Whitepaper: Fortinet wireless

Title: FortiAP 221C, 11C & Fortigate 60D

Author: Jurgen Vermeulen, [email protected], +32 (491) 56.35.96

JUVE Consulting BVBA ∙ Roosgrachtlaan 27, B-3400 Landen ∙ Tel.: +32 (491) 56.35.96

11/07/2014, V 1.0 <public>

Table of Contents

1 Introduction
2 Test setup
2.1 Firewall & WLC
2.2 Main access points
2.3 Thin access point
2.4 Local network
2.5 Testing equipment
3 Test configuration
3.1 Connecting the access points
3.2 The FortiAP profiles
3.3 SSID configuration
3.4 Firewall policies
3.5 Local AP management interface
4 Test results – local network
4.1 Performance - clear text connection (DTLS disabled)
4.1.1 Bridged mode (Wifikeuh SSID)
4.1.2 Tunneled mode (Wifikeuh2 SSID)
4.2 Performance - encrypted connection (DTLS enabled)
4.2.1 Bridged mode (Wifikeuh SSID)
4.2.2 Tunneled mode (Wifikeuh2 SSID)
4.3 Range
4.4 Generic remarks
4.4.1 HTTP connection to the AP
4.4.2 Clear text connection by default
4.4.3 Firmware
4.5 Bugs encountered
4.5.1 Bridged mode DHCP bug
4.5.2 AP unstable when making frequent configuration changes
5 Test results - remote office using FortiAP 11C
5.1 Introduction
5.2 Performance – DTLS disabled
5.3 Performance – DTLS enabled
5.4 Range
5.5 Ease of use
5.6 Generic remarks
5.6.1 HTTP connection to the AP
5.6.2 Clear text connection by default
5.6.3 No easy way to connect to a remote AP's interface
6 Conclusion
7 More information


1 Introduction

I've been running a Fortigate 60D firewall for a while now and was looking to replace my home wireless with a more stable solution. Since my Fortigate can also be used as a WLC for FortiAP access points, I decided to give them a try.

The main focus of the document will be on basic installation and performance, but there are more features available. The test setup will have 2 SSIDs configured on the local LAN (bridged and tunneled), and the tunneled SSID will be made available for remote users using the FortiAP 11C.


2 Test setup

2.1 Firewall & WLC

The firewall used in the test is Fortinet's Fortigate 60D with the following configuration:

- LAN interface, WAN interface + secondary WAN link
- UTM enabled
- No dedicated interface for FortiAP
- FortiOS 5.2.0

2.2 Main access points

For this test, I used 2 FortiAP 221C units. The main specs are:

- Dual radio
- Internal antennas
- 802.11ac capable (on the 2nd radio)
- PoE capable
- 1 Gbps connection
- Firmware 5.2.0

One AP is located on the ground floor, 1 AP is located on the first floor. A mounting bracket is provided in the package, a power adapter isn't. I have mine powered by a PoE switch, but you can use a PoE injector as well (GPI-115).


2.3 Thin access point

As remote AP, I'll be using a FortiAP 11C unit. This is the entry-level thin AP and has the following specs:

- Single radio
- Internal antenna
- Wireless 802.11b/g/n on 2.4 GHz
- Two Gigabit (1 Gbps) connections: LAN & WAN
- Firmware 5.2

This AP will be used in a road warrior setup and connected to some DSL and cable home Internet connections for testing.


2.4 Local network

The LAN is built on TP-LINK smart managed switches. Both the access points and the firewall are connected to a TP-Link SG2424P switch.

2.5 Testing equipment

The following equipment was used during the tests:

- Samsung Galaxy Tab 3 8.0 inch
- Samsung Series 5 laptop (Win7 Pro 64-bit)
- Desktop computer (Win7 Pro 64-bit)
- WiFi Speed Test: Android application to test your network speed. The server executable was installed on the Win7 machines.
- XBMC

Unfortunately, I don't have any 802.11ac-capable equipment today, so I wasn't able to test this.


3 Test configuration

3.1 Connecting the Access Points

Connecting the equipment to the network is very easy:

1. Enable CAPWAP on the Fortigate interface(s) facing the AP.
2. Enable the wireless controller feature in case it is turned off.
3. Create a wireless profile & assign the correct country code.
4. Hook up the AP to the network.
5. Authorize it on the Fortigate.
6. Assign the profile created in step 3 (right-click on the AP name).

The result is something like this:

Under Monitor -> Wireless Health you can get an overview of generic wireless-related data:


Under Client Monitor, you get an overview of all wireless clients that are currently connected:

3.2 The FortiAP profiles

The FortiAP profile contains all settings you want to assign to a specific AP or group of APs. Each AP hardware model has a specific default profile, and you can create custom profiles as you wish.

Spectrum analysis will give you readings on rogue access points and can help you determine which are the best wireless channels to use. I disabled channel 11 on radio 1, as it is the most used in my neighbourhood and using it has a performance impact.

The client load balancing features allow the access points to hand clients over to the least used nodes or to spread the frequencies between the different access points.


By default, the FortiAP and the Fortinet WLC support both clear text and DTLS-encrypted channels. If both are available, clear text will be chosen automatically. You can force encryption by changing either the AP or the WLC profile configuration. Using DTLS combined with tunneled traffic (see below) does have a performance impact.

For the FortiAP 11C, since this will be used off-site and it needs to connect to the firewall over the Internet, we will statically configure the controller's IP or hostname. Connect to the AP using HTTP and modify the AC (access controller) address accordingly:

This will allow the AP to connect to the Fortigate on its internal or external interface, no matter where it is located. For a remote AP, you should use DTLS, but I chose to force this on the Fortigate side in the WTP profile, for increased flexibility.

3.3 SSID configuration

Each AP can handle multiple SSIDs. You create the ones you need on the Fortigate WLC and assign the required ones to each FortiAP profile. There are 2 ways to configure an SSID:

- Bridged to local interface: this will use the AP's LAN interface to send data to the network. You can use this mode when the AP is connected directly to your LAN and you want to avoid the overhead of tunneling traffic towards the Fortigate.


- Tunneled mode: all traffic from and to clients connected to these SSIDs will be sent through a tunnel between the AP and the firewall. You can create several networks assigned to different profiles, and these networks only need to exist at the firewall, not at the AP's LAN connection point.


3.4 Firewall policies

You can create policies using the network interfaces linked to the SSIDs.


3.5 Local AP management interface

It is possible to make some configuration changes to the AP through HTTP or telnet (this needs to be enabled manually, and access is disabled once a connection to a WLC is made). This is needed when you connect the AP at a remote location and it isn't able to autodiscover the WLC parameters. You can also assign a static IP and monitor the wireless radio.


4 Test results – local network

4.1 Performance - clear text connection (DTLS disabled)

4.1.1 Bridged mode (Wifikeuh SSID)

When connected to the AP in bridged mode, it's possible to get an average throughput of 39 Mbps, which is better than what I've seen on my other equipment. The signal allows playing back a 1080p MKV with 5.1 surround without any issues when not too far away from the AP.


4.1.2 Tunneled mode (Wifikeuh2 SSID)

Next, I switched to the Wifikeuh2 SSID, which has all traffic tunneled towards the Fortigate WLC and then routed onto the network. Results were very similar:

There's little overhead and you don't notice any difference when connected to this SSID. Video kept playing smoothly as well.


4.2 Performance - encrypted connection (DTLS enabled)

4.2.1 Bridged mode (Wifikeuh SSID)

When connected in bridged mode, you observe no speed difference. This is logical, because all traffic is handed off through the LAN port of the AP directly onto the network instead of being sent through the tunnel. Only the control data on the link between the AP and the WLC is encrypted.

4.2.2 Tunneled mode (Wifikeuh2 SSID)

Where you do notice a difference is in the tunneled SSIDs. When performing the same tests over a DTLS channel, my performance dropped to around 11 Mbps:

Both the AP's and the Fortigate's CPU usage went very high. While this speed is more than enough for some surfing and office work, don't expect to stream full HD content over the DTLS link without any issues. If the AP is located remotely and needs to connect over an untrusted connection, DTLS is a must-have, so keep this in mind when scaling the equipment.


4.3 Range

One of the main drawbacks of my old wifi equipment was range. I used to have a Linksys WRT54GS, flashed DD-WRT on it and boosted transmit power to the maximum to get some decent coverage. My second AP was a Netgear router with a Wireless-N dual-band radio, and that was barely able to serve 1 floor in the house. Roaming between them was also impossible.

I was pleasantly surprised that with 2 access points, I now have decent wireless coverage throughout the entire house (ground floor, first floor and second floor), despite a lot of concrete and metal used throughout the house. Roaming is also working very well, thanks to the cooperation between the access points. I didn't perform any VoIP tests yet, but I don't get disconnected for a minute anymore when moving from one floor to another.

4.4 Generic remarks

4.4.1 HTTP Connection to the AP

While telnet gets disabled once the AP connects to the controller, and there aren't that many options to configure on the AP, an HTTPS interface would be preferred over HTTP. In the meantime, take this into account: use a password for the AP's web interface that is not shared with any other system and change it frequently, since it travels in clear text whenever you manage the AP over HTTP.

4.4.2 Clear text connection by default

The recommended setup for deploying APs is slightly different from what I did, i.e. connecting the APs to a dedicated Fortigate interface that is separated from the rest of the network, so I understand that from a performance point of view, the default way of connecting the AP is a clear text connection. However, since we're talking about a security product, I would rather see the most secure option chosen when multiple possibilities exist. By default, both clear text and DTLS are enabled, so the logical choice would be DTLS. If you want clear text as the default to avoid the possible performance impact, make 'clear text' the default setting and not both options.
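As an added example that is not part of the whitepaper, the Python checker below decodes CAPWAP (RFC 5415) datagrams the way a defender would when verifying the point made in section 3.2 and here: the preamble byte of every datagram on UDP 5246/5247 states whether a clear-text CAPWAP header or a DTLS record follows, so a capture of the AP-to-WLC traffic shows which mode was actually negotiated instead of trusting the profile setting. The sample datagrams are constructed for the example, not captured from a FortiAP.

```python
"""Audit CAPWAP (RFC 5415) datagrams: clear-text CAPWAP header or DTLS record?"""
import struct
from dataclasses import dataclass

# UDP 5246 is the CAPWAP control channel, 5247 the data channel.
CAPWAP_PORTS = {5246: "control", 5247: "data"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Base CAPWAP control message types (RFC 5415 section 4.5.1.1).
CONTROL_MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response", 3: "Join Request",
                     4: "Join Response", 13: "Echo Request", 14: "Echo Response"}


@dataclass(frozen=True)
class CapwapInfo:
    channel: str      # "control" or "data"
    encrypted: bool   # True when the preamble announces a DTLS record
    detail: str       # decode of what follows the preamble


def classify_capwap(dst_port: int, payload: bytes) -> CapwapInfo:
    """Classify one UDP payload sent to a CAPWAP port."""
    channel = CAPWAP_PORTS.get(dst_port)
    if channel is None:
        raise ValueError(f"UDP port {dst_port} is not a CAPWAP port")
    if len(payload) < 8:
        raise ValueError("payload too short for a CAPWAP preamble and header")
    # Preamble byte: version in the high nibble (0), payload type in the low
    # nibble: 0 = plain CAPWAP header follows, 1 = DTLS record follows.
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0 or ptype not in (0, 1):
        raise ValueError(f"unexpected CAPWAP preamble 0x{payload[0]:02x}")

    if ptype == 1:
        # 3 reserved bytes, then the 13-byte DTLS record header:
        # content type (1), version (2), epoch (2), sequence (6), length (2).
        if len(payload) < 17:
            raise ValueError("truncated DTLS record header")
        ctype, ver, epoch, length = struct.unpack("!BHH6xH", payload[4:17])
        detail = (f"{DTLS_VERSIONS.get(ver, f'unknown version 0x{ver:04x}')} "
                  f"{DTLS_CONTENT_TYPES.get(ctype, f'type {ctype}')} "
                  f"epoch={epoch} len={length}")
        return CapwapInfo(channel, True, detail)

    # Clear-text CAPWAP header (RFC 5415 section 4.3): HLEN in 4-byte words,
    # WBID 1 = IEEE 802.11, T flag set = native 802.11 frame in the payload.
    hdr_len = (payload[1] >> 3) * 4
    wbid = (payload[2] >> 1) & 0x1F
    if channel == "control" and len(payload) >= hdr_len + 8:
        # Control header starts with message type (4 bytes) and sequence number (1).
        msg_type, seq = struct.unpack("!IB", payload[hdr_len:hdr_len + 5])
        name = CONTROL_MSG_TYPES.get(msg_type, f"message type {msg_type}")
        return CapwapInfo(channel, False, f"clear-text {name} seq={seq} wbid={wbid}")
    kind = "native 802.11 frame" if payload[2] & 0x01 else "802.3 frame"
    return CapwapInfo(channel, False, f"clear-text {channel}, {kind}, wbid={wbid}, "
                      f"{max(len(payload) - hdr_len, 0)} payload bytes")


def audit_capture(packets):
    """Count clear-text datagrams per channel; any non-zero count is a finding."""
    findings = {}
    for dst_port, payload in packets:
        info = classify_capwap(dst_port, payload)
        if not info.encrypted:
            findings[info.channel] = findings.get(info.channel, 0) + 1
    return findings


# Constructed sample datagrams (not a real capture), as (dst_port, payload).
SAMPLE_PACKETS = [
    # Clear-text Discovery Request: HLEN=2 words, WBID=1, message type 1.
    (5246, bytes.fromhex("00 10 02 00 00 00 00 00 00 00 00 01 00 00 00 00")),
    # DTLS 1.2 handshake record on the control channel with a 12-byte fragment.
    (5246, bytes.fromhex("01 00 00 00 16 FE FD 00 00 00 00 00 00 00 00 00 0C") + bytes(12)),
    # DTLS 1.2 application_data record carrying tunneled SSID traffic.
    (5247, bytes.fromhex("01 00 00 00 17 FE FD 00 01 00 00 00 00 00 2A 00 04 DE AD BE EF")),
    # Clear-text data channel with the T flag set (native 802.11 frame inside).
    (5247, bytes.fromhex("00 10 03 00 00 00 00 00") + bytes(20)),
]
```

`audit_capture(SAMPLE_PACKETS)` returns `{'control': 1, 'data': 1}`, i.e. one unencrypted datagram on each channel; on a link where DTLS was forced in the WTP profile the result should be an empty dict.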

4.4.3 Firmware

The FAP 221C is a new product and FortiOS 5.2.0 is a new 'major' release, so there still are some hiccups. The AP's second radio sometimes doesn't appear as functional in the Managed AP view while it seems active on the AP itself, performing frequent changes confuses the AP and Fortigate, and I had to do 2 or 3 reboots of the APs because of some weird behavior.

Once I settled on a final configuration and didn't fiddle with it every couple of minutes, the setup was very stable though. These are minor issues that should disappear in the coming firmware updates.


4.5 Bugs encountered

4.5.1 Bridged mode DHCP bug

When you connect to an SSID that is configured to be bridged over the AP's interface (not using tunnel mode), it happens that you can't get an IP from the DHCP server. I haven't been able to pinpoint the exact problem, but other people are experiencing the same issue. When connected in tunnel mode, I never experienced this issue. A reboot restores connectivity, but it can happen again at random.

4.5.2 AP unstable when making frequent configuration changes

I did notice the APs becoming unstable when making a lot of changes to the configuration, such as adding and removing SSIDs, changing frequencies, ... I didn't notice issues when I left the configuration alone, so it shouldn't be a real issue in production.


5 Test results - remote office using FortiAP 11C

5.1 Introduction

After conducting the LAN tests, I set up the FortiAP 11C to be used as a secure connection to the main network from any remote location. I did perform a speed test with DTLS disabled to show the difference in speed; however, in this scenario you should really go for security over performance.

5.2 Performance – DTLS disabled


5.3 Performance – DTLS enabled

Performance is pretty good for a remote user, even with DTLS enabled. In any case, it is more than enough to be able to work and have a video call. Taking Belgium into account, most home Internet lines do have very high download bandwidth (10 to 160 Mbps), but limited upload bandwidth of around 4 to 6 Mbps.


5.4 Range

Range is pretty good considering the form factor of the device. It doesn't go as far as a regular AP, but I was able to move around on the same floor without losing connectivity. Don't expect any decent signal when moving up or down a floor though.

5.5 Ease of use

Staging the AP is a matter of minutes. Once this has been done, you can just give it to anyone and they can set it up in just 2 minutes: plug an Ethernet cable into the WAN port, plug the unit into a power socket, and wait until the connection to the firewall is up. No need to fiddle around with VPN clients or network settings; the user gets the same experience as being inside the office.

5.6 Generic remarks

5.6.1 HTTP Connection to the AP

As for the central access points, the use of HTTPS would be more appropriate, since these access points are connected in untrusted environments.

5.6.2 Clear text connection by default

By default, both clear text and DTLS are enabled, so the logical choice would be DTLS. The main use of these APs is to create a secured home office, so not using DTLS would compromise security.

5.6.3 No easy way to connect to a remote AP's interface

While most of the configuration is performed from the Fortigate WLC, in some cases it can be useful to be able to connect to the web interface or CLI of the AP itself. Adding a shortcut launching a console session from the Fortinet WLC would make this a lot easier, and if the DTLS tunnel is used, you can bypass problems with ISPs blocking HTTP/HTTPS/... which would stop you from connecting to the AP.


6 Conclusion

I'm very happy with the performance of the APs and the interconnection between wireless and security. Range and throughput on the APs are very good; there are some minor bugs present in the current firmware, but nothing shocking, and it is very easy to deploy. I didn't test every feature yet and focused on performance for now, but I'm very impressed with what you get for the money. Most APs are a lot more expensive and having to manage a separate WLC can be a hurdle. Another option is cloud-managed networks using Meraki/Aerohive/..., but if you already have Fortinet equipment installed, the seamless integration is a real plus.

As for the FortiAP 11C, it is a really cheap solution to allow people to work remotely without the hassle of VPN clients, overlapping subnets, ... It really is plug & play and very portable.


7 More information

For more information, a live demo or quote, don’t hesitate to contact us:

JUVE Consulting

Jurgen Vermeulen

[email protected]

+32 (491) 56.35.96