fortiap 221c, 11c & fortigate 60d - juve · pdf filefortiap 221c, 11c & fortigate...
TRANSCRIPT
JUVE Consulting BVBA ∙ Roosgrachtlaan 27, B-3400 Landen ∙ Tel.: +32 (491) 56.35.96 ∙
Whitepaper: Fortinet wireless
Title: FortiAP 221C, 11C & Fortigate 60D
Author: Jurgen Vermeulen [email protected] +32 (491) 56.35.96
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Table of Contents
11/07/2014, V 1.0 <public> Page i
Table of Contents
1 INTRODUCTION ...................................................................................................................... 1
2 TEST SETUP ............................................................................................................................. 2
2.1 FIREWALL & WLC .................................................................................................................... 2
2.2 MAIN ACCESS POINTS ................................................................................................................ 2
2.3 THIN ACCESS POINT................................................................................................................... 3
2.4 LOCAL NETWORK ...................................................................................................................... 4
2.5 TESTING EQUIPMENT ................................................................................................................. 4
3 TEST CONFIGURATION ............................................................................................................ 5
3.1 CONNECTING THE ACCESS POINTS ................................................................................................ 5
3.2 THE FORTIAP PROFILES.............................................................................................................. 6
3.3 SSID CONFIGURATION ............................................................................................................... 7
3.4 FIREWALL POLICIES ................................................................................................................... 9
3.5 LOCAL AP MANAGEMENT INTERFACE .......................................................................................... 10
4 TEST RESULTS – LOCAL NETWORK ......................................................................................... 11
4.1 PERFORMANCE - CLEAR TEXT CONNECTION (DTLS DISABLED) ............................................................ 11
4.1.1 BRIDGED MODE (WIFIKEUH SSID) .................................................................................................... 11
4.1.2 TUNNELED MODE (WIFIKEUH2 SSID)................................................................................................ 12
4.2 PERFORMANCE - ENCRYPTED CONNECTION (DTLS ENABLED)............................................................. 13
4.2.1 BRIDGED MODE (WIFIKEUH SSID) .................................................................................................... 13
4.2.2 TUNNELED MODE (WIFIKEUH2 SSID)................................................................................................ 13
4.3 RANGE ................................................................................................................................ 14
4.4 GENERIC REMARKS ................................................................................................................. 14
4.4.1 HTTP CONNECTION TO THE AP ........................................................................................................ 14
4.4.2 CLEAR TEXT CONNECTION BY DEFAULT ............................................................................................... 14
4.4.3 FIRMWARE ................................................................................................................................... 14
4.5 BUGS ENCOUNTERED ............................................................................................................... 15
4.5.1 BRIDGED MODE DHCP BUG ............................................................................................................. 15
4.5.2 AP UNSTABLE WHEN MAKING FREQUENT CONFIGURATION CHANGES ...................................................... 15
5 TEST RESULTS - REMOTE OFFICE USING FORTIAP 11C ............................................................ 16
5.1 INTRODUCTION ...................................................................................................................... 16
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Table of Contents
11/07/2014, V 1.0 <public> Page ii
5.2 PERFORMANCE – DTLS DISABLED .............................................................................................. 16
5.3 PERFORMANCE – DTLS ENABLED ............................................................................................... 17
5.4 RANGE ................................................................................................................................ 18
5.5 EASE OF USE ......................................................................................................................... 18
5.6 GENERIC REMARKS ................................................................................................................. 18
5.6.1 HTTP CONNECTION TO THE AP ........................................................................................................ 18
5.6.2 CLEAR TEXT CONNECTION BY DEFAULT ............................................................................................... 18
5.6.3 NO EASY WAY TO CONNECT TO A REMOTE AP’S INTERFACE .................................................................. 18
6 CONCLUSION ........................................................................................................................ 19
7 MORE INFORMATION ........................................................................................................... 20
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Introduction
11/07/2014, V 1.0 <public> Page 1
1 Introduction
I’ve been running a Fortigate 60D firewall for a while now and was looking to replace my home
wireless by a more stable solution. Since my Fortigate can also be used as a WLC for FortiAP access
points, I decided to give them a try.
The main focus on the document will be on basic installation and performance, but there are more
features available. The test setup will have 2 SSIDs configured on the local LAN (bridged and
tunneled), and the tunneled SSID will be made available for remote users using the FortiAP 11C.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test setup
11/07/2014, V 1.0 <public> Page 2
2 Test setup
2.1 Firewall & WLC The firewall used in the test is Fortinet’s Fortigate 60D with following configuration:
- LAN interface, WAN interface + secondary WAN link
- UTM enabled
- No dedicated interface for FortiAP
- FortiOS 5.2.0
2.2 Main access points
For this test, I used 2 FortiAP 221C units. The main specs are:
- Dual radio.
- Internal antenna’s
- 802.1 AC capable (on 2nd radio)
- POE capable
- 1 Gbps connection
- Firmware 5.2.0
One AP is located on the ground floor, 1 AP is located on the first floor. A mounting bracket is
provided in the package, a power adapter isn’t. I have mine powered by a POE switch, but you can
use a POE injector as well (GPI-115).
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test setup
11/07/2014, V 1.0 <public> Page 3
2.3 Thin access point
As remote AP, I’ll be using a FortiAP 11C unit. This is the entry level thin AP and has the following
specs:
- Single radio.
- Internal antenna
- Wireless b/g/N on 2,4 GHz.
- 2 Gbps connections: LAN & WAN
- Firmware 5.2
This AP will be used in a road warrior setup and connected to some DSL and cable home Internet
connections for testing.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test setup
11/07/2014, V 1.0 <public> Page 4
2.4 Local network The LAN network is built on TP-LINK smart managed switches. Both the access points and firewall are
connected to a TP-Link SG2424P switch.
2.5 Testing equipment The following equipment was used during the tests:
- Samsung galaxy tab 3 8.0 inch
- Samsung series 5 laptop (Win7 pro 64 bit)
- Desktop computer (Win7 pro 64 bit)
- Wifi speed test: android application to test your network speed. Server executable installed
on the Win7 machines.
- XBMC
Unfortunately, I don’t have any AC capable equipment today, so I wasn’t able to test this.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test configuration
11/07/2014, V 1.0 <public> Page 5
3 Test configuration
3.1 Connecting the Access Points Connecting the equipment to the network is very easy:
- Enable CAPWAP on the Fortigate interface(s) facing the AP
- Enable wireless controller feature in case it is turned off.
- Create a wireless profile & assign correct country code
- Hook up the AP to the network.
- Authorize it on the Fortigate.
- Assign the profile created in step 3 (right-click on the AP name)
The result is something like this:
Under Monitor -> wireless health you can get an overview of generic wireless related data:
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test configuration
11/07/2014, V 1.0 <public> Page 6
Under Client monitor, you get an overview of all wireless clients that are currently connected:
3.2 The FortiAP profiles The FortiAP profile contains all settings you want to assign to a specific AP or group of AP’s. Each AP
hardware has a specific default profile, and you can create custom profiles as you wish.
Spectrum analysis will give you readings on rogue access points and can help you determine which
are the best wireless channels to use. I disabled channel 11 on radio 1, as it is the most used in my
neighbourhood and using it has a performance impact.
The client load balancing features allow for the access points to pass clients to least used nodes or to
spread the frequencies between the different access points.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test configuration
11/07/2014, V 1.0 <public> Page 7
By default, the AP and Fortinet support both clear text or DTLS encryption channels. If both are
available, clear text will be chosen automatically. You can force encryption by either changing the AP
or WLC profile configuration. Using DTLS combined with tunneled traffic (see below) does have a
performance impact.
For the FortiAP 11C, since this will be used off-site and it needs to connect to the firewall over the
Internet, we will statically configure the controller’s IP or hostname. Connect to the AP using HTTP
and modify the AC address accordingly:
This will allow the AP to connect to the Fortigate on its internal or external interface, no matter
where it is located. For a remote AP, you should use DTLS, but I choose to force this on the Fortigate
side on the WTP profile, for increased flexibility.
3.3 SSID configuration Each AP can handle multiple SSIDs. You create the ones you need on the Fortigate WLC and assign
the required ones to each FortiAP profile. There are 2 ways to configure an SSID:
- Bridged to local interface: this will use the AP’s LAN interface to send data to the network.
You can use this mode when the AP is connected directly to your LAN and you want to avoid
the overhead of tunneling traffic towards the Fortigate.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test configuration
11/07/2014, V 1.0 <public> Page 8
- Tunneled mode: all traffic from and to clients connected to these SSIDs will be sent through
a tunnel between the AP and firewall. You can create several networks assigned to different
profiles and these networks only need to exist at the firewall, not on the AP’s LAN connection
point.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test configuration
11/07/2014, V 1.0 <public> Page 9
3.4 Firewall policies You can create policies using the assigned network interfaces linked to the SSIDs.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test configuration
11/07/2014, V 1.0 <public> Page 10
3.5 Local AP management interface It is possible to make some configuration changes to the AP through HTTP or telnet (needs to be
manually enabled + access will be disabled once a connection to a WLC is made). This is needed
when you connect the AP to a remote location and it isn’t able to autodiscover the WLC parameters.
You can also assign a static IP and monitor the wireless radio.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results – local network
11/07/2014, V 1.0 <public> Page 11
4 Test results – local network
4.1 Performance - clear text connection (DTLS disabled)
4.1.1 Bridged mode (Wifikeuh SSID)
When connected to the AP in bridged mode, it’s possible to get an average throughput of 39 mbps,
which is better than what I’ve seen on my other equipment. The signal allows to play back a 1080p
mkv with 5.1 surround without any issues when not too far away from the AP.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results – local network
11/07/2014, V 1.0 <public> Page 12
4.1.2 Tunneled mode (Wifikeuh2 SSID)
Next, I switched to the Wifikeuh2 SSID, which has all traffic tunneled towards the Foritgate WLC, and
is then routed onto the network. Results were very similar:
There’s little overhead and you don’t notice any difference when connected to this SSID. Video kept
playing smoothly as well.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results – local network
11/07/2014, V 1.0 <public> Page 13
4.2 Performance - encrypted connection (DTLS enabled)
4.2.1 Bridged mode (Wifikeuh SSID)
When connected in bridge mode, you observe no speed difference when connected. This is logical,
because all traffic is handed off through the LAN port of the AP, directly onto the network instead of
being sent through the tunnel. Only control data is encrypted over the link between the AP and the
WLC.
4.2.2 Tunneled mode (Wifikeuh2 SSID)
Where you do notice a difference, is in the tunneled SSIDs. When performing the same tests on a
DTLS channel, my performance dropped to around 11 mbps:
Both the AP’s and the Fortigate’s CPU went very high. While this speed is more than enough to do
some surfing and office work, don’t expect to stream full HD content over the DTLS link without any
issues. If the AP is located remotely and needs to connect over an untrusted connection, DTLS is a
must have, so keep this in mind when scaling the equipment.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results – local network
11/07/2014, V 1.0 <public> Page 14
4.3 Range One of the main drawbacks of my old wifi equipment was range. I used to have a Linksys WRT54GS,
flashed DD-WRT on it and boosted transmit power to maximum to get some decent coverage. My
second AP was a Netgear router with Wireless-N, dual band radio and that was barely able to server
1 floor in the house. Roaming between them was also impossible.
I was pleasantly surprised that with 2 access points, I now have decent wireless coverage throughout
the entire house (ground floor, first floor and second floor), while having a lot of concrete and metal
used throughout the house. Roaming is also working very well, thanks to the cooperation between
the access points. I didn’t perform any VOIP tests yet, but I don’t get disconnected for a minute
anymore when moving from one floor to another.
4.4 Generic remarks
4.4.1 HTTP Connection to the AP
While telnet gets disabled once the AP connects to the controller, and there aren’t that many options
to configure on the AP, having a HTTPS interface would be preferred over HTTP. In the meantime,
take this into account and make sure to use a different password and change it frequently in order to
manage the AP from the web interface.
4.4.2 Clear text connection by default
The recommended setup for deploying AP’s is slightly different from what I did, ie. Connecting the
AP’s to a dedicated Fortigate interface that is separated from the rest of the network, so I
understand that from a performance point of view, the default way of connecting the AP is using a
clear text connection. However, since we’re talking about a security product, I would rather see the
most secure option being chosen in case of multiple possibilities. By default, both clear text and DTLS
are enabled, so logic would be to use DTLS. If you want to use clear text as default to bypass possible
performance impact , make ‘clear text’ the default setting and not both options.
4.4.3 Firmware
The FAP 221C is a new product and the FortiOS 5.2.0 being a new ‘major’ release, there still are some
hiccups. The AP’s second radio sometimes doesn’t appear as functional in the Managed AP view,
while it seems active on the AP itself, performing frequent changes confuse the AP and Fortigate, and
I had to do 2 or 3 reboots of the AP’s because of some weird behavior.
Once I put on a final configuration and didn’t fiddle with it every couple of minutes, the setup was
very stable though. These are some minor issues that should disappear in the coming firmware
updates.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results – local network
11/07/2014, V 1.0 <public> Page 15
4.5 Bugs encountered
4.5.1 Bridged mode DHCP bug
When you connect to a SSID that is configured to be bridged over the AP’s interface (not using tunnel
mode), it happens that you can’t get an IP from the DHCP server. I haven’t been able to pinpoint the
exact problem, but there are other people experiencing the same issue. When connected in tunnel
mode, I never experienced this issue. A reboot restores connectivity, but it can happen again at
random.
4.5.2 AP unstable when making frequent configuration changes
I did notice the AP’s becoming unstable when making a lot of changes to the configuration. This was
adding and removing SSID’s, changing frequencies, … I didn’t notice issues when I left the
configuration alone, so it shouldn’t be a real issue when in production.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results - remote office using FortiAP 11C
11/07/2014, V 1.0 <public> Page 16
5 Test results - remote office using FortiAP 11C
5.1 Introduction After conducting the LAN tests, I setup the FortiAP 11C to be used as a secure connection to the main
network from any remote location. I did perform a speed test with DTLS disabled to show the
difference in speed, however in this scenario you should really go for security over performance.
5.2 Performance – DTLS disabled
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results - remote office using FortiAP 11C
11/07/2014, V 1.0 <public> Page 17
5.3 Performance – DTLS enabled
Performance is pretty good for a remote user, even with DTLS enabled. In any case, it is more than
enough to be able to work and have a video call. When taking Belgium into account, most home
Internet lines do have very high download bandwidth (10 to 160 Mbps), but limited upload
bandwidth of around 4 to 6 Mbps.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Test results - remote office using FortiAP 11C
11/07/2014, V 1.0 <public> Page 18
5.4 Range Range is pretty good considering the form factor of the device. It doesn’t go as far as a regular AP,
but I was able to move around on the same floor without losing connectivity. Don’t expect any
decent signal when moving up or down a floor though.
5.5 Ease of use Staging the AP is a matter of minutes. Once this has been performed, you can just give it to anyone
and they can set it up in just 2 minutes. Plug an Ethernet cable into the wan port and plug the unit
into a power plug, and wait until the connection to the firewall is up. No need to fiddle around with
VPN clients or network settings, the user just has the same experience as being inside the office.
5.6 Generic remarks
5.6.1 HTTP Connection to the AP
Same as for the central access points, the use of HTTPS would be more appropriate, since these
access points are connected in untrusted environments.
5.6.2 Clear text connection by default
By default, both clear text and DTLS are enabled, so logic would be to use DTLS. The main use of
these Aps is to create a secured home office, so not using DTLS would compromise security.
5.6.3 No easy way to connect to a remote AP’s interface
While most of the configuration is performed from the Fortigate WLC, in some cases it can be useful
to be able to connect to the web interface or cli of the AP itself. Adding a shortcut launching a
console session from the Fortinet would make this a lot easier, and if the DTLS tunnel is used, you
can bypass problems with ISP’s blocking HTTP/HTTPS/… which will stop you from connecting to the
AP.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless Conclusion
11/07/2014, V 1.0 <public> Page 19
6 Conclusion I’m very happy with the performance of the AP’s and the interconnection between wireless and
security. Range and throughput on the AP’s is very good, there are some minor bugs present in the
current firmware but nothing shocking and It is very easy to deploy. I didn’t test every feature yet
and focused on performance for now, but I’m very impressed with what you get for the money. Most
AP’s are a lot more expensive and having to manage a separate WLC can be a hurdle. Another option
are cloud-managed networks using Meraki/Aerohive/… but if you already have Fortinet equipment
installed, the seamless integration is a real plus.
As for the FortiAP 11C, it is a really cheap solution to allow people to work remotely without the
hassle of VPN clients, overlapping subnets, … It really is plug&play and very portable.
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless More information
11/07/2014, V 1.0 <public> Page 20
7 More information
For more information, a live demo or quote, don’t hesitate to contact us:
JUVE Consulting
Jurgen Vermeulen
+32 (491) 56.35.96