soft switch,

interface, DHCP server,
and captive portal
automatically configured

Example policies Policy & Objects > Firewall Policy

manually created to
allow limited access to
enable remediation

© Fortinet Inc. All Rights Reserved. 19

Enabling a quarantine automatically creates a soft switch with a range of private IP addresses, together with a
system DHCP server. It also creates a captive portal, and then creates a subinterface under the quarantined
wireless network. If you want wireless clients to have access to the internet to enable them to update
themselves, install required software, or both, you will need to configure a set of policies to allow limited
access to the resources that are required. Typically, this requires DNS and specific HTTP/S access to
resources that host the required remediation files.

LAN Edge 7.6 Architect Study Guide 254

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

More Options to Monitor Quarantined Devices

© Fortinet Inc. All Rights Reserved. 20

In this section, you will learn how use widgets on FortiGate and FortiAnalyzer to monitor quarantined devices.

LAN Edge 7.6 Architect Study Guide 255

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Monitoring Compromised Devices
Dashboard > Security > Compromised Hosts by Verdict

FortiGate GUI

FortiAnalyzer GUI
FortiView > Threats > Indicator of Compromise

Click to acknowledge event

© Fortinet Inc. All Rights Reserved. 21

On the FortiGate GUI, you can view the compromised devices by IOC verdict by accessing the
Compromised Hosts by Verdict widget available on the dashboard.

You can also display the compromised devices on the FortiAnalyzer GUI by accessing the Compromised
Hosts section on FortiView. You can click Ack to acknowledge the event. After you acknowledge an event,
the event is removed from both the Compromised Hosts page on FortiAnalyzer, and the Compromised
Hosts by Verdict widget on FortiGate.

LAN Edge 7.6 Architect Study Guide 256

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Monitoring Quarantined Devices
• On the FortiGate GUI
Dashboard > Users & Identities > Quarantine

Release devices
from quarantine

You can remove all

• On the FortiGate CLI quarantined devices
View quarantined IP
# diagnose user banned-ip list all addresses or remove one
# show user quarantine device at a time
View quarantined MAC
addresses

© Fortinet Inc. All Rights Reserved. 22

You can view the list of quarantined devices on the FortiGate GUI by accessing the Quarantine widget
available on the dashboard. Alternatively, you can display them on the FortiGate CLI by running the
commands shown on this slide. Note that the list of quarantined IP addresses (IP ban action) and the list of
quarantined MAC addresses (access-layer quarantine action) are obtained using different CLI commands.

LAN Edge 7.6 Architect Study Guide 257

 Quarantine and Monitor
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Configure manual quarantine
 Implement quarantine using IOC triggers
 Configure quarantine on FortiSwitch
 Configure quarantine on FortiAP
 Explore widgets that are useful for managing quarantined devices

© Fortinet Inc. All Rights Reserved. 23

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to implement quarantine functions and
monitor compromised or unauthorized devices.

LAN Edge 7.6 Architect Study Guide 258

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Guest Access

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn how to configure and use integrated wireless features on FortiOS and
FortiAuthenticator to deploy a captive portal guest network.

LAN Edge 7.6 Architect Study Guide 259

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Deploy a wireless network to guests
• Describe external captive portal packet flow
• Provision a guest portal on FortiAuthenticator
• Explain the guest portal workflow
• Monitor guest users

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

LAN Edge 7.6 Architect Study Guide 260

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Guest Access

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about managing guest access using FortiGate.

LAN Edge 7.6 Architect Study Guide 261

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiOS Guest Access Features
• Guest SSID
• Allows the configuration of separate guest networks, security profiles, firewall policies, and user
authentication
• Internal captive portal
• Provides a landing page before access is allowed to the network
• Guest management
• Allows configuration of temporary guest accounts
• External captive portal
• Redirects guests to an external URL for authentication, disclaimer, and so on

© Fortinet Inc. All Rights Reserved. 4

FortiGate provides multiple ways to securely manage guest access to wireless networks. You can deploy a
completely separate wireless network using the existing hardware. FortiGate uses a virtual access point
(VAP) to deploy multiple SSIDs that are completely isolated from each other. This allows you to have
complete control over the traffic, including the ability to assign firewall policies, security profiles, and so on.

FortiGate also has a local captive portal that you can use as a landing page for guests before they are allowed
to access the network or local resources. To manage secure guest access, FortiGate offers local guest
management tools that you can use to temporarily create and distribute guest accounts. Alternatively, you can
redirect guests to an external captive portal server for authentication, disclaimer, and so on. FortiGate will
allow access to resources only after it receives a valid response from the external server.

LAN Edge 7.6 Architect Study Guide 262

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Guest SSID
• Deploy a separate guest wireless network without adding additional hardware
• FortiAP supports deployment of multiple wireless LANs using same hardware
• FortiOS provides full control over guest authentication and traffic
• You should use tunnel SSIDs to deploy guest network
• Provides better security and more control over guest traffic
• Captive portal page can be used to provide disclaimer and/or authentication page
• Internal or external captive portal
• Control where guest SSID is available
• Apply a guest SSID to APs only where you expect guests

© Fortinet Inc. All Rights Reserved. 5

You should deploy a separate SSID to guests that do not require access to a corporate or private network.
You can deploy multiple SSIDs using the same hardware. Separate SSIDs mean that you will have full control
over network traffic flow. You should deploy a guest access SSID in tunnel mode to ensure that all traffic is
sent to FortiGate using a CAPWAP data channel. This ensures that FortiGate maintains full control over the
traffic flow, and can apply security profiles to eliminate security threats before placing traffic on the egress
interface.

You can use a local or external captive portal to provide guests with a landing page. You can also use a
captive portal to display a disclaimer, or to authenticate guest users using guest accounts, or both. Because
you will be using a separate wireless network for guest access, you can choose to broadcast the network on
APs that are installed in locations where you expect guest users to be.

Be careful not to transmit too many SSIDs. Excessive numbers of SSIDs can impact wireless performance,
and you should carefully plan the number and use of wireless networks.

LAN Edge 7.6 Architect Study Guide 263

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Captive Portal
• Mostly used for guest network access
• Used as a landing page when accessing resources on a network
• Disclaimer
• Authentication page
• Terms of use
• And so on
• System grants user access only after the user accepts the disclaimer or successfully
authenticates using the captive portal
• Can be applied to a wired or wireless interface

© Fortinet Inc. All Rights Reserved. 6

The captive portal is used as a landing page after a user connects to a network. This function is used mostly
for guest access and networks that require a disclaimer. You can also authenticate your users on a captive
portal page that requests the user’s name and password. Until the user authenticates successfully, the
authentication page is returned in response to any HTTP request. After successful authentication, the user
can access the requested URL and can access other web resources, as permitted by security policies.
Optionally, the captive portal itself can allow web access to only the members of a specified user group.

LAN Edge 7.6 Architect Study Guide 264

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Captive Portal Types
• Authentication: Users are prompted to supply login credentials
• Disclaimer + Authentication: Users must accept a disclaimer and authenticate using
valid credentials
• Disclaimer Only: Users need to accept the disclaimer page—local only
• Email Collection: Users must accept a disclaimer and enter an email address
FortiGate > WiFi & Switch Controller > SSID FortiManager > AP Manager > SSIDs

Enables
Enablescaptive
captiveportal
portal
© Fortinet Inc. All Rights Reserved. 7

There are four types of captive portals that you can enable on an interface: Authentication, Disclaimer +
Authentication, Disclaimer Only, and Email Collection.

Authentication type captive portals request users to authenticate before they are allowed access to the
network.

Disclaimer + Authentication captive portals present users with a disclaimer page and an authentication
page. The user must accept a disclaimer and authenticate successfully in order to get network access.

Disclaimer Only captive portals present users with a disclaimer page. Users do not have to authenticate
using a username and password; they are allowed to access the network after they accept the disclaimer.

Email Collection captive portals present users with a disclaimer page together with a mandatory email
request field. Users cannot gain access without entering an email address.

LAN Edge 7.6 Architect Study Guide 265

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Captive Portal Authentication Types
• Local: FortiGate presents the user with a login page and processes authentication
requests
• External: FortiGate redirects users to an external URL where the external captive portal
server presents the user with a login page and validates authentication
AP Manager > SSIDs

Challenge unauthenticated
user’s method

Where captive portal is

located

Authenticated users must be part

of the specified group

External captive portal server

addresses

© Fortinet Inc. All Rights Reserved. 8

If you select Authentication in the Portal Type field, you will have the option to select Local or External in
the Authentication Portal field. If you select Local, the FortiGate built-in portal page is used. All the portal
configuration, including the web page that is presented to the users as a landing page, are hosted on
FortiGate.

For external captive portals, you can select External in the Authentication Portal section, and enter the fully
qualified domain name (FQDN) or IP address of the external captive portal server. When you do this,
FortiGate redirects users to the specified server address. After the user meets the requirements of the
external captive portal server, FortiGate allows user access based on the firewall policy configuration.

LAN Edge 7.6 Architect Study Guide 266

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Exempting Traffic to External Portal
• Must exempt traffic for captive portal authentication
AP Manager > SSIDs Policy & Objects > Policy Packages > Firewall Policy

Must have a corresponding

firewall policy in place

© Fortinet Inc. All Rights Reserved. 9

By default, FortiGate blocks all user traffic behind an interface that has the security mode set to captive portal.
All HTTP traffic redirects to the captive portal page, and all other traffic is blocked. However, there is an option
to exempt certain traffic, allowing it to flow through FortiGate without fulfilling captive portal conditions
(disclaimer or authentication).

If you are using an external captive portal server, you must configure a firewall policy and exempt web traffic
to the external captive portal IP address. You can exempt destination IP addresses and services on the SSID
using FortiManager. When you create the SSID, add the address objects of the destination(s) that you want to
exempt in the Exempt Destinations or Exempted Services field.

Just selecting and applying the address object and selecting the services is not enough to allow the traffic to
pass through FortiGate. You must also have a corresponding firewall policy in place that allows the pinhole
traffic to pass through FortiGate. Therefore, this is a two-step process:

1. Select the destination and services on the SSID in the Exempt Destinations or Exempted Services
section.
2. Use FortiManager to deploy a firewall policy on the captive portal interface connected to the interface
where the external captive portal server is located.

You can also specify source IP addresses that you would like to exempt from the captive portal. This can be
useful for devices that are unable to accept captive portal conditions using HTTP/HTTPs, but do require an
internet connection. For example, a printer might need to access the internet for firmware upgrades, and so
on.

LAN Edge 7.6 Architect Study Guide 267

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Exempting Traffic to External Portal (Contd)
• An alternative method to exempt Policy & Objects > Policy Packages > Firewall Policy
captive portal traffic is to create a
firewall policy and enable the
Exempt from Captive Portal
option
• Deploy from FortiManager as part
of a policy package

© Fortinet Inc. All Rights Reserved. 10

Alternatively, you can configure a separate firewall policy to allow traffic to reach the external captive portal
server without authenticating on the captive portal interface.

Create a FortiManager firewall policy package and set the destination to your captive portal server, and any
other required servers such as DNS or Windows AD. This option instructs FortiGate to allow traffic to pass
through to the specified destinations, without forcing users to authenticate first.

You can use an IP address or an FQDN to point to the captive portal server. If HTTPs is being enforced, the
portal address needs to be an FQDN and must match the common name (CN) on the certificate that is being
used on FortiGate.

LAN Edge 7.6 Architect Study Guide 268

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Firewall Policy for Authenticated Users
• Apply the user group that guests Policy & Objects > Policy Packages > Firewall Policy

will be part of
• FortiGate authorizes only users
who are part of the specified
groups allowed to access the
internet
• Do not enable the Exempt from
Captive Portal option for this
policy

© Fortinet Inc. All Rights Reserved. 11

Create a firewall policy from the guest interface to the internet. If you are using a guest user group, make sure
you assign it to the firewall policy as the Source User Group. When you do this, FortiGate allows only
authenticated users who are part of that group to access the internet.

Do not enable the Exempt from Captive Portal option on this firewall policy; otherwise, all the traffic to the
internet will be allowed without the users being presented with a captive portal page.

LAN Edge 7.6 Architect Study Guide 269

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
External Captive Portal Workflow

1. Request an internet page

2. Redirect to captive portal page

3. FortiAuthenticator captive portal

4. Submit login

5. FortiAuthenticator instructs user browser to POST login credentials to FortiGate

6. Client POSTs login to FortiGate 7. Access-Request

8. Access-Accept
9. Accounting-Request

10. Accounting-Response
11. FortiGate redirects user to the original URL

12. Client allowed access to the internet

© Fortinet Inc. All Rights Reserved. 12

1. The client tries to access a website.

2. The initial HTTP traffic is intercepted by the FortiGate wireless controller and redirected to the
FortiAuthenticator web login page, defined in the FortiGate captive portal profile.
3. FortiAuthenticator presents the user with a login page.
4. The client enters their user credentials on the FortiAuthenticator web login page.
5. The login message instructs the guest user’s browser to submit the user credentials directly to the
FortiGate as an HTTPS POST for authentication processing.
6. When FortiGate receives the client credentials in the HTTPS POST, it sends a RADIUS Access-Request
to the FortiAuthenticator RADIUS server to authenticate the user.
7. FortiAuthenticator validates the Access-Request message using its user database, which can be local or
remote (LDAP/RADIUS).
8. Based on the results of the authentication and authorization processing, FortiAuthenticator responds with
either an Access-Accept or Access-Reject message. If the authentication is successful, the Access-
Accept message contains one or more RADIUS attributes to define the context of the client session.
These attributes can include, but are not limited to: session duration, bandwidth, and access permissions.
When FortiGate receives the Access-Accept message, it changes the role of the client session, allowing
the device access to the network.
9. A RADIUS accounting request is sent by FortiGate to FortiAuthenticator to verify whether the user has
already established a session, or if an existing session in progress.
10. A RADIUS accounting response is sent back after the accounting record is written on FortiAuthenticator
after the request has been verified.
11. Following a successful authentication and initiation of the user session, the client is redirected to the
originally requested URL, which should now be accessible.
12. The user should be able to access the website and a countdown for the captive portal session timeout
begins.

LAN Edge 7.6 Architect Study Guide 270

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
HTTPS POST
Device Manager > Device & Groups > Managed FortiGate > CLI
• Uses HTTPS instead of HTTP for user Configurations > user > setting
authentication
• User credentials are protected by an SSL
tunnel
• Configurable from FortiManager on a
per-device basis
• Using a CLI Configuration
• The default port used for HTTPS
authentication is 1003
• If required, you can change this port using a
FortiManager System : Settings
configuration

Redirects the user browser

HTTP challenge to HTTPS

© Fortinet Inc. All Rights Reserved. 13

During the redirection process, user credentials can be communicated, secured, and encrypted, to the captive
portal server. You can configure authentication to use HTTP over SSL by deploying a CLI configuration from
FortiManager.

The default port used for HTTPS authentication is 1003. If you need to change the port, you can change the
auth-https-port value located in Device Manager > Device & Groups > Device > System : Settings >
Advanced Options.

Both of these settings are configurable only on a per-device basis. You cannot use a provisioning template.

LAN Edge 7.6 Architect Study Guide 271

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Authentication Certificate
• By default, FortiGate presents users with a factory default certificate on the
authentication page
• An alternative certificate can be specified from FortiManager

Device Manager > Device & Groups > Managed FortiGate > CLI Configurations > user > setting

Select previously
uploaded certificate

© Fortinet Inc. All Rights Reserved. 14

If you redirect the authentication page to an HTTPS page, FortiGate presents the currently configured server
certificate.

Note that this certificate is different from the Wi-Fi certificate covered in another lesson. This certificate
secures the captive portal webpage; the Wi-Fi certificate identifies and authenticates the controller when it is
operating as the authentication server.

The FortiGate factory certificate is self signed and will generate a certificate warning in the guest's browser.
Most administrators want to avoid this. Another lesson provides details about how to install certificates on
FortiGate using FortiManager. You can use the same process to install a publicly signed certificate that you
can specify here. Assuming the browser trusts this certificate, this will prevent the certificate warnings.

LAN Edge 7.6 Architect Study Guide 272

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Captive Portal POST Parameters
• FortiGate pushes the following POST parameters to the external captive portal server
1 2

https://fac.trainingad.training.lab/guests/login/?login&post=https://auth.trainingad.trai
ning.lab:1003/fgtauth&magic=000a038293d1f411&usermac=b8:27:eb:d8:50:02&apmac=70:4c:a5:9d:
0d:28&apip=10.10.100.2&userip=10.0.3.1&ssid=Guest03&apname=PS221ETF18000148&bssid=70:4c:a
3
5:9d:0d:30

1. External server address

• IP address or FQDN
• FQDN is required for HTTPS for certificate validation
2. FortiGate IP address or FQDN
• By default, FortiGate uses port 1000 to authenticate HTTP and 1003 to HTTPS traffic.
• Use the config firewall auth-portal setting to enable the use of FQDN
• FQDN needs to resolve to the IP address of the FortiGate interface where the captive portal is enabled
3. Session ID = Magic ID

© Fortinet Inc. All Rights Reserved. 15

When FortiGate redirects a user to the external captive server, it adds the parameters shown on this slide to
the HTTPS request. You can easily decode the information that FortiGate provides to the external captive
portal server. The first part of the redirected URL includes the external server address, followed by the
address of the FortiGate interface on which the captive portal is enabled. The magic parameter is the session
ID that is used to track the request information.

LAN Edge 7.6 Architect Study Guide 273

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
POST Parameters
• apname=PS221ETF18000148
• apip=10.10.100.2
• ssid=Guest01
• bssid=70:4c:a5:9d:0d:30
• apmac=70:4c:a5:9d:0d:28
• usermac=b8:27:eb:d8:50:02
• device_type=windows-pc
• userip=10.0.3.1
• magic=06090a8f989d0517
• login=
• post=https://10.0.3.254:1003/fgtauth

© Fortinet Inc. All Rights Reserved. 16

This slide contains a list of all the parameters that are sent to the external captive portal from a wireless
network on FortiGate.

LAN Edge 7.6 Architect Study Guide 274

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Guest Portal

© Fortinet Inc. All Rights Reserved. 17

In this section, you will learn about the guest portal options available on FortiAuthenticator.

LAN Edge 7.6 Architect Study Guide 275

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Guest Portal
• Allows configuration of guest portals on a per-network or per-AP/controller basis
• Provides user account and pre-login services
• Account creation (validated by email or SMS)
• Social login option
• Form-based information gathering
• Disclaimer
• Password reset
• Provides post-login services
• Password change
• Guest information updates
• Token registration
• Smart connect profile

© Fortinet Inc. All Rights Reserved. 18

The guest portal on FortiAuthenticator extends the functionality of the captive portal available on FortiGate.
The FortiAuthenticator captive portal is available through only one URL; however, portal match is based on
the mapping rules and RADIUS client profile, which makes this type of configuration very flexible and
scalable. You can configure multiple guest portals on FortiAuthenticator to serve users connecting to different
FortiGate devices or networks. FortiAuthenticator uses HTTP POST parameters that are sent by FortiGate in
the captive portal request, along with RADIUS client configurations, to map incoming captive portal requests
to their respective guest portals. You can define mapping rules based on the subnet address, AP MAC
address, SSID, AP location, and so on. All of these parameters are sent by FortiGate to FortiAuthenticator
using HTTP POST.

The guest portal offers user account, pre-login and post-login services for users who are authenticating using
FortiAuthenticator. User account and pre-login services are available to users without authentication, and
post-login services are offered after successful authentication. User account and pre-login services include
creating guest accounts with the option to validate by email or SMS, a social login option, form-based
information gathering, disclaimer, password reset, and so on.

After the user logs in successfully, they can access the post-login services page by visiting the
FortiAuthenticator login page. On that page, users can make changes to their account, such as updating their
information, changing their password, downloading a smart connect profile, and performing token registration.

LAN Edge 7.6 Architect Study Guide 276

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Guest Group
• Create a guest user group
• Reference this group in the guest portal for automatic mapping of new users
• Configure the RADIUS attribute that is sent to FortiGate after a successful authentication
• FortiGate uses the group name sent to assign authorization to users
Authentication > User Management > User Groups

Enable Guest Group to

automatically add users in
the Guest Users list

This needs to match the

FortiGate configuration

© Fortinet Inc. All Rights Reserved. 19

When configuring the guest portal, you should start by creating a guest user group on FortiAuthenticator. You
can reference this group to the guest portal configuration, so that any user who registers through the guest
portal will be put in this group. You can enable Guest Group to add newly self-registered users to the guest
user list, for another level of administrative management. You can use RADIUS attributes, such as group
name, to associate users with a group on FortiGate. This will act as an authorization tag and you can
reference that group in a firewall policy configuration. The RADIUS attribute value is case sensitive and must
match the FortiGate guest group configuration.

LAN Edge 7.6 Architect Study Guide 277

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Defining Guest Portals
• Define multiple guest portals
Authentication > Portals > Portals

Each portal must carry

a unique name

© Fortinet Inc. All Rights Reserved. 20

Start by defining the guest portals on the Portals configuration page, using the FortiAuthenticator GUI. The
portal policy will then configure how the portal is used.

All portals will be accessible on the same URL, but the mapping of the portals will depend on the portal policy.

Portal creation consists of assigning a unique name to the portal and, if desired, an SMS gateway for end-
user notifications. If you don’t have an SMS gateway, you can use the FortiGuard Messaging Service, if you
have valid licensing for the service.

LAN Edge 7.6 Architect Study Guide 278

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Portal—User Accounts
Authentication > Portals > Portals

All guests using this

portal will be placed
in the local Configure account expiry
FortiAuthenticator time
group called Guest

Guests will have the option to

choose their own password

Guest accounts must be

validated using an email
Guests must complete the
or SMS activation code
selected fields to proceed

© Fortinet Inc. All Rights Reserved. 21

You can enable the user account services that you would like to use for this guest portal. The Account
Registration option enables guest users to create and validate their account using a form-based web page.
The Account expires after option allows you to configure the account validity period. You can apply this to all
self-registered accounts. You can also enable the administrator approval option, which would require an
administrator to enable all self-registered accounts manually.

All guest accounts created using the Account Registration option will be placed in the group defined by the
Place registered users into a group option. FortiAuthenticator can randomly generate a password for the
guest user, or you can let users pick their own password. All accounts that register through the guest portal
must be validated through SMS or email before they can be used to log in. FortiAuthenticator will send the
guest user an activation code that they will use to activate their account. In this case, administrators do not
have to manually activate each self-registered account request.

You can select the mandatory field that a user must fill out at the time of account registration. The user cannot
leave the selected field empty. The FortiToken Revocation option adds a “Lost my token” link to the guest
portal token verification page. Users can click this link to request that their existing mobile token be
reprovisioned, switch to an email token, or disable their account.

LAN Edge 7.6 Architect Study Guide 279

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Portal Post-Login Services
Authentication > Portals > Portals

Enable services and

Guests can view or edit the information
information access to
they use for registration
guests, after they
authenticate

Token services available

as post-login services

The post-login service page can be

accessed from the FortiAuthenticator
URL or IP address
© Fortinet Inc. All Rights Reserved. 22

On the same configuration page, you can also select which post-login services users will have access to.
Post-login services will be available to users only after they authenticate. Profile options allow users to view
or edit their account information, such as name, email, phone number, and so on. You can also give users the
ability to change their password. Token Registration options allow users to self provision or request a new
token from the administrator. The Smart Connect option allows users to download a smart connect profile for
their networks. The Device Tracking and Management option allows administrators to assign all guest
devices to a device group. Users must register all their devices before they are allowed to access the network.

LAN Edge 7.6 Architect Study Guide 280

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Create the RADIUS Client
• RADIUS clients are used as portal Authentication > RADIUS Service > Clients
selection criteria
• RADIUS policies will be used to define
• RADIUS attribute criteria
• Authentication type
• Identity source
• Authentication factors
• RADIUS response

© Fortinet Inc. All Rights Reserved. 23

Before you can enable captive portal, you must create a RADIUS client. You do this on the Clients page. The
RADIUS client is necessary so that FortiAuthenticator can accept RADIUS authentication requests from
FortiGate. (FortiGate becomes registered as an authentication client.)

You will also need to create a RADIUS policy and assign the RADIUS client to that policy. The policy defines
the way that FortiAuthenticator processes RADIUS communications with the client, including authentication
type, identity source, authentication factors, and so on.

Note that self-registered guest users will be added to the local FortiAuthenticator database. Make sure that
the RADIUS profile is configured to use a realm that allows the processing of local user authentication.

LAN Edge 7.6 Architect Study Guide 281

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Define APs
• APs are used as portal selection criteria

Authentication > Portals > Access Points

© Fortinet Inc. All Rights Reserved. 24

An AP is configured for use as portal selection criteria in an access policy. The APs define where an end user
is being redirected from, so that they can be directed to a specific portal.

LAN Edge 7.6 Architect Study Guide 282

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Portal Policies

Authentication > Portals > Policies > Captive Portal

Portal URL

Portal page
associated with
this policy

© Fortinet Inc. All Rights Reserved. 25

Portal policies are used to determine both the appropriate portal, and the means by which the user is
authenticated. You can configure portal polices using a policy wizard. The initial step, Policy type, is used to
provide a name and description for the policy, as well as the type of access that will be enforced. The settings
in the Type field allow you to direct users to a designated portal, which you select in the drop-down field, or
select Deny captive portal access to deny portal access. The policy match criteria are defined by the
configuration options that you set in other policy wizard steps.

LAN Edge 7.6 Architect Study Guide 283

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Portal Policies—Portal Selection Criteria
Authentication > Portals > Policies

Available HTTP parameters

© Fortinet Inc. All Rights Reserved. 26

You must configure a portal policy to present the portal page to the guest.

Guest portal rules use the incoming POST parameters and conditions defined within the rules to map the
request to guest portals. You can define one or multiple conditions that must be matched to the POST
parameter before a captive portal request is mapped to a guest portal login. You can select an HTTP
parameter and use one of the three predefined operators (exact_match, substring_match or in_range) to
add a condition. You must define values of a condition manually.

For example, if you would like to present a portal to users who connect from an IP address in the range of
10.0.3.0/24, you must set the following conditions:

HTTP parameter: userip

Operator: [ip] in_range
Value: 10.0.3.0/24

LAN Edge 7.6 Architect Study Guide 284

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Portal Policies—Authorized Clients
Authentication > Portals > Policies

Previously defined
access points

Previously defined RADIUS

servers

© Fortinet Inc. All Rights Reserved. 27

In addition to the POST parameters, page presentation can be dependent on the point of connection (the AP)
and RADIUS message source. You define the APs and RADIUS clients on the Authorized clients page, by
moving existing entries for each type to the Chosen Access Points and Chosen RADIUS Clients lists.

LAN Edge 7.6 Architect Study Guide 285

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Portal Policies—Authentication Type and Identity Sources

Authentication > Portals > Policies

Optional social login allows guests

to use external services such as
Facebook, LinkedIn, and so on

Authentication > Portals > Policies

Configure the back-end

authentication, if required
© Fortinet Inc. All Rights Reserved. 28

In the Authentication type step, you can also define the type of authentication (user or device) as well as
whether you want to use it for account login, social login, or both.

The social user login option allows users to authenticate using third-party single sign-on (SSO) services such
as Facebook, LinkedIn, and so on. You must configure social login profiles to use this method. Account login
means that user credentials are provided by the FortiAuthenticator internal database or remote authentication
server.

You configure the back-end authentication details in the Identity sources step. If you have enabled social
users as an authentication type, you will select the social platforms that will be available for user
authentication. The options are Facebook, Google, Twitter, Linkedin, Phone number, and Email. For each
option, other than phone number and email, you will need to configured a remote open authorization (OAuth)
server.

In the Local/Remote Users section, you will select the desired username format and realms. Each selected
realm can be filtered down to the group level.

LAN Edge 7.6 Architect Study Guide 286

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Portal Policies—Authentication Factors and RADIUS
Response
Authentication > Portals > Policies

Authentication > Portals > Policies

© Fortinet Inc. All Rights Reserved. 29

You define authentication requirements, such as mandatory two-factor authentication, password-only

authentication, and so on, in the Authentication factors step. The RADIUS response step provides a
summary of the RADIUS response for each authentication result.

LAN Edge 7.6 Architect Study Guide 287

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Sponsor Account
• FortiAuthenticator administrators or user accounts with the sponsor role can add guest
accounts
• Guests can use the account information to log in without registering first
Authentication > User Management > Guest Users
Express: Bulk generates usernames and passwords
From CSV file: Import users from prepared file
Manual Input: Allows you to input guest information
manually

Output from
Express creation

© Fortinet Inc. All Rights Reserved. 30

FortiAuthenticator allows administrator and user accounts that have sponsor permission to sponsor guest
accounts for their visitors. Sponsor accounts are temporary accounts that are created by an administrator or
user for visitors. Local users can log in to FortiAuthenticator and sponsor one or more guest accounts. There
are three creation modes: Express, From CSV file, and Manual Input.

Express mode bulk creates multiple users and their login details automatically. Users must define the account
expiry date and time, before they can create a guest account. You can also select the number of guest
accounts and the sponsor and groups assigned to them. When you create the accounts, FortiAuthenticator
displays the login information in a table. You can choose to send this information to guests directly, using
SMS or email. Alternatively, you can print or export the login information to a CSV file.

From CSV file creation mode allows administrators to create one or more guest accounts using parameters
from a CSV file. Format each line of the CSV file with the following values:

<first name>, <last name>, <email>, <mobile>, <group>

Manual Input mode requests the administrator or users to manually fill in the information for their guests,
such as name, address, phone number, and so on. They must also manually define the username and
password when using this mode.

LAN Edge 7.6 Architect Study Guide 288

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Guest Accounts
• System lists all self-registered guest accounts on the local user’s page
• System applies the account expiry settings configured in portal settings
Authentication > User Management > Local Users

• System lists sponsor guest accounts on the guest user’s page

• You must define account expiry settings at the time of creating the guest accounts

Authentication > User Management > Guest Users

© Fortinet Inc. All Rights Reserved. 31

It is important to note that all self-registered guest accounts are listed on the Local Users page on the
FortiAuthenticator GUI. The system automatically assigns an expiry date to all self-registered users, as
defined in the guest portal settings.

Sponsor accounts are listed on the Guest Users page on the FortiAuthenticator GUI. These accounts expire
according to the expiry date and time selected at the time of account creation.

LAN Edge 7.6 Architect Study Guide 289

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Guest Portal Workflow
• FortiGate receives HTTP GET requests from users
• Redirects them to FortiAuthenticator
• FortiGate collects and sends the following POST parameters to FortiAuthenticator:
• apname=PS221ETF18000148
• apip=10.10.100.2
• ssid=Guest01
• bssid=70:4c:a5:9d:0d:30
• apmac=70:4c:a5:9d:0d:28
• usermac=b8:27:eb:d8:50:02
• device_type=windows-pc
• userip=10.0.3.1
• magic=06090a8f989d0517
• login=
• post=https://10.0.3.254:1003/fgtauth

© Fortinet Inc. All Rights Reserved. 32

Now, you'll review the guest portal workflow. A client connects to a captive portal network on FortiGate. The
client tries to visit a website. FortiGate receives an HTTP GET request from an unauthenticated user. It
redirects the user to the captive portal URL, along with the POST parameters.

LAN Edge 7.6 Architect Study Guide 290

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Guest Portal Workflow (Contd)
• FortiAuthenticator uses POST parameters and the RADIUS client configuration to map
the request to a guest portal for authentication
https://fac.trainingad.training.lab/guests/login/?login&post=https://auth.trainingad.training.lab:1003
/fgtauth&magic=000a038293d1f411&usermac=b8:27:eb:d8:50:02&apmac=70:4c:a5:9d:0d:28&apip=10.10.100.2&use
rip=10.0.3.1&ssid=Guest03&apname=PS221ETF18000148&bssid=70:4c:a5:9d:0d:30

• If mapping conditions are met, FortiAuthenticator presents the login page to the user

© Fortinet Inc. All Rights Reserved. 33

FortiAuthenticator uses the provided POST parameters and RADIUS client configuration to search the
mapping rules. If all the conditions defined in a mapping rule are met, FortiAuthenticator uses the mapped
guest portal and presents the login page to the user.

LAN Edge 7.6 Architect Study Guide 291

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Guest Portal Workflow (Contd)
• Guest user registers and activates account
• If account was a sponsored guest, you can use that account to log in directly
• Account is added to the FortiAuthenticator local user database
• Guest user logs in
• FortiGate verifies if the user group is allowed access to the requested page
• Guest user is allowed access based on the firewall policy configuration

© Fortinet Inc. All Rights Reserved. 34

If the guest user does not have an account, they can click the link on the login page to register for an account.
FortiAuthenticator will present them with a form-based web page to fill in. After the user fills in all the required
information, including their email or phone number, or both, FortiAuthenticator will send them an activation
code. This activation code is a request to finish the self-registered account creation process. After they enter a
correct activation code, FortiAuthenticator will automatically add the account to its local user database and
redirect the user to the login page. The user can now log in using their login credentials. After a user is
authenticated, FortiAuthenticator places them in the guest group and sends the FortiGate group name using
the RADIUS attribute. FortiGate will use the attribute as authorization and allow the user to access resources,
based on the firewall policies configuration.

LAN Edge 7.6 Architect Study Guide 292

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Monitoring Guest Users
• FortiAuthenticator logs all authentication-related information in its logs
Logging > Log Access > Logs

• FortiAuthenticator forwards login information to FortiGate

Dashboard > Users & Devices > Firewall Users

Sent by FortiAuthenticator as RADIUS

attribute for authorization

© Fortinet Inc. All Rights Reserved. 35

FortiAuthenticator logs all authentication-related information. This information includes username, time of
authentication, status, IP address, guest portal used to authenticate, and so on. You can view active user
sessions on FortiGate on the Firewall Users monitor, which lists the username, user group, duration of the
session, and IP address.

LAN Edge 7.6 Architect Study Guide 293

 Guest Access
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Configure the guest access SSID
 Configure the captive portal
 Describe the captive portal packet flow
 Provision the guest portal
 Explain the guest portal workflow
 Monitor guest accounts

© Fortinet Inc. All Rights Reserved. 36

This slide shows the objectives covered in this lesson.

By mastering the objectives covered in this lesson, you learned how configure and use integrated wireless
features on FortiOS and FortiAuthenticator to deploy a captive portal guest network.

LAN Edge 7.6 Architect Study Guide 294

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

LAN Edge Architect

Monitor and Troubleshoot

FortiOS 7.6
Last Modified: 3 February 2025

In this lesson, you will learn about the FortiAIOps application on LAN Edge, monitor the wireless network, and
monitor and troubleshoot FortiLink connectivity.

LAN Edge 7.6 Architect Study Guide 295

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Objectives
• Apply FortiAIOps on LAN Edge
• Monitor a wireless network
• Manage FortiAP devices through FortiManager
• Monitor and troubleshoot FortiLink connectivity between FortiGate and FortiSwitch

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of FortiAIOPs in the LAN Edge solution, you will be able to
monitor a wireless network and troubleshoot a FortiLink connection.

LAN Edge 7.6 Architect Study Guide 296

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Deploy FortiAIOps

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn how to deploy FortiAIOps to analyze and monitor FortiGate, FortiAP, and
FortiSwitch.

LAN Edge 7.6 Architect Study Guide 297

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAIOps for Diagnosis and Optimization
• AI- and ML-driven network troubleshooting
• FortiAIOps leverages artificial intelligence (AI) and machine
learning (ML) to diagnose network issues
• Analyzes potential problems and suggests corrective actions
• ML-based analytics recommend optimizations for mobile
workers, wireless, and IoT devices
• Data collection and insights
• Gathers data from switched and wireless infrastructures,
DHCP, and authentication servers
• Displays network statistics through a comprehensive, user-
friendly dashboard
• Provides deep network visibility and insights
FortiAIOps
• AI engine capabilities
• Processes event logs from FortiGate controllers
• Identifies key issues and provides drill-down analysis
• Predicts and highlights critical network problems for quick
resolution

© Fortinet Inc. All Rights Reserved. 4

FortiAIOps enhances network diagnosis and troubleshooting through its powerful AI and ML architecture. By
collecting data from multiple sources, including wired and wireless infrastructures, it provides a holistic view of
network health. The ML capabilities suggest network optimizations and help detect anomalies before they
escalate into critical issues. The AI engine thoroughly examines the data and flags areas requiring attention,
helping IT teams address network concerns efficiently.

LAN Edge 7.6 Architect Study Guide 298

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiAIOps Key Tools
• Real-time remediation and insights
• Provides remediation suggestions for detected network issues
• Enables in-depth analysis of logged information to identify root causes
• Reviews FortiGate configurations to diagnose and troubleshoot performance problems
• Dashboard and predictive monitoring
• Web-based dashboard offers insights and root cause analysis
• Predicts issues based on learned network behaviors
• Recommends fixes for immediate and future network performance issues

© Fortinet Inc. All Rights Reserved. 5

FortiAIOps offers an intuitive web-based dashboard that presents a clear view of network insights, enabling
real-time monitoring and diagnosis. Predictive monitoring allows the AI engine to recognize normal traffic
patterns and forecast potential issues, providing proactive recommendations for resolution.

LAN Edge 7.6 Architect Study Guide 299

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Summary Widgets
Dashboard > Summary
• Centralized monitoring
• High-level view of network performance, health,
and security.

• Real-time performance metrics

• Track bandwidth, CPU and memory use, and
application performance in real-time.

• Single-pane-of-glass access to critical

information
• Provides easy, at-a-glance access to key
metrics

© Fortinet Inc. All Rights Reserved. 6

The summary dashboard provides a high-level overview of the network performance, health, and security of
FortiGate, FortiAP, and FortiSwitch devices and services. This dashboard is designed to provide quick, single-
pane-of-glass access to critical information, allowing you to monitor the status of your network at a glance.

One of the key features of this dashboard is its real-time performance metrics, which include bandwidth, CPU
and memory use, and application performance.

LAN Edge 7.6 Architect Study Guide 300

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
AI Insights
Dashboard > AI Insights
• Proactive issue detection
• Automatically cross-checks network events
and data to catch problems early
• Reduces support tickets by fixing issues
before they impact users
• Enhanced troubleshooting tools
• Spectrum analyzer for managing wireless
interference
• Service assurance feature verifies network
service levels (SLAs) from the AP perspective
• Benefits
• Improved network reliability
• Simplified troubleshooting
• Enhanced wireless experience for users

© Fortinet Inc. All Rights Reserved. 7

FortiAIOps AI-powered insights is like having an extra set of smart eyes on your network, constantly cross-
checking events and data to catch issues early and keep everything running at peak performance. Catching
potential problems before they affect users helps reduce the number of support tickets and makes
troubleshooting easier with tools that verify each part of your setup.

For wireless networks, FortiAIOps provides an easy-to-read dashboard with both live and historical data, so
you can track performance trends over time and get a complete view of radio frequency (RF) metrics. The
network heatmaps show exactly how things are working in real time, highlighting details like signal strength,
speed, and how many devices are connected. The built-in spectrum analyzer helps manage wireless
interference, while the service assurance tool checks that your service levels are being met—testing from the
access point (AP) perspective to make sure all wireless network services are working as expected.

LAN Edge 7.6 Architect Study Guide 301

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Inventory
Inventory > Managed FortiGates
• FortiGate devices need to be added to
FortiAIOps
• FortiAP and FortiSwitch devices controlled
by FortiGate are automatically added
• Changes in AP configuration are automatically
synchronized
• Managed FortiGate devices can be have
multiple actions applied to them
• ADD: Add an individual FortiGate
• IMPORT: Add multiple controllers in the form of
a CSV file
• Export All: Export all FortiGate devices into a
CSV file

© Fortinet Inc. All Rights Reserved. 8

The Inventory > Managed FortiGates option in FortiAIOps offers a centralized view of all FortiGate firewalls
in the network, displaying essential details like device model, serial number, firmware version, and uptime.

With Managed FortiGates, FortiAIOps simplifies maintenance and enhances network visibility and
compliance. Performance metrics, including CPU, memory, and bandwidth utilization, are displayed to help
identify bottlenecks and monitor resource usage.

LAN Edge 7.6 Architect Study Guide 302

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Wireless
• APs
• Centralized monitoring pane for all APs managed by FortiGate devices monitored by FortiAIOps
• Real-time status and health tracking
• Channel and coverage status
• Clients
• Real-time client list
• Access to an in-depth insight for each wireless client with a View Details option for each wireless client
• Enhanced connection quality monitoring
Wireless > Access Points Wireless > Clients

© Fortinet Inc. All Rights Reserved. 9

The Wireless > Access Points window displays the status, band, model, radio channels, applied profiles,
and broadcast SSIDs for each FortiAP in the network. This centralized view helps you monitor AP health,
optimize network coverage, and ensure configuration consistency. Additionally, a View Details option allows
you to analyze performance metrics, such as connected client data, radio utilization, and traffic statistics for
each FortiAP, allowing for targeted troubleshooting and network adjustments.

For client-specific monitoring, Wireless > Clients offers a detailed, real-time list of users currently connected
to the network through FortiAP devices. It displays essential information for each client, including their MAC
address, IP address, operating system, VLAN ID, and the channel used. This feature allows network
administrators to easily track individual devices, analyze client distribution across channels, and maintain
network segmentation with VLANs. The View Details function further extends these insights, providing in-
depth client metrics like signal quality, data usage, connection duration, and even roaming history between
APs.

By combining AP-level insights with real-time client data, FortiAIOps enhances your visibility into the network
performance and client experience. This functionality helps you to detect and address potential issues like
channel interference, client overload, or poor signal quality.

LAN Edge 7.6 Architect Study Guide 303

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Wireless (Contd)
• Channel summary
• Real-time channel performance monitoring
• Interference and utilization insights
• Channel health and optimization
• Rogue APs
• Real-time threat detection
• Detailed information about unauthorized APs
• Helps to mitigate risks from unauthorized devices
Wireless > Channel Summary Wireless > Rogue APs

© Fortinet Inc. All Rights Reserved. 10

The Channel Summary view gives you a clear and real-time view of how each wireless channel is
performing, helping you keep the network fast and reliable. It shows which bands are in use, how busy each
channel is, and if there’s interference from other nearby networks. You can also see important details about
each channel, like the number of connected clients, active radios, data speed, noise levels, and an overall
health score.
With this information, you can spot channels that are getting crowded or experienced too much interference
and make adjustments to keep things running smoothly. The Channel Summary helps balance the network
load, reduce interference, and make sure each FortiAP is set up to provide the best possible connection.

The Rogue AP Monitoring view helps you spot unauthorized or interfering APs that could be a security risk.
It gives you all the key details for each rogue AP detected, like SSID, manufacturer, and MAC address, along
with how strong its signal interference is and its status on the network. You can also see which FortiAP first
detected the rogue AP, what channel it’s using, and whether it’s connected to the wired network or just
nearby.
This view makes it easy to identify and deal with unauthorized devices that could disrupt or compromise your
network, giving you a clear view of any potential security risks so you can act fast to keep your network
secure.

LAN Edge 7.6 Architect Study Guide 304

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Switch
Switch > FortiSwitch
• Comprehensive FortiSwitch monitoring
• Essential status information for all your
FortiSwitch devices
• In-Depth port analysis
• Detailed information on each FortiSwitch
port
• Automatic FortiSwitch integration
• FortiAIOps automatically recognizes and
adds any FortiSwitch managed by a
monitored FortiGate

Switch ports info

© Fortinet Inc. All Rights Reserved. 11

The Switch view makes it easy to have access to an overview on your FortiSwitch devices by providing key
details like their status, model, firmware version, and FortiLink type. If you want to dig further into one of the
monitored Fortiswitch devices, the View Details option lets you explore each switch port and see important
information, such as the port mode, native and allowed VLANs, whether dynamic VLANs or port policies are in
play, as well as the Power over Ethernet (PoE) status and DHCP snooping settings.

FortiAIOps automatically adds any FortiSwitch that is managed by a FortiGate it monitors. This means you
can easily track all your FortiSwitch devices in one convenient place, giving you easy management access.

LAN Edge 7.6 Architect Study Guide 305

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Switch—FortiSwitch Clients
• Device overview
• Displays the total number of devices connected to each FortiSwitch
• Hardware identification
• Identifies connected hardware types, including switches, APs, extenders, and more
• Detailed client information
• Provides detailed information for each connected client, such as VLAN usage, connected ports,
MAC addresses, and IP addresses
Switch > FortiSwitch Clients

© Fortinet Inc. All Rights Reserved. 12

The FortiSwitch Clients view gives you a detailed view of all the devices connected to each FortiSwitch in
your network. You can easily see how many devices are connected and identify what type of hardware they
are, whether they’re switches, APs, extenders, PCs, or other devices. This information is invaluable for
understanding the makeup of your network and ensuring that all connected devices are accounted for.

FortiAIOPs provides important details about each connected client. You can find out which VLAN each device
is using, what port it’s connected to, and key identifying information like MAC addresses and IP addresses.
Knowing these details helps you manage network segmentation and troubleshoot any connectivity issues
more effectively.
Furthermore, by knowing which FortiGate each client is connected to, along with other relevant settings, with
these insights at your fingertips, you can make informed decisions to optimize your network.

LAN Edge 7.6 Architect Study Guide 306

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Monitoring the Wireless Network

© Fortinet Inc. All Rights Reserved. 13

In this section, you will learn how to monitor the FortiGate managed wireless network.

LAN Edge 7.6 Architect Study Guide 307

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Wireless Monitoring
• What are the important measures?

Wireless Health Wireless Capacity

• Channel noise • Channel utilization

• Signal strength • Association count
• Link rates • Data throughput
• Retry rate
• Loss rate

© Fortinet Inc. All Rights Reserved. 14

A large proportion of wireless troubleshooting revolves around ensuring that a number of wirelesses metrics
are within acceptable ranges.

The important measures belong to two broad categories—wireless health and wireless capacity.

Wireless health includes measures of factors that affect connection reliability, such as getting or staying
connected to a wireless network. It is a measure of how healthy the RF is around a specific interface.
Wireless health assesses how well wireless frames are being transmitted from the APs to the clients. You can
check wireless health by looking at the channel noise measured by the interface in a specific area, the signal
strength of the client, and the link rates that the client is using.

Wireless capacity measures factors that affect the capacity of the interface, and the channel capacity around
the interface. It is a measure of channel utilization—how busy the interface and the spectrum is and the
number of clients on an interface. The retry rate can be an indication that the collision rate is high, which can
occur when there are large numbers of clients in the network. This is also a capacity measure.

A number of metrics are relevant to both categories; however, some are more important than others.

Some of these measures, such as retry and loss rates, are not easily measurable on FortiAPs; however,
because these measures are important in the AP and client calculation of link rates, the link rate can be used
as a prime indicator of connection quality.

LAN Edge 7.6 Architect Study Guide 308

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Sources of Information
FortiGate > WiFI & Switch Controller > Managed FortiAPs > Radio AP Manager > Managed FortiAPs > Managed FortiGate > Clients

FortiGate > Dashboard > WiFi

© Fortinet Inc. All Rights Reserved. 15

So, where do you find information about these metrics?

There are multiple sources of information, depending on the products that are available in the network.

Information that is available from FortiGate is generally related to the current status of the wireless network.
The amount of historical wireless data that is available is generally less.

LAN Edge 7.6 Architect Study Guide 309

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate—Wireless Widgets
FortiGate > Dashboard
• Optional widgets that can be
added to a dashboard
• No default dashboard for wireless
• Can be added to any dashboard
• Clickable as a shortcut to further
information
• Widgets can be converted to monitor
• Some widgets have settings and
durations
• Key widgets to monitor:
• Channel Utilization
• FortiAP Status
• Signal Strength

Add wireless widgets in a

dashboard or create a new
dashboard and add new widgets

© Fortinet Inc. All Rights Reserved. 16

The wireless widgets are a great place to start. By default, wireless widgets are not added to any dashboard.
If you are regularly monitoring wireless performance and capacity, it is a good idea to create a dedicated
dashboard that consists of wireless widgets. The widgets will be color-coded to indicate their status.

Of particular interest will be the Channel Utilization and Interfering SSIDs widgets. These widgets highlight
the radio interfaces that are potentially suffering issues from high channel utilization or excessive interference.

Clicking on widget elements often displays additional information in a tabular format. Click Channel
Utilization to see a complete list of all the wireless interfaces supported by FortiGate, together with the
channel utilization.

In the Interfering SSIDs widget, you can click a radio to reveal a table of interfaces. You can sort these tables
to highlight radios that are causing the most interference.

The widgets show essential information that you can use to diagnose potential causes of poor performance
and connection reliability. You can also convert them into monitors.

LAN Edge 7.6 Architect Study Guide 310

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate—Managed FortiAPs
• Located under Wi-Fi & Switch FortiGate > Wi-Fi & Switch Controller > Managed FortiAPs
Controller
• Displays detailed information
about the installed APs
• View by AP
• Right-click column headers and add
Channel Utilization
Right-click to see
• View by radio more information
• Sort all radios by utilization and
station load
• View by group
• Place APs in separate groups
• Both AP and radio view:
• Radio utilization (when column added)
• Client count

© Fortinet Inc. All Rights Reserved. 17

Starting at FortiGate, the Managed FortiAPs table also contains useful information about the status of
connected APs.

Found under Wi-Fi & Switch Controller > Managed FortiAPs, it provides three different views.

AP View is the default view and groups radio interfaces together under an AP.

The Radio option is more useful for assessing load because it allows you to easily sort the radios to highlight
interfaces that are in trouble. Note that you can add useful columns, such as Channel Utilization, to a view.

LAN Edge 7.6 Architect Study Guide 311

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate—Managed FortiAPs (Contd)
• Focus on an AP by right-clicking FortiGate > Wi-Fi & Switch Controller > Managed FortiAPs
and selecting View More Details
• Access to important radio and AP
metrics
• Wireless health
• Wireless capacity
• Spectrum Analysis—If AP is
capable and configured
• CLI Access—Direct access to AP
CLI
• Wireless Logs—Detailed
operation log

© Fortinet Inc. All Rights Reserved. 18

When you right-click an AP, you get the option to select View More Details. You can see a more detailed
summary of the individual AP details and perform basic actions on the AP, such as upgrade, restart, or
deauthorize. It is also possible to edit the configuration directly, which will override the profile settings.

You will see color-coded health indicators in the upper-right corner, which will give you an immediate
indication as to the status of the AP and its radios. The colors indicate the severity of the issue, using the
colors red, green, and yellow to indicate the severity.

The table shows the configuration and the status of the radios by default. The Clients tab shows all the clients
that are associated with the AP. You can also drill down into the individual clients, if required. The logs view
filters the wireless events just for this AP. Double-clicking each event shows the event details.

The CLI access option allows direct access to the CLI of the AP, if required. If the AP is capable and is
configured for dedicated operation, then you will be able to enable spectrum analysis. Not all APs are capable
of spectrum analysis—refer to the release notes for more information. The spectrum analysis view shows the
real-time view of the wireless spectrum, together with any detected interferers.

LAN Edge 7.6 Architect Study Guide 312

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate—Wi-Fi Clients
• Detailed client information for all FortiGate > Wi-Fi & Switch Controller > WiFi Clients

clients currently connected

• Use to assess the client health
from the AP point of view
• The signal strength here is measured
by the AP
• It does not show the signal strength of
the AP at the client
• For more useful information, add
additional columns:
• Rate Rx/Tx—Link quality indicator Client
Clientlink
linkrate
rate.isAa Signal strength and
critical indicator of detected noise level are
• MIMO—Client capability indicator station
stationconnection
connector important underlying
• Band—Client capability indicator health metrics for link health

• Columns sortable and filterable to

isolate clients that are in difficulty

© Fortinet Inc. All Rights Reserved. 19

The WiFi Clients table provides detailed information about clients that are currently connected.

Again, you can add additional columns to provide useful information about a client’s connection state, such as
the signal strength the AP is receiving from the station, the downstream link rate, the channel configuration,
and so on.

Again, you can sort and filter to highlight clients that are in trouble.

LAN Edge 7.6 Architect Study Guide 313

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate—Wi-Fi Clients (Contd)
FortiGate > Wi-Fi & Switch Controller > WiFi Clients > Diagnostics and Tools
• Detailed client information for all
clients currently connected
• Use to assess the client health
from the AP point of view
• Provides a small amount of
historical information for:
• Bandwidth
Full connection log
• Signal-to-noise ratio (SnR)
• Detailed connection log
• See station connection errors
• Wireless connection events
• DHCP events
• Filterable
• Exportable

© Fortinet Inc. All Rights Reserved. 20

Select a station in the client list. Then, right-click and select Diagnostics and Tools to open diagnostics
about a station.

From here, you can perform basic actions, such as quarantine or disassociate workstation. The health icons
are color-coded and will give an immediate indication of any issues, such as poor signal strength or SnR.

There is an option to display a graph which, by default, will show bandwidth but can also show SnR. The
graphing is limited to approximately 10 minutes of data.

If you select the Logs tab, you can see a logical log of station connection events. This log is useful for quickly
diagnosing common connectivity issues, such as incorrect passwords or pre-shared keys, because the
association and authentication steps the wireless client performs are listed in the log. You can see details of
each log event by clicking the Details button. Here, you will see further information about any failures.

Filter the log and export its contents into a text file for a more detailed analysis.

LAN Edge 7.6 Architect Study Guide 314

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate—Wi-Fi Events
FortiGate > Log & Report > System Events > WiFi Events
• Provides a historical log of
wireless-related events
• To view specific station information
• Add the following columns:
• Band
• Data Rate
• Physical AP
• Add a filter for Station Mac
• To monitor a specific AP
• Add the following columns
• Physical AP
• Add a filter for Physical AP
Extensive
additional
information can be
added to the table

© Fortinet Inc. All Rights Reserved. 21

The Events table provides a whole-controller historical view of the wireless network. You can use this to
identify events that affect both clients and APs over time.

Adding additional columns and filtering allows you to focus in on wireless clients or APs that are misbehaving.

LAN Edge 7.6 Architect Study Guide 315

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiManager—Managed AP View
• Centralized view of all managed FortiManager > AP Manager > Managed FortiGate

APs
• All APs shown from all FortiGate
controllers under management
• Shows basic status information
about APs
• Online or offline
• Client count Status of all APs
• Rogues detected
• Radio configuration
APs can be
• Can group APs grouped

• Used for display and monitoring

• Based on specific FortiManager only

© Fortinet Inc. All Rights Reserved. 22

When FortiManager is installed in the network, you can use it to perform basic monitoring of the status of APs
and clients. The main benefit of using FortiManager is that you can get an overall view of the APs installed on
the network without having to go to each FortiGate in turn. However, the amount of information available on
FortiManager, specifically about the status of radios, is less than what is being available on FortiGate.

The Managed APs view is mostly used for configuration, rebooting, upgrading, or assigning profiles.
However, you can also see useful metrics here. The total number of managed APs is shown, together with a
count of the APs that are offline and online. Clicking on the rogue AP count icon will take you to a complete list
of the rogue APs detected by all of the APs on the network. Likewise, clicking the client's connected icon will
take you to a table that shows all clients connected to all of the APs managed by FortiManager.

You can also group APs for display and monitoring purposes. These groups are used inside FortiManager
only. Groups to organize the displays so you can drill down and monitor APs in a more organized way. APs
can belong to multiple groups, but the groups are specific to a controller and an AP type.

LAN Edge 7.6 Architect Study Guide 316

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiManager—Managed AP View (Contd)
• Centralized spectrum analysis FortiManager > AP Manager > More > Diagnostics and Tools

• Connect to any appropriately

configured AP and analyze the local
spectrum
• Display interference strength
• Instantaneously Real-time spectrum
view and over time
• Plotted over a minute (1 minute)

• Display interference duration or

duty cycle
• Instantaneously
• Plotted over a minute
Real-time duty
• Display detected interferers cycle and over time
(1 minute)
• Interference pattern compared to a
library and the best indication of type
is displayed Detected Interferers

© Fortinet Inc. All Rights Reserved. 23

FortiManager also includes the ability to perform a centralized spectrum analysis. Some FortiAPs can operate
their wireless chipset in two modes. The first mode is normal mode, which supports wireless client
connectivity, and the second puts the radio into spectrum analysis mode. Refer to the AP datasheet to see if
an AP is capable of spectrum analysis. To put the radio into spectrum analysis mode, you will need to
configure both radios of an AP as dedicated monitors. The best way to do this is to create and assign an AP
profile. Once done, you will be able to right-click an AP and select View Spectrum Analysis.

By default, the 2.4 GHz range is selected for analysis, although you can choose 5 GHz as well. When
selecting 5 GHz, you will need to choose a range of channels to scan. There are three useful pieces of
information displayed.

The first two graphs cover signal interference—all the power of the interfering signal. This is usually a
measure of how close the interference source is. The smaller the negative number, the more powerful the
signal is. You can see the instantaneous value as well as a plot of the signal strength over the last 60
seconds.

The duty cycle is a measure of how constant the interference is. The longer the duty cycle, the more
disruptive the potential issue.

The final table shows a list of detected interferers. FortiManager will compare the spectrum signature against
an inbuilt library of known interference sources and display its best guess as to what the interferer is.

Interpreting the output of the spectrum analyzer requires experience and practice. Experimenting with, and
viewing, the output of the spectrum analyzer is recommended. The more experience you get looking at
different spectra, the easier it becomes to identify unusual events.

LAN Edge 7.6 Architect Study Guide 317

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiManager—Client Monitor
• Full list of all clients associated with the APs
• Add columns for more information
• Tables are sortable to highlight clients that are having issues
• The Rate and Signal Strength columns are recommended

AP Manager > Managed FortiAPs > Managed FortiGate > Clients

© Fortinet Inc. All Rights Reserved. 24

The Client Monitor shows a list of all the clients currently associated with the APs. If you have created
different groups of APs, the list will be filtered depending on which AP the clients are connected to. You can
add extra columns; the Rate measure displays the downstream link rate from the AP to the client. Together
with the Signal Strength column, this is probably the quickest way to determine the health of a station’s
wireless connection. As with other tables, you can sort the columns to identify clients that are having issues.

LAN Edge 7.6 Architect Study Guide 318

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Regular Monitoring Is Essential
Wireless capacity Wireless health
• As a guide, a healthy interface should • Noise
maintain rates of: • Ideally -92 or weaker
• Utilization < 75% • High -80s is OK
• Client count < 30 • Low -80s or stronger is not good
• Temporary peaks above this are expected • Signal strength
• Should match or better design criteria
• In general should be -64 or stronger
• SnR
• Should be 15 minimum
• 25 or more is preferable
• Best possible link rates
• Be aware of a client’s capabilities
• Ensure they are connected to the most
suitable interface

© Fortinet Inc. All Rights Reserved. 25

Finally, the key to using monitoring tools correctly is understanding what good and bad metrics are. You can
then use the tools to identify parts of the network that are in trouble. Regular monitoring is essential, and you
should aim to keep your wireless metrics within the ranges shown on this slide.

The lower the channel noise, the better. Signal strength is measured in negative decibels—the greater the
negative number, the weaker the signal. For noise, a signal weaker than -92 is considered optimal. A signal in
the high -80s is acceptable. A signal in the low -80s or -70s indicates significant interference that you should
investigate using a spectrum analyzer.

The wireless network is designed and specified with a target signal strength for clients. You should make sure
that the majority of your clients have that minimum signal strength or greater. It is not unusual to have a small
number of weaker stations. For example, wireless devices enter and leave buildings, which can cause small
numbers of low signal strength clients to appear and disappear. Generally, you should see signal strengths of
-64 or stronger, with a good SnR of at least 15, but preferably 25 or more. Newer, higher speed standards
generally require a higher signal strength and a greater SnR, but these numbers provide a good baseline and
allow most wireless connections to work.

Finally, the ultimate indicator of health is the link rates that the client and AP use to communicate with each
other. Before you can make a judgment on the link rate, you first need to understand the specifications of the
wireless client to identify the maximum link rate you can use. Often, devices will be equipped with one- or two-
stream 2.4 GHz-capable and 5 GHz-capable clients. Analysis of the link rates being used may show that,
rather than connecting near the theoretical maximums of 433 Mbps (for a one-stream 802.11ac client) or 866
Mbps (for a two-stream client), which you might expect, they are connecting closer to 65 Mbps. Often, this is
simply a result of the clients connecting to the 2.4 GHz radio rather than a more suitable 5 GHz radio. Equally,
link rates will be reduced if the underlying metrics (loss, retry, signal strength, and noise) are impacted.

LAN Edge 7.6 Architect Study Guide 319

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Monitor and Troubleshoot FortiGate and

FortiSwitch Communication

© Fortinet Inc. All Rights Reserved. 26

In this section, you will learn how to monitor and troubleshoot FortiLink connectivity between FortiGate and
FortiSwitch.

LAN Edge 7.6 Architect Study Guide 320

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
FortiGate and FortiSwitch Communication Issues
• Common issues:
• Configuration errors
• Physical connectivity problems
• Firmware mismatches

© Fortinet Inc. All Rights Reserved. 27

Monitoring and troubleshooting communication issues between FortiGate and FortiSwitch is crucial for
maintaining a stable and efficient network. The FortiLink protocol enables FortiGate to manage FortiSwitch
devices and ensures seamless integration of FortiSwitch devices into the Fortinet Security Fabric. However,
communication issues can arise because of misconfigurations, connectivity problems, or firmware
mismatches.

Effective monitoring involves checking system logs, interface status, and configurations, while troubleshooting
focuses on identifying physical layer issues, verifying network settings, and using diagnostic commands to
resolve any disruptions in connectivity.

LAN Edge 7.6 Architect Study Guide 321

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Diagnosing Connectivity
• Monitor connectivity status on FortiGate:
#execute switch-controller get-conn-status – (FortiSwitch connection status)
#execute switch-controller diagnose-connection – (Interface, DHCP, and NTP connection status)
• FortiSwitch is not shown as online on FortiGate
• On FortiGate:
On FortiGate verify that
DHCP is enabled for the
FortiLink interface

• On FortiSwitch:
• #get system interface: Verify that the interface is getting an IP address from FortiLink
• #diagnose switch physical-ports summary: Port status and VLAN must be on 4094
FortiSwitch # diagnose switch physical-ports summary
Portname Status Tpid Vlan Duplex Speed Flags Discard
__________ ______ ____ ____ ______ _____ ____________ _________
...
port24 up 8100 4094 full 1G QS,TS, none
...

© Fortinet Inc. All Rights Reserved. 28

For successful FortiLink connectivity between FortiGate and FortiSwitch, it is essential to verify a few key
configurations and some basic diagnose commands that could be useful to monitor and troubleshoot the
connectivity between FortiGate and FortiSwitch.

To monitor and troubleshoot connectivity between FortiGate and FortiSwitch, you can start by examining the
FortiSwitch connection status on FortiGate using the command #execute switch-controller get-
conn-status. The command #execute switch-controller diagnose-connection is useful to
assess the status of the Fortilink interface, DHCP, and NTP configurations. These basic commands provide a
first look into network integrity and connectivity.

The same steps can be performed on FortiSwitch through the CLI. On the FortiSwitch CLI, use #get
system interface to confirm the interface is receiving an IP address through the FortiLink connection.

Run #diagnose switch physical-ports summary to check port status and ensure VLAN 4094 is
applied, as this VLAN is required for the FortiLink connection.

LAN Edge 7.6 Architect Study Guide 322

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Diagnosing Connectivity (Contd)
• Verify that NTP is in sync
• If the date is not accurate, the FortiLink connection to FortiGate could fail
• Check NTP configuration on both FortiGate and FortiSwitch, and run the following command
on both devices:
#show system ntp
• Other useful commands to run on FortiGate CLI:
• Verify DHCP configuration
#show system dhcp server | grep -f "<FortiLink interface name>"
• Verify fortilink interface configuration
#show system interface <fortilink interface name>
• Check status of all synchronization processes
#exec switch-controller get-sync-status all
• Connectivity graph information for FortiLink
#execute switch-controller get-physical-conn <standard/dot>

© Fortinet Inc. All Rights Reserved. 29

Another step is to confirm that NTP is synchronized across FortiGate and FortiSwitch devices, as incorrect
date and time settings can disrupt the FortiLink connection.

Additionally, checking the DHCP settings on the FortiLink interface is important to ensure accurate IP address
allocation.

Verify the configuration of the FortiLink interface itself and check the synchronization status for all FortiSwitch
devices linked to FortiGate to ensure alignment across all devices. Diagnostic commands allow you to
troubleshoot each FortiSwitch connection, and examining the connectivity graph provides insight into the
physical link status. These checks, conducted regularly, help in maintaining reliable and secure FortiLink
operations.

LAN Edge 7.6 Architect Study Guide 323

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Firmware Mismatches
• FortiLink compatibility

© Fortinet Inc. All Rights Reserved. 30

Using incompatible firmware versions between FortiGate and FortiSwitch can lead to issues in the
management, functionality, and stability of the FortiLink connection.

Firmware mismatches can lead to issues, such as FortiSwitch devices not appearing on the FortiGate
interface for management, or limited or broken functionality.

Fortinet provides a FortiSwitch/FortiGate compatibility matrix. You can find the FortiLink Compatibility
document on the Fortinet Document Library website.

LAN Edge 7.6 Architect Study Guide 324

 Monitor and Troubleshoot
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Review
 Apply FortiAIOPs on LAN Edge
 Monitor a wireless network
 Manage FortiAP devices through FortiManager
 Monitor and troubleshoot FortiLink connectivity between FortiGate and
FortiSwitch

© Fortinet Inc. All Rights Reserved. 31

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use FortiAIOPs in the LAN Edge
solution, monitor a wireless network, and troubleshoot a FortiLink connection.

LAN Edge 7.6 Architect Study Guide 325

 Brave-Dumps.com
DO NOT REPRINT
© FORTINET

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.