Description
This article describes how to set up manual discovery for all FortiAPs on a FortiGate to minimize downtime after disconnection.
Scope
FortiOS release v7.2, v7.4. All FortiAP models and versions.
Solution
There are 6 discovery methods that a FortiAP can use to discover a FortiGate interface that has Security Fabric access enabled:
1(static) → 2(dhcp) → 3(dns) → 7(fortiapcloud) → 5(multicast) → 6(broadcast)
By default, every FortiAP is pre-configured to use auto-discovery: it tries the methods in the sequence above until discovery and adoption succeed.
By default, it tries 3 times, waiting up to 5 seconds for a response from the FortiGate, and then switches to the next discovery method.
The fastest method is to set a static AC IP address on the FortiAP, but this cannot always be enforced easily, especially when deploying tens or hundreds of devices.
From v7.2 onwards, in addition to the DHCP or DNS methods, it is possible to use a FortiAP configuration profile to push commands to a FortiAP after its first successful adoption.
Assume a FortiGate has an interface with Security Fabric access enabled and the IP address 192.168.10.254 configured on it. It is possible to create a configuration profile that includes both the AC IP address and the discovery method:
Fortigate # config wireless-controller apcfg-profile
Fortigate (apcfg-profile) # show
config wireless-controller apcfg-profile
    edit "static_discovery"
        set ap-family fap-u
        set ac-type specify
        set ac-timer 3
        set ac-ip 192.168.10.254
        config command-list
            edit 1
                set name "AC_IPADDR_1"
                set value "192.168.10.254"
            next
            edit 2
                set name "AC_DISCOVERY_TYPE"
                set value "1"
            next
        end
    next
end
The configuration profile can then be associated with a FortiAP profile (wtp-profile):
Fortigate (233G-default) # show
config wireless-controller wtp-profile
    edit "233G-Default"
        set apcfg-profile "static_discovery"
    next
end
After a successful first discovery, the FortiAP receives the configuration commands and waits 3 seconds before trying to join the FortiGate using this configuration. Subsequent reconnection times are greatly improved compared with automatic discovery or even the DHCP/DNS methods.
Note:
Consider configuring 'AC_DISCOVERY_TYPE' as the last entry, because the FortiAP applies it immediately after receiving it.
If a discovery-related parameter (such as AC_IPADDR_1) is missing or wrong, the FAP will not connect until someone logs in directly on the device and corrects it.
This method can be used to enforce any discovery method or to apply other configuration variables.
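The two pitfalls in the note above can be checked before a profile is assigned to a wtp-profile. The following is an added example, not Fortinet code: a small linter over the text of an apcfg-profile. The function names, the abridged sample input and the treatment of "0" as auto-discovery are assumptions made for this example, and it expects every command-list entry to carry both a name and a value.

```python
import ipaddress
import re

# Constructed input: the apcfg-profile shown in the article (abridged).
SAMPLE = """\
config wireless-controller apcfg-profile
    edit "static_discovery"
        set ac-type specify
        set ac-timer 3
        set ac-ip 192.168.10.254
        config command-list
            edit 1
                set name "AC_IPADDR_1"
                set value "192.168.10.254"
            next
            edit 2
                set name "AC_DISCOVERY_TYPE"
                set value "1"
            next
        end
    next
end
"""
# Discovery types listed in the article; "0" (auto) is an assumption added here.
KNOWN_TYPES = {"0", "1", "2", "3", "5", "6", "7"}

def command_list(text):
    """Return [(name, value), ...] in the order the entries appear."""
    names = re.findall(r'^\s*set name "([^"]*)"', text, re.M)
    values = re.findall(r'^\s*set value "([^"]*)"', text, re.M)
    return list(zip(names, values))

def lint_profile(text):
    """Return problems that could leave a FortiAP unable to rejoin."""
    cmds = command_list(text)
    problems = []
    if not cmds or "AC_DISCOVERY_TYPE" not in dict(cmds):
        return problems  # nothing pushed that changes discovery
    cfg = dict(cmds)
    if cmds[-1][0] != "AC_DISCOVERY_TYPE":
        problems.append("AC_DISCOVERY_TYPE is not the last entry")
    if cfg["AC_DISCOVERY_TYPE"] not in KNOWN_TYPES:
        problems.append("unknown AC_DISCOVERY_TYPE value")
    if cfg["AC_DISCOVERY_TYPE"] == "1":  # static needs a usable AC address
        try:
            ipaddress.ip_address(cfg.get("AC_IPADDR_1", ""))
        except ValueError:
            problems.append("AC_IPADDR_1 missing or not a valid IP address")
    return problems
```

An empty list from `lint_profile` means none of these checks fired; it does not confirm that the address is reachable from the FortiAP.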
Copyright 2024 Fortinet, Inc. All Rights Reserved.