I have done the following to set up a FortiGate 60E with a UniFi Nano AP so I can have WiFi for some networks, but I'm looking for some advice on whether it's done correctly so far...
Created separate VLAN interfaces Office (VLAN ID 50) & Guest (VLAN ID 70) with DHCP and assigned each to the FortiSwitch interface.
Created a firewall policy for the VLANs to WAN (internet access).
Plugged the UniFi AP into Switch Port 2 & assigned the native VLAN as Office and the allowed VLANs as Guest.
From this point the desktop UniFi controller (on my laptop on the Office network) can see the access point / adopt it, and the AP gets an IP from the Office range. However, I am wondering: should the AP be independent from any of the VLANs?
I know how to create the SSIDs and VLANs / tags within UniFi, but I am just concerned whether the AP should have an IP from the Office range or if I need a separate network and just allow through ports so the controller can manage it?
Whilst it's a UniFi AP, my query is more around the FortiGate setup side, so I'm posting here hoping someone's come across this?
Typically it is best practice to have a separate management VLAN for access points and other network equipment. This helps prevent issues with broadcast storms, ARP poisoning and DHCP spoofing that could potentially happen on a VLAN that is used by client computers. You want the management traffic from the APs to the controller to not have any interruptions from client traffic issues.
Hello keven11,
The setup that you have right now will work; however, as a best practice, and if you plan on expanding your Wi-Fi network in the future with more APs, you should use a dedicated VLAN for the AP management. You can create and use the management VLAN as native, and tag Office and Guest.
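A FortiOS CLI sketch of the layout both replies describe, added here as an example (not from the thread or from Fortinet): a dedicated AP-Mgmt VLAN as the native VLAN on the AP's switch port, Office and Guest tagged, and a policy that only lets the AP reach the controller on the UniFi inform port (TCP 8080). The interface name "AP-Mgmt", VLAN ID 10, the 10.10.10.0/24 range, the FortiSwitch serial placeholder and the assumption that the existing VLANs are named "Office" and "Guest" are mine; a DHCP server on AP-Mgmt is created the same way as on the existing VLANs.

```fortios
# Dedicated management VLAN for APs on the FortiLink trunk (assumed VLAN 10, 10.10.10.0/24).
config system interface
    edit "AP-Mgmt"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "fortilink"
        set vlanid 10
    next
end
# AP port: AP-Mgmt untagged/native, Office and Guest carried tagged for the SSIDs.
config switch-controller managed-switch
    edit "FS-SERIAL-PLACEHOLDER"
        config ports
            edit "port2"
                set vlan "AP-Mgmt"
                set allowed-vlans "Office" "Guest"
            next
        end
    next
end
# Only the controller inform port is allowed from the AP VLAN into the Office VLAN.
config firewall service custom
    edit "UniFi-Inform"
        set tcp-portrange 8080
    next
end
config firewall policy
    edit 0
        set name "AP-Mgmt-to-Controller"
        set srcintf "AP-Mgmt"
        set dstintf "Office"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "UniFi-Inform"
        set logtraffic all
    next
end
```

Because the controller and the AP are now on different VLANs, L2 discovery no longer works: point the AP at the controller (set-inform) once, which needs a matching Office-to-AP-Mgmt policy for SSH (TCP 22) that you can disable after adoption. Leave Guest with no policy towards AP-Mgmt or Office at all, so wireless guests can only reach the WAN.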
Copyright 2024 Fortinet, Inc. All Rights Reserved.